CN101964803B - System and method for establishing session key between nodes - Google Patents

System and method for establishing session key between nodes Download PDF

Info

Publication number
CN101964803B
CN101964803B CN2010105185631A CN201010518563A CN101964803B CN 101964803 B CN101964803 B CN 101964803B CN 2010105185631 A CN2010105185631 A CN 2010105185631A CN 201010518563 A CN201010518563 A CN 201010518563A CN 101964803 B CN101964803 B CN 101964803B
Authority
CN
China
Prior art keywords
key
terminal equipment
connection device
sta
field
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN2010105185631A
Other languages
Chinese (zh)
Other versions
CN101964803A (en
Inventor
铁满霞
李琴
黄振海
胡亚楠
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Iwncomm Co Ltd
Original Assignee
China Iwncomm Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Iwncomm Co Ltd filed Critical China Iwncomm Co Ltd
Priority to CN2010105185631A priority Critical patent/CN101964803B/en
Priority to PCT/CN2011/070016 priority patent/WO2012055172A1/en
Publication of CN101964803A publication Critical patent/CN101964803A/en
Application granted granted Critical
Publication of CN101964803B publication Critical patent/CN101964803B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0838Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/061Network architectures or network communication protocols for network security for supporting key management in a packet data network for key exchange, e.g. in peer-to-peer networks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0891Revocation or update of secret information, e.g. encryption key update or rekeying

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention relates to a system for establishing a session key between nodes. The system comprises terminal equipment and connecting equipment, wherein the terminal equipment comprises initiating end terminal equipment and receiving end terminal equipment; the connecting equipment comprises core connecting equipment, initiating end connecting equipment on a link between the initiating end connecting equipment and the core connecting equipment and receiving end connecting equipment on a link between the receiving end connecting equipment and the core connecting equipment. The invention solves the technical problem that the distributing and the updating processes of the nodes in a local area network are extremely complicated, has flexible establishing process, can realize the establishment of the session key between the nodes without users to participate in configuration and guarantees the confidentiality of subsequent communication between the nodes.

Description

Session key sets up system and method between node
Technical field
The present invention relates to network communications technology field, be specifically related to the system and method for setting up of session key between node.
Background technology
Cable LAN is generally broadcast type network, the data that node sends, and other node can both be received.Each nodes sharing channel on the network, this has brought great potential safety hazard to network.The assailant just can catch packets all on the network as long as access network is monitored.
The local area network (LAN) LAN of existing standard GB/T 15629.3 (corresponding IEEE 802.3 or ISO/IEC 8802-3) definition does not provide data encryption method, so just makes the assailant steal key message easily.In the international research field, the IEEE 802.1AE standard that IEEE formulated provides data encryption protocol for the protection Ethernet, and adopts the safety measure of hop-by-hop encryption to realize that the safety of data is passed between the network node.This safety measure has brought huge computation burden for the switching equipment in the local area network (LAN), causes the attack of assailant to switching equipment easily; And packet also can increase from the time-delay that sending node is delivered to destination node, has reduced network transmission efficiency.
The topological structure more complicated of cable LAN, the node that relates to (here, terminal and switching equipment are collectively referred to as node) number is also many, so the data communication more complicated in the network.If for distributing static key to setting up session key between node between LAN node, its distribution and renewal process are very complicated.Therefore, the mode that static keys is right also is not suitable for setting up session key between node.
Summary of the invention
In order to solve the above-mentioned technical problem that exists in the background technology, the invention provides the system and method for setting up of session key between node, make and can set up and upgrade the session key between them flexibly between the legal node of local area network (LAN).
The system that sets up of session key between node, this system comprises two types equipment, representes with terminal equipment and connection device respectively; Wherein, connection device is constantly cascade in network, and terminal equipment can only be connected in the network through connection device, and any equipment all can not pass through the terminal equipment access network; Selecting perhaps in the connection device specifies a specific connection device as the core connection device in these connection devices; All connection devices all need to set up safety with this core connection device and are connected; All terminal equipments are all set up safety with the connection device (this connection device is from the nearest connection device of terminal equipment) that directly links to each other and are connected; In this system, all can set up safety connection between the two between two any terminal equipments through the connection device and the core connection device that directly link to each other.
With the first terminal equipment STA-A, the second terminal equipment STA-B in the system is that example describes; The first terminal equipment STA-A directly links to each other with the first connection device SW1; The second terminal equipment STA-B directly links to each other with the second connection device SW2, and connection device SW-Center is the core connection device in this system; The then said first connection device SW1 and the second connection device SW2 exist safety to be connected with core connection device SW-Center respectively; The said first connection device SW1 exists safety to be connected with the first terminal equipment STA-A, and the said second connection device SW2 exists safety to be connected with the second terminal equipment STA-B; The foundation of session key is to generate a random number and secret the announcement to the other side respectively by the first terminal equipment STA-A and the second terminal equipment STA-B between the first terminal equipment STA-A and the second terminal equipment STA-B, and first terminal equipment STA-A random number that utilization generates oneself with the second terminal equipment STA-B and the random number calculating that is generated by the other side of receiving can obtain and set up consistent session key.
The method for building up of session key between node may further comprise the steps:
1] between the first terminal equipment STA-A and the first connection device SW1, between the first connection device SW1 and the core connection device SW-Center, between core connection device SW-Center and the second connection device SW2, setting up safety between the second connection device SW2 and the second terminal equipment STA-B is connected;
2] the first terminal equipment STA-A sends the first key negotiation request packet M1 and gives the first connection device SW1; Give the first connection device SW1 with the secret announcement of first terminal equipment inquiry random number that oneself generates;
3] the first connection device SW1 sends the second key negotiation request packet M2 to core connection device SW-Center after receiving the first key negotiation request packet M1; The first connection device SW1 gives core connection device SW-Center through the secret announcement of first terminal equipment inquiry random number that the second key negotiation request packet M2 will obtain;
4] core connection device SW-Center sends the 3rd key negotiation request packet M3 to the second connection device SW2 after receiving the second key negotiation request packet M2; Core connection device SW-Center gives the second connection device SW2 through the secret announcement of first terminal equipment inquiry random number that the 3rd key negotiation request packet M3 will obtain;
5] the second connection device SW2 receives the 3rd key negotiation request packet M3 and sends the 4th key negotiation request packet M4 to the second terminal equipment STA-B; The second connection device SW2 gives the second terminal equipment STA-B through the secret announcement of first terminal equipment inquiry random number that the 4th key negotiation request packet M4 will obtain;
6] the second terminal equipment STA-B receives the 4th key negotiation request packet M4 and sends the 4th key negotiation response packet M5 to the second connection device SW2; The second terminal equipment STA-B after first terminal equipment that utilization obtains inquiry random number and own second terminal equipment inquiry random number that generates calculate session key, through the 4th key negotiation response packet M5 with own secret announcement of second terminal equipment inquiry random number that generates to the second connection device SW2;
7] the second connection device SW2 sends the 3rd key negotiation response packet M6 to core connection device SW-Center after receiving the 4th key negotiation response packet M5; The second connection device SW2 gives core connection device SW-Center through the secret announcement of second terminal equipment inquiry random number that the 3rd key negotiation response packet M6 will obtain;
8] core connection device SW-Center sends the second key negotiation response packet M7 to the first connection device SW1 after receiving the 3rd key negotiation response packet M6; Core connection device SW-Center gives the first connection device SW1 through the secret announcement of second terminal equipment inquiry random number that the second key negotiation response packet M7 will obtain;
9] the first connection device SW1 sends the first key negotiation response packet M8 to the first terminal equipment STA-A after receiving the second key negotiation response packet M7; The first connection device SW1 gives the first terminal equipment STA-A through the secret announcement of second terminal equipment inquiry random number that the first key negotiation response packet M8 will obtain;
10] the first terminal equipment STA-A receives the first key negotiation response packet M8; Utilize first terminal equipment inquiry random number that oneself generates and second terminal equipment inquiry random number that obtains to calculate session key, the foundation of the session key between the completion and the second terminal equipment STA-B.Adopt session key KEY between the first terminal equipment STA-A and the second terminal equipment STA-B A-BCarry out confidential corespondence.
The method for building up of session key between above-mentioned node, it specifically may further comprise the steps:
1] between the first terminal equipment STA-A and the first connection device SW1, between the first connection device SW1 and the core connection device SW-Center, between core connection device SW-Center and the second connection device SW2, setting up safety between the second connection device SW2 and the second terminal equipment STA-B is connected;
1.1] set up between the first terminal equipment STA-A and the first connection device SW1 and have first and share key K EY A-1Safety connect; The said first connection device SW1 is meant first connection device of the packet process from the first terminal equipment STA-A to the second terminal equipment STA-B;
1.2] set up between the first connection device SW1 and the core connection device SW-Center and have second and share key K EY 1-CenterSafety connect; Said core connection device SW-Center is a specific connection device, every other connection device all need set up and core connection device SW-Center between safety connect;
1.3] set up between core connection device SW-Center and the second connection device SW2 and have the 3rd and share key K EY 2-CenterSafety connect; The said second connection device SW2 is meant last connection device of the packet process from the first terminal equipment STA-A to the second terminal equipment STA-B;
1.4] set up between the second connection device SW2 and the second terminal equipment STA-B and have the 4th and share key K EY B-2Safety connect;
2] the first terminal equipment STA-A sends the first key negotiation request packet M1 and gives the first connection device SW1;
Said first key agreement is asked and please be divided into groups to comprise ID STA-BField, E 1(Nonce A) field and Message Authentication Code MIC1 field; Said ID STA-BField is represented the sign of the second terminal equipment STA-B; Said E 1(Nonce A) field is expression inquiry data, is to utilize first to share key K EY by the first terminal equipment STA-A A-1To first terminal equipment inquiry random number N once AData encrypted; Nonce wherein AIt is first terminal equipment inquiry random number that generates by the first terminal equipment STA-A; Said MIC1 field is represented the message integrity identifying code, is to utilize first to share key K EY by the first terminal equipment STA-A A-1The Hash Value that other outer fields of this field among this first key negotiation request packet M1 are calculated through hash function;
3] after the first connection device SW1 receives the first key negotiation request packet M1, make following processing:
3.1] the first connection device SW1 utilizes first to share key K EY A-1Whether MIC1 is correct in checking, if incorrect, then abandon first key agreement and asks and please divide into groups; Otherwise, execution in step 3.2];
3.2] the first connection device SW1 utilizes first to share key K EY A-1Deciphering E 1(Nonce A) field obtains first terminal equipment inquiry random number N once A
3.3] the first connection device SW1 constructs the second key negotiation request packet M2 and sends to core connection device SW-Center: the said second key negotiation request packet M2 comprises ID STA-AField, ID STA-BField, E 2(Nonce A) field and Message Authentication Code MIC2 field, said ID STA-AField is represented the sign of the first terminal equipment STA-A; Said E 2(Nonce A) field is expression inquiry data, is to utilize second to share key K EY by the first connection device SW1 1-CenterTo first terminal equipment inquiry random number N once AData encrypted; Said MIC2 field is represented the message integrity identifying code, is to utilize second to share key K EY by the first connection device SW1 1-CenterThe Hash Value that other fields outside the MIC2 field among the second key negotiation request packet M2 are calculated through hash function;
4] after core connection device SW-Center receives the second key negotiation request packet M2, make following processing:
4.1] core connection device SW-Center utilizes second to share key K EY 1-CenterWhether checking MIC2 field is correct, if incorrect, then abandons the second key negotiation request packet M2; Otherwise, execution in step 4.2];
4.2] core connection device SW-Center utilizes second to share key K EY 1-CenterDeciphering E 2(Nonce A) field obtains first terminal equipment inquiry random number N once A
4.3] core connection device SW-Center sends the 3rd key negotiation request packet M3 and give the second connection device SW2;
Said the 3rd key negotiation request packet M3 comprises ID STA-AField, ID STA-BField, E 3(Nonce A) field and Message Authentication Code MIC3 field, said E 3(Nonce A) field is the inquiry data, is to utilize the 3rd to share key K EY by core connection device SW-Center 2-CenterTo first terminal equipment inquiry random number N once AData encrypted; Said MIC3 field is represented the message integrity identifying code, is to utilize the 3rd to share key K EY by core connection device SW-Center 2-CenterThe Hash Value that other outer fields of this field among the 3rd key negotiation request packet M3 are calculated through hash function;
5] after the second connection device SW2 receives the 3rd key negotiation request packet M3, make following processing:
5.1] the second connection device SW2 utilizes the 3rd to share key K EY 2-CenterWhether checking MIC3 field is correct, if incorrect, then abandons the 3rd key negotiation request packet M3; Otherwise, execution in step 5.2];
5.2] the second connection device SW2 utilizes the 3rd to share key K EY 2-CenterDeciphering E 3(Nonce A) field obtains first terminal equipment inquiry random number N once A
5.3] the second connection device SW2 sends the 4th key negotiation request packet M4 and gives the second terminal equipment STA-B:
Said the 4th key negotiation request packet M4 comprises ID STA-AField, E 4(Nonce A) field and MIC4 field, said E 4(Nonce A) field is the inquiry data, is to utilize the 4th to share key K EY by the second connection device SW2 B-2To first terminal equipment inquiry random number N once AData encrypted; Said MIC4 field is represented the message integrity identifying code, is to utilize the 4th to share key K EY by the second connection device SW2 B-2The Hash Value that other outer fields of MIC4 field among the 4th key negotiation request packet M4 are calculated through hash function;
6] after the second terminal equipment STA-B receives the 4th key negotiation request packet M4, handle as follows:
6.1] the second terminal equipment STA-B utilizes the 4th to share key K EY B-2Whether checking MIC4 field is correct, if incorrect, then abandons the 4th key negotiation request packet M4; Otherwise, execution in step 6.2];
6.2] the second terminal equipment STA-B utilizes the 4th to share key K EY B-2Deciphering E 4(Nonce A) field obtains first terminal equipment inquiry random number N once A
6.3] the second terminal equipment STA-B generates second terminal equipment inquiry random number N once immediately B, through one-way function F (Nonce A, Nonce B) calculate the session key KEY between the first terminal equipment STA-A and the second terminal equipment STA-B A-B
6.4] the second terminal equipment STA-B constructs the 4th key negotiation response packet M5 and send to the second connection device SW2;
Said the 4th key negotiation response packet M5 comprises ID STA-AField, E 5(Nonce B) field and the said E of MIC5 field 5(Nonce B) field is the inquiry data, is to utilize the 4th to share key K EY by the second terminal equipment STA-B B-2To second terminal equipment inquiry random number N once BData encrypted, wherein Nonce BIt is second terminal equipment inquiry random number that generates by the second terminal equipment STA-B; Said MIC5 field is represented the message integrity identifying code, is to utilize the 4th to share key K EY by the second terminal equipment STA-B B-2The Hash Value that other fields outside the MIC5 field among the 4th key negotiation response packet M5 are calculated through hash function;
7] after the second connection device SW2 receives the 4th key negotiation response packet M5, handle as follows:
7.1] the second connection device SW2 verifies the ID among the 4th key negotiation response packet M5 STA-AID among field and the 4th key negotiation request packet M4 STA-AWhether field value is consistent, if inconsistent, then abandons the 4th key negotiation response packet M5; Otherwise, execution in step 7.2];
7.2] the second connection device SW2 utilizes the 4th to share key K EY B-2Whether checking MIC5 field is correct, if incorrect, then abandons the 4th key negotiation response packet M5; Otherwise, execution in step 7.3];
7.3] the second connection device SW2 utilizes the 4th to share key K EY B-2Deciphering E 5(Nonce B) field obtains second terminal equipment inquiry random number N once B
7.4] the second connection device SW2 constructs the 3rd key negotiation response packet M6 and send to core connection device SW-Center; Said the 3rd key negotiation response packet M6 comprises ID STA-AField, ID STA-BField, E 6(Nonce B) field and MIC6 field, said E 6(Nonce B) field is the inquiry data, is to utilize the 3rd to share key K EY by the second connection device SW2 2-CenterTo second terminal equipment inquiry random number N once BData encrypted; Said MIC6 field is represented the message integrity identifying code, is to utilize the 3rd to share key K EY by the second connection device SW2 2-CenterThe Hash Value that other fields outside the MIC6 field among the 3rd key negotiation response packet M6 are calculated through hash function;
8] after core connection device SW-Center receives the 3rd key negotiation response packet M6, handle as follows:
8.1] checking the 3rd key negotiation response packet M6 ID STA-AField, ID STA-BCorresponding ID among the 3rd key negotiation request packet M3 of field and transmission before STA-AField, ID STA-BWhether field is consistent, if all consistent, then execution in step 8.2]; Otherwise, abandon the 3rd key negotiation response packet M6;
8.2] core connection device SW-Center utilizes the 3rd to share key K EY 2-CenterWhether checking MIC6 field is correct, if incorrect, then abandons the 3rd key negotiation response packet M6, otherwise, execution in step 8.3];
8.3] core connection device SW-Center utilizes the 3rd to share key K EY 2-CenterDeciphering E 6(Nonce B) field obtains second terminal equipment inquiry random number N once B
8.4] core connection device SW-Center constructs the second key negotiation response packet M7 and send to the first connection device SW1;
The said second key negotiation response packet M7 comprises ID STA-AField, ID STA-BField, E 7(Nonce B) field and MIC7 field, said E 7(Nonce B) field is the inquiry data, is to utilize second to share key K EY by core connection device SW-Center 1-CenterTo second terminal equipment inquiry random number N once BData encrypted; Said MIC7 field is an expression message integrity identifying code, is to utilize second to share key K EY by core connection device SW-Center 1-CenterThe Hash Value that other fields outside the MIC7 field among the second key negotiation response packet M7 are calculated through hash function;
9] after the first connection device SW1 receives the second key negotiation response packet M7, handle as follows:
9.1] checking the second key negotiation response packet M7 ID STA-AField, ID STA-BCorresponding ID among the second key negotiation request packet M2 of field and transmission before STA-AField, ID STA-BWhether field is consistent, if all consistent, then execution in step 9.2]; Otherwise, abandon the second key negotiation response packet M7;
9.2] the first connection device SW1 utilizes second to share key K EY 1-CenterWhether checking MIC7 field is correct, if incorrect, then abandons the second key negotiation response packet M7, otherwise, execution in step 9.3];
9.3] the first connection device SW1 utilizes second to share key K EY 1-CenterDeciphering E 7(Nonce B) field obtains second terminal equipment inquiry random number N once B
9.4] the first connection device SW1 constructs the first key negotiation response packet M8 and send to the first terminal equipment STA-A, the said first key negotiation response packet M8 comprises ID STA-BField, E 8(Nonce B) field and MIC8 field; Said E 8(Nonce B) field representes to inquire data, is to utilize first to share key K EY by the first connection device SW1 A-1To second terminal equipment inquiry random number N once BData encrypted; Said MIC8 field is an expression message integrity identifying code, is to utilize first to share key K EY by the first connection device SW1 A-1To outside the MIC8 field among the first key negotiation response packet M8 the Hash Value that calculates through hash function of other fields;
10] after the first terminal equipment STA-A receives the first key negotiation response packet M8, handle as follows:
10.1] ID of checking among the first key negotiation response packet M8 STA-BCorresponding ID among the first key negotiation request packet M1 of field and transmission before STA-BWhether field is consistent, if consistent, then execution in step 10.2]; Otherwise, abandon the first key negotiation response packet M8;
10.2] the first terminal equipment STA-A utilizes first to share key K EY A-1Whether MIC8 is correct in checking, if incorrect, then abandons the first key negotiation response packet M8, otherwise execution in step 10.3];
10.3] the first terminal equipment STA-A utilizes first to share key K EY A-1Deciphering E 8(Nonce B) field obtains second terminal equipment inquiry random number N once B
10.4] the first terminal equipment STA-A is through one-way function F (Nonce A, Nonce B) calculate the session key KEY between the first terminal equipment STA-A and the second terminal equipment STA-B A-B
11] adopt session key KEY between the first terminal equipment STA-A and the second terminal equipment STA-B A-BCarry out confidential corespondence.
The above-mentioned first terminal equipment STA-A generates a message freshness sign; The said first key negotiation request packet M1, the second key negotiation request packet M2, the 3rd key negotiation request packet M3, the 4th key negotiation request packet M4, the 4th key negotiation response packet M5, the 3rd key negotiation response packet M6, the second key negotiation response packet M7 and the first key negotiation response packet M8 all carry this message freshness sign; After the said second connection device SW2 receives the 4th key negotiation response packet M5, need the ident value in this grouping of checking whether consistent with the ident value among its 3rd key negotiation request packet M3 that receives before; After said core connection device SW-Center receives the 3rd key negotiation response packet M6, need the ident value in this grouping of checking whether consistent with the ident value among its second key negotiation request packet M2 that receives before; After the said first connection device SW1 receives the second key negotiation response packet M7, need the ident value in this grouping of checking whether consistent with the ident value among its first key negotiation request packet M1 that receives before; After the said first terminal equipment STA-A receives the first key negotiation response packet M8, need the ident value in this grouping of checking whether consistent with the ident value among its first key negotiation request packet M1 that sends before.
Above-mentioned message freshness is designated clock, serial number or random number.
The above-mentioned first key negotiation request packet M1, the second key negotiation request packet M2, the 3rd key negotiation request packet M3 and the 4th key negotiation request packet M4 generate message freshness sign separately respectively, should carry among the 4th key negotiation response packet M5 that the said second terminal equipment STA-B sends with the 4th key negotiation request packet M4 in the same ident value; Should carry among the 3rd key negotiation response packet M6 that the said second connection device SW2 sends with the 3rd key negotiation request packet M3 in the same ident value; Should carry among the second key negotiation response packet M7 that said core connection device SW-Center sends with the second key negotiation request packet M2 in the same ident value; Should carry among the first key negotiation response packet M8 that the said first connection device SW1 sends with the first key negotiation request packet M1 in the same ident value; After the said second connection device SW2 receives the 4th key negotiation response packet M5, need the ident value in this grouping of checking whether consistent with the ident value among the 4th key negotiation request packet M4 that sends before; After said core connection device SW-Center receives the 3rd key negotiation response packet M6, need the ident value in this grouping of checking whether consistent with the ident value among the 3rd key negotiation request packet M3 that sends before; After the said second connection device SW2 receives the second key negotiation response packet M7, need the ident value in this grouping of checking whether consistent with the ident value among the second key negotiation request packet M2 that takes place before; After the said first terminal equipment STA-A receives the first key negotiation response packet M8, need the ident value in this grouping of checking whether consistent with the ident value among the first key negotiation request packet M1 that sends before.
Above-mentioned message freshness is designated clock, serial number or random number.
The method for building up of session key between node, it specifically may further comprise the steps:
1] between the first terminal equipment STA-A and the first connection device SW1, between the first connection device SW1 and the core connection device SW-Center, between core connection device SW-Center and the second connection device SW2, setting up safety between the second connection device SW2 and the second terminal equipment STA-B is connected;
2] interim first terminal equipment inquiry random number N once that generates of the first terminal equipment STA-A A, utilize first between the first terminal equipment STA-A and the first connection device SW1 to share key K EY A-1, second between the first connection device SW1 and the core connection device SW-Center share key K EY 1-Center, the 3rd between core connection device SW-Center and the second connection device SW2 share key K EY 2-CenterAnd second the 4th between connection device SW2 and the second terminal equipment STA-B share key K EY B-2With first terminal equipment inquiry random number N once AThe second terminal equipment STA-B is given in announcement;
3] interim second terminal equipment inquiry random number N once that generates of the second terminal equipment STA-B B, utilize first terminal equipment inquiry random number N once AWith second terminal equipment inquiry random number N once B, calculate the session key KEY between the second terminal equipment STA-B and the first terminal equipment STA-A A-BThe second terminal equipment STA-B utilizes the 4th between the second connection device SW2 and the second terminal equipment STA-B to share key K EY then B-2, the 3rd between core connection device SW-Center and the second connection device SW2 share key K EY 2-Center, second between the first connection device SW1 and the core connection device SW-Center share key K EY 1-CenterAnd first first between terminal equipment STA-A and the first connection device SW1 share key K EY A-1With session key K EY A-BThe first terminal equipment STA-A is given in announcement;
4] the first terminal equipment STA-A utilizes first terminal equipment inquiry random number N once AWith second terminal equipment inquiry random number N once BCalculate the session key KEY between the first terminal equipment STA-A and the second terminal equipment STA-B A-B
5] adopt session key KEY between the first terminal equipment STA-A and the second terminal equipment STA-B A-BCarry out confidential corespondence.
The method for building up of session key between a kind of node; Its special character is: first connection device (SW1) and second connection device (SW2) are set up safety with core connection device (SW-Center) respectively and are connected; First connection device (SW1) is set up safety with first terminal equipment (STA-A) and is connected, and second connection device (SW2) is set up safety with second terminal equipment (STA-B) and is connected; First terminal equipment (STA-A) and second terminal equipment (STA-B) generate a random number respectively and the other side is given in secret announcement, and first terminal equipment (STA-A) random number that utilization generates oneself with second terminal equipment (STA-B) and the random number of receiving that is generated by the other side calculate and set up consistent session key.
This method specifically may further comprise the steps:
1] between first terminal equipment (STA-A) and first connection device (SW1), between first connection device (SW1) and the core connection device (SW-Center), between core connection device (SW-Center) and second connection device (SW2), setting up safety between second connection device (SW2) and second terminal equipment (STA-B) is connected;
2] first terminal equipment (STA-A) generates first terminal equipment inquiry random number N once temporarily A, utilize first between first terminal equipment (STA-A) and first connection device (SW1) to share key (KEY A-1), second between first connection device (SW1) and the core connection device (SW-Center) share key (KEY 1-Center), the 3rd between core connection device (SW-Center) and second connection device (SW2) share key (KEY 2-Center) and second connection device (SW2) and second terminal equipment (STA-B) between the 4th share key (KEY B-2) with first terminal equipment inquiry random number N once ASecond terminal equipment (STA-B) is given in announcement;
3] second terminal equipment (STA-B) generates second terminal equipment inquiry random number N once temporarily B, utilize first terminal equipment inquiry random number N once AWith second terminal equipment inquiry random number N once B, calculate the session key KEY between second terminal equipment (STA-B) and first terminal equipment (STA-A) A-BSecond terminal equipment (STA-B) utilizes the 4th between second connection device (SW2) and second terminal equipment (STA-B) to share key (KEY then B-2), the 3rd between core connection device (SW-Center) and second connection device (SW2) share key (KEY 2-Center), second between first connection device (SW1) and the core connection device (SW-Center) share key (KEY 1-Center) and first terminal equipment (STA-A) and first connection device (SW1) between first share key (KEY A-1) with session key K EY A-BFirst terminal equipment (STA-A) is given in announcement;
4] first terminal equipment (STA-A) utilizes first terminal equipment inquiry random number N once AWith second terminal equipment inquiry random number N once BCalculate the session key KEY between first terminal equipment (STA-A) and second terminal equipment (STA-B) A-B
5] adopt session key KEY between first terminal equipment (STA-A) and second terminal equipment (STA-B) A-BCarry out confidential corespondence.
The advantage that the present invention had:
The present invention can realize the secret transmission between the LAN subscriber terminal, and need not be user terminal configuring static key.Core connection device SW-Center of the present invention only need preserve and network in switching equipment between key, need not to set up and user terminal between key; Each switching equipment only need preserve and adjacent switching equipment between key and and core connection device SW-Center between key; Each user terminal only need keep and adjacent switching equipment between key.Session key between the first terminal equipment STA-A and the second terminal equipment STA-B is to utilize interim first terminal equipment inquiry random number N once that generates of both sides by the first terminal equipment STA-A and the second terminal equipment STA-B AWith second terminal equipment inquiry random number N once BCalculate.Utilize the present invention to set up between node behind the session key, internodal secure communication just can directly use this session key to protect.It is flexible that this sets up process, need not the user and participate in disposing the foundation that can realize session key between node, guaranteed the confidentiality of the communication between subsequent node.
Description of drawings
Fig. 1 sets up the process sketch map for session key provided by the present invention.
Embodiment
In network, all connection devices all with network in core connection device SW-Center between send out or other security mechanisms have been set up safe the connection through presorting, promptly had cipher key shared; All terminal equipments only with between the adjacent connection device are sent out or other security mechanisms have been set up safe the connection through presorting, and have promptly had cipher key shared (will not limiting and define among safe establishment of connection mechanism described herein the present invention).
Be established as example with the session key between the first terminal equipment STA-A and the second terminal equipment STA-B and describe SW CenterBe the core connection device in the network; The first connection device SW1 is meant first connection device of the packet process from the first terminal equipment STA-A to the second terminal equipment STA-B, and the second connection device SW2 is meant last connection device of the packet process from the first terminal equipment STA-A to the second terminal equipment STA-B.Set up safe the connection between the first terminal equipment STA-A and the first connection device SW1, what have first shares key and is designated as KEY A-1Set up safe the connection between the first connection device SW1 and the core connection device SW-Center, what have second shares key and is designated as KEY 1-CenterSet up safe the connection between the second connection device SW2 and the core connection device SW-Center, what have the 3rd shares key and is designated as KEY 2-CenterSet up safe the connection between the second terminal equipment STA-B and the second connection device SW2, what have the 4th shares key and is designated as KEY B-2
Fig. 1 is that the concrete scheme of example method for building up that session key between node provided by the present invention is described is following with the step of setting up session key between the first terminal equipment STA-A and the second terminal equipment STA-B:
1) the first terminal equipment STA-A sends the first key negotiation request packet M1 and gives the first connection device SW1;
This first key negotiation request packet M1 mainly comprises:
ID STA-B E 1(Nonce A) MIC1
Wherein:
ID STA-BField: the sign of representing the second terminal equipment STA-B;
E 1(Nonce A) field: expression inquiry data, by the first terminal equipment STA-A utilize its with the first connection device SW1 between the first shared key K EY A-1To first terminal equipment inquiry random number N once AData encrypted; Nonce wherein AIt is the random number that generates by the first terminal equipment STA-A;
The MIC1 field: expression message integrity identifying code, by the first terminal equipment STA-A utilize its with the first connection device SW1 between the first shared key K EY A-1The Hash Value that other outer fields of this field among this first key negotiation request packet M1 are calculated through hash function.
2) the first connection device SW1 sends the second key negotiation request packet M2 and gives core connection device SW-Center;
The first connection device SW1 handles after receiving the first key negotiation request packet M1 as follows:
2.1) utilize with the first terminal equipment STA-A between the first shared key K EY A-1Whether MIC1 is correct in checking, if incorrect, then abandons this grouping; Otherwise, carry out 2.2);
2.2) utilize with the first terminal equipment STA-A between the first shared key K EY A-1Deciphering E 1(Nonce A) field can obtain the inquiry Nonce of the first terminal equipment STA-A A
2.3) structure the second key negotiation request packet M2 send to core connection device SW-Center.
This second key negotiation request packet M2 mainly comprises:
ID STA-A ID STA-B E 2(Nonce A) MIC2
Wherein:
ID STA-AField: the sign of representing the first terminal equipment STA-A;
E 2(Nonce A) field: expression inquiry data, share key K EY by second between first connection device SW1 utilization and the core connection device SW-Center 1-CenterTo first terminal equipment inquiry random number N once AData encrypted;
The MIC2 field: expression message integrity identifying code, and second between the core connection device SW-Center shares key K EY 1-CenterThe Hash Value that other outer fields of this field among this second key negotiation request packet M2 are calculated through hash function.
3) core connection device SW-Center sends the 3rd key negotiation request packet M3 and gives the second connection device SW2;
Core connection device SW-Center handles after receiving the second key negotiation request packet M2 as follows:
3.1) utilize with the first connection device SW1 between the second shared key K EY 1-CenterWhether MIC2 is correct in checking, if incorrect, then abandons this grouping; Otherwise, carry out 3.2);
3.2) utilize with the first connection device SW1 between the second shared key K EY 1-CenterDeciphering E 2(Nonce A) field can obtain first terminal equipment inquiry random number N once A
3.3) structure the 3rd key negotiation request packet M3 send to the second connection device SW2.
Mainly comprise among the 3rd key negotiation request packet M3:
ID STA-A ID STA-B E 3(Nonce A) MIC3
Wherein:
E 3(Nonce A) field: be the inquiry data, share key K EY by the 3rd between the core connection device SW-Center utilization and the second connection device SW2 2-CenterTo first terminal equipment inquiry random number N once AData encrypted;
The MIC3 field: expression message integrity identifying code, share key K EY by the 3rd between the core connection device SW-Center utilization and the second connection device SW2 2-CenterThe Hash Value that other outer fields of this field among the 3rd key negotiation request packet M3 are calculated through hash function.
4) the second connection device SW2 sends the 4th key negotiation request packet M4 and gives the second terminal equipment STA-B;
The second connection device SW2 handles after receiving the 3rd key negotiation request packet M3 as follows:
4.1) utilize with core connection device SW-Center between the 3rd shared key K EY 2-CenterWhether MIC3 is correct in checking, if incorrect, then abandons this grouping; Otherwise, carry out 4.2);
4.2) utilize with core connection device SW-Center between the 3rd shared key K EY 2-CenterDeciphering E 3(Nonce A) field can obtain first terminal equipment inquiry random number N once A
4.3) structure the 4th key negotiation request packet M4 send to the second terminal equipment STA-B.
The 4th key negotiation request packet M4 mainly comprises:
ID STA-A E 4(Nonce A) MIC4
Wherein:
E 4(Nonce A) field: expression inquiry data, share key K EY by the 4th between the second connection device SW2 utilization and the second terminal equipment STA-B B-2To first terminal equipment inquiry random number N once AData encrypted;
The MIC4 field: expression message integrity identifying code, share key K EY by the 4th between the second connection device SW2 utilization and the second terminal equipment STA-B B-2The Hash Value that other outer fields of this field among the 4th key negotiation request packet M4 are calculated through hash function.
5) the second terminal equipment STA-B sends the 4th key negotiation response packet M5 and gives the second connection device SW2;
The second terminal equipment STA-B handles after receiving the 4th key negotiation request packet M4 as follows:
5.1) utilize with the second connection device SW2 between the 4th shared key K EY B-2Whether MIC4 is correct in checking, if incorrect, then abandons this grouping, otherwise, carry out 5.2);
5.2) utilize with the second connection device SW2 between the 4th shared key K EY B-2Deciphering E 4(Nonce A) field, can obtain first terminal equipment inquiry random number N once A
5.3) generate a random number as second terminal equipment inquiry random number N once B, through one-way function F (Nonce A, Nonce B) calculate and can obtain the session key KEY between the first terminal equipment STA-A and the second terminal equipment STA-B A-B(one-way function F used herein will not limit and define among the present invention);
5.4) structure the 4th key negotiation response packet M5 send to the second connection device SW2.
The 4th key negotiation response packet M5 mainly comprises:
ID STA-A E 5(Nonce B) MIC5
Wherein:
E 5(Nonce B) field: expression inquiry data, share key K EY by the 4th between the second terminal equipment STA-B utilization and the second connection device SW2 B-2To second terminal equipment inquiry random number N once BData encrypted;
The MIC5 field: expression message integrity identifying code, share key K EY by the 4th between the second terminal equipment STA-B utilization and the second connection device SW2 B-2The Hash Value that other outer fields of this field among the 4th key negotiation response packet M5 are calculated through hash function.
6) the second connection device SW2 sends the 3rd key negotiation response packet M6 and gives core connection device SW-Center;
The second connection device SW2 handles after receiving the 4th key negotiation response packet M5 as follows:
6.1) ID of checking in dividing into groups STA-AWhether the corresponding field value is consistent among the 4th key negotiation request packet M4 of field and transmission before, if inconsistent, then abandons this grouping; Otherwise, carry out 6.2);
6.2) utilize with the second terminal equipment STA-B between the 4th shared key K EY B-2Whether MIC5 is correct in checking, if incorrect, then abandons this grouping, otherwise, carry out 6.3);
6.3) utilize with the second terminal equipment STA-B between the 4th shared key K EY B-2Deciphering E 5(Nonce B) field, can obtain second terminal equipment inquiry random number N once B
6.4) structure the 3rd key negotiation response packet M6 send to core connection device SW-Center.
The 3rd key negotiation response packet M6 mainly comprises:
ID STA-A ID STA-B E 6(Nonce B) MIC6
Wherein:
E 6(Nonce B) field: expression inquiry data, share key K EY by the 3rd between second connection device SW2 utilization and the core connection device SW-Center 2-CenterTo second terminal equipment inquiry random number N once BData encrypted;
The MIC6 field: expression message integrity identifying code, share key K EY by the 3rd between second connection device SW2 utilization and the core connection device SW-Center 2-CenterThe Hash Value that other outer fields of this field among the 3rd key negotiation response packet M6 are calculated through hash function.
7) core connection device SW-Center sends the second key negotiation response packet M7 and gives the first connection device SW1;
Core connection device SW-Center handles after receiving the 3rd key negotiation response packet M6 as follows:
7.1) ID of checking in dividing into groups STA-AField, ID STA-BWhether the corresponding field value is consistent among the 3rd key negotiation request packet M3 of field and transmission before, if all consistent, then carries out 7.2); Otherwise, abandon this grouping;
7.2) utilize with the second connection device SW2 between the 3rd shared key K EY 2-CenterWhether MIC6 is correct in checking, if incorrect, then abandons this grouping, otherwise, carry out 7.3);
7.3) utilize with the second connection device SW2 between the 3rd shared key K EY 2-CenterDeciphering E 6(Nonce B) field, can obtain second terminal equipment inquiry random number N once B
7.4) structure the second key negotiation response packet M7 send to the first connection device SW1.
This second key negotiation response packet M7 mainly comprises:
ID STA-A ID STA-B E 7(Nonce B) MIC7
Wherein:
E 7(Nonce B) field: expression inquiry data, share key K EY by second between the core connection device SW-Center utilization and the first connection device SW1 1-CenterTo second terminal equipment inquiry random number N once BData encrypted;
The MIC7 field: expression message integrity identifying code, share key K EY by second between the core connection device SW-Center utilization and the first connection device SW1 1-CenterThe Hash Value that other outer fields of this field among this second key negotiation response packet M7 are calculated through hash function.
8) the first connection device SW1 sends the first key negotiation response packet M8 and gives the first terminal equipment STA-A;
The first connection device SW1 handles after receiving the second key negotiation response packet M7 as follows:
8.1) ID of checking in dividing into groups STA-AField, ID STA-BWhether the corresponding field value is consistent among the second key negotiation request packet M2 of field and transmission before, if all consistent, then carries out 8.2); Otherwise, abandon this grouping;
8.2) utilize with core connection device SW-Center between the second shared key K EY 1-CenterWhether MIC7 is correct in checking, if incorrect, then abandons this grouping, otherwise, carry out 8.3);
8.3) utilize with core connection device SW-Center between the second shared key K EY 1-CenterDeciphering E 7(Nonce B) field, can obtain second terminal equipment inquiry random number N once B
8.4) structure the first key negotiation response packet M8 send to the first connection device SW1.
This first key negotiation response packet M8 mainly comprises:
ID STA-B E 8(Nonce B) MIC8
Wherein:
E 8(Nonce B) field: expression inquiry data, first between the first connection device SW1 utilization and the first terminal equipment STA-A shares key K EY A-1To second terminal equipment inquiry random number N once BData encrypted;
The MIC8 field: expression message integrity identifying code, share key K EY by first between the first connection device SW1 utilization and the first terminal equipment STA-A A-1The Hash Value that other outer fields of this field among this first key negotiation response packet M8 are calculated through hash function.
9) the first terminal equipment STA-A receives the first key negotiation response packet M8.
The first terminal equipment STA-A handles after receiving the first key negotiation response packet M8 as follows:
9.1) ID of checking in dividing into groups STA-BWhether the corresponding field value is consistent among the first key negotiation request packet M1 of field and transmission before, if consistent, then carries out 9.2); Otherwise, abandon this grouping;
9.2) utilize with the first connection device SW1 between the first shared key K EY A-1Whether MIC8 is correct in checking, if incorrect, then abandon this grouping, otherwise carries out 9.3);
9.3) utilize with the first connection device SW1 between the first shared key K EY A-1Deciphering E 8(Nonce B) field, can obtain second terminal equipment inquiry random number N once B
9.4) through one-way function F (Nonce A, Nonce B) calculate and can obtain the session key KEY between the first terminal equipment STA-A and the second terminal equipment STA-B A-B(one-way function F used herein will not limit and define among the present invention); Promptly accomplished the foundation of session key between the first terminal equipment STA-A and the second terminal equipment STA-B.After this, can adopt this session key KEY between the first terminal equipment STA-A and the second terminal equipment STA-B A-BCarry out confidential corespondence.
When such scheme was carried out practical implementation, the first terminal equipment STA-A also can generate a numerical value, set up the sign of process as this session key, and this sign can be clock, serial number or random number, and in each divides into groups, carried.Correspondingly, after the second connection device SW2 receives the 4th key negotiation response packet M5, need the ident value in this grouping of checking whether consistent with the ident value among its 3rd key negotiation request packet M3 that receives before; After core connection device SW-Center receives the 3rd key negotiation response packet M6, need the ident value in this grouping of checking whether consistent with the ident value among its second key negotiation request packet M2 that receives before; After the first connection device SW1 receives the second key negotiation response packet M7, need the ident value in this grouping of checking whether consistent with the ident value among its first key negotiation request packet M1 that receives before; After the first terminal equipment STA-A receives the first key negotiation response packet M8, need the ident value in this grouping of checking whether consistent with the ident value among its first key negotiation request packet M1 that sends before.
When utilizing such scheme to carry out practical implementation; Also can send the first key negotiation request packet M1, the second key negotiation request packet M2, the 3rd key negotiation request packet M3, when reaching the 4th key negotiation request packet M4, independently generate a numerical value (can be clock, serial number or random number) separately and be carried at respectively in the above-mentioned grouping by the first terminal equipment STA-A, the first connection device SW1, core connection device SW-Center and the second connection device SW2 as message freshness sign; Should carry among the 4th key negotiation response packet M5 that the second terminal equipment STA-B sends with the 4th key negotiation request packet M4 in the same ident value; Should carry among the 3rd key negotiation response packet M6 that the second connection device SW2 sends with the 3rd key negotiation request packet M3 in the same ident value; Should carry among the second key negotiation response packet M7 that core connection device SW-Center sends with the second key negotiation request packet M2 in the same ident value; Should carry among the first key negotiation response packet M8 that the first connection device SW1 sends with the first key negotiation request packet M1 in the same ident value.Correspondingly, after the second connection device SW2 receives the 4th key negotiation response packet M5, need the ident value in this grouping of checking whether consistent with the ident value among the 4th key negotiation request packet M4 that takes place before; After core connection device SW-Center receives the 3rd key negotiation response packet M6, need the ident value in this grouping of checking whether consistent with the ident value among the 3rd key negotiation request packet M3 that sends before; After the second connection device SW2 receives the second key negotiation response packet M7, need the ident value in this grouping of checking whether consistent with the ident value among the second key negotiation request packet M2 that takes place before; After the first terminal equipment STA-A receives the first key negotiation response packet M8, need the ident value in this grouping of checking whether consistent with the ident value among the first key negotiation request packet M1 that sends before.
In the specific implementation, if the present invention is used for local area network (LAN), then the user terminal in the local area network (LAN) is as terminal equipment, and the switching equipment in the local area network (LAN) is as connection device, and one of them specific switching equipment is the core connection device; Physical layer equipments such as the hub in the local area network (LAN) are not regarded as connection device or terminal equipment is handled, and can be embodied as the foundation of session key between any two user terminals through the present invention.

Claims (6)

1. the system that sets up of session key between node; It is characterized in that: this system comprises terminal equipment and connection device; Said terminal equipment comprises originating end terminal equipment and receiving terminal terminal equipment, and said connection device comprises the core connection device, at originating end connection device on the link between originating end terminal equipment and the core connection device and the receiving terminal connection device on link between receiving terminal terminal equipment and the core connection device;
Said originating end terminal equipment and receiving terminal terminal equipment generate a random number respectively and the other side is given in secret announcement; Originating end terminal equipment and receiving terminal terminal equipment utilize the random number that oneself generates respectively and the random number that is generated by the other side received calculates consistent session key, the foundation of completion session key;
Said originating end connection device comprises first connection device (SW1); Said receiving terminal connection device comprises second connection device (SW2); Said originating end terminal equipment comprises first terminal equipment (STA-A), and said receiving terminal terminal equipment comprises second terminal equipment (STA-B); Said first connection device (SW1) and second connection device (SW2) exist safety to be connected with core connection device (SW-Center) respectively; Said first connection device (SW1) exists safety to be connected with first terminal equipment (STA-A); Said second connection device (SW2) exists safety to be connected with second terminal equipment (STA-B), specifically comprises:
Set up between first terminal equipment (STA-A) and first connection device (SW1) and have the first shared key (KEY A-1) safety connect; Said first connection device (SW1) is meant first connection device of the packet process from first terminal equipment (STA-A) to second terminal equipment (STA-B);
Set up between first connection device (SW1) and the core connection device (SW-Center) and have the second shared key (KEY 1-Center) safety connect;
Set up between core connection device (SW-Center) and second connection device (SW2) and have the 3rd shared key (KEY 2-Center) safety connect; Said second connection device (SW2) is meant last connection device of the packet process from first terminal equipment (STA-A) to second terminal equipment (STA-B);
Set up between second connection device (SW2) and second terminal equipment (STA-B) and have the 4th shared key (KEY B-2) safety connect;
Said first terminal equipment (STA-A) and second terminal equipment (STA-B) generate a random number respectively and the other side is given in secret announcement; First terminal equipment (STA-A) random number that utilization generates oneself with second terminal equipment (STA-B) and the random number of receiving that is generated by the other side calculate and set up consistent session key, specifically comprise:
First terminal equipment (STA-A) sends first key negotiation request packet (M1) and gives first connection device (SW1); First terminal equipment (STA-A) is given first connection device (SW1) through first key negotiation request packet (M1) with the secret announcement of first terminal equipment inquiry random number that first terminal equipment (STA-A) generates, and said first key negotiation request packet comprises ID STA-BField, E 1(Nonce A) field and Message Authentication Code MIC1 field; Said ID STA-BField is represented the sign of the second terminal equipment STA-B; Said E 1(Nonce A) field is expression inquiry data, is to utilize first to share key K EY by the first terminal equipment STA-A A-1To first terminal equipment inquiry random number N once AData encrypted; Nonce wherein AIt is first terminal equipment inquiry random number that generates by first terminal equipment (STA-A); Said MIC1 field is represented the message integrity identifying code, is to utilize first to share key (KEY by first terminal equipment (STA-A) A-1) Hash Value that other outer fields of this field in this first key negotiation request packet (M1) are calculated through hash function;
First connection device (SW1) receives first key negotiation request packet (M1) back and sends second key negotiation request packet (M2) to core connection device (SW-Center); First connection device (SW1) is given core connection device (SW-Center) through the secret announcement of first terminal equipment inquiry random number that second key negotiation request packet (M2) will obtain:
First connection device (SW1) utilizes first to share key (KEY A-1) whether MIC1 correct in checking, if incorrect, then abandons first key negotiation request packet; Otherwise first connection device (SW1) utilizes first to share key (KEY A-1) deciphering E 1(Nonce A) field obtains first terminal equipment inquiry random number N once A
First connection device (SW1) structure second key negotiation request packet (M2) also sends to core connection device (SW-Center): said second key negotiation request packet (M2) comprises ID STA-AField, ID STA-BField, E 2(Nonce A) field and Message Authentication Code MIC2 field, said ID STA-AField is represented the sign of first terminal equipment (STA-A); Said E 2(Nonce A) field is expression inquiry data, is to utilize second to share key (KEY by first connection device (SW1) 1-Center) to first terminal equipment inquiry random number N once AData encrypted; Said MIC2 field is represented the message integrity identifying code, is to utilize second to share key (KEY by first connection device (SW1) 1-Center) Hash Value that other fields outside the MIC2 field in second key negotiation request packet (M2) are calculated through hash function;
Core connection device (SW-Center) receives second key negotiation request packet (M2) back and sends the 3rd key negotiation request packet (M3) to second connection device (SW2); Core connection device (SW-Center) is given second connection device (SW2) through the secret announcement of first terminal equipment inquiry random number that the 3rd key negotiation request packet (M3) will obtain:
Core connection device (SW-Center) utilizes second to share key (KEY 1-Center) verify whether the MIC2 field is correct, if incorrect, then abandon second key negotiation request packet (M2); Otherwise core connection device (SW-Center) utilizes second to share key (KEY 1-Center) deciphering E 2(Nonce A) field obtains first terminal equipment inquiry random number N once A
Core connection device (SW-Center) sends the 3rd key negotiation request packet (M3) and gives second connection device (SW2);
Said the 3rd key negotiation request packet (M3) comprises ID STA-AField, ID STA-BField, E 3(Nonce A) field and Message Authentication Code MIC3 field, said E 3(Nonce A) field is the inquiry data, is to utilize the 3rd to share key (KEY by core connection device (SW-Center) 2-Center) to first terminal equipment inquiry random number N once AData encrypted; Said MIC3 field is represented the message integrity identifying code, is to utilize the 3rd to share key (KEY by core connection device (SW-Center) 2-Center) Hash Value that other outer fields of this field in the 3rd key negotiation request packet (M3) are calculated through hash function
Second connection device (SW2) receives the 3rd key negotiation request packet (M3) and sends the 4th key negotiation request packet (M4) to second terminal equipment (STA-B); Second connection device (SW2) is given second terminal equipment (STA-B) through the secret announcement of first terminal equipment inquiry random number that the 4th key negotiation request packet (M4) will obtain:
Second connection device (SW2) utilizes the 3rd to share key (KEY 2-Center) verify whether the MIC3 field is correct, if incorrect, then abandon the 3rd key negotiation request packet (M3); Otherwise second connection device (SW2) utilizes the 3rd to share key (KEY 2-Center) deciphering E 3(Nonce A) field obtains first terminal equipment inquiry random number N once A
Second connection device (SW2) sends the 4th key negotiation request packet (M4) and gives second terminal equipment (STA-B):
Said the 4th key negotiation request packet (M4) comprises ID STA-AField, E 4(Nonce A) field and MIC4 field, said E 4(Nonce A) field is the inquiry data, is to utilize the 4th to share key (KEY by second connection device (SW2) B-2) to first terminal equipment inquiry random number N once AData encrypted; Said MIC4 field is represented the message integrity identifying code, is to utilize the 4th to share key (KEY by second connection device (SW2) B-2) Hash Value that other outer fields of MIC4 field in the 4th key negotiation request packet (M4) are calculated through hash function;
Second terminal equipment (STA-B) receives the 4th key negotiation request packet (M4) and sends the 4th key negotiation response packet (M5) to second connection device (SW2); Second terminal equipment (STA-B) is announced second terminal equipment inquiry random number secret that second terminal equipment generates to second connection device (SW2) through the 4th key negotiation response packet (M5) after first terminal equipment that utilization obtains inquires that second terminal equipment of random number and the generation of second terminal equipment inquires that random number calculates session key:
Second terminal equipment (STA-B) utilizes the 4th to share key (KEY B-2) verify whether the MIC4 field is correct, if incorrect, then abandon the 4th key negotiation request packet (M4); Otherwise second terminal equipment (STA-B) utilizes the 4th to share key (KEY B-2) deciphering E 4(Nonce A) field obtains first terminal equipment inquiry random number N once A
Second terminal equipment (STA-B) generates second terminal equipment inquiry random number N once immediately B, through one-way function F (Nonce A, Nonce B) calculate the session key KEY between first terminal equipment (STA-A) and second terminal equipment (STA-B) A-B
Second terminal equipment (STA-B) structure the 4th key negotiation response packet (M5) also sends to second connection device (SW2);
Said the 4th key negotiation response packet (M5) comprises ID STA-AField, E 5(Nonce B) field and the said E of MIC5 field 5(Nonce B) field is the inquiry data, is to utilize the 4th to share key (KEY by second terminal equipment (STA-B) B-2) to second terminal equipment inquiry random number N once BData encrypted, wherein Nonce BIt is second terminal equipment inquiry random number that generates by second terminal equipment (STA-B); Said MIC5 field is represented the message integrity identifying code, is to utilize the 4th to share key (KEY by second terminal equipment (STA-B) B-2) Hash Value that other fields outside the MIC5 field in the 4th key negotiation response packet (M5) are calculated through hash function;
Second connection device (SW2) receives the 4th key negotiation response packet (M5) back and sends the 3rd key negotiation response packet (M6) to core connection device (SW-Center); Second connection device (SW2) is given core connection device (SW-Center) through the secret announcement of second terminal equipment inquiry random number that the 3rd key negotiation response packet (M6) will obtain:
ID in second connection device (SW2) checking the 4th key negotiation response packet (M5) STA-AID in field and the 4th key negotiation request packet (M4) STA-AWhether field value is consistent, if inconsistent, then abandons the 4th key negotiation response packet (M5); Otherwise second connection device (SW2) utilizes the 4th to share key (KEY B-2) verify whether the MIC5 field is correct, if incorrect, then abandon the 4th key negotiation response packet (M5); Otherwise second connection device (SW2) utilizes the 4th to share key (KEY B-2) deciphering E 5(Nonce B) field obtains second terminal equipment inquiry random number N once B
Second connection device (SW2) structure the 3rd key negotiation response packet (M6) also sends to core connection device (SW-Center); Said the 3rd key negotiation response packet (M6) comprises ID STA-AField, ID STA-BField, E 6(Nonce B) field and MIC6 field, said E 6(Nonce B) field is the inquiry data, is to utilize the 3rd to share key (KEY by second connection device (SW2) 2-Center) to second terminal equipment inquiry random number N once BData encrypted; Said MIC6 field is represented the message integrity identifying code, is to utilize the 3rd to share key (KEY by second connection device (SW2) 2-Center) Hash Value that other fields outside the MIC6 field in the 3rd key negotiation response packet (M6) are calculated through hash function;
Core connection device (SW-Center) receives the 3rd key negotiation response packet (M6) back and sends second key negotiation response packet (M7) to first connection device (SW1); Core connection device (SW-Center) is given first connection device (SW1) through the secret announcement of second terminal equipment inquiry random number that second key negotiation response packet (M7) will obtain:
Verify the ID of the 3rd key negotiation response packet (M6) STA-AField, ID STA-BCorresponding ID in the 3rd key negotiation request packet (M3) of field and transmission before STA-AField, ID STA-BWhether field is consistent, if all inconsistent, then abandons the 3rd key negotiation response packet (M6); If consistent core connection device (SW-Center) utilizes the 3rd to share key (KEY 2-Center) verify whether the MIC6 field is correct, if incorrect, then abandon the 3rd key negotiation response packet (M6), otherwise core connection device (SW-Center) utilizes the 3rd to share key (KEY 2-Center) deciphering E 6(Nonce B) field obtains second terminal equipment inquiry random number N once B
Core connection device (SW-Center) structure second key negotiation response packet (M7) also sends to first connection device (SW1);
Said second key negotiation response packet (M7) comprises ID STA-AField, ID STA-BField, E 7(Nonce B) field and MIC7 field, said E 7(Nonce B) field is the inquiry data, is to utilize second to share key (KEY by core connection device (SW-Center) 1-Center) to second terminal equipment inquiry random number N once BData encrypted; Said MIC7 field is an expression message integrity identifying code, is to utilize second to share key (KEY by core connection device (SW-Center) 1-Center) Hash Value that other fields outside the MIC7 field in second key negotiation response packet (M7) are calculated through hash function;
(M7) sent first key negotiation response packet (M8) to first terminal equipment (STA-A) after first connection device (SW1) received second key negotiation response packet; First connection device (SW1) is given first terminal equipment (STA-A) through the secret announcement of second terminal equipment inquiry random number that first key negotiation response packet (M8) will obtain:
Verify the ID of second key negotiation response packet (M7) STA-AField, ID STA-BCorresponding ID in second key negotiation request packet (M2) of field and transmission before STA-AField, ID STA-BWhether field is consistent, if inconsistent, then abandons second key negotiation response packet (M7); Otherwise first connection device (SW1) utilizes second to share key (KEY 1-Center) verify whether the MIC7 field is correct, if incorrect, then abandon second key negotiation response packet (M7), otherwise, execution in step 9.3];
First connection device (SW1) utilizes second to share key (KEY 1-Center) deciphering E 7(Nonce B) field obtains second terminal equipment inquiry random number N once B
First connection device (SW1) structure first key negotiation response packet (M8) also sends to first terminal equipment (STA-A), and said first key negotiation response packet (M8) comprises ID STA-BField, E 8(Nonce B) field and MIC8 field; Said E 8(Nonce B) field representes to inquire data, is to utilize first to share key (KEY by first connection device (SW1) A-1) to second terminal equipment inquiry random number N once BData encrypted; Said MIC8 field is an expression message integrity identifying code, is to utilize first to share key (KEY by first connection device (SW1) A-1) to outside the MIC8 field in first key negotiation response packet (M8) the Hash Value that calculates through hash function of other fields;
First terminal equipment (STA-A) receives first key negotiation response packet (M8); Second terminal equipment inquiry random number of utilizing first terminal equipment inquiry random number of first terminal equipment (STA-A) generation and obtaining calculates session key, the foundation of the session key between completion and second terminal equipment (STA-B); Adopt session key (KEY between first terminal equipment (STA-A) and second terminal equipment (STA-B) A-B) )Carry out confidential corespondence:
Verify the ID in first key negotiation response packet (M8) STA-BCorresponding ID in first key negotiation request packet (M1) of field and transmission before STA-BWhether field is consistent, if inconsistent, then abandons first key negotiation response packet (M8); Otherwise first terminal equipment (STA-A) utilizes first to share key (KEY A-1) whether MIC8 correct in checking, if incorrect, then abandons first key negotiation response packet (M8), otherwise first terminal equipment (STA-A) utilizes first to share key (KEY A-1) deciphering E 8(Nonce B) field obtains second terminal equipment inquiry random number N once B
First terminal equipment (STA-A) is through one-way function F (Nonce A, Nonce B) calculate the session key KEY between first terminal equipment (STA-A) and second terminal equipment (STA-B) A-B
2. the method for building up of session key between node is characterized in that: may further comprise the steps:
1] between first terminal equipment (STA-A) and first connection device (SW1), between first connection device (SW1) and the core connection device (SW-Center), between core connection device (SW-Center) and second connection device (SW2), setting up safety between second connection device (SW2) and second terminal equipment (STA-B) is connected; Specifically comprise:
1.1] set up between first terminal equipment (STA-A) and first connection device (SW1) and have first and share key (KEY A-1) safety connect; Said first connection device (SW1) is meant first connection device of the packet process from first terminal equipment (STA-A) to second terminal equipment (STA-B);
1.2] set up between first connection device (SW1) and the core connection device (SW-Center) and have second and share key (KEY 1-Center) safety connect;
1.3] set up between core connection device (SW-Center) and second connection device (SW2) and have the 3rd and share key (KEY 2-Center) safety connect; Said second connection device (SW2) is meant last connection device of the packet process from first terminal equipment (STA-A) to second terminal equipment (STA-B);
1.4] set up between second connection device (SW2) and second terminal equipment (STA-B) and have the 4th and share key (KEY B-2) safety connect;
2] first terminal equipment (STA-A) sends first key negotiation request packet (M1) and gives first connection device (SW1); First terminal equipment (STA-A) is given first connection device (SW1) through first key negotiation request packet (M1) with the secret announcement of first terminal equipment inquiry random number that first terminal equipment (STA-A) generates;
Said first key negotiation request packet comprises ID STA-BField, E 1(Nonce A) field and Message Authentication Code MIC1 field; Said ID STA-BField is represented the sign of the second terminal equipment STA-B; Said E 1(Nonce A) field is expression inquiry data, is to utilize first to share key K EY by the first terminal equipment STA-A A-1To first terminal equipment inquiry random number N once AData encrypted; Nonce wherein AIt is first terminal equipment inquiry random number that generates by first terminal equipment (STA-A); Said MIC1 field is represented the message integrity identifying code, is to utilize first to share key (KEY by first terminal equipment (STA-A) A-1) Hash Value that other outer fields of this field in this first key negotiation request packet (M1) are calculated through hash function;
3] first connection device (SW1) receives first key negotiation request packet (M1) back and sends second key negotiation request packet (M2) to core connection device (SW-Center); First connection device (SW1) is given core connection device (SW-Center) through the secret announcement of first terminal equipment inquiry random number that second key negotiation request packet (M2) will obtain;
3.1] first connection device (SW1) utilizes first to share key (KEY A-1) whether MIC1 correct in checking, if incorrect, then abandons first key negotiation request packet; Otherwise, execution in step 3.2];
3.2] first connection device (SW1) utilizes first to share key (KEY A-1) deciphering E 1(Nonce A) field obtains first terminal equipment inquiry random number N once A
3.3] first connection device (SW1) structure, second key negotiation request packet (M2) and send to core connection device (SW-Center): said second key negotiation request packet (M2) comprises ID STA-AField, ID STA-BField, E 2(Nonce A) field and Message Authentication Code MIC2 field, said ID STA-AField is represented the sign of first terminal equipment (STA-A); Said E 2(Nonce A) field is expression inquiry data, is to utilize second to share key (KEY by first connection device (SW1) 1-Center) to first terminal equipment inquiry random number N once AData encrypted; Said MIC2 field is represented the message integrity identifying code, is to utilize second to share key (KEY by first connection device (SW1) 1-Center) Hash Value that other fields outside the MIC2 field in second key negotiation request packet (M2) are calculated through hash function;
4] after core connection device (SW-Center) receives second key negotiation request packet (M2), do following processing:
4.1] core connection device (SW-Center) utilizes second to share key (KEY 1-Center) verify whether the MIC2 field is correct, if incorrect, then abandon second key negotiation request packet (M2); Otherwise, execution in step 4.2];
4.2] core connection device (SW-Center) utilizes second to share key (KEY 1-Center) deciphering E 2(Nonce A) field obtains first terminal equipment inquiry random number N once A
4.3] core connection device (SW-Center) sends the 3rd key negotiation request packet (M3) and give second connection device (SW2); Core connection device (SW-Center) is given second connection device (SW2) through the secret announcement of first terminal equipment inquiry random number that the 3rd key negotiation request packet (M3) will obtain;
Said the 3rd key negotiation request packet (M3) comprises ID STA-AField, ID STA-BField, E 3(Nonce A) field and Message Authentication Code MIC3 field, said E 3(Nonce A) field is the inquiry data, is to utilize the 3rd to share key (KEY by core connection device (SW-Center) 2-Center) to first terminal equipment inquiry random number N once AData encrypted; Said MIC3 field is represented the message integrity identifying code, is to utilize the 3rd to share key (KEY by core connection device (SW-Center) 2-Center) Hash Value that other outer fields of this field in the 3rd key negotiation request packet (M3) are calculated through hash function;
5] second connection device (SW2) receives the 3rd key negotiation request packet (M3) and sends the 4th key negotiation request packet (M4) to second terminal equipment (STA-B); Second connection device (SW2) is given second terminal equipment (STA-B) through the secret announcement of first terminal equipment inquiry random number that the 4th key negotiation request packet (M4) will obtain, and specifically comprises:
5.1] second connection device (SW2) utilizes the 3rd to share key (KEY 2-Center) verify whether the MIC3 field is correct, if incorrect, then abandon the 3rd key negotiation request packet (M3); Otherwise, execution in step 5.2];
5.2] second connection device (SW2) utilizes the 3rd to share key (KEY 2-Center) deciphering E 3(Nonce A) field obtains first terminal equipment inquiry random number N once A
5.3] second connection device (SW2) sends the 4th key negotiation request packet (M4) and gives second terminal equipment (STA-B):
Said the 4th key negotiation request packet (M4) comprises ID STA-AField, E 4(Nonce A) field and MIC4 field, said E 4(Nonce A) field is the inquiry data, is to utilize the 4th to share key (KEY by second connection device (SW2) B-2) to first terminal equipment inquiry random number N once AData encrypted; Said MIC4 field is represented the message integrity identifying code, is to utilize the 4th to share key (KEY by second connection device (SW2) B-2) Hash Value that other outer fields of MIC4 field in the 4th key negotiation request packet (M4) are calculated through hash function;
6] second terminal equipment (STA-B) receives the 4th key negotiation request packet (M4) and sends the 4th key negotiation response packet (M5) to second connection device (SW2); Second terminal equipment (STA-B) is announced second terminal equipment inquiry random number secret that second terminal equipment generates to second connection device (SW2) through the 4th key negotiation response packet (M5) after first terminal equipment that utilization obtains inquires that second terminal equipment of random number and the generation of second terminal equipment inquires that random number calculates session key; Specifically comprise:
6.1] second terminal equipment (STA-B) utilizes the 4th to share key (KEY B-2) verify whether the MIC4 field is correct, if incorrect, then abandon the 4th key negotiation request packet (M4); Otherwise, execution in step 6.2];
6.2] second terminal equipment (STA-B) utilizes the 4th to share key (KEY B-2) deciphering E 4(Nonce A) field obtains first terminal equipment inquiry random number N once A
6.3] second terminal equipment (STA-B) generates second terminal equipment inquiry random number N once immediately B, through one-way function F (Nonce A, Nonce B) calculate the session key KEY between first terminal equipment (STA-A) and second terminal equipment (STA-B) A-B
6.4] second terminal equipment (STA-B) structure the 4th key negotiation response packet (M5) and send to second connection device (SW2);
Said the 4th key negotiation response packet (M5) comprises ID STA-AField, E 5(Nonce B) field and the said E of MIC5 field 5(Nonce B) field is the inquiry data, is to utilize the 4th to share key (KEY by second terminal equipment (STA-B) B-2) to second terminal equipment inquiry random number N once BData encrypted, wherein Nonce BIt is second terminal equipment inquiry random number that generates by second terminal equipment (STA-B); Said MIC5 field is represented the message integrity identifying code, is to utilize the 4th to share key (KEY by second terminal equipment (STA-B) B-2) Hash Value that other fields outside the MIC5 field in the 4th key negotiation response packet (M5) are calculated through hash function;
7] second connection device (SW2) receives the 4th key negotiation response packet (M5) back and sends the 3rd key negotiation response packet (M6) to core connection device (SW-Center); Second connection device (SW2) is given core connection device (SW-Center) through the secret announcement of second terminal equipment inquiry random number that the 3rd key negotiation response packet (M6) will obtain; Specifically comprise:
7.1] ID in second connection device (SW2) checking the 4th key negotiation response packet (M5) STA-AID in field and the 4th key negotiation request packet (M4) STA-AWhether field value is consistent, if inconsistent, then abandons the 4th key negotiation response packet (M5); Otherwise, execution in step 7.2];
7.2] second connection device (SW2) utilizes the 4th to share key (KEY B-2) verify whether the MIC5 field is correct, if incorrect, then abandon the 4th key negotiation response packet (M5); Otherwise, execution in step 7.3];
7.3] second connection device (SW2) utilizes the 4th to share key (KEY B-2) deciphering E 5(Nonce B) field obtains second terminal equipment inquiry random number N once B
7.4] second connection device (SW2) structure the 3rd key negotiation response packet (M6) and send to core connection device (SW-Center); Said the 3rd key negotiation response packet (M6) comprises ID STA-AField, ID STA-BField, E 6(Nonce B) field and MIC6 field, said E 6(Nonce B) field is the inquiry data, is to utilize the 3rd to share key (KEY by second connection device (SW2) 2-Center) to second terminal equipment inquiry random number N once BData encrypted; Said MIC6 field is represented the message integrity identifying code, is to utilize the 3rd to share key (KEY by second connection device (SW2) 2-Center) Hash Value that other fields outside the MIC6 field in the 3rd key negotiation response packet (M6) are calculated through hash function;
8] core connection device (SW-Center) receives the 3rd key negotiation response packet (M6) back and sends second key negotiation response packet (M7) to first connection device (SW1); Core connection device (SW-Center) is given first connection device (SW1) through the secret announcement of second terminal equipment inquiry random number that second key negotiation response packet (M7) will obtain; Specifically comprise:
8.1] checking the 3rd key negotiation response packet (M6) ID STA-AField, ID STA-BCorresponding ID in the 3rd key negotiation request packet (M3) of field and transmission before STA-AField, ID STA-BWhether field is consistent, if all consistent, then execution in step 8.2]; Otherwise, abandon the 3rd key negotiation response packet (M6);
8.2] core connection device (SW-Center) utilizes the 3rd to share key (KEY 2-Center) verify whether the MIC6 field is correct, if incorrect, then abandon the 3rd key negotiation response packet (M6), otherwise, execution in step 8.3];
8.3] core connection device (SW-Center) utilizes the 3rd to share key (KEY 2-Center) deciphering E 6(Nonce B) field obtains second terminal equipment inquiry random number N once B
8.4] core connection device (SW-Center) structure second key negotiation response packet (M7) and send to first connection device (SW1);
Said second key negotiation response packet (M7) comprises ID STA-AField, ID STA-BField, E 7(Nonce B) field and MIC7 field, said E 7(Nonce B) field is the inquiry data, is to utilize second to share key (KEY by core connection device (SW-Center) 1-Center) to second terminal equipment inquiry random number N once BData encrypted; Said MIC7 field is an expression message integrity identifying code, is to utilize second to share key (KEY by core connection device (SW-Center) 1-Center) Hash Value that other fields outside the MIC7 field in second key negotiation response packet (M7) are calculated through hash function;
9] (M7) sent first key negotiation response packet (M8) to first terminal equipment (STA-A) after first connection device (SW1) received second key negotiation response packet; First connection device (SW1) is given first terminal equipment (STA-A) through the secret announcement of second terminal equipment inquiry random number that first key negotiation response packet (M8) will obtain; Specifically comprise:
9.1] checking second key negotiation response packet (M7) ID STA-AField, ID STA-BCorresponding ID in second key negotiation request packet (M2) of field and transmission before STA-AField, ID STA-BWhether field is consistent, if all consistent, then execution in step 9.2]; Otherwise, abandon second key negotiation response packet (M7);
9.2] first connection device (SW1) utilizes second to share key (KEY 1-Center) verify whether the MIC7 field is correct, if incorrect, then abandon second key negotiation response packet (M7), otherwise, execution in step 9.3];
9.3] first connection device (SW1) utilizes second to share key (KEY 1-Center) deciphering E 7(Nonce B) field obtains second terminal equipment inquiry random number N once B
9.4] first connection device (SW1) structure, first key negotiation response packet (M8) and send to first terminal equipment (STA-A), said first key negotiation response packet (M8) comprises ID STA-BField, E 8(Nonce B) field and MIC8 field; Said E 8(Nonce B) field representes to inquire data, is to utilize first to share key (KEY by first connection device (SW1) A-1) to second terminal equipment inquiry random number N once BData encrypted; Said MIC8 field is an expression message integrity identifying code, is to utilize first to share key (KEY by first connection device (SW1) A-1) to outside the MIC8 field in first key negotiation response packet (M8) the Hash Value that calculates through hash function of other fields;
10] first terminal equipment (STA-A) receives first key negotiation response packet (M8); Second terminal equipment inquiry random number of utilizing first terminal equipment inquiry random number of first terminal equipment (STA-A) generation and obtaining calculates session key, the foundation of the session key between completion and second terminal equipment (STA-B); Adopt session key (KEY between first terminal equipment (STA-A) and second terminal equipment (STA-B) A-B) )Carry out confidential corespondence, specifically comprise:
10.1] ID in the checking first key negotiation response packet (M8) STA-BCorresponding ID in first key negotiation request packet (M1) of field and transmission before STA-BWhether field is consistent, if consistent, then execution in step 10.2]; Otherwise, abandon first key negotiation response packet (M8);
10.2] first terminal equipment (STA-A) utilizes first to share key (KEY A-1) whether MIC8 correct in checking, if incorrect, then abandons first key negotiation response packet (M8), otherwise execution in step 10.3];
10.3] first terminal equipment (STA-A) utilizes first to share key (KEY A-1) deciphering E 8(Nonce B) field obtains second terminal equipment inquiry random number N once B
10.4] first terminal equipment (STA-A) is through one-way function F (Nonce A, Nonce B) calculate the session key KEY between first terminal equipment (STA-A) and second terminal equipment (STA-B) A-B
3. the method for building up of session key between node according to claim 2; It is characterized in that: said first terminal equipment (STA-A) generates a message freshness sign; Said first key negotiation request packet (M1), second key negotiation request packet (M2), the 3rd key negotiation request packet (M3), the 4th key negotiation request packet (M4), the 4th key negotiation response packet (M5), the 3rd key negotiation response packet (M6), second key negotiation response packet (M7) and first key negotiation response packet (M8) are all carried this message freshness sign; After said second connection device (SW2) is received the 4th key negotiation response packet (M5), need the ident value in this grouping of checking whether consistent with the ident value in its 3rd key negotiation request packet (M3) that receives before; After said core connection device (SW-Center) is received the 3rd key negotiation response packet (M6), need the ident value in this grouping of checking whether consistent with the ident value in its second key negotiation request packet (M2) that receives before; After said first connection device (SW1) is received second key negotiation response packet (M7), need the ident value in this grouping of checking whether consistent with the ident value in its first key negotiation request packet (M1) that receives before; After said first terminal equipment (STA-A) is received first key negotiation response packet (M8), need the ident value in this grouping of checking whether consistent with the ident value in its first key negotiation request packet (M1) of sending before.
4. the method for building up of session key between node according to claim 3 is characterized in that: said message freshness is designated clock, serial number or random number.
5. the method for building up of session key between node according to claim 2; It is characterized in that: said first key negotiation request packet (M1), second key negotiation request packet (M2), the 3rd key negotiation request packet (M3) and the 4th key negotiation request packet (M4) generate message freshness sign separately respectively, should carry in the 4th key negotiation response packet (M5) that said second terminal equipment (STA-B) sends with the 4th key negotiation request packet (M4) in the same ident value; Should carry in the 3rd key negotiation response packet (M6) that said second connection device (SW2) sends with the 3rd key negotiation request packet (M3) in the same ident value; Should carry in second key negotiation response packet (M7) that said core connection device (SW-Center) sends with second key negotiation request packet (M2) in the same ident value; Should carry in first key negotiation response packet (M8) that said first connection device (SW1) sends with first key negotiation request packet (M1) in the same ident value; After said second connection device (SW2) is received the 4th key negotiation response packet (M5), need the ident value in this grouping of checking whether consistent with the ident value in the 4th key negotiation request packet (M4) of sending before; After said core connection device (SW-Center) is received the 3rd key negotiation response packet (M6), need the ident value in this grouping of checking whether consistent with the ident value in the 3rd key negotiation request packet (M3) of sending before; After said second connection device (SW2) is received second key negotiation response packet (M7), need the ident value in this grouping of checking whether consistent with the ident value in second key negotiation request packet (M2) that takes place before; After said first terminal equipment (STA-A) is received first key negotiation response packet (M8), need the ident value in this grouping of checking whether consistent with the ident value in first key negotiation request packet (M1) of sending before.
6. the method for building up of session key between node according to claim 5 is characterized in that: said message freshness is designated clock, serial number or random number.
CN2010105185631A 2010-10-25 2010-10-25 System and method for establishing session key between nodes Active CN101964803B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN2010105185631A CN101964803B (en) 2010-10-25 2010-10-25 System and method for establishing session key between nodes
PCT/CN2011/070016 WO2012055172A1 (en) 2010-10-25 2011-01-04 System, method and device for establishing inter-node session key

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2010105185631A CN101964803B (en) 2010-10-25 2010-10-25 System and method for establishing session key between nodes

Publications (2)

Publication Number Publication Date
CN101964803A CN101964803A (en) 2011-02-02
CN101964803B true CN101964803B (en) 2012-11-28

Family

ID=43517535

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2010105185631A Active CN101964803B (en) 2010-10-25 2010-10-25 System and method for establishing session key between nodes

Country Status (2)

Country Link
CN (1) CN101964803B (en)
WO (1) WO2012055172A1 (en)

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101841547A (en) * 2010-05-20 2010-09-22 西安西电捷通无线网络通信股份有限公司 Creation method of end-to-end shared key and system

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR100811419B1 (en) * 2000-12-07 2008-03-07 주식회사 케이티 Countermeasure Against Denial-of-Service Attack in Authentication Protocols Using Public-Key Encryption
CN100359845C (en) * 2004-03-26 2008-01-02 中兴通讯股份有限公司 Self arranged net mode shared key authentication and conversation key consulant method of radio LAN

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101841547A (en) * 2010-05-20 2010-09-22 西安西电捷通无线网络通信股份有限公司 Creation method of end-to-end shared key and system

Also Published As

Publication number Publication date
WO2012055172A1 (en) 2012-05-03
CN101964803A (en) 2011-02-02

Similar Documents

Publication Publication Date Title
KR101492179B1 (en) Method and system for establishing secure connection between user terminals
US10594672B2 (en) Secure node admission in a communication network
CN101917272B (en) Secret communication method and system among neighboring user terminals
JP7248059B2 (en) Network node and communication method
CN101841413B (en) Creation method of end-to-end secure link and system
CN105306492A (en) Asynchronous key negotiation method and device aiming at secure instant messaging
CN101741548B (en) Method and system for establishing safe connection between switching equipment
CN101841547B (en) Creation method of end-to-end shared key and system
CN101834863B (en) Method and system for establishing secure connection between local area network nodes
CN101964708B (en) System and method for establishing session key between nodes
CN101814987B (en) Method and system for establishing key between nodes
CN101834862B (en) Method and system for establishing safe connection between nodes
US20230208625A1 (en) Communication method and related apparatus
CN101964803B (en) System and method for establishing session key between nodes
CN101964802B (en) Centralized safety connection establishing system and method
CN101902324B (en) Method and system for establishing communication key between nodes
CN101841414B (en) Creation method of end-to-end communication key and system
CN101969375B (en) Notice-type safe connection establishing system and method
CN107483197A (en) A kind of VPN terminal key distribution method and device
CN116233767B (en) Cluster intercom communication method, device, equipment and storage medium
CN114339740B (en) AKA authentication method and system for 5G communication
CN101217765A (en) A remote communication means for mobile Internet protocol analysis devices

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant