CN101938743A - Generation method and device of safe keys - Google Patents

Generation method and device of safe keys Download PDF

Info

Publication number
CN101938743A
CN101938743A CN200910151993.1A CN200910151993A CN101938743A CN 101938743 A CN101938743 A CN 101938743A CN 200910151993 A CN200910151993 A CN 200910151993A CN 101938743 A CN101938743 A CN 101938743A
Authority
CN
China
Prior art keywords
key
kdf
algorithm
generate
keys
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN200910151993.1A
Other languages
Chinese (zh)
Other versions
CN101938743B (en
Inventor
李静岚
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
ZTE Corp
Original Assignee
ZTE Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by ZTE Corp filed Critical ZTE Corp
Priority to CN200910151993.1A priority Critical patent/CN101938743B/en
Priority to PCT/CN2010/072691 priority patent/WO2011006390A1/en
Publication of CN101938743A publication Critical patent/CN101938743A/en
Application granted granted Critical
Publication of CN101938743B publication Critical patent/CN101938743B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Landscapes

  • Mobile Radio Communication Systems (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a generation method of safe keys. When the three safe keys of an AS (Access Layer) are generated: if an encryption algorithm is a null algorithm, a signaling integrity protection key is generated by only one calling of a KDF (Key Derivation Function), and a signaling encryption key and a user data encryption key are directly set as 0; if the encryption algorithm is not the null algorithm, parameters for generating any two keys are combined, and in the process of once calling the KDF, the two keys can be obtained, thus, the three keys can be generated by only twice calling the KDF; and meanwhile, the invention discloses a generation device of the safe keys, and the utilization ratio of key generation resources can be improved and the time delay of the whole key generation system can be reduced through the method or the device.

Description

A kind of generation method and apparatus of safe key
Technical field
The present invention relates to the mobile communication security fields, relate in particular to a kind of generation method and apparatus of safe key.
Background technology
At Long Term Evolution (LTE; Long Term Evolution) in the system, the Radio Resource of network control (RRC, Radio Resource Control) function is placed on the Node B (eNB of evolution; Evolved NodeB) on, so the corresponding safety protecting mechanism of RRC also is placed among the eNB thereupon.Because the One's name is legion that eNB disposes, distribution area is wide, each network entity still all is high degree of dispersionization in logic from the geographical position between the Access Layer, operator at all can't be to its implement security centralized control, each eNB is in non-safety zone, so each eNB needs self to generate and each subscriber equipment (UE, User Equipment) between be used for the key of Access Layer (AS, Access Stratum) security mechanism.
Description according to 3GPP TS33.401 agreement, Mobility Management Entity (MME in core net, Mobility Management Entity) initial context of Fa Qiing is set up in the process, eNB need set up AS root key K entrained in the request message according to this initial context after the initial context of receiving MME is set up request message ENB, use key generating function (KDF, Key Derivation Function) to generate three keys that are used for AS integrity protection and encryption: signaling integrity protection key K RrcInt, signaling encryption key K RrcEnc, the ciphering user data key K UpEnc, the length of these three keys is the regular length of 128 bits.
When the RRC of network switches or rebuilds immediately, next fresh jumping that need provide (NH, Next Hop) value or current K according to the MME of core net ENB, generate new AS root key K * ENBWhen not having fresh NH value, need generate K according to target physical sub-district ID (PCI, Target Physical Cell ID), target physical cell downlink carrier frequency (EARFCN-DL, Target Physical Cell Downlink Frequency) * ENBGenerate K * ENBAfter, again according to K * ENBUse KDF to produce three keys that are used for AS integrity protection and encryption.
What KDF adopted is HMAC-SHA-256 (Keyed-Hash Message Authentication Code-Secure Hash Algorithm-256) algorithm, it has two input parameters, one is character string (S), one is AS root key (Key), these two parameters all are variable lengths, in the LTE system, Key is for fixing 256 bits; The output of KDF is fixed as 256 bits.
In the prior art, use KDF to generate three key K RrcInt, K RrcEnc, K UpEncProcess, as shown in Figure 1:
Step 101: be configured to generate K respectively RrcInt, K RrcEnc, K UpEncCharacter string input parameter S1, S2, the S3 of KDF;
Be configured to generate K respectively RrcInt, K RrcEnc, K UpEncCharacter string input parameter S1, S2, the S3 of KDF, wherein,
S1=FC||P0 RrcInt||L0 RrcInt||P1 RrcInt||L1 RrcInt
S2=FC||P0 RrcEnc||L0 RrcEnc||P1 RrcEnc||L1 RrcEnc
S3=FC||P0 UpEnc||L0 UpEnc||P1 UpEnc||L1 UpEnc
Wherein: " || " expression series connection; FC is the KDF instance identification, is used to identify different K DF example, and when using the KDF generation to be used for three safe keys of AS, its value is 0x15; P0 iBe algorithm types sign (algorithm type distinguisher), concrete value sees Table 1; L0 iBe P0 iByte length; RrcInt, RrcEnc and UpEnc in the above-mentioned i expression; Herein, the following target parameter of RrcInt, RrcEnc and UpEnc conduct is respectively to being applied to generate K RrcInt, K RrcEnc, K UpEncParameter; Wherein, P0 RrcIntRRC-int-alg in the correspondence table 1; P0 RrcEncRRC-enc-alg in the correspondence table 1; P0 UpEncUP-enc-alg in the correspondence table 1; P1 iBe the encryption adopted or the sign (algorithm identity) of protection algorithm integrallty, concrete value sees Table 2, such as: when the cryptographic algorithm of selecting is empty algorithm, i.e. Null ciphering algorithm in the table 2, P1 iValue is 0x00, but according to the description of 3GPP TS33.401 agreement, to K RrcIntAlgorithm can not be empty algorithm; L1 iBe P1 iByte length;
algorithm?type?distinguisher Value
RRC-enc-alg 0x03
RRC-int-alg 0x04
UP-enc-alg 0x05
Table 1
algorithm?identity Value
128-EIA1SNOW?3G 0x01
128-EIA2AES 0x02
Null?ciphering?algorithm 0x00
128-EEA?1SNOW?3G?based?algorithm 0x01
128-EEA2AES?based?algorithm 0x02
Table 2
Step 102: call KDF, when the RRC of network initial safe activated, the input parameter of KDF was S1 and K ENBSwitch or rebuild immediately at the RRC of network, the input parameter of KDF is S1 and K * ENB, obtain the KDF output string of 256 bits;
Step 103: low 128 bits of intercepting KDF output string are as K RrcInt
Step 104: call KDF, when the RRC of network initial safe activated, the input parameter of KDF was S2 and K ENBSwitch or rebuild immediately at the RRC of network, the input parameter of KDF is S2 and K * ENBObtain the KDF output string of 256 bits;
Step 105: low 128 bits of intercepting KDF output string are as K RrcEnc
Step 106: call KDF, when the RRC of network initial safe activated, the input parameter of KDF was S3 and K ENBSwitch or rebuild immediately at the RRC of network, the input parameter of KDF is S3 and K * ENBObtain the KDF output string of 256 bits;
Step 107: low 128 bits of intercepting KDF output string are as K UpEnc
As can be seen in order to generate three keys that are used for AS, need call KDF from top process three times, call at every turn and obtain a key; And the output of each KDF is 256 bits, but the length of each key is only required 128 bits, so each invoked procedure has only utilized the part of KDF output.Obviously, such key generation method has not only reduced resource utilization, and has increased the time delay of whole key generation system.
Summary of the invention
In view of this, main purpose of the present invention is to provide a kind of generation method and apparatus of safe key, improves key and generates resource utilization, and reduce the time delay of whole key generation system.
For achieving the above object, technical scheme of the present invention is achieved in that
The present invention realizes a kind of generation method of safe key, and when generating the safe key of Access Layer AS, this method comprises:
If the cryptographic algorithm of selecting is empty algorithm:
Signaling encryption key and ciphering user data key directly are changed to 0; Be configured to generate the character string input parameter of the key generating function KDF of signaling integrity protection key, call KDF, generate signaling integrity protection key by the KDF output string that obtains;
If the cryptographic algorithm of selecting is not empty algorithm:
Be configured to generate the character string input parameter of KDF of wherein two keys of signaling integrity protection key, signaling encryption key and ciphering user data key, call KDF, generate described two keys by the KDF output string that obtains;
Be configured to generate the character string input parameter of the KDF of remaining in signaling integrity protection key, signaling encryption key and a ciphering user data key key, call KDF, generate described key by the KDF output string that obtains.
The described character string input parameter that is configured to generate the KDF of signaling integrity protection key; be specially: choose the parameter that is used to generate signaling integrity protection key: the byte length of the byte length of KDF instance identification, algorithm types sign, algorithm types sign, protection algorithm integrallty sign, protection algorithm integrallty sign; described each parameter is connected, be configured to the character string input parameter of KDF.
Described when the cryptographic algorithm of selecting is empty algorithm, generate signaling integrity protection key by the KDF output string of receiving, be specially: 128 bits of intercepting KDF output string are as described signaling integrity protection key.
The described character string input parameter that is configured to generate the KDF of two keys specifically comprises: a character string is formed in the parameter splicing that will be used to generate described two keys, as the character string input parameter of KDF.
Described character string of parameter splicing composition that will be used to generate two keys; be specially: the parameter of choosing two keys that are used for generating signaling integrity protection key, signaling encryption key and ciphering user data key; comprise: the byte length of byte length, encryption or the protection algorithm integrallty sign of KDF instance identification, algorithm types sign, algorithm types sign, encryption or protection algorithm integrallty sign, will described each parameter connecting is spliced into character string of composition.
The generation method of described a kind of safe key, if the cryptographic algorithm of selecting is not empty algorithm,
Described two keys of described generation are specially: 128 bits that intercept described KDF output string are as a key in described two keys, and 128 bits that intercept described KDF output string again are as another key in described two keys;
The described key of described generation is specially: 128 bits that intercept described KDF output string are as a described remaining key.
The described KDF that calls is specially: KDF obtains described KDF output string with the character string input parameter of AS root key and described KDF as input parameter.
The present invention realizes a kind of generating apparatus of safe key, and this device comprises:
The first string argument constructing module is used in the cryptographic algorithm of selecting during for empty algorithm, is configured to generate the first character string input parameter of KDF of wherein two keys of signaling integrity protection key, signaling encryption key and ciphering user data key;
The second string argument constructing module, be used for when the cryptographic algorithm of selecting is not empty algorithm, be configured to generate the second character string input parameter of the KDF of remaining in signaling integrity protection key, signaling encryption key and a ciphering user data key key, be sent to the KDF processing module; When the cryptographic algorithm of selecting is empty algorithm, be configured to generate the second character string input parameter of the KDF of signaling integrity protection key, be sent to the KDF processing module;
The KDF processing module is used to obtain the KDF output string, and the described KDF output string that will be obtained by the first character string input parameter of described KDF sends to first key production module and second key production module respectively; The described KDF output string that will be obtained by the second character string input parameter of described KDF sends to the 3rd key production module;
First key production module is used in the cryptographic algorithm of selecting during for empty algorithm, generates a key in described two keys by the described KDF output string of receiving; When the cryptographic algorithm of selecting is empty algorithm, with 0 as signaling encryption key or ciphering user data key;
Second key production module is used in the cryptographic algorithm of selecting during for empty algorithm, generates another key in described two keys by the described KDF output string of receiving; When the cryptographic algorithm of selecting is empty algorithm, this module with 0 as ciphering user data key or signaling encryption key;
The 3rd key production module is used for generating a described remaining key by the described KDF output string of receiving when the cryptographic algorithm of selecting is not empty algorithm; When the cryptographic algorithm of selecting is empty algorithm, generate signaling integrity protection key by the KDF output string of receiving.
This device also comprises:
AS root key module is used for providing AS root key to the KDF processing module.
A kind of safe key provided by the invention generates method and apparatus, when generating three keys of AS: if when cryptographic algorithm is empty algorithm, K RrcEnc, K UpEncDirectly be changed to 0, only need call a KDF generates K RrcIntWhen if cryptographic algorithm is not empty algorithm, the parameter that will be used to generate any two key is spliced, call the process of a KDF again, just can obtain this two keys, like this, the generation of three keys only need be called twice KDF and be got final product, thereby omitted once the generative process of complicated key (when cryptographic algorithm is sky, can omit the generative process of two secondary keys), obviously can reduce the amount of calculation of key generation and the time delay of key generation system, when inserting a plurality of UE especially at the same time, this advantage is more remarkable.
Description of drawings
Fig. 1 is for being used for the generative process schematic diagram of three keys of AS in the prior art;
Fig. 2 is for realizing the generation method flow schematic diagram of safe key among the present invention;
The generation method flow schematic diagram of safe key when Fig. 3 is empty algorithm for the cryptographic algorithm of selecting among the present invention;
Fig. 4 is with K among the present invention RrcEncAnd K UpEncThe method flow schematic diagram of the safe key that in once calling the KDF process, generates;
Fig. 5 is with K among the present invention RrcIntAnd K RrcEncThe method flow schematic diagram of the safe key that in once calling the KDF process, generates;
Fig. 6 is with K among the present invention RrcIntAnd K UpEncThe method flow schematic diagram of the safe key that in a KDF process, generates;
Fig. 7 is the structural representation of the device of the generation of realization safe key among the present invention.
Embodiment
Basic thought of the present invention is: generate when being used for the safe key of AS, if the cryptographic algorithm of selecting for use is empty algorithm, equal not carry out ciphering process, can not generate K so RrcEncAnd K UpEnc, then directly with K RrcEncAnd K UpEncTwo keys are changed to 0, call KDF and only generate K RrcIntOtherwise, be configured to generate the character string input parameter of the KDF of wherein any two keys, call KDF, generate this two keys by the KDF output string that obtains; At last, be configured to generate the KDF output string of a remaining key, call KDF, generate this key by the KDF output string that obtains.
Embodiment one: the generative process of safe key as shown in Figure 2, before generating safe key, the communicating pair of network consults the interception way to the KDF output string that generates three keys, and each interception way had better not be identical, promptly three keys of Sheng Chenging have nothing in common with each other, can strengthen fail safe, this method comprises following step:
Step 201: if selected cryptographic algorithm is empty algorithm, equal not carry out ciphering process, can not generate K so RrcEncAnd K UpEnc, then with K RrcEncAnd K UpEncTwo keys directly are changed to 0, change step 205, if selected cryptographic algorithm is not empty algorithm, then change step 202;
Step 202: when the cryptographic algorithm of selecting is not empty algorithm, choose K RrcInt, K RrcEncAnd K UpEncIn two be respectively first key K AS1With second key K AS2, choose and be used to generate K AS1And K AS2Each parameter, and be spliced into and be used to generate K AS1And K AS2The character string input parameter (S1) of KDF;
Choose and be used to generate K AS1Parameter: P0 Key1, L0 Key1, P1 Key1And L1 KeyI, and be used to generate K AS2Parameter: P0 Key2, L0 Key2, P1 Key2And L1 Key2FC=0x15; To be used to generate K AS1And K AS2Parameter be spliced into the character string input parameter S1 of KDF, that is:
S1=FC||P0 Key1||L0 Key1||P1 Key1||L1 Key1||P0 Key2||L0 Key2||P1 Key2||L1 Key2
Wherein, " || " expression series connection, P0 iChoose P1 according to table 1 iChoose L0 according to table 3 iBe P0 iByte length, L1 iBe P1 iByte length, according to table 1 and table 3, L0 i, L1 iValue all be 0x0001, i.e. byte length, the i here represents Key1, Key2, Key1, Key2 are respectively two among RrcInt, the RrcEnc of KAS1 and K AS2 correspondence and the UpEnc;
algorithm?identity Value
128-EIA1SNOW?3G 0x01
128-EIA2AES 0x02
128-EEA1SNOW?3G?based?algorithm 0x01
128-EEA2AES?based?algorithm 0x02
Table 3
Step 203: call KDF, when the RRC of network initial safe activated, its input parameter was S1 and K ENBSwitch or rebuild immediately at the RRC of network, its input parameter is S1 and K * ENBObtain the KDF output string of 256 bits;
Step 204: according to the interception way that the communicating pair of network consults, the 128 different bits that intercept the KDF output string respectively are as K AS1And K AS2
Step 205: when the cryptographic algorithm of selecting is empty algorithm, with K RrcIntAs the 3rd key K AS3When the cryptographic algorithm of selecting is not empty algorithm, choose K RrcInt, K RrcEncAnd K UpEncIn remaining one be K AS3Be configured to generate K AS3The character string input parameter (S2) of KDF;
When the cryptographic algorithm of selecting is empty algorithm, K AS3Be K RrcInt, then choose and be used to generate K RrcIntThe parameter P0 of S2 RrcInt, L0 RrcInt, P1 RrcInt, L1 RrcInt, FC=0x15, the structure S2 be:
S2=FC||P0 RrcInt||L0 RrcInt||P1 RrcInt||L1 RrcInt
Wherein, P0 RrcIntChoose according to table 1; P1 RrcIntBe chosen for 0x04 according to table 3; L0 RrcIntBe P0 RrcIntByte length, L1 RrcIntBe P1 RrcIntByte length, according to table 1 and table 3, L0 RrcInt, L1 RrcIntValue all be 0x0001, i.e. byte length;
When the cryptographic algorithm of selecting is not empty algorithm, choose K RrcInt, K RrcEncAnd K UpEncIn remaining one be K AS3, choose and be used to generate K AS3The parameter P0 of S2 Key3, L0 Key3, P1 Key3, L1 Key3, FC=0x15, the structure S2 be:
S2=FC||P0 Key3||L0 Key3||P1 Key3||L1 Key3
Wherein, P0 Key3Choose P1 according to table 1 Key3Choose L0 according to table 3 Key3Be P0 Key3Byte length, L1 Key3Be P1 Key3Byte length, according to table 1 and table 3, L0 Key3, L1 Key3Value all be 0x0001, i.e. byte length, Key3 is K AS3Among corresponding RrcInt, RrcEnc and the UpEnc one;
Step 206: call KDF, when the RRC of network initial safe activated, its input parameter was S2 and K ENBSwitch or rebuild immediately at the RRC of network, its input parameter is S2 and K * ENBObtain the KDF output string of 256 bits;
Step 207: according to the interception way that the communicating pair of network consults, 128 bits of intercepting KDF output string are as K AS3, current safety key generative process finishes.
By said method, can obtain K AS1, K AS2And K AS3Pairing separately K RrcInt, K RrcEncAnd K UpEnc
Embodiment two: when the cryptographic algorithm of selecting is empty algorithm, what the intercepting of KDF output string was adopted is that the KDF output string is intercepted high or low 128 bits, the present invention realizes the embodiment of the generation method of safe key, as shown in Figure 3, may further comprise the steps:
Step 301: directly signaling encryption key and data encryption key are changed to 0, i.e. K RrcEnc=0, K UpEnc=0;
Step 302: be configured to generate K RrcIntThe character string input parameter (S) of KDF;
Choose and be used to generate K RrcIntParameter: P0 RrcInt, L0 RrcInt, P1 RrcInt, L1 RrcInt, FC=0x15, structure K RrcIntThe character string input parameter of KDF be:
S=FC||P0 RrcInt||L0 RrcInt||P1 RrcInt||L1 RrcInt
Wherein, P0 RrcIntChoose according to table 1, i.e. P0 RrcIntBe 0x04, P1 RrcIntChoose L0 according to table 3 RrcIntBe P0 RrcIntByte length, L1 RrcIntBe P1 RrcIntByte length, according to table 1 and table 3, L0 RrcInt, L1 RrcIntValue all be 0x0001, i.e. byte length, for example:
According to table 3, work as P1 RrcIntDuring for 128-EIA1SNOW 3G:
S=0x15||0x04||0x0001||0x01||0x0001,
And for example, work as P1 RrcIntDuring for 128-EIA2AES, S=0x15||0x04||0x0001||0x02||0x0001;
Step 303: call KDF, when the RRC of network initial safe activated, its input parameter was S and K ENBSwitch or rebuild immediately at the RRC of network, its input parameter is S and K * ENBObtain the KDF output string of 256 bits;
Step 304: high or low 128 bits of intercepting KDF output string are as K RrcInt
Embodiment three: when the cryptographic algorithm of selecting is not empty algorithm, with K RrcEncAnd K UpEncIn the process of once calling KDF, generate, what the intercepting of KDF output string was adopted is that the KDF output string is intercepted high 128 bits or low 128 bits, the present invention realizes a kind of embodiment of generation method of safe key, as shown in Figure 4, may further comprise the steps:
Step 401: choose and be used to generate K RrcEncAnd K UpEncEach parameter, and be spliced into the character string input parameter (S1) of KDF;
Concrete, choose and be used to generate K RrcEncParameter: P0 RrcEnc, L0 RrcEnc, P1 RrcEnc, L1 RrcEncAnd be used to generate K UpEncParameter: P0 UpEnc, L0 UpEnc, P1 UpEnc, L1 UpEncWherein, P0 iChoose P1 according to table 1 iChoose L0 according to table 3 iBe P0 iByte length, L1 iBe P1 iByte length, according to table 1 and table 3, L0 i, L1 iValue all be 0x0001, i.e. byte length, the i here represents RrcEnc, UpEnc, promptly according to table 1, P0 RrcEncBe 0x03, P0 UpEncBe 0x05; Be spliced into and be used to generate K RrcEncAnd K UpEncThe character string input parameter of KDF be:
S1=FC||P0 RrcEnc|| L0 RrcEnc|| P1 RrcEnc|| L1 RrcEnc|| P0 UpEnc|| L0 UpEnc|| P1 UpEnc|| L1 UpEnc, for example:
According to table 3, work as P1 RrcEncAnd P1 UpEncBe 128-EIA1SNOW 3G, the time:
S1=0x15||0x03||0x0001||0x01||0x0001||0x05||0x0001||0x01||0x0001,
Perhaps, work as P1 RrcEncAnd P1 UpEncDuring for 128-EEA2AES based algorithm:
S1=0x15||0x03||0x0001||0x02||0x0001||0x05||0x0001||0x02||0x0001;
Step 402: call KDF, when the RRC of network initial safe activated, its input parameter was S1 and K ENBSwitch or rebuild immediately at the RRC of network, its input parameter is S1 and K * ENBObtain the KDF output string of 256 bits;
Step 403: high 128 bits of intercepting KDF output string are as K RrcEnc, low 128 bits of intercepting KDF output are as K UpEncPerhaps, high 128 bits of intercepting KDF output string are as K UpEnc, low 128 bits of intercepting KDF output are as K RrcEnc
Step 404: be configured to generate K RrcIntThe character string input parameter (S2) of KDF:
Choose and be used to generate K RrcIntParameter: P0 RrcInt, L0 RrcInt, P1 RrcInt, L1 RrcInt, FC=0x15 is used to generate K RrcIntThe character string input parameter of KDF be:
S2=FC||P0 RrcInt||L0 RrcInt||P1 RrcInt||L1 RrcInt
Wherein, P0 RrcIntChoose P0 according to table 1 RrcIntBe 0x04; P1 RrcIntChoose according to table 3; L0 RrcIntBe P0 RrcIntByte length, L1 RrcIntBe P1 RrcIntByte length, according to table 1 and table 3, L0 RrcInt, L1 RrcIntValue all be 0x0001, i.e. byte length, for example:
According to table 3, work as P1 RrcIntDuring for 128-EIA1SNOW 3G:
S2=0x15||0x04||0x0001||0x01||0x0001,
Perhaps work as P1 RrcIntDuring for 128-EIA2AES:
S2=0x15||0x04||0x0001||0x02||0x0001;
Step 405: call KDF, when the RRC of network initial safe activated, its input parameter was S2 and K ENBSwitch or rebuild immediately at the RRC of network, its input parameter is S2 and K * ENBObtain the KDF output string of 256 bits;
Step 406: high or low 128 bits of intercepting KDF output string are as K RrcInt
Embodiment four: when the cryptographic algorithm of selecting is not empty algorithm, with K RrcIntAnd K RrcEncIn the process of once calling KDF, generate, what the intercepting of KDF output string was adopted is that the KDF output string is intercepted high 128 bits or low 128 bits, the present invention realizes a kind of embodiment of generation method of safe key, as shown in Figure 5, may further comprise the steps:
Step 501: choose and be used to generate K RrcIntAnd K RrcEncEach parameter, and be spliced into the character string input parameter (S1) of KDF;
Concrete, choose and be used to generate K RrcIntParameter: P0 RrcInt, L0 RrcInt, P1 RrcInt, L1 RrcInt, be used to generate K RrcEncParameter: P0 RrcEnc, L0 RrcEnc, P1 RrcEnc, L1 RrcEncFC=0x15; Be spliced into and be used to generate K RrcIntAnd K RrcEncThe character string input parameter of KDF be:
S1=FC||P0 RrcInt||L0 RrcInt||P1 RrcInt||L1 RrcInt||P0 RrcEnc||L0 RrcEnc||P1 RrcEnc||L1 RrcEnc
Wherein, P0 iChoose P1 according to table 1 iChoose L0 according to table 3 iBe P0 iByte length, L1 iBe P1 iByte length, according to table 1 and table 3, L0 i, L1 iValue all be 0x0001, i.e. byte length, the i here represents RrcInt, RrcEnc, promptly according to table 1, P0 RrcIntBe 0x04, P0 RrcEncBe 0x03; For example:
According to table 3, work as P1 RrcIntBe 128-EIA1SNOW 3G and P1 RrcEncDuring for 128-EEA1SNOW3G based algorithm:
S1=0x15||0x04||0x0001||0x01||0x0001||0x03||0x0001||0x01||0x0001;
And for example, work as P1 RrcIntBe 128-EIA2AES and P1 RrcEncDuring for 128-EEA2AES basedalgorithm:
S1=0x1||0x04||0x0001||0x02||0x00015||0x03||0x0001||0x02||0x0001;
And for example, work as P1 RrcIntBe 128-EIA1SNOW 3G and P1 RrcEncDuring for 128-EEA2AES basedalgorithm:
S1=0x15||0x04||0x0001||0x01||0x0001||0x03||0x0001||0x02||0x0001;
For another example, work as P1 RrcIntBe 128-EIA2AES and P1 RrcEncDuring for 128-EEA1SNOW 3G based algorithm:
S1=0x15||0x04||0x0001||0x02||0x0001||0x03||0x0001||0x01||0x0001;
Step 502: call KDF, when the RRC of network initial safe activated, its input parameter was S1 and K ENBSwitch or rebuild immediately at the RRC of network, its input parameter is S1 and K * ENBObtain the KDF output string of 256 bits;
Step 503: high 128 bits of intercepting KDF output string are as K RrcInt, low 128 bits of intercepting KDF output string are as K RrcEncHigh 128 bits that perhaps intercept the KDF output string are as K RrcEnc, low 128 bits of intercepting KDF output string are as K RrcInt
Step 504: be configured to generate K UpEncThe character string input parameter (S2) of KDF;
Choose and be used to generate K UpEncParameter: P0 UpEnc, L0 UpEnc, P1 UpEnc, L1 UpEnc, FC is configured to generate K UpEncThe character string input parameter of KDF be:
S2=FC||P0 UpEnc||L0 UpEnc||P1 UpEnc||L1 UpEnc
Wherein, " || " expression series connection, P0 UpEncChoose according to table 1, i.e. P0 UpEncBe 0x05, P1 UpEncChoose L0 according to table 3 UpEncBe P0 UpEncByte length, L1 UpEncBe P1 UpEncByte length, according to table 1 and table 3, L0 UpEnc, L1 UpEncValue all be 0x0001, i.e. byte length, FC=0x15; For example:
According to table 3, work as P1 UpEncDuring for 128-EIA1SNOW 3G:
S2=0x15||0x05||0x0001||0x01||0x0001;
And for example, work as P1 UpEncDuring for 128-EIA2AES:
S2=0x15||0x05||0x0001||0x02||0x0001;
Step 505: call KDF, when the RRC of network initial safe activated, its input parameter was S2 and K ENBSwitch or rebuild immediately at the RRC of network, its input parameter is S2 and K * ENBObtain the KDF output string of 256 bits;
Step 506: high or low 128 bits of intercepting KDF output string are as K UpEnc
Embodiment five: when the cryptographic algorithm of selecting is not empty algorithm, with K RrcIntAnd K UpEncGenerate in once calling the KDF process, what the intercepting of KDF output string was adopted is that the KDF output string is intercepted high or low 128 bits, and the present invention realizes a kind of embodiment of generation method of safe key, as shown in Figure 6, may further comprise the steps:
Step 601: choose and be used to generate K RrcIntAnd K UpEncEach parameter, and be spliced into and be used to generate K RrcIntAnd K UpEncThe character string input parameter (S1) of KDF;
Concrete, choose and be used to generate K RrcIntParameter: P0 RrcInt, L0 RrcInt, P1 RrcInt, L1 RrcInt, be used to generate K UpEncParameter: P0 UpEnc, L0 UpEnc, P1 UpEnc, L1 UpEncFC=0x15; Be spliced into and be used to generate K RrcIntAnd K UpEncThe character string input parameter of KDF be:
S1=FC||P0 RrcInt||L0 RrcInt||P1 RrcInt||L1 RrcInt||P0 UpEnc||L0 UpEnc||P1 UpEnc||L1 UpEnc
Wherein, " || " expression series connection, P0 iChoose P1 according to table 1 iChoose L0 according to table 3 iBe P0 iByte length, L1 iBe P1 iByte length, according to table 1 and table 3, L0 i, L1 iValue all be 0x0001, i.e. byte length, the i here represents RrcInt, UpEnc, promptly according to table 1, P0 RrcIntBe 0x04, P0 UpEncBe 0x05;
For example:
According to table 3, work as P1 RrcIntBe 128-EIA1SNOW 3G, P1 UpEncDuring for 128-EEA1SNOW 3Gbased algorithm:
S1=0x15||0x04||0x0001||0x01||0x0001||0x05||0x0001||0x01||0x0001;
And for example, work as P1 RrcIntBe 128-EIA2AES, P1 UpEncDuring for 128-EEA2AES basedalgorithm:
S1=0x15||0x04||0x0001||0x02||0x0001||0x05||0x0001||0x02||0x0001;
And for example, work as P1 RrcIntBe 128-EIA1SNOW 3G, P1 UpEncDuring for 128-EEA2AES based algorithm:
S1=0x15||0x04||0x0001||0x01||0x0001||0x05||0x0001||0x02||0x0001;
For another example, work as P1 RrcIntBe 128-EIA2AES, P1 UpEncDuring for 128-EEA1SNOW 3G based algorithm:
S1=0x15||0x04||0x0001||0x02||0x0001||0x05||0x0001||0x01||0x0001;
Step 602: call KDF, when the RRC of network initial safe activated, its input parameter was S1 and K ENBSwitch or rebuild immediately at the RRC of network, its input parameter is S1 and K * ENBObtain the KDF output string of 256 bits;
Step 603: high 128 bits of intercepting KDF output string are as K RrcInt, low 128 bits of intercepting KDF output string are as K UpEncPerhaps, high 128 bits of intercepting KDF output string are as K UpEnc, low 128 bits of intercepting KDF output string are as K RrcInt
Step 604: be configured to generate K RrcEncThe character string input parameter (S2) of KDF:
Choose and be used to generate K RrcEncParameter: P0 RrcEnc, L0 RrcEnc, P1 RrcEnc, L1 RrcEnc, FC=0x15 is configured to generate K RrcEncThe character string input parameter of KDF be:
S2=FC||P0 RrcEnc||L0 RrcEnc||P1 RrcEnc||L1 RrcEnc
Wherein, " || " expression series connection, P0 RrcEncChoose according to table 1, i.e. P0 RrcEncBe 0x03, P1 RrcEncChoose L0 according to table 3 RrcEncBe P0 RrcEncByte length, L1 RrcEncBe P1 RrcEncByte length, according to table 1 and table 3, L0 RrcEnc, L1 RrcEncValue all be 0x0001, i.e. byte length;
For example:
According to table 3, work as P1 RrcEncDuring for 128-EIA1SNOW 3G:
S2=0x15||0x03||0x0001||0x01||0x0001;
And for example, work as P1 RrcEncDuring for 128-EIA2AES:
S2=0x15||0x03||0x0001||0x02||0x0001;
Step 605: call KDF, when the RRC of network initial safe activated, its input parameter was S2 and K ENBSwitch or rebuild immediately at the RRC of network, its input parameter is S2 and K * ENBObtain the KDF output string of 256 bits;
Step 606: high or low 128 bits of intercepting KDF output string are as K RrcEnc
Based on above-mentioned method, realize the device that safe key generates among the present invention, before generating safe key, the communicating pair of network consults the interception way to the KDF output string that generates three keys, and each interception way had better not be identical, promptly three keys of Sheng Chenging have nothing in common with each other, and as shown in Figure 7, this device comprises:
The first string argument constructing module 71, the second string argument constructing module 72, KDF processing module 74, first key production module 75, second key production module 76, the 3rd key production module 77; Wherein,
The first string argument constructing module 71, be used for when the cryptographic algorithm of selecting is not empty algorithm, be configured to generate the first character string input parameter of KDF of wherein two keys of signaling integrity protection key, signaling encryption key and ciphering user data key, the first character string input parameter is sent to KDF processing module 74; Be configured to generate the character string input parameter of the KDF of two keys, specifically: a character string is formed in the parameter splicing that will be used to generate described two keys, and as the character string input parameter of KDF, the parameter of choosing is; The byte length of byte length, encryption or the protection algorithm integrallty sign of the KDF instance identification relevant, algorithm types sign, algorithm types sign, encryption or protection algorithm integrallty sign with each key; when the cryptographic algorithm of selecting was empty algorithm, this module was not worked.
The second string argument constructing module 72, be used for when the cryptographic algorithm of selecting is not empty algorithm, be configured to generate the second character string input parameter of the KDF of remaining in signaling integrity protection key, signaling encryption key and a ciphering user data key key, be sent to KDF processing module 74; When the cryptographic algorithm of selecting is empty algorithm, be configured to generate the second character string input parameter of the KDF of signaling integrity protection key, be sent to KDF processing module 74;
KDF processing module 74, be used for when the cryptographic algorithm of selecting is not empty algorithm, obtain the KDF output string, the KDF output string that will be obtained by the first character string input parameter that the first string argument constructing module 71 transmits sends to first key production module 75 and second key production module 76 respectively; The KDF output string that will be obtained by the second character string input parameter that the second string argument constructing module 72 transmits sends to the 3rd key production module 77; When the cryptographic algorithm of selecting was empty algorithm, only the KDF output string that will be obtained by the second character string input parameter that the second string argument constructing module 72 transmits sent to the 3rd key production module 77;
First key production module 75 is used in the cryptographic algorithm of selecting during for empty algorithm, and the interception way that consults according to the communicating pair of network generates a key in described two keys by the KDF output string of receiving; When the cryptographic algorithm of selecting is empty algorithm, with 0 as signaling encryption key or ciphering user data key;
Second key production module 76 is used in the cryptographic algorithm of selecting during for empty algorithm, and the interception way that consults according to the communicating pair of network generates another key in described two keys by the KDF output string of receiving; When the cryptographic algorithm of selecting is empty algorithm, this module with 0 as ciphering user data key or signaling encryption key;
The 3rd key production module 77 is used in the cryptographic algorithm of selecting during for empty algorithm, and the interception way according to the communicating pair of network consults generates a remaining key by the KDF output string of receiving; When the cryptographic algorithm of selecting is empty algorithm, generate signaling integrity protection key by the KDF output string of receiving;
KDF processing module 74 is provided with can be provided with the first string argument constructing module 71 and first key production module 75 in the correspondence, second key production module 76 is corresponding, is about to send to first key production module 75, second key production module 76 respectively by the KDF output string that the first character string input parameter that the first string argument constructing module 71 transmits obtains; Correspondingly, it is corresponding with the 3rd key production module 77 that the second string argument constructing module 72 is set, and is about to send to the 3rd key production module 77 by the KDF output string that the second character string input parameter that the second string argument constructing module 72 transmits obtains.
The above KDF output string can be 256 bits, and any 128 bits of each key production module intercepting KDF output string are as the gained key.
Further, this device also comprises: AS root key module 73;
AS root key module 73 is used for providing AS root key to KDF processing module 74, particularly, when the RRC of network initial safe activates, provides another input parameter of KDF: K ENBSwitch or rebuild immediately at the RRC of network, another input parameter of KDF: K is provided * ENB
The above is preferred embodiment of the present invention only, is not to be used to limit protection scope of the present invention, all any modifications of being done within the spirit and principles in the present invention, is equal to and replaces and improvement etc., all should be included within protection scope of the present invention.

Claims (9)

1. the generation method of a safe key is characterized in that, this method comprises when generating the safe key of Access Layer AS:
If the cryptographic algorithm of selecting is empty algorithm:
Signaling encryption key and ciphering user data key directly are changed to 0; Be configured to generate the character string input parameter of the key generating function KDF of signaling integrity protection key, call KDF, generate signaling integrity protection key by the KDF output string that obtains;
If the cryptographic algorithm of selecting is not empty algorithm:
Be configured to generate the character string input parameter of KDF of wherein two keys of signaling integrity protection key, signaling encryption key and ciphering user data key, call KDF, generate described two keys by the KDF output string that obtains;
Be configured to generate the character string input parameter of the KDF of remaining in signaling integrity protection key, signaling encryption key and a ciphering user data key key, call KDF, generate described key by the KDF output string that obtains.
2. the generation method of a kind of safe key according to claim 1; it is characterized in that; the described character string input parameter that is configured to generate the KDF of signaling integrity protection key; be specially: choose the parameter that is used to generate signaling integrity protection key: the byte length of the byte length of KDF instance identification, algorithm types sign, algorithm types sign, protection algorithm integrallty sign, protection algorithm integrallty sign; described each parameter is connected, be configured to the character string input parameter of KDF.
3. the generation method of a kind of safe key according to claim 1 and 2; it is characterized in that; it is described when the cryptographic algorithm of selecting is empty algorithm; generate signaling integrity protection key by the KDF output string of receiving, be specially: 128 bits of intercepting KDF output string are as described signaling integrity protection key.
4. the generation method of a kind of safe key according to claim 1, it is characterized in that, the described character string input parameter that is configured to generate the KDF of two keys, specifically comprise: will be used to generate character string of parameter splicing composition of described two keys, as the character string input parameter of KDF.
5. the generation method of a kind of safe key according to claim 4; it is characterized in that; described character string of parameter splicing composition that will be used to generate two keys; be specially: choose and be used to generate signaling integrity protection key; the parameter of two keys in signaling encryption key and the ciphering user data key; comprise: the KDF instance identification; the algorithm types sign; the byte length of algorithm types sign; encrypt or the protection algorithm integrallty sign; encrypt or the byte length of protection algorithm integrallty sign, will described each parameter connecting is spliced into character string of composition.
6. according to the generation method of claim 1 or 4 or 5 described a kind of safe keys, it is characterized in that, if the cryptographic algorithm of selecting is not empty algorithm,
Described two keys of described generation are specially: 128 bits that intercept described KDF output string are as a key in described two keys, and 128 bits that intercept described KDF output string again are as another key in described two keys;
The described key of described generation is specially: 128 bits that intercept described KDF output string are as a described remaining key.
7. the generation method of a kind of safe key according to claim 1 is characterized in that, the described KDF that calls is specially: KDF obtains described KDF output string with the character string input parameter of AS root key and described KDF as input parameter.
8. the generating apparatus of a safe key is characterized in that, this device comprises:
The first string argument constructing module is used in the cryptographic algorithm of selecting during for empty algorithm, is configured to generate the first character string input parameter of KDF of wherein two keys of signaling integrity protection key, signaling encryption key and ciphering user data key;
The second string argument constructing module, be used for when the cryptographic algorithm of selecting is not empty algorithm, be configured to generate the second character string input parameter of the KDF of remaining in signaling integrity protection key, signaling encryption key and a ciphering user data key key, be sent to the KDF processing module; When the cryptographic algorithm of selecting is empty algorithm, be configured to generate the second character string input parameter of the KDF of signaling integrity protection key, be sent to the KDF processing module;
The KDF processing module is used to obtain the KDF output string, and the described KDF output string that will be obtained by the first character string input parameter of described KDF sends to first key production module and second key production module respectively; The described KDF output string that will be obtained by the second character string input parameter of described KDF sends to the 3rd key production module;
First key production module is used in the cryptographic algorithm of selecting during for empty algorithm, generates a key in described two keys by the described KDF output string of receiving; When the cryptographic algorithm of selecting is empty algorithm, with 0 as signaling encryption key or ciphering user data key;
Second key production module is used in the cryptographic algorithm of selecting during for empty algorithm, generates another key in described two keys by the described KDF output string of receiving; When the cryptographic algorithm of selecting is empty algorithm, this module with 0 as ciphering user data key or signaling encryption key;
The 3rd key production module is used for generating a described remaining key by the described KDF output string of receiving when the cryptographic algorithm of selecting is not empty algorithm; When the cryptographic algorithm of selecting is empty algorithm, generate signaling integrity protection key by the KDF output string of receiving.
9. the generating apparatus of a kind of safe key according to claim 8 is characterized in that, this device also comprises:
AS root key module is used for providing AS root key to the KDF processing module.
CN200910151993.1A 2009-06-30 2009-07-15 Generation method and device of safe keys Active CN101938743B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN200910151993.1A CN101938743B (en) 2009-06-30 2009-07-15 Generation method and device of safe keys
PCT/CN2010/072691 WO2011006390A1 (en) 2009-07-15 2010-05-12 Method and device for generating security keys

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
CN200910158444.7 2009-06-30
CN200910158444 2009-06-30
CN200910151993.1A CN101938743B (en) 2009-06-30 2009-07-15 Generation method and device of safe keys

Publications (2)

Publication Number Publication Date
CN101938743A true CN101938743A (en) 2011-01-05
CN101938743B CN101938743B (en) 2013-05-08

Family

ID=43391826

Family Applications (1)

Application Number Title Priority Date Filing Date
CN200910151993.1A Active CN101938743B (en) 2009-06-30 2009-07-15 Generation method and device of safe keys

Country Status (1)

Country Link
CN (1) CN101938743B (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103563290A (en) * 2011-06-01 2014-02-05 国际商业机器公司 Combining key control information in common cryptographic architecture services
CN110191084A (en) * 2019-03-27 2019-08-30 青岛海信电子设备股份有限公司 The encapsulation of IPsec data, method of reseptance and device
CN110771205A (en) * 2017-06-15 2020-02-07 高通股份有限公司 Refreshing security keys in 5G wireless systems
CN112771815A (en) * 2020-03-31 2021-05-07 华为技术有限公司 Key processing method and device

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100456669C (en) * 2003-09-22 2009-01-28 华为技术有限公司 Method of distributing group secret keys
CN100579010C (en) * 2007-05-09 2010-01-06 中兴通讯股份有限公司 Method and system for generating and transmitting key
CN101257723A (en) * 2008-04-08 2008-09-03 中兴通讯股份有限公司 Method, apparatus and system for generating cipher key

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103563290A (en) * 2011-06-01 2014-02-05 国际商业机器公司 Combining key control information in common cryptographic architecture services
CN103563290B (en) * 2011-06-01 2016-03-16 国际商业机器公司 The method and system of combination key control information in the service of public encryption architecture
CN110771205A (en) * 2017-06-15 2020-02-07 高通股份有限公司 Refreshing security keys in 5G wireless systems
CN110771205B (en) * 2017-06-15 2022-03-29 高通股份有限公司 Refreshing security keys in 5G wireless systems
US11503461B2 (en) 2017-06-15 2022-11-15 Qualcomm Incorporated Refreshing security keys in 5G wireless systems
CN110191084A (en) * 2019-03-27 2019-08-30 青岛海信电子设备股份有限公司 The encapsulation of IPsec data, method of reseptance and device
CN112771815A (en) * 2020-03-31 2021-05-07 华为技术有限公司 Key processing method and device

Also Published As

Publication number Publication date
CN101938743B (en) 2013-05-08

Similar Documents

Publication Publication Date Title
EP2868029B1 (en) Key agreement for wireless communication
US11856402B2 (en) Identity-based message integrity protection and verification for wireless communication
US9326142B2 (en) Cryptographic key generation
Choudhury et al. Enhancing user identity privacy in LTE
KR102112542B1 (en) Method and system for generating session key using Diffie-Hellman procedure
CN101511084B (en) Authentication and cipher key negotiation method of mobile communication system
US9088408B2 (en) Key agreement using a key derivation key
Saxena et al. Authentication protocol for an IoT-enabled LTE network
US11082843B2 (en) Communication method and communications apparatus
CN108809635A (en) Anchor key generation method, equipment and system
CN101552983A (en) Key generating method, key generating device, mobile management entity and user equipment
EP2648437B1 (en) Method, apparatus and system for key generation
US10320917B2 (en) Key negotiation processing method and apparatus
CN104661217A (en) Authentication and key derivation method and system based on TD-LTE (time division-long term evolution) network
CN101938743B (en) Generation method and device of safe keys
CN112134831B (en) Method and device for sending and processing access request
CN104735626A (en) Achieving method and device for trunking group communication public security
Deng et al. A novel 3GPP SAE authentication and key agreement protocol
Farhat et al. An extended authentication and key agreement protocol of UMTS
CN110536289A (en) Key providing method and device thereof, mobile terminal, communication equipment and storage medium
Zugenmaier et al. Security technology for SAE/LTE
RU2781250C2 (en) Method for key formation, user equipment, device, computer-readable data carrier and communication system
Zhang et al. 5G AKA Cryptographic Functions Based on SM4 Algorithm
CN116782211A (en) Determination method of switching key, switching method and device
Peng et al. A novel key derivation method for eavesdropper in LTE system

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant