CN102026192B - Mobile backhaul network certificate distributing method and system - Google Patents


Info

Publication number: CN102026192B
Application number: CN200910171500.0A
Authority: CN (China)
Prior art keywords: certificate, base station, authentication, security gateway, load
Legal status: Expired - Fee Related
Other languages: Chinese (zh)
Other versions: CN102026192A
Inventors: 陈书义, 韦银星, 端时立, 高峰
Current assignee: ZTE Corp
Original assignee: ZTE Corp Nanjing Branch
Events: application filed by ZTE Corp Nanjing Branch; priority to CN200910171500.0A; publication of CN102026192A; application granted; publication of CN102026192B; expired (fee related)


Abstract

The invention discloses a mobile backhaul network certificate distribution method and system, mainly relating to the field of mobile communication. The method comprises the following steps: a base station and a security gateway authenticate each other based on the IKE (Internet Key Exchange) protocol and create an IPsec (Internet Protocol Security) tunnel based on the IKE SA (Security Association); the security gateway receives a certificate registration request sent by the base station through the created IPsec tunnel and forwards it to the RA (Registration Authority) or CA (Certificate Authority), which verifies the certificate registration request; after the certificate registration request passes verification, a base station certificate is generated and sent to the security gateway, and the security gateway sends the base station certificate to the base station through the created IPsec tunnel. The technical scheme of the invention issues the operator certificate, is compatible with SON (Self-Organizing Network), H(e)NB (Home (evolved) Node B), RS (Relay Station) and the like, is generic across mobile backhaul networks and maximizes the value of the certificate.

Description

Mobile backhaul network certificate distribution method and system
Technical field
The present invention relates generally to the field of mobile communication, and in particular to a mobile backhaul network certificate distribution method and system.
Background
The security assurance mechanisms of the mobile backhaul network are fragile and its security problems are complex. On the one hand, user-plane encryption terminates at the base station (Node B). On the other hand, mobile backhaul network elements do not receive adequate security guarantees and are located in an area that is not fully trusted. How to guarantee the security of the mobile backhaul network is therefore a problem that urgently needs solving, and it has attracted wide attention in industry and academia.
The security framework standard TS 33.401 for 3GPP LTE (Long Term Evolution)/SAE (System Architecture Evolution) recommends using IPsec (Internet Protocol Security) to protect the connections of the mobile backhaul network. Management of the IPsec certificates is carried out according to the network domain security authentication framework TS 33.310. Because TS 33.310 was formulated for the authentication requirements between core network elements and does not consider the characteristics of the mobile backhaul network, TS 33.310 needs to be enhanced so that it can be used for LTE mobile backhaul certificate management.
The enhancement requirements of the LTE mobile backhaul network with respect to certificate management mainly include the following:
(1) First, the security of the certificate registration process must be guaranteed.
TS 33.310 does not set out how to secure the certificate registration process. Moreover, the owner of a mobile backhaul network element is not necessarily the operator; it may also be a user or an equipment vendor. The security problems of certificate registration therefore differ greatly from the network domain case, and the relationships between network elements are complex, so the security of the certificate registration process needs to be guaranteed.
(2) Second, the certificate registration scheme must be compatible with SON (Self-Organizing Network), H(e)NB (Home (evolved) Node B), RS (Relay Station) and the like.
SON is the newly added self-configuration and self-optimization process of the eNB; its goal is to minimize human participation and to save operating costs through self-organization. In the SON process, the eNB node first configures its IP address, gateway and DNS (Domain Name Server) based on DHCP (Dynamic Host Configuration Protocol) and discovers the OAM (Operation, Administration, Maintenance) server. The eNB node then performs authentication, establishes its association with the EPC (Evolved Packet Core) and completes the download of eNB software and the configuration of operational parameters. If certificate registration and distribution are completed during the IP address configuration stage, the value of the certificate is maximized, because it provides a security credential for the subsequent authentication, parameter configuration, IPsec SA (Security Association) negotiation and other applications.
In the H(e)NB case, because the H(e)NB belongs to the user, this change of ownership may affect the operator, and the certificate registration process in particular will be affected. This impact should therefore be taken into account when designing the certificate management scheme, and the scenario should be supported.
In a real mobile backhaul network deployment the following scenario may occur. A shared secret exists between the eNB and the SeGW (security gateway), such as a PKI (Public Key Infrastructure) relationship or a pre-shared key, and a secure connection exists between the SeGW and the RA (Registration Authority) or CA (Certificate Authority). How to authenticate the eNB and securely issue the operator certificate to the eNB is the problem to be solved.
Summary of the invention
The technical problem to be solved by the invention is to provide a mobile backhaul network certificate distribution method and system that achieve secure authentication and certificate distribution between the eNB and the SeGW.
To solve the above problem, the invention discloses a mobile backhaul network certificate distribution method, comprising:
the base station and the security gateway authenticate each other based on the IKE protocol and create an IPsec tunnel based on the IKE SA;
when the security gateway receives, through the created IPsec tunnel, the certificate registration request sent by the base station, it forwards the certificate registration request to the RA or CA; the RA or CA verifies the certificate registration request and, after the verification passes, generates a base station certificate and sends the generated base station certificate to the security gateway; the security gateway sends the base station certificate to the base station through the created IPsec tunnel.
Further, in the above method, when a pre-configured pre-shared key exists between the base station and the security gateway, the process by which the base station and the security gateway authenticate based on the IKE protocol is as follows:
after the base station and the security gateway complete IKE protocol initialization, the base station sends an authentication request to the security gateway, the authentication request containing the authentication payload of the base station;
the security gateway receives the authentication request and authenticates the base station according to the pre-configured pre-shared key and the base station's authentication payload in the authentication request;
when the security gateway authenticates the base station successfully, it returns an authentication response to the base station, the authentication response containing the authentication payload of the security gateway;
the base station receives the authentication response and authenticates the security gateway according to the pre-configured pre-shared key and the security gateway's authentication payload in the authentication response.
The authentication request also contains the identification payload, security association payload and traffic selector payload of the base station.
Further, in the above method, when the base station holds a device certificate issued by the equipment vendor and the root certificate of the equipment vendor, and the security gateway holds a cross-certificate issued by the equipment vendor, an SeGW certificate issued by the operator, the root certificate of the equipment vendor and the root certificate of the operator, the process by which the base station and the security gateway authenticate based on the IKE protocol is as follows:
after the base station and the security gateway complete IKE protocol initialization, the base station sends an authentication request to the security gateway, the authentication request containing the device certificate payload of the base station and an authentication payload carrying the base station's signature;
the security gateway receives the authentication request, verifies the authentication payload carrying the base station's signature, uses the root certificate of the equipment vendor to verify the authenticity of the base station's device certificate in the authentication request, and checks the validity of the base station's device certificate;
after completing the authentication operation, the security gateway sends an authentication response to the base station, the authentication response containing the security gateway certificate and cross-certificate payload and an authentication payload carrying the security gateway's signature;
the base station receives the authentication response, verifies the authentication payload carrying the security gateway's signature according to the security gateway certificate in the authentication response, verifies the authenticity of the security gateway certificate according to the cross-certificate in the authentication response, checks the validity of the security gateway certificate, then verifies the authenticity of the cross-certificate according to the root certificate of the equipment vendor and checks the validity of the cross-certificate.
The authentication request also contains the identification payload, certificate request payload, security association payload and traffic selector payload of the base station.
The invention also discloses a mobile backhaul network certificate distribution system comprising a base station and a security gateway, wherein:
the base station is configured to authenticate with the security gateway based on the IKE protocol, to send a certificate registration request through the IPsec tunnel created with the security gateway, and to receive from the IPsec tunnel the base station certificate sent by the security gateway;
the security gateway is configured to authenticate with the base station based on the IKE protocol, to create the IPsec tunnel based on the IKE SA, to receive through the IPsec tunnel the certificate registration request sent by the base station and forward it to the RA or CA, and to send the base station certificate returned by the RA or CA to the base station through the IPsec tunnel.
Further, in the above system, when a pre-configured pre-shared key exists between the base station and the security gateway:
the base station is configured to send an authentication request containing its authentication payload to the security gateway, and to receive the authentication response sent by the security gateway and authenticate the security gateway according to the pre-configured pre-shared key and the security gateway's authentication payload in the authentication response;
the security gateway is configured to receive the authentication request sent by the base station, authenticate the base station according to the pre-configured pre-shared key and the base station's authentication payload in the authentication request, and, when the base station is authenticated successfully, return to the base station an authentication response containing the security gateway's authentication payload.
The authentication request also contains the identification payload, security association payload and traffic selector payload of the base station.
Further, in the above system, when the base station holds a device certificate issued by the equipment vendor and the root certificate of the equipment vendor, and the security gateway holds a cross-certificate issued by the equipment vendor, an SeGW certificate issued by the operator, the root certificate of the equipment vendor and the root certificate of the operator:
the base station is configured to send to the security gateway an authentication request containing the base station's device certificate payload and an authentication payload carrying the base station's signature, and to receive the authentication response, verify the authentication payload carrying the security gateway's signature according to the security gateway certificate in the authentication response, verify the authenticity of the security gateway certificate according to the cross-certificate in the authentication response, check the validity of the security gateway certificate, verify the authenticity of the cross-certificate according to the root certificate of the equipment vendor and check the validity of the cross-certificate;
the security gateway is configured to receive the authentication request, verify the authentication payload carrying the base station's signature, use the root certificate of the equipment vendor to verify the authenticity of the base station's device certificate in the authentication request, check the validity of the base station's device certificate, and send to the base station an authentication response containing the security gateway certificate and cross-certificate payload and an authentication payload carrying the security gateway's signature.
The authentication request also contains the identification payload, certificate request payload, security association payload and traffic selector payload of the base station.
The technical solution of the invention issues the operator certificate during the authentication procedure of the eNB self-configuration stage and is compatible with existing SON, H(e)NB, RS and the like. The operator certificate issued to the eNB is generic within the mobile backhaul network and can protect subsequent communication over interfaces such as S1 and X2, maximizing the value of the certificate. In addition, the technical solution protects the certificate registration and distribution messages over the IPsec connection established during eNB authentication, guaranteeing the security of the certificate registration process.
Brief description of the drawings
Fig. 1 is a schematic diagram of secure mobile backhaul certificate distribution in the present invention;
Fig. 2 is a schematic diagram of secure mobile backhaul certificate distribution based on a pre-shared key in Embodiment 1;
Fig. 3 is a schematic diagram of secure mobile backhaul certificate distribution based on a cross-certificate in Embodiment 2.
Detailed description
The main idea of the invention is to issue the operator certificate during the authentication procedure of the eNB self-configuration stage. Specifically, the secure certificate distribution process may comprise the following steps, as shown in Fig. 1:
Step 101: the eNB and the SeGW authenticate based on the IKE (Internet Key Exchange) protocol;
Step 102: the eNB and the SeGW create an IPsec SA based on the IKE SA;
Step 103: the eNB generates a certificate registration request message and sends it to the SeGW through the established IPsec tunnel;
Step 104: the SeGW receives the certificate registration request message sent by the eNB and forwards it to the operator's RA or CA;
Step 105: the RA or CA receives the certificate registration request message, verifies the request, generates the eNB certificate and sends it to the SeGW in a certificate distribution message;
Step 106: the SeGW receives the certificate distribution message returned by the RA or CA and returns it to the eNB through the established IPsec tunnel.
The technical solution of the invention is described in further detail below with reference to the drawings and specific embodiments.
A mobile backhaul network certificate distribution system comprises an eNB and an SeGW, wherein:
the eNB is configured to authenticate with the SeGW based on the IKE protocol, to send a certificate registration request through the IPsec tunnel created with the SeGW, and to receive from the IPsec tunnel the base station certificate sent by the SeGW;
the SeGW is configured to authenticate with the eNB based on the IKE protocol, to create the IPsec tunnel based on the IKE SA, to receive through the IPsec tunnel the certificate registration request sent by the eNB and forward it to the operator's RA or CA, and to send the base station certificate returned by the RA or CA to the eNB through the IPsec tunnel.
When a pre-configured pre-shared key exists between the eNB and the SeGW:
the eNB sends an authentication request containing the base station's authentication payload to the SeGW, receives the authentication response sent by the SeGW, and authenticates the SeGW according to the pre-configured pre-shared key and the security gateway's authentication payload in the authentication response;
the SeGW receives the authentication request sent by the eNB, authenticates the eNB according to the pre-configured pre-shared key and the base station's authentication payload in the authentication request, and, when the eNB is authenticated successfully, returns to the eNB an authentication response containing the security gateway's authentication payload.
When the eNB holds a device certificate issued by the equipment vendor and the root certificate of the equipment vendor, and the SeGW holds a cross-certificate issued by the equipment vendor, an SeGW certificate issued by the operator, the root certificate of the equipment vendor and the root certificate of the operator:
the eNB sends to the SeGW an authentication request containing the eNB's device certificate payload and an authentication payload carrying the eNB's signature, receives the authentication response, verifies the authentication payload carrying the SeGW's signature according to the SeGW certificate in the authentication response, verifies the authenticity of the SeGW certificate according to the cross-certificate in the authentication response, checks the validity of the SeGW certificate, verifies the authenticity of the cross-certificate according to the root certificate of the equipment vendor and checks the validity of the cross-certificate;
the SeGW receives the authentication request, verifies the authentication payload carrying the eNB's signature, uses the root certificate of the equipment vendor to verify the authenticity of the eNB's device certificate in the authentication request, checks the validity of the eNB's device certificate, and sends to the eNB an authentication response containing the SeGW certificate and cross-certificate payload and an authentication payload carrying the SeGW's signature.
The process by which the above system securely distributes a certificate is described below with reference to concrete application scenarios.
Embodiment 1
In this embodiment a pre-configured pre-shared key exists between the eNB and the SeGW. The eNB and the SeGW first perform authentication and IPsec SA negotiation based on the IKEv2 protocol, and then use the negotiated IPsec tunnel to protect the secure distribution of the operator certificate. The detailed process, shown in Fig. 2, comprises the following steps:
Step 201: the eNB starts IKEv2 initialization and sends an IKE_SA_INIT request message to the SeGW;
In this step the IKE_SA_INIT request message contains HDR, SAi1, KEi and Ni, where HDR is the IKEv2 message header; SAi1 contains the initiator's proposals for the IKE SA, a proposal covering the encryption algorithm, the authentication algorithm, the DH group and so on; KEi contains the initiator's Diffie-Hellman public value; and Ni is the initiator's nonce.
Step 202: the SeGW receives the IKE_SA_INIT request message sent by the eNB, selects one proposal from SAi1 in the request to form SAr1, and sends SAr1 together with KEr and Nr, the SeGW's Diffie-Hellman public value and nonce respectively, to the eNB in the response message;
Step 203: after receiving the SeGW's response message, the eNB uses the SA and KE negotiated in the IKE_SA_INIT stage to start the authentication procedure and sends an IKE_AUTH request message to the SeGW;
In this step the IKE_AUTH request message consists of the IKEv2 message header HDR and an encrypted payload; the encrypted payload contains the identification payload (ID), the authentication payload (AUTH), the security association payload (SA) and the traffic selector payload (TS).
Step 204: the SeGW receives the IKE_AUTH request message sent by the eNB and authenticates the eNB based on the pre-configured pre-shared key and the content of the authentication payload field AUTH in the received IKE_AUTH request message;
Step 205: when the SeGW has authenticated the eNB successfully, it returns an IKE_AUTH response message to the eNB;
Step 206: the eNB receives the IKE_AUTH response message returned by the SeGW, authenticates the SeGW based on the pre-configured pre-shared key and the content of the authentication payload field AUTH in the received IKE_AUTH response message, and thereby completes the negotiation of the IKE SA with the SeGW;
Step 207: the eNB starts the CREATE_CHILD_SA exchange stage and sends a CREATE_CHILD_SA request message to the SeGW to negotiate the IPsec SA;
In this step the CREATE_CHILD_SA request message contains HDR and an encrypted payload, and the encrypted payload contains the security association parameters (SA) to be negotiated.
Step 208: after receiving the CREATE_CHILD_SA request message sent by the eNB, the SeGW returns a CREATE_CHILD_SA response message to the eNB and completes the negotiation of the IPsec SA with the eNB.
Step 209: the eNB generates a certificate registration request message and sends it to the SeGW through the established IPsec tunnel;
Step 210: the SeGW receives the certificate registration request message sent by the eNB and forwards it to the operator's RA or CA;
Step 211: the RA or CA receives the certificate registration request message, verifies the request, generates the eNB certificate and sends the generated certificate to the SeGW in a certificate distribution message;
Step 212: the SeGW receives the certificate distribution message returned by the RA or CA and returns it to the eNB through the established IPsec tunnel.
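The pre-shared-key AUTH check of steps 203 to 206, as an added example that is not part of the patent: the AUTH value is computed the way RFC 7296 section 2.15 specifies for shared-key authentication (prf(prf(PSK, "Key Pad for IKEv2"), SignedOctets)), HMAC-SHA-256 is assumed as the negotiated PRF, and every message, nonce, SK_p key and identity below is a constructed placeholder rather than real IKE traffic.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// prf is the IKEv2 pseudo-random function. HMAC-SHA-256 is assumed here; in a
// real exchange it is whichever PRF the SAi1/SAr1 proposals agreed on.
func prf(key, data []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(data)
	return m.Sum(nil)
}

// signedOctets assembles what an IKEv2 peer authenticates (RFC 7296 section 2.15):
// its own IKE_SA_INIT message, the peer's nonce, and prf(SK_p, its ID payload).
func signedOctets(ownInitMsg, peerNonce, skP, idPayload []byte) []byte {
	var b bytes.Buffer
	b.Write(ownInitMsg)
	b.Write(peerNonce)
	b.Write(prf(skP, idPayload))
	return b.Bytes()
}

// pskAuth is the AUTH payload value for shared-key authentication:
// prf(prf(PSK, "Key Pad for IKEv2"), <SignedOctets>).
func pskAuth(psk, octets []byte) []byte {
	return prf(prf(psk, []byte("Key Pad for IKEv2")), octets)
}

// verifyPSKAuth recomputes AUTH from the verifier's own copy of the PSK and
// compares in constant time; this is the check of steps 204 and 206.
func verifyPSKAuth(psk, octets, receivedAuth []byte) bool {
	return hmac.Equal(pskAuth(psk, octets), receivedAuth)
}

// session holds one side's view of the IKE_SA_INIT exchange. All values are
// constructed placeholders, not real key material or wire messages.
type session struct {
	psk      []byte
	initReq  []byte // IKE_SA_INIT request as sent by the eNB (HDR, SAi1, KEi, Ni)
	initResp []byte // IKE_SA_INIT response as sent by the SeGW (HDR, SAr1, KEr, Nr)
	ni, nr   []byte // nonces of the eNB (initiator) and the SeGW (responder)
	skPi     []byte // SK_pi derived from the IKE_SA_INIT key material
	skPr     []byte // SK_pr derived from the IKE_SA_INIT key material
	idI, idR []byte // ID payloads of the eNB and the SeGW
}

func sampleSession(psk string) session {
	return session{
		psk:      []byte(psk),
		initReq:  []byte("HDR|SAi1|KEi|Ni (constructed)"),
		initResp: []byte("HDR|SAr1|KEr|Nr (constructed)"),
		ni:       []byte("constructed-nonce-eNB-0123456789"),
		nr:       []byte("constructed-nonce-SeGW-9876543210"),
		skPi:     []byte("constructed-SK_pi"),
		skPr:     []byte("constructed-SK_pr"),
		idI:      []byte("ID_FQDN:enb1.ran.example"),
		idR:      []byte("ID_FQDN:segw.core.example"),
	}
}

// Step 203: the eNB signs its own IKE_SA_INIT request, Nr and prf(SK_pi, IDi).
func enbAuth(s session) []byte {
	return pskAuth(s.psk, signedOctets(s.initReq, s.nr, s.skPi, s.idI))
}

// Step 204: the SeGW verifies that AUTH with its own pre-shared key.
func segwVerifiesENB(s session, auth []byte) bool {
	return verifyPSKAuth(s.psk, signedOctets(s.initReq, s.nr, s.skPi, s.idI), auth)
}

// Step 205: the SeGW signs its IKE_SA_INIT response, Ni and prf(SK_pr, IDr).
func segwAuth(s session) []byte {
	return pskAuth(s.psk, signedOctets(s.initResp, s.ni, s.skPr, s.idR))
}

// Step 206: the eNB verifies the SeGW's AUTH with its own pre-shared key.
func enbVerifiesSeGW(s session, auth []byte) bool {
	return verifyPSKAuth(s.psk, signedOctets(s.initResp, s.ni, s.skPr, s.idR), auth)
}

func main() {
	good := sampleSession("constructed-shared-secret")
	wrong := sampleSession("some-other-secret")
	fmt.Println("SeGW accepts eNB:", segwVerifiesENB(good, enbAuth(good)))
	fmt.Println("eNB accepts SeGW:", enbVerifiesSeGW(good, segwAuth(good)))
	fmt.Println("mismatched PSK accepted:", segwVerifiesENB(wrong, enbAuth(good)))
}
```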
Embodiment 2
In this embodiment the eNB holds an eNB device certificate issued by the equipment vendor and the root certificate of the equipment vendor. The SeGW holds a cross-certificate issued by the equipment vendor, an SeGW certificate issued by the operator, the root certificate of the equipment vendor and the root certificate of the operator. The eNB and the SeGW first perform authentication and IPsec SA negotiation based on IKEv2, and then use the negotiated IPsec tunnel to protect the secure distribution of the operator certificate. The detailed process, shown in Fig. 3, comprises the following steps:
Step 301: the eNB starts IKEv2 initialization and sends an IKE_SA_INIT request message to the SeGW, the message containing HDR, SAi1, KEi and Ni;
In this step HDR is the IKEv2 message header; SAi1 contains the initiator's proposals for the IKE SA, a proposal covering the encryption algorithm, the authentication algorithm, the DH group and so on; KEi contains the initiator's Diffie-Hellman public value; and Ni is the initiator's nonce.
Step 302: after receiving the IKE_SA_INIT request message sent by the eNB, the SeGW selects one proposal from SAi1 in the request to form SAr1, and sends SAr1 together with KEr and Nr, the SeGW's Diffie-Hellman public value and nonce respectively, to the eNB in the IKE_SA_INIT response message;
In this step the IKE_SA_INIT response message contains a certificate request payload CERTREQ, which requests the eNB's device certificate.
Step 303: after receiving the SeGW's IKE_SA_INIT response message, the eNB uses the SA and KE negotiated in the IKE_SA_INIT stage to start the authentication procedure and sends an IKE_AUTH request message to the SeGW;
In this step the IKE_AUTH request message consists of the IKEv2 message header HDR and an encrypted payload; the encrypted payload contains the identification payload (ID), the eNB's device certificate payload (CERT), the certificate request payload (CERTREQ), the authentication payload (AUTH) carrying the eNB's signature, the security association payload (SA) and the traffic selector payload (TS).
Step 304: the SeGW receives the IKE_AUTH request message sent by the eNB, verifies the AUTH payload sent by the eNB, and uses the root certificate of the equipment vendor to verify the authenticity of the eNB certificate;
Step 305: the SeGW checks the validity of the eNB device certificate by querying the CRL;
Step 306: after completing authentication, the SeGW returns an IKE_AUTH response message to the eNB; the response message consists of the IKEv2 message header HDR and an encrypted payload, and the encrypted payload contains the identification payload (ID), the SeGW certificate and cross-certificate payload (CERT), the authentication payload (AUTH) carrying the SeGW's signature, the security association payload (SA) and the traffic selector payload (TS);
Step 307: the eNB receives the IKE_AUTH response message returned by the SeGW and uses the SeGW certificate to verify the signature AUTH sent by the SeGW;
Step 308: the eNB uses the cross-certificate to verify the authenticity of the SeGW certificate and checks the validity of the SeGW certificate by querying the CRL;
Step 309: the eNB uses the root certificate of the equipment vendor to verify the authenticity of the cross-certificate and checks the validity of the cross-certificate by querying the CRL, which completes the negotiation of the IKE SA;
Step 310: the eNB starts the CREATE_CHILD_SA exchange and sends a CREATE_CHILD_SA request message to the SeGW to negotiate the IPsec SA;
In this step the CREATE_CHILD_SA request message contains HDR and an encrypted payload.
Step 311: after receiving the CREATE_CHILD_SA request message sent by the eNB, the SeGW returns a CREATE_CHILD_SA response message to the eNB and completes the negotiation of the IPsec SA.
Step 312: the eNB generates a certificate registration request message and sends it to the SeGW through the established IPsec tunnel;
Step 313: the SeGW receives the certificate registration request sent by the eNB and forwards it to the operator's RA or CA;
Step 314: the RA or CA receives the certificate registration request message, verifies the request, generates the eNB certificate and sends it to the SeGW in a certificate distribution message;
Step 315: the SeGW receives the certificate distribution message returned by the RA or CA and returns it to the eNB through the established IPsec tunnel.
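The certificate checks of steps 304 and 307 to 309, as an added example that is not taken from the patent: it builds a constructed vendor root, operator root, cross-certificate, SeGW certificate and eNB device certificate with Go's standard crypto/x509 and shows that the eNB, which trusts only the vendor root, accepts the operator-issued SeGW certificate only when the cross-certificate bridges to the operator CA. The CRL queries of steps 305, 308 and 309 are not modelled; all names and keys are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

func genKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	return k
}

var nextSerial int64

// newCert issues a constructed certificate for key, signed by parent/parentKey;
// parent == nil gives a self-signed root.
func newCert(cn string, isCA bool, key *ecdsa.PrivateKey, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	nextSerial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(nextSerial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert
}

// pki is the trust material of Embodiment 2; every certificate is constructed here.
type pki struct {
	vendorRoot, operatorRoot, crossCert, segwCert, deviceCert *x509.Certificate
}

func buildPKI() pki {
	vendorKey, operatorKey := genKey(), genKey()
	vendorRoot := newCert("Equipment Vendor Root CA", true, vendorKey, nil, nil)
	operatorRoot := newCert("Operator CA", true, operatorKey, nil, nil)
	// Cross-certificate: the vendor root certifies the operator CA's key under the
	// operator CA's own name, so a vendor-rooted eNB can reach operator-issued certs.
	crossCert := newCert("Operator CA", true, operatorKey, vendorRoot, vendorKey)
	segwCert := newCert("segw.core.example", false, genKey(), operatorRoot, operatorKey)
	deviceCert := newCert("enb-0001.vendor.example", false, genKey(), vendorRoot, vendorKey)
	return pki{vendorRoot, operatorRoot, crossCert, segwCert, deviceCert}
}

func anyUsage() []x509.ExtKeyUsage { return []x509.ExtKeyUsage{x509.ExtKeyUsageAny} }

// Step 304: the SeGW checks the eNB device certificate against the vendor root it holds.
func segwVerifiesDevice(p pki) error {
	roots := x509.NewCertPool()
	roots.AddCert(p.vendorRoot)
	_, err := p.deviceCert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: anyUsage()})
	return err
}

// Steps 308-309: the eNB trusts only the vendor root, so the SeGW certificate must
// chain SeGW cert -> cross-certificate -> vendor root. Returns the chain length
// (3 when the cross-certificate bridges the two PKIs) or the verification error.
func enbVerifiesSeGW(p pki, withCross bool) (int, error) {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(p.vendorRoot)
	if withCross {
		inter.AddCert(p.crossCert)
	}
	chains, err := p.segwCert.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, KeyUsages: anyUsage()})
	if err != nil {
		return 0, err
	}
	return len(chains[0]), nil
}
```

Without the cross-certificate in the intermediates pool, Verify fails with an unknown-authority error, which is exactly the situation the SeGW avoids by sending the cross-certificate in the CERT payload of step 306.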
The above are only some of the embodiments of the invention and are not intended to limit its scope of protection. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the invention shall be included within the scope of protection of the appended claims.

Claims (8)

1. a Mobile backhaul network certificate distributing method, is characterized in that, the method comprises:
the base station and the security gateway authenticate each other on the basis of the Internet Key Exchange (IKE) protocol and create an IP Security (IPsec) tunnel on the basis of the IKE security association (IKE SA);
when the security gateway receives, through the created IPsec tunnel, a certificate registration request sent by the base station, it forwards the certificate registration request to a Registration Authority (RA) or a Certification Authority (CA); the RA or CA verifies the certificate registration request and, after the verification succeeds, generates a base station certificate and sends the generated base station certificate to the security gateway, and the security gateway sends the base station certificate to the base station through the created IPsec tunnel;
wherein the base station holds a device certificate issued by the equipment vendor and the root certificate of the equipment vendor, and when the security gateway holds a cross-certificate issued by the equipment vendor, an SeGW certificate issued by the operator, the root certificate of the equipment vendor and the root certificate of the operator, the process by which the base station and the security gateway authenticate on the basis of the IKE protocol is as follows:
after the base station and the security gateway complete IKE protocol initialization, the base station initiates a first authentication request to the security gateway, the first authentication request comprising the device certificate payload of the base station and an authentication payload carrying the base station's signature;
the security gateway receives the first authentication request, verifies the authentication payload carrying the base station's signature, uses the root certificate of the equipment vendor to verify the authenticity of the base station's device certificate contained in the first authentication request, and verifies the validity of the base station's device certificate;
after completing these authentication operations, the security gateway sends a first authentication response to the base station, the first authentication response comprising a security gateway certificate payload, a cross-certificate payload and an authentication payload carrying the security gateway's signature;
the base station receives the first authentication response, verifies the authentication payload carrying the security gateway's signature using the security gateway certificate in the first authentication response, verifies the authenticity of the security gateway certificate using the cross-certificate in the first authentication response and verifies the validity of the security gateway certificate, and then verifies the authenticity of the cross-certificate using the root certificate of the equipment vendor and verifies the validity of the cross-certificate.
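The certificate-based exchange of claim 1, as an added example that is not part of the patent and not ZTE's code: it builds a constructed two-domain PKI with Go's standard crypto/x509 (a vendor root that issues the device certificate and cross-certifies the operator CA; an operator root that issues the SeGW certificate) and runs the checks each side performs on the first authentication request and response. Assumptions made here: IKEv2 as in RFC 7296 for the AUTH payload (the claims say only "IKE"), ECDSA P-256 keys, invented entity names, and constructed strings in place of the real "signed octets" (IKE_SA_INIT message, nonce and prf(SK_p, ID)). The base station's separate steps (verify the SeGW certificate with the cross-certificate, verify the cross-certificate with the vendor root, check both validity periods) are modelled as one path validation with the cross-certificate supplied as an intermediate and the vendor root as the only trust anchor.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed two-domain PKI for the claim-1 exchange: vendor and operator each run a
// root CA, and the vendor root cross-certifies the operator CA key. Names are assumed.
type pki struct {
	vendorRoot, operatorRoot, crossCert, segwCert, deviceCert *x509.Certificate
	segwKey, deviceKey                                        *ecdsa.PrivateKey
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue signs a certificate for pub with signKey; parent == nil gives a self-signed root.
func issue(cn string, isCA bool, pub *ecdsa.PublicKey, parent *x509.Certificate, signKey *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, big.NewInt(1<<62))), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true, IsCA: isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent = tmpl
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signKey))
	return must(x509.ParseCertificate(der))
}

func buildPKI() *pki {
	gen := func() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
	vendorKey, operatorKey := gen(), gen()
	p := &pki{segwKey: gen(), deviceKey: gen()}
	p.vendorRoot = issue("Vendor Root CA", true, &vendorKey.PublicKey, nil, vendorKey)
	p.operatorRoot = issue("Operator Root CA", true, &operatorKey.PublicKey, nil, operatorKey)
	// Cross-certificate: the vendor root certifies the operator CA's public key.
	p.crossCert = issue("Operator Root CA", true, &operatorKey.PublicKey, p.vendorRoot, vendorKey)
	p.segwCert = issue("segw.operator.example", false, &p.segwKey.PublicKey, p.operatorRoot, operatorKey)
	p.deviceCert = issue("bs-0001.vendor.example", false, &p.deviceKey.PublicKey, p.vendorRoot, vendorKey)
	return p
}

// signAuth builds the AUTH payload: a signature over constructed stand-in "signed octets" (RFC 7296 s.2.15).
func signAuth(key *ecdsa.PrivateKey, octets []byte) []byte {
	h := sha256.Sum256(octets)
	return must(ecdsa.SignASN1(rand.Reader, key, h[:]))
}

// authenticatePeer: AUTH must verify under the peer certificate, and that certificate must chain
// (signatures, validity windows, CA constraints) via the presented intermediates to the verifier's anchor.
func authenticatePeer(peerCert *x509.Certificate, presented []*x509.Certificate, anchor *x509.Certificate, octets, auth []byte) error {
	pub, ok := peerCert.PublicKey.(*ecdsa.PublicKey)
	h := sha256.Sum256(octets)
	if !ok || !ecdsa.VerifyASN1(pub, h[:], auth) {
		return fmt.Errorf("AUTH signature does not verify under %s", peerCert.Subject.CommonName)
	}
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(anchor)
	for _, c := range presented {
		inter.AddCert(c)
	}
	_, err := peerCert.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

// First authentication request (base station -> SeGW): device certificate payload plus
// AUTH signed with the device key; the SeGW checks it against the vendor root it holds.
func segwVerifiesBaseStation(p *pki) error {
	octets := []byte("constructed: IKE_SA_INIT request || Nr || prf(SK_pi, IDi)")
	return authenticatePeer(p.deviceCert, nil, p.vendorRoot, octets, signAuth(p.deviceKey, octets))
}

// First authentication response (SeGW -> base station): SeGW cert, presented cross-cert(s), AUTH. The
// base station trusts only the vendor root, so the path must run through the cross-certificate.
func baseStationVerifiesSeGW(p *pki, presented ...*x509.Certificate) error {
	octets := []byte("constructed: IKE_SA_INIT response || Ni || prf(SK_pr, IDr)")
	return authenticatePeer(p.segwCert, presented, p.vendorRoot, octets, signAuth(p.segwKey, octets))
}

func main() {
	p := buildPKI()
	fmt.Println(segwVerifiesBaseStation(p), baseStationVerifiesSeGW(p, p.crossCert), baseStationVerifiesSeGW(p))
}
```

Running it prints two nil errors followed by an "unknown authority" error for the third call, where the cross-certificate payload is left out: the base station cannot reach the vendor root from an operator-issued certificate without it, which is why the claim has the SeGW carry the cross-certificate in the first authentication response. Presenting the operator root itself as an intermediate does not help either, since only the vendor root is in the base station's trust store. The path validation here checks signatures, validity periods and CA constraints; it does not consult CRLs or OCSP, which a deployed base station or SeGW would additionally need before the "validity" checks in the claim can be considered complete.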
2. the method for claim 1, is characterized in that,
While having the wildcard of configured in advance between described base station and described security gateway, the process that described base station and security gateway authenticate based on IKE agreement is as follows:
Described base station and security gateway carry out after IKE protocol initializing, and the second authentication request is initiated to security gateway in described base station, and described the second authentication request comprises the authentication load of described base station;
Described security gateway receives described the second authentication request, according to the authentication load of base station in the wildcard of configured in advance and described the second authentication request, described base station is authenticated;
In the time that described security gateway is successful to described base station authentication, described security gateway returns to the second authentication response to described base station, and described the second authentication response comprises the authentication load of described security gateway;
Described base station receives described the second authentication response, according to the authentication load of security gateway in the wildcard of configured in advance and described the second authentication response, described security gateway is authenticated.
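The pre-shared-key exchange of claim 2, as an added example that is not part of the patent and not ZTE's code. It computes the authentication payload as RFC 7296 section 2.15 defines it for shared-key authentication, AUTH = prf(prf(Shared Secret, "Key Pad for IKEv2"), SignedOctets), and plays both messages: the SeGW checks the request with its own configured key and only then answers, and the base station checks the response the same way. Assumptions: IKEv2 (the claims say only "IKE"), HMAC-SHA-256 as the negotiated prf, and constructed stand-ins for the IKE_SA_INIT messages, nonces, SK_pi/SK_pr and identity payloads, which in a real exchange come from the IKE_SA_INIT key derivation.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// side holds what one IKE peer contributes to the exchange. All values are constructed
// stand-ins: real SK_pi/SK_pr come from the IKE_SA_INIT Diffie-Hellman key derivation.
type side struct{ initMsg, nonce, skP, id []byte }

// signedOctets assembles the bytes a peer authenticates under RFC 7296 section 2.15:
// its own IKE_SA_INIT message || the peer's nonce || prf(SK_p, its ID payload).
func signedOctets(s side, peerNonce []byte) []byte {
	m := hmac.New(sha256.New, s.skP)
	m.Write(s.id)
	return bytes.Join([][]byte{s.initMsg, peerNonce, m.Sum(nil)}, nil)
}

// pskAuth is the shared-key AUTH value of RFC 7296 section 2.15, with HMAC-SHA-256 assumed
// as the negotiated prf: AUTH = prf(prf(psk, "Key Pad for IKEv2"), signedOctets).
func pskAuth(psk, octets []byte) []byte {
	pad := hmac.New(sha256.New, psk)
	pad.Write([]byte("Key Pad for IKEv2"))
	mac := hmac.New(sha256.New, pad.Sum(nil))
	mac.Write(octets)
	return mac.Sum(nil)
}

// runPSKExchange plays the second authentication request and response. The SeGW checks the
// base station's AUTH with its own configured key; only on success does it answer, and the
// base station then checks the SeGW's AUTH the same way. Returns (segwAcceptsBS, bsAcceptsSeGW).
func runPSKExchange(bsKey, segwKey []byte, bs, segw side) (bool, bool) {
	bsOctets := signedOctets(bs, segw.nonce)
	reqAuth := pskAuth(bsKey, bsOctets) // carried in the second authentication request
	if !hmac.Equal(reqAuth, pskAuth(segwKey, bsOctets)) {
		return false, false // SeGW authentication failed: no second authentication response
	}
	segwOctets := signedOctets(segw, bs.nonce)
	respAuth := pskAuth(segwKey, segwOctets) // carried in the second authentication response
	return true, hmac.Equal(respAuth, pskAuth(bsKey, segwOctets))
}

func main() {
	bs := side{[]byte("constructed IKE_SA_INIT request"), []byte("Ni"), []byte("SK_pi"), []byte("IDi=bs-0001")}
	segw := side{[]byte("constructed IKE_SA_INIT response"), []byte("Nr"), []byte("SK_pr"), []byte("IDr=segw")}
	psk := []byte("constructed-high-entropy-psk")
	fmt.Println(runPSKExchange(psk, psk, bs, segw))
	fmt.Println(runPSKExchange([]byte("wrong-psk"), psk, bs, segw))
}
```

Because AUTH covers the peer's IKE_SA_INIT message and nonce, a captured value cannot be replayed into a later exchange, and the comparison uses hmac.Equal so timing does not leak how many bytes matched. The check that matters operationally is the key itself: anyone who obtains one side's signed octets and AUTH, for instance by posing as the responder, can test key guesses offline, so the pre-configured key has to be high-entropy and unique per base station rather than a shared password.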
3. The method of claim 2, characterized in that
the second authentication request further comprises the identity payload, security association payload and traffic selector payload of the base station.
4. the method for claim 1, is characterized in that,
In described the first authentication request, also comprise the identification load of described base station, certificate request load, security association load and flow are selected load.
5. A mobile backhaul network certificate distribution system, characterized in that the system comprises a base station and a security gateway, wherein:
the base station is configured to authenticate with the security gateway on the basis of the Internet Key Exchange (IKE) protocol, to send a certificate registration request through the IP Security (IPsec) tunnel created by the security gateway, and to receive from the IPsec tunnel the base station certificate sent by the security gateway;
the security gateway is configured to authenticate with the base station on the basis of the IKE protocol, to create the IPsec tunnel on the basis of the IKE SA, to receive through the IPsec tunnel the certificate registration request sent by the base station and forward it to a Registration Authority (RA) or a Certification Authority (CA), and to send the base station certificate returned by the RA or CA to the base station through the IPsec tunnel;
wherein the base station holds a device certificate issued by the equipment vendor and the root certificate of the equipment vendor, and when the security gateway holds a cross-certificate issued by the equipment vendor, an SeGW certificate issued by the operator, the root certificate of the equipment vendor and the root certificate of the operator:
the base station is configured to initiate a first authentication request to the security gateway, the first authentication request comprising the device certificate payload of the base station and an authentication payload carrying the base station's signature, and to receive the first authentication response, verify the authentication payload carrying the security gateway's signature using the security gateway certificate in the first authentication response, verify the authenticity of the security gateway certificate using the cross-certificate in the first authentication response and verify the validity of the security gateway certificate, and verify the authenticity of the cross-certificate using the root certificate of the equipment vendor and verify the validity of the cross-certificate;
the security gateway is configured to receive the first authentication request, verify the authentication payload carrying the base station's signature, use the root certificate of the equipment vendor to verify the authenticity of the base station's device certificate contained in the first authentication request and verify the validity of the base station's device certificate, and to send a first authentication response to the base station, the first authentication response comprising a security gateway certificate payload, a cross-certificate payload and an authentication payload carrying the security gateway's signature.
6. The system of claim 5, characterized in that, when a pre-configured pre-shared key exists between the base station and the security gateway:
the base station is configured to send a second authentication request to the security gateway, the second authentication request comprising the authentication payload of the base station, and to receive the second authentication response sent by the security gateway and authenticate the security gateway according to the pre-configured pre-shared key and the authentication payload of the security gateway in the second authentication response;
the security gateway is configured to receive the second authentication request sent by the base station, authenticate the base station according to the pre-configured pre-shared key and the authentication payload of the base station in the second authentication request, and, when the base station is authenticated successfully, return a second authentication response to the base station, the second authentication response comprising the authentication payload of the security gateway.
7. The system of claim 6, characterized in that
the second authentication request further comprises the identity payload, security association payload and traffic selector payload of the base station.
8. The system of claim 5, characterized in that
the first authentication request further comprises the identity payload, certificate request payload, security association payload and traffic selector payload of the base station.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN200910171500.0A CN102026192B (en) 2009-09-21 2009-09-21 Mobile backhaul network certificate distributing method and system

Publications (2)

Publication Number Publication Date
CN102026192A (en) 2011-04-20
CN102026192B (en) 2014-05-28

Family

ID=43866908

Country Status (1)

Country Link
CN (1) CN102026192B (en)

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2014040235A1 (en) * 2012-09-12 2014-03-20 华为技术有限公司 Communication method, device and system in mobile backhaul network
EP2709336A1 (en) 2012-09-18 2014-03-19 Thomson Licensing Method and devices for securely accessing a web service
CN103986687B (en) * 2013-02-07 2017-09-15 电信科学技术研究院 Method, device and system for implementing authorization management of Internet-of-Vehicles devices
CN107078908A (en) * 2014-08-22 2017-08-18 诺基亚通信公司 Trust anchor update in a public key infrastructure
US10142323B2 (en) * 2016-04-11 2018-11-27 Huawei Technologies Co., Ltd. Activation of mobile devices in enterprise mobile management
CN108990060B (en) * 2017-06-05 2021-02-02 中国移动通信集团公司 Certificate distribution system and method of base station equipment
CN108897531B (en) * 2018-06-29 2021-11-16 播思通讯技术(北京)有限公司 Carplay development and debugging method
CN113497779A (en) * 2020-03-18 2021-10-12 华为技术有限公司 Method and communication device for network key exchange protocol authentication using certificate

Citations (1)

Publication number Priority date Publication date Assignee Title
CN101471934A (en) * 2007-12-28 2009-07-01 三星电子株式会社 Bidirectional encipher and identification authentication method of dynamic host configuration protocol

Non-Patent Citations (5)

Title
3GPP. Technical Specification Group Services and System Aspects; Network Domain Security (NDS); Authentication Framework (AF) (Release 9). 3GPP TS 33.310 V9.0.0, 2009. *
Huang Songbai. Analysis, Improvement and Implementation of the Key Exchange Protocol in IPSEC (IPSEC中密钥交换协议的分析改进及其实现). China Master's Theses Full-text Database, Information Science and Technology (中国优秀硕士学位论文 信息科技辑), 2007-11-15, pp. 9-14 and 20-39, sections 2.1.1, 2.2 and 2.3. *
Li Jianting. Architecture and Implementation Model of a Digital Certificate System (一种数字证书系统的体系结构与实现模型). Computer Applications and Software (计算机应用与软件), 2006-12-31, pp. 122-125, section 1. *

Legal Events

Code Title Description
C06 / PB01 Publication
C10 / SE01 Entry into substantive examination (entry into force of request for substantive examination)
ASS Succession or assignment of patent right. Owner name: NANJING BRANCH OF ZTE CORPORATION. Former owner: ZTE CORPORATION. Effective date: 20131104
C41 Transfer of patent application or patent right or utility model
COR Change of bibliographic data. Correct: address; from: 518057 SHENZHEN, GUANGDONG PROVINCE; to: 210012 NANJING, JIANGSU PROVINCE
TA01 Transfer of patent application right. Effective date of registration: 20131104. Applicant before: ZTE Corporation (518057 Nanshan District high tech Industrial Park, Guangdong, South Road, science and technology, ZTE building, legal department). Applicant after: Nanjing Branch of Zhongxing Communication Co., Ltd. (210012 Zhongxing communication, No. 68, Bauhinia Road, Yuhuatai District, Jiangsu, Nanjing)
C14 / GR01 Grant of patent or utility model
C41 / TR01 Transfer of patent right. Effective date of registration: 20150626. Patentee before: Nanjing Branch of Zhongxing Communication Co., Ltd. (210012 Zhongxing communication, No. 68, Bauhinia Road, Yuhuatai District, Jiangsu, Nanjing). Patentee after: ZTE Corporation (518057 Nanshan District Guangdong high tech Industrial Park, South Road, science and technology, ZTE building, Ministry of Justice)
CF01 Termination of patent right due to non-payment of annual fee. Granted publication date: 20140528. Termination date: 20200921