CN102572829A - Key synchronization method for communication between two users accessing same access gateway in WIMAX system - Google Patents


Info

Publication number: CN102572829A
Authority: CN (China)
Prior art keywords: base station, message, aes, communication user, asn
Legal status: Granted
Application number: CN2012100014503A
Other languages: Chinese (zh)
Other versions: CN102572829B (en)
Inventors: 潘甦, 颜秉伟, 王岩
Current assignee: Nanjing Post and Telecommunication University (Nanjing University of Posts and Telecommunications)
Original assignee: Nanjing Post and Telecommunication University
Application filed by Nanjing Post and Telecommunication University
Priority to CN201210001450.3A
Publication of CN102572829A
Application granted
Publication of CN102572829B
Legal status: Expired - Fee Related

Abstract

The invention discloses a key synchronization method for communication between two users accessing the same access gateway in a worldwide interoperability for microwave access (WIMAX) system. The method comprises the following steps: first, judging whether the two communicating users access the same gateway (ASN-GW), quitting if not and otherwise proceeding to the next step; second, establishing an independent data path for the two communicating users based on a connection ID (CID) and a data path ID (DPID); and last, synchronizing the encryption algorithm and the encryption key of the two communicating users. With the technical scheme of the invention, a base station (BS) no longer needs to repeatedly encrypt and decrypt each data packet, so the load on the base station is reduced and its processing efficiency is improved; in addition, the cost of processing the data packet at the gateway (ASN-GW) is lowered to a certain extent and the system efficiency is improved.

Description

Key synchronization method for communication between two users under the same access gateway in a WIMAX system
Technical field
The present invention relates to a key synchronization method between users, applied in a WIMAX mobile communication system.
Background art
A WIMAX (Worldwide Interoperability for Microwave Access) network can be divided into two parts, as shown in Figure 1. One part is responsible for access and is called the access network (ASN), such as ASN-1, ASN-2 and ASN-3 within the dotted areas of Figure 1; the other part is responsible for functions such as authentication and core routing and is called the core network (CSN), such as CSN-1 and CSN-2 in Figure 1. The access network (ASN) generally comprises two parts: the base station (BS) and the gateway (ASN-GW). The main function of the BS is to connect to the terminal MS over the air interface, so that the terminal can attach to the WIMAX network. The ASN-GW is the uplink exit of the access network and is responsible for functions such as terminal authentication and access routing. The CSN mainly comprises the authentication server and core routing. The CSN provides the MIP home agent for the terminal MS, and the ASN-GW provides the MIP foreign agent for the terminal MS. When two terminals communicate, their data path may pass through several ASN-GWs and be forwarded via the CSN, for example the communication between MS-A and MS-E in Figure 1.
For an MS, the ASN-GW in the access network of the BS to which it is attached is called the serving access gateway (Serving ASN-GW). The communication data of the MS may pass through further ASN-GWs after the Serving ASN-GW before reaching the CSN. While the MS moves, the data transfer path it traverses may change, but one point stays fixed: the ASN-GW that remains constant in the data transfer path is called the anchor access gateway (Anchor ASN-GW); in the WIMAX network this is called the "anchored data path" function. The Anchor ASN-GW connects to the CSN through the R3 interface. The Serving ASN-GW of an MS may at the same time be its Anchor ASN-GW, for example when the MS has just entered the network. As an example, in Figure 2, for terminal MS-C, line 201 is the original data path and line 202 is the data path after MS-C moves to a base station of another access network. Clearly, before MS-C moves, ASN-GW-1 is both its Serving ASN-GW and its Anchor ASN-GW; after MS-C moves to the position shown in Figure 2, its Serving ASN-GW is ASN-GW-2 while its Anchor ASN-GW is still ASN-GW-1.
The following is a brief account of the background knowledge in the WIMAX system that is relevant to this scheme.
Two authentication modes are commonly used in the WIMAX network: the X.509 digital certificate authentication mode based on RSA (proposed in the PKMv1 protocol version and retained in the PKMv2 protocol version) and the EAP authentication mode mainly supported by the PKMv2 protocol. In either mode, after authentication and authorization the MS obtains a valid authorization key (AK) and is mapped to a corresponding SA (security association); each service flow of a user is mapped to an SA, the SA determines the encryption algorithm and encryption key, and the corresponding TEK (the terminal's traffic encryption key) is obtained.
For the RSA authentication mode, the process is mainly divided into an initial authorization process and an authorization process, as shown in Figure 3.
Figure 3 is explained briefly:
(1) During initial authorization, the BS performs simple authentication of the client terminal MS. The BS verifies the digital certificate of the terminal MS and, after verification, encrypts the AK with the terminal's public key and sends the encrypted AK to the terminal MS that requested it.
(2) After initial authorization, the terminal MS sends an authorization request message to the BS. The authorization request mainly contains the X.509 digital certificate, the encryption algorithms supported by the terminal MS and the basic CID of the terminal MS. The BS authenticates the identity of the terminal MS, selects the associated encryption algorithm and protocol, and activates an AK for the terminal MS. The authorization response of the BS mainly contains: the AK encrypted with the terminal's public key, the key sequence number (used to distinguish two consecutive generations of AK), the key lifetime, and the identifier SAID and attribute information of the SA whose key information the terminal MS is authorized to obtain. Once the terminal MS has obtained a valid AK and joined the specified SA, it starts a TEK state machine for each SAID identified in the authorization response message; through the interaction of this state machine with the BS, the terminal MS finally obtains the traffic encryption key TEK.
For the EAP authentication mode, the authentication framework is still based on the RSA mode under the PKMv1 protocol; the detailed process is not repeated here.
After passing the above authentication and authorization processes, the MS accesses the WIMAX system normally. The following introduces the normal packet exchange process, under the current WIMAX international standard, between two users under the same gateway (ASN-GW).
In the existing WIMAX network, when two terminal users exchange service data, the encryption and decryption at the BS is cumbersome and its overhead is considerable, which increases the overhead of the system (delay, power consumption and so on). As shown in Figure 4, when two terminal users MS-A and MS-B under the same ASN-GW communicate, the flow is as follows:
(1) MS-A encrypts the communication data with its own traffic encryption key TEK-A and delivers the ciphertext to BS1;
The main parameters of an SA are explained here: an SA has an SAID (identifying different SAs), an algorithm identifier (cryptographic suite, identifying which encryption and authentication algorithms are used), an SA type (primary SA, static SA, dynamic SA) and so on; that is, each SA corresponds to one encryption algorithm. Each service flow maps to a certain SA; that SA allocates a corresponding TEK to the terminal MS that applies for a TEK, and the allocated TEK is used to encrypt the packets of that service flow.
(2) After BS1 decrypts the encrypted packet with TEK-A to obtain the plaintext, it encrypts the IP packet payload again with a method such as IPSEC (optional in the standard); finally, after tunnel encapsulation, the communication ciphertext is forwarded to the upper-layer ASN-GW.
(3) The ASN-GW removes the uplink tunnel encapsulation, performs downlink tunnel encapsulation according to the newly created DPID channel identifier between itself and BS2, and passes the packet to BS2;
Explanation: the DPID is the channel identifier between BS and ASN-GW, and between BS and BS, used to identify a logical data channel; when the ASN-GW removes the uplink tunnel encapsulation and performs the downlink tunnel encapsulation, its main work is a simple check and changing the DPID identifier in the tunnel header.
(4) BS2 removes the tunnel encapsulation, decrypts the IPSEC-encrypted IP packet to obtain the plaintext, re-encrypts the packet with MS-B's traffic encryption key TEK-B and finally sends it to MS-B over the air interface;
(5) MS-B decrypts with its own traffic encryption key TEK-B to obtain the communication plaintext.
(6) Packets sent from MS-B to MS-A go through the same process, which is not repeated.
In summary, regardless of the positional relationship of the two communicating users, at the BS an uplink packet delivered to the BS must be decrypted and re-encrypted before it can be forwarded to the upper-layer gateway; for downlink data, the BS must likewise decrypt and re-encrypt before it can pass the data to the user over the air interface. At the same time, at the ASN-GW the packet may also have to be processed according to the encryption method agreed between the ASN-GW and the BS (such as checking). When the volume of communication data is large, the encryption and decryption overhead at the base station and the ASN-GW is very high.
Summary of the invention
The technical problem to be solved by the invention is the overhead brought by the repeated encryption/decryption and tunnel encapsulation/decapsulation at the base station BS described in the background art. To reduce the processing delay and power consumption of the main network elements and improve the efficiency of the WIMAX system, a method is proposed by which two mobile users under the same gateway (ASN-GW) adopt the same encryption algorithm and encryption key (TEK).
To solve the above technical problem, the present invention adopts the following technical scheme:
A key synchronization method for communication between two users under the same access gateway in a WIMAX system comprises the following steps:
Step 1: judge whether the two communicating users are under the same gateway (ASN-GW); if not, exit; if so, enter the next step;
Step 2: set up an independent data path for the two communicating users based on the connection identifier (CID) and the data path identifier (DPID);
Step 3: synchronize the encryption algorithm and encryption key between the two communicating users. Assuming the first communication user (MS-A) is managed by the first base station (BS-1) and the second communication user (MS-B) is managed by the second base station (BS-2), the specific synchronization method is as follows:
A. The gateway (ASN-GW) does not take part in the negotiation of the security association (SA) and encryption key (TEK); the steps are:
A-1 The gateway (ASN-GW) sends a message to the first base station (BS-1) containing the IP address of the second base station (BS-2), the service flow identifier established by the first base station (SFID-A) and the service flow identifier established by the second base station (SFID-B);
A-2 After receiving the message from the gateway (ASN-GW), the first base station (BS-1) finds, according to the service flow identifier (SFID-A), the first security association (SA1) to which the first communication user (MS-A) is mapped, places the set of encryption algorithms supported by the first communication user (MS-A) in the field of the second message, and prepares the next step of negotiation;
A-3 The first base station (BS-1) sends a message to the second base station (BS-2) containing the algorithm set supported by the first communication user (MS-A), the service flow identifier established by the first base station (SFID-A) and the service flow identifier established by the second base station (SFID-B);
A-4 After receiving the message from the first base station (BS-1), the second base station (BS-2) finds, according to the service flow identifier (SFID-B), the second security association (SA2) to which the second communication user (MS-B) is mapped, and compares the encryption algorithm corresponding to the second security association (SA2) with the algorithm set supported by the first communication user (MS-A);
when the encryption algorithm corresponding to the second security association (SA2) has no intersection with the algorithm set supported by the first communication user (MS-A), an encryption algorithm supported by both the first communication user (MS-A) and the second communication user (MS-B) is chosen from the algorithm set supported by the first communication user (MS-A), and a suitable security association is selected and an encryption key allocated for the second communication user (MS-B) again;
when the encryption algorithm corresponding to the second security association (SA2) is one of the algorithm set supported by the first communication user (MS-A), the encryption key of the second communication user (MS-B) is updated using the encryption algorithm corresponding to the second security association (SA2);
A-5 The second base station (BS-2) sends a message to the first base station (BS-1) containing: the service flow identifier established by the second base station (SFID-B), the service flow identifier established by the first base station (SFID-A), the encryption algorithm selected for the second communication user (MS-B) and the allocated encryption key;
A-6 The first base station (BS-1) sends an acknowledgement message to the second base station (BS-2), indicating that the first base station (BS-1) has successfully received the message previously sent by the second base station (BS-2);
B. The gateway (ASN-GW) takes part in the negotiation of the security association (SA) and encryption key (TEK); the steps are:
B-1 The gateway (ASN-GW) sends a message to the first base station (BS-1) containing the service flow identifier established by the first base station (SFID-A);
B-2 After receiving the message, the first base station (BS-1) finds, according to the service flow identifier (SFID-A), the first security association (SA1) to which the first communication user (MS-A) is mapped, places the set of encryption algorithms supported by the first communication user (MS-A) in the field of the second message, and prepares the next step of negotiation;
B-3 The first base station (BS-1) sends a message to the gateway (ASN-GW) containing the algorithm set supported by the first communication user (MS-A) and the service flow identifier established by the first base station (SFID-A);
B-4 After receiving the message, the gateway (ASN-GW) replaces the service flow identifier established by the first base station (SFID-A) in the message with the service flow identifier established by the second base station (SFID-B), and sends the modified message to the second base station (BS-2);
B-5 After receiving the message, the second base station (BS-2) finds, according to the service flow identifier (SFID-B), the second security association (SA2) to which the second communication user (MS-B) is mapped, and compares the encryption algorithm corresponding to the second security association (SA2) with the algorithm set supported by the first communication user (MS-A);
when the encryption algorithm corresponding to the second security association (SA2) has no intersection with the algorithm set supported by the first communication user (MS-A), an encryption algorithm supported by both the first communication user (MS-A) and the second communication user (MS-B) is chosen from the algorithm set supported by the first communication user (MS-A), and a suitable security association is selected and an encryption key allocated for the second communication user (MS-B) again;
when the encryption algorithm corresponding to the second security association (SA2) is one of the algorithm set supported by the first communication user (MS-A), the encryption key of the second communication user (MS-B) is updated using the encryption algorithm corresponding to the second security association (SA2);
B-6 The second base station (BS-2) sends a message to the gateway (ASN-GW) containing: the service flow identifier established by the second base station (SFID-B), the encryption algorithm selected for the second communication user (MS-B) and the allocated encryption key;
B-7 After receiving the message, the gateway (ASN-GW) replaces the service flow identifier established by the second base station (SFID-B) in the message with the service flow identifier established by the first base station (SFID-A), and sends the modified message to the first base station (BS-1);
B-8 After receiving the message, the first base station (BS-1) compares the encryption algorithm selected in the message with the encryption algorithm corresponding to the first security association (SA1):
if the encryption algorithm corresponding to the first security association (SA1) and the encryption algorithm selected in the message are the same, the encryption key of the first communication user (MS-A) is updated using the encryption algorithm corresponding to the first security association (SA1);
if the encryption algorithm corresponding to the first security association (SA1) and the encryption algorithm selected in the message differ, the encryption key of the first communication user (MS-A) is updated using the encryption algorithm selected in the message;
B-9 The first base station (BS-1) sends an acknowledgement message to the gateway (ASN-GW) indicating that it has successfully received the previously sent message; the gateway (ASN-GW) then sends an acknowledgement message to the second base station (BS-2) indicating that it has successfully received the previously sent message.
Compared with the prior art, the above technical scheme of the present invention has the following technical effects:
(1) In the WIMAX communication system, two communicating users under the same gateway ASN-GW can adopt the same encryption algorithm and encryption key (TEK). In this way the burden on the base station BS of repeatedly encrypting and decrypting packets is relieved, and the processing efficiency of the base station is improved.
(2) Packets delivered from the base station BS to the gateway need not be encrypted and decrypted again at the IP layer or transport layer, which relieves the packet processing overhead at the ASN-GW to a certain extent and improves system efficiency.
Description of drawings
Figure 1 is the basic network topology diagram of WIMAX.
Figure 2 is a sketch of the data path after the terminal location moves.
Figure 3 is the authentication process diagram under the RSA mode.
Figure 4 is the packet processing diagram for communication between two users under the same gateway (ASN-GW).
Figure 5 is the process by which MS-A is mapped to SA1 and obtains a TEK.
Figure 6 is the process by which the ASN-GW judges whether a packet is gateway-local routed.
Figure 7 is the process diagram by which MS-B is mapped to SA2 and obtains a TEK.
Figure 8 is the process diagram for setting up the independent uplink data path.
Figure 9 is the process diagram for setting up the independent downlink data path.
Figure 10 is the flow chart for the case where the ASN-GW does not take part in the negotiation of SA and TEK.
Figure 11 is the flow chart of the method by which BS2 updates the SA for MS-B and allocates a TEK again.
Figure 12 is the flow chart of the method by which BS2 updates the TEK for MS-B.
Figure 13 is the negotiation process diagram in which the ASN-GW takes part.
Figure 14 is the packet processing diagram during TEK synchronization and update.
Figure 15 is the packet processing flow chart of the flag bit method.
Embodiment
The technical scheme of the present invention is described in further detail below with reference to the drawings:
I. Judgement of gateway local routing and start of the present design
The judgement of gateway local routing is based on the gateway looking up the IP address of a received packet to judge whether both communicating parties are under the same gateway. Only after a packet has been judged to be gateway-local routed can the security scheme designed by the present invention be started. Therefore, to understand the design of the present invention better, the judgement process of gateway local routing is explained here.
The specific idea is as follows: in the initial communication process the terminal follows the normal WiMAX communication procedure; the first packet is forwarded upward until it reaches the gateway, and the gateway then judges whether it is a local route, which is the gateway local routing judgement.
The decision process of gateway local routing is illustrated below.
Assume that user MS-A and user MS-B are under the same gateway ASN-GW, MS-A is attached to base station BS-1, MS-B is attached to base station BS-2, and MS-A sends packets to MS-B. The whole flow is as follows:
(1) User MS-A initiates a new service request; BS-1 creates a new service flow SFID-A, maps MS-A to SA1 and allocates the corresponding encryption key TEK-A. After BS-1 decrypts the packet, the packet arrives at the ASN-GW.
The process by which MS-A is mapped to SA1 and a TEK is allocated is shown in Figure 5:
Figure 5 is explained as follows:
(a) When BS-1 creates a new service flow SFID-A, MS-A sends a DSA-REQ message requesting to join a certain SA, and BS-1 maps MS-A to a security association SA1 in the DSA-RSP message; alternatively, BS-1 may directly map MS-A to a certain SA1 through a DSA-REQ message.
(b) After being mapped to SA1, MS-A applies for a TEK for the corresponding SA1 through a Key-Request message; BS-1 informs MS-A of the allocated TEK-A through a Key-Reply message.
(c) After obtaining TEK-A, MS-A encrypts the packets of this service flow with TEK-A and sends them to BS-1 over the air interface; BS-1 first decrypts the packet into plaintext, then tunnel-encapsulates and encrypts the packet and sends it to the ASN-GW.
(2) The ASN-GW removes the tunnel encapsulation, decrypts, checks the destination IP address of the packet, and looks up the IP information table maintained in this ASN-GW by that IP address. If the destination IP address is found in the IP information table, the two communicating users are under the same ASN-GW, and the security design scheme of the present invention is started. The above processing by the ASN-GW can be represented by Figure 6:
(3) At the same time, in the downlink, BS-2 also creates a new service flow SFID-B, maps MS-B to SA2 and allocates the corresponding encryption key TEK-B, as shown in Figure 7:
Figure 7 is not detailed further here; refer to the explanation of Figure 6, since the process is identical.
II. Method of setting up an independent data path
The precondition for setting up an independent data transfer path needs to be explained here.
Because the solutions of different WiMAX solution providers differ, the solutions adopted by operators in different countries and regions may also differ in their technical realization. Therefore, if the WiMAX network in some place links a corresponding CID/DPID to each service flow, the result is the same as that of the method described below (creating an independent data path), and no new data path needs to be created. But the technical realization of WiMAX networks in other regions may differ. For example, if a CID is linked to a certain bandwidth requirement and the service flows of several users with the same QoS requirements can be transmitted on that CID, then the method below is needed to create new uplink and downlink data transfer paths for the gateway-local routed users.
As shown in Figure 8, if terminal MS-A is attached to base station BS-1, terminal MS-B is attached to base station BS-2, both terminals are under the same ASN-GW and terminal MS-A is to communicate with terminal MS-B, the uplink data path is set up as shown in Figure 8.
Figure 8 is explained as follows:
(1) After the Anchor ASN-GW receives a packet from the Serving ASN-GW, it looks up the destination IP address of the packet in its IP address information table to confirm whether the two communicating users are gateway-local routed users. After confirmation, the Anchor ASN-GW uses the signaling message DSA-REQ, via the Serving ASN-GW and BS-1, to apply to MS-A for a new CID-A/DPID-A channel for the gateway-local routed service data;
(2) After MS-A receives the DSA-REQ signaling message, it obtains CID-A and the corresponding classifier, and returns a DSA-RSP response to the Anchor ASN-GW via the Serving ASN-GW and BS-1;
(3) After the Anchor ASN-GW receives the DSA-RSP signaling message, it sends a DSA-ACK acknowledgement message to MS-A via the Serving ASN-GW and BS-1. After MS-A receives the DSA-ACK signaling message, it transmits data on the newly created CID-A/DPID-A.
(4) The Anchor ASN-GW associates the buffered data to be sent with CID-A/DPID-A.
This is the process of creating the uplink data path; in the same way, the process of creating the downlink data path shown in Figure 9 is obtained.
Figure 9 is explained as follows:
(1) The Anchor ASN-GW sends a DSA-REQ message to MS-B via the Serving ASN-GW and BS-2, to set up the CID-B/DPID-B data channel for MS-B.
(2) After MS-B receives the DSA-REQ signaling message, it returns a DSA-RSP signaling message and the CID-B/DPID-B data channel is created.
(3) After the Anchor ASN-GW receives the DSA-RSP signaling message, it sends a DSA-ACK acknowledgement message to MS-B via the Serving ASN-GW and BS-2, and data is then transmitted on CID-B/DPID-B.
After the independent uplink and downlink data paths are set up, the communication data of the two mobile users is transmitted on the newly created CID/DPID channels, and at this point the service flow SFID and the data path CID/DPID correspond one to one. Therefore, when handling packets, the BS and the ASN-GW no longer need to decrypt and inspect the IP address of the packet, but can directly identify the gateway-local routed service flow from the CID and DPID, thus forwarding the data smoothly; this is also the theoretical basis on which packets are forwarded directly at the BS and the gateway ASN-GW without further processing.
III. Synchronization mechanism for the encryption algorithm and encryption key
After the design of the present invention is started, a signaling exchange mechanism is needed so that, through the design below, the two communicating users of the gateway-local route finally adopt the same encryption algorithm and encryption key. The present invention designs two signaling exchange modes: in the first, the gateway ASN-GW takes part in the negotiation between BS-1 (the base station of user MS-A) and BS-2 (the base station of user MS-B); in the other, BS-1 and BS-2 negotiate on their own without going through the ASN-GW.
A short explanation: because the R8 interface (the interface between base stations) is logical and may exist between any two BSs, BS-1 and BS-2 can negotiate directly without the ASN-GW taking part. Of course, if there is no direct connection between the two BSs in the actual network, the ASN-GW can act as a bridge to ensure that the negotiation proceeds smoothly. So this signaling exchange mechanism has two implementations: the ASN-GW not taking part in the negotiation of the security association SA and encryption key TEK, and the ASN-GW taking part in the negotiation of the security association SA and encryption key TEK.
The two schemes are introduced separately below.
ASN-GW does not take part in the negotiation of SA and TEK
In the initial stage of communication between gateway-local routed users, the users have already been mapped to corresponding SAs and allocated initial TEKs for data encryption; therefore the core of the negotiation process is to negotiate, through signaling exchange between the base stations, the encryption algorithm and encryption key to be adopted by the two communicating users, so that through base-station configuration the users finally adopt the same encryption algorithm and encryption key. The specific negotiation process is shown in Figure 10.
Figure 10 is explained as follows:
(1) The Message1 message is sent from the ASN-GW to BS-1. Its main parameters are shown in Table 1 below:
Table 1 Message1 message parameters: IP address of BS | SFID-A | SFID-B
Table 1 is explained as follows:
A. The first field is the IP address of a BS; in the Message1 message of Figure 10 this is the IP address of BS-2. After BS-1 receives this message, it sends the subsequent Message messages to BS-2 according to this IP address. This field is included in Message1 so that messages can be exchanged directly between BS-1 and BS-2 for the negotiation.
B. The second and third fields are service flow identifiers: SFID-A is the service flow newly established by BS-1 for the gateway-local routing service of MS-A, and SFID-B is the service flow newly established by BS-2 for the gateway-local routing service of MS-B. SFID-A/SFID-B are included in this message field so that the BS can find the corresponding SA from the corresponding service flow.
C. After receiving Message1, BS-1 finds the SA1 to which MS-A is mapped according to SFID-A, places the set of encryption algorithms supported by MS-A in the Message2 message field, and prepares the next step of negotiation.
(2) Message2, Message3 and Message4 are sent over the R8 interface.
Message2, Message3 and Message4 are described in detail below.
A. Message2 is sent from BS-1 to BS-2; its main purpose is for BS-1 to inform BS-2 of the set of encryption algorithms supported by MS-A (in the form of an encryption algorithm list). Its main parameters are shown in Table 2 below.
Table 2 Message2 message parameters: SFID-A | SFID-B | encryption algorithm list
Table 2 is explained as follows:
(1) The third field, "encryption algorithm list", is the algorithm set supported by user MS-A (this information comes from base station BS-1, which has held the information on the encryption algorithms supported by MS-A since MS-A's network entry authentication).
(2) After BS-2 receives Message2, it first finds the SA2 corresponding to MS-B according to the "SFID-B" entry, and then compares the encryption algorithm corresponding to SA2 with the "encryption algorithm list" supported by MS-A.
There are two comparison results: the encryption algorithm corresponding to SA2 has no intersection with the "encryption algorithm list" supported by MS-A, which means that SA2 and the corresponding TEK need to be updated; or the encryption algorithm corresponding to SA2 is one of the "encryption algorithm list", in which case SA2 need not be updated and only the TEK of MS-B needs to be updated.
The specific method of updating SA2 and the corresponding TEK is: select from the "encryption algorithm list" an encryption algorithm supported by both MS-A and MS-B, then select a suitable SA for MS-B and allocate a TEK again; the method is shown in Figure 11.
The method of updating only the TEK for MS-B is shown in Figure 12.
Figure 11 is explained as follows:
(1) After BS-2 has selected a suitable SA for MS-B, it updates the SA for MS-B and allocates a TEK again through DSC messages. The DSC messages consist of the three messages shown in Figure 4.7.
(2) The DSC-REQ message field carries the SAID of the SA selected by BS-2 for MS-B; through the interaction with MS-B, BS-2 updates MS-B to the selected SA.
(3) After MS-B has been updated to the new SA, it applies to BS-2 for a new TEK through a Key Request message, and BS-2 allocates it a new TEK in a Key-Reply message.
Figure 12 is explained as follows:
(1) BS-2 sends a TEK Invalid message to MS-B, notifying MS-B that its TEK is invalid; MS-B then applies to BS-2 for a new TEK.
(2) MS-B applies to BS-2 for a new TEK through a Key Request message, and BS-2 allocates it a new TEK in a Key Reply message.
B. Message3 is sent from BS-2 to BS-1; its main purpose is for BS-2 to inform BS-1 of the encryption algorithm selected for MS-B and the TEK allocated. Its main parameters are shown in Table 3 below.
Table 3 Message3 message parameters: SFID-B | SFID-A | selected encryption algorithm | TEK information
Table 3 is explained as follows:
(1) After BS-1 receives Message3, it finds the SA1 corresponding to the local routing service of MS-A according to SFID-A;
(2) It compares the "selected encryption algorithm" entry of Table 3 with the encryption algorithm corresponding to SA1. There are two results: if both are the same, SA1 need not be updated and only the TEK for MS-A is updated (the TEK update method is as in Figure 12); if they differ, SA1 is updated according to the "selected encryption algorithm" to a suitable SA (one whose algorithm is the "selected encryption algorithm"), and the TEK is updated according to the "TEK information" entry (the method of updating the SA and TEK is as in Figure 11).
C.Message4 message mails to BS-2 by BS-1, and this message mainly is the affirmation to above-mentioned message, is acknowledge message.Its major parameter is as shown in table 4 below.
SFID-B Confirm sign
Table 4 Message4 message parameter
His-and-hers watches 4 are done following explanation:
BS-1 returns Message4 message, accomplishes smoothly to confirm above-mentioned information interactive process; And BS-2 receives Message4 message, just representes that BS-1 has received the message of sending before the BS-2 smoothly.
ASN-GW participates in the negotiation of SA and TEK
The core of the negotiation process is the signalling exchange between the base stations about the encryption algorithm and encryption key adopted by the two communication users; the specific negotiation process is shown in Figure 13.
Regarding Figure 13:
(1) Message1 is sent by ASN-GW to BS-1. Its parameter is SFID-A, so that BS-1 can find SA1, the SA to which MS-A is mapped, from SFID-A and prepare to include the "encryption algorithm list" supported by MS-A in the Message2 message field.
(2) Message2 to Message5 are the core of this negotiation process.
Message2, Message3, Message4 and Message5 are described in detail below.
a. The main purpose of Message2 and Message3 is to inform BS-2 of the set of encryption algorithms supported by MS-A (in the form of an encryption algorithm list); the main parameters of the two messages are shown in Table 5 below:
SFID information | Encryption algorithm list
Table 5 Message2 and Message3 message parameters
Regarding Table 5:
(1) In Message2 the "SFID information" is SFID-A; in Message3 it is SFID-B. After ASN-GW receives Message2, it changes the SFID field in Message3 accordingly, based on the correspondence between uplink and downlink SFIDs.
(2) After BS-2 receives Message3, it first finds SA2, the SA corresponding to MS-B, from SFID-B, and then compares the encryption algorithm of SA2 with the "encryption algorithm list" supported by MS-A.
There are two possible comparison results. If the encryption algorithm of SA2 and the "encryption algorithm list" supported by MS-A have no intersection, SA2 and its TEK need to be updated. If the encryption algorithm of SA2 is one of the algorithms in the "encryption algorithm list", SA2 need not be updated and only the TEK of MS-B needs to be updated.
The specific method for updating SA2 and the corresponding TEK is: select from the "encryption algorithm list" an encryption algorithm supported by both MS-A and MS-B, then select a suitable SA for MS-B and distribute a TEK; the method is as shown in Figure 11 above. The method for updating the TEK of MS-B is as shown in Figure 12 above and is not repeated here.
B. Message4 and Message5 are mainly used by BS-2 to inform BS-1 of the selected encryption algorithm and the distributed TEK. The main parameters of the two messages are shown in Table 6 below:
SFID information | Selected encryption algorithm | TEK information
Table 6 Message4 and Message5 message parameters
Regarding Table 6:
I. In Message4 the "SFID information" is SFID-B; in Message5 it is SFID-A. The SFID field is likewise modified as the message passes through ASN-GW.
II. After BS-1 receives Message5, it finds SA1 from SFID-A and compares the "selected encryption algorithm" of Table 6 with the encryption algorithm of SA1. There are two results: if they are identical, SA1 need not be updated and only the TEK needs to be updated; if they differ, SA1 is updated to a suitable SA according to the "selected encryption algorithm", and the TEK is updated.
(3) Message6 and Message7 are simple acknowledgement messages. Message6 is BS-1's confirmation to ASN-GW that it successfully received the messages sent by ASN-GW, and Message7 is ASN-GW's confirmation to BS-2 that it successfully received the messages sent by BS-2. The main parameters of the two messages are shown in Table 7 below.
SFID information | Confirmation flag
Table 7 Message6 and Message7 message parameters
Through either of the two negotiation modes above, the two communication users on the same gateway local route adopt the same encryption algorithm and encryption key, and the core procedure of this scheme is complete.
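The two negotiation modes above, as an added example that is not part of the patent's own text: the direct R8 exchange of Figure 10 (Message1 to Message4) and the gateway-relayed exchange of Figure 13 (Message2 to Message7, where ASN-GW rewrites the SFID field). The decision each base station takes on the algorithm comparison follows Tables 2, 3, 5 and 6. Algorithm names, SFID and SAID values, the BS-2 IP address and the 16-byte TEK are constructed placeholders, and the on-air DSC / Key Request / Key Reply exchanges of Figures 11 and 12 are reduced to the resulting SA and TEK state.

```python
"""Added example: the BS-1 / BS-2 algorithm and TEK negotiation of Figures 10 and 13.
All identifiers below are constructed; they are not values from the patent."""
import secrets
from dataclasses import dataclass, field


@dataclass
class SecurityAssociation:
    said: int
    algorithm: str
    tek: bytes


@dataclass
class BaseStation:
    name: str
    sa_by_sfid: dict          # SFID of the local-route service flow -> SecurityAssociation
    supported_by_sfid: dict   # SFID -> algorithm list the MS reported at network entry
    log: list = field(default_factory=list)

    def handle_algorithm_list(self, sfid_b, algorithm_list):
        """BS-2 side (Table 2 / Table 5): compare SA2's algorithm with MS-A's list."""
        sa2 = self.sa_by_sfid[sfid_b]
        if sa2.algorithm in algorithm_list:
            # SA2 is kept; only MS-B's TEK is refreshed (Figure 12 path)
            sa2.tek = secrets.token_bytes(16)
            self.log.append("update-TEK-only")
        else:
            # pick an algorithm both MSs support, move MS-B to a matching SA, issue a TEK (Figure 11 path)
            common = [a for a in algorithm_list if a in self.supported_by_sfid[sfid_b]]
            if not common:
                raise ValueError("no encryption algorithm common to MS-A and MS-B")
            sa2.algorithm = common[0]
            sa2.tek = secrets.token_bytes(16)
            self.log.append("update-SA-and-TEK")
        # Table 3 / Table 6 fields carried back towards BS-1
        return {"selected_algorithm": sa2.algorithm, "tek_info": sa2.tek}

    def handle_selection(self, sfid_a, selected_algorithm, tek_info):
        """BS-1 side (Table 3 / Table 6): align SA1 with the selected algorithm and TEK."""
        sa1 = self.sa_by_sfid[sfid_a]
        if sa1.algorithm == selected_algorithm:
            self.log.append("update-TEK-only")
        else:
            sa1.algorithm = selected_algorithm
            self.log.append("update-SA-and-TEK")
        sa1.tek = tek_info  # MS-A takes the TEK distributed by BS-2, so both users share one key
        return {"confirm": 1}


def negotiate_direct(bs1, bs2, sfid_a, sfid_b):
    """Figure 10: ASN-GW sends Message1 (BS-2 IP, SFID-A, SFID-B); BS-1 and BS-2 then talk over R8."""
    message1 = {"bs2_ip": "192.0.2.2", "sfid_a": sfid_a, "sfid_b": sfid_b}  # constructed address
    peer = message1["bs2_ip"]  # BS-1 addresses all further messages to this IP
    message2 = {"sfid_a": sfid_a, "sfid_b": sfid_b, "algorithm_list": bs1.supported_by_sfid[sfid_a]}
    message3 = bs2.handle_algorithm_list(message2["sfid_b"], message2["algorithm_list"])
    message4 = dict(bs1.handle_selection(sfid_a, message3["selected_algorithm"], message3["tek_info"]),
                    sfid_b=sfid_b)
    return message4["confirm"] == 1 and peer == message1["bs2_ip"]


def negotiate_via_gateway(bs1, bs2, sfid_a, sfid_b):
    """Figure 13: every message passes through ASN-GW, which rewrites the SFID field."""
    up_to_down, down_to_up = {sfid_a: sfid_b}, {sfid_b: sfid_a}
    message2 = {"sfid": sfid_a, "algorithm_list": bs1.supported_by_sfid[sfid_a]}
    message3 = dict(message2, sfid=up_to_down[message2["sfid"]])            # ASN-GW: SFID-A -> SFID-B
    message4 = dict(bs2.handle_algorithm_list(message3["sfid"], message3["algorithm_list"]), sfid=sfid_b)
    message5 = dict(message4, sfid=down_to_up[message4["sfid"]])            # ASN-GW: SFID-B -> SFID-A
    message6 = bs1.handle_selection(message5["sfid"], message5["selected_algorithm"], message5["tek_info"])
    message7 = {"sfid": sfid_b, "confirm": message6["confirm"]}             # ASN-GW acknowledges BS-2
    return message7["confirm"] == 1


def make_pair(sa1_alg, sa2_alg, ms_a_supported, ms_b_supported):
    """Constructed BS-1 / BS-2 pair: SFID 10 and SAID 1 for MS-A, SFID 20 and SAID 2 for MS-B."""
    bs1 = BaseStation("BS-1", {10: SecurityAssociation(1, sa1_alg, secrets.token_bytes(16))}, {10: ms_a_supported})
    bs2 = BaseStation("BS-2", {20: SecurityAssociation(2, sa2_alg, secrets.token_bytes(16))}, {20: ms_b_supported})
    return bs1, bs2


if __name__ == "__main__":
    bs1, bs2 = make_pair("AES-CCM", "DES-CBC", ["AES-CCM", "AES-CTR"], ["AES-CCM", "DES-CBC"])
    negotiate_direct(bs1, bs2, 10, 20)
    print(bs1.log, bs2.log, bs1.sa_by_sfid[10].algorithm, bs1.sa_by_sfid[10].tek == bs2.sa_by_sfid[20].tek)
```

In both modes the end state is the same: SA1 and SA2 carry one algorithm and one TEK, and the log records which of the two branches (SA plus TEK, or TEK only) each base station took. The gateway-relayed variant differs only in the SFID rewriting, which is why a single pair of handler methods serves both exchanges.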
In addition, the method proposed by the present invention for synchronizing the encryption algorithm and communication key of two communication users must also solve two key problems.
Problem one: how packets are handled during the synchronization and update of the two users' TEKs.
A TEK has a lifetime; it is updated within a preset period (the WiMAX standard specifies a minimum of 30 min and a maximum of 7 days). Therefore, at a given moment a mobile user may hold two TEKs at once (the so-called new and old TEKs), and the user can encrypt packets with either of them. At the same time, when this scheme is implemented, some time is needed (although extremely short, just the transmission time of the signalling) from determining whether the two users are under the same gateway to the synchronization of the two users' encryption algorithm and encryption key. During this period, packets encrypted with the old TEK may still arrive at the base station BS, and these packets should preferably not be discarded. The base station therefore has to decide how to handle them, so this scheme designs a corresponding handling mechanism.
After the two communication users have adopted the same encryption algorithm and encryption key through negotiation, for uplink data the base station can forward the packets directly to the upper layer without any processing; for downlink data the base station likewise performs no encryption or decryption and delivers the packets directly to the user over the air interface.
During the synchronization period of the two users' TEKs, the TEKs of the two communication users differ, so the base station must still process the packets according to the normal packet-processing flow.
Likewise, during a TEK update of a given user, packets may be encrypted with either the new or the old TEK; the base station can tell new from old TEK through the EKS field of the MAC header. Therefore, when a user on the gateway local route updates its TEK, the base stations can still synchronize the TEK through the Message messages of Figure 13 and Figure 10. For example, when user MS-A is about to update its TEK, base station BS-1 can synchronize the communication user's new TEK with base station BS-2 through Message4, Message5, Message6 and Message7 of Figure 13, or Message3 and Message4 of Figure 10; after the user's TEK update both users still encrypt with the same TEK, which completes the synchronization process for the TEK update period. Likewise, during the TEK update period the problem that synchronization cannot be complete also exists; the solution is that, during this extremely short time (several signalling exchange times between the base stations), packets follow the normal packet flow.
Considering that real equipment usually uses forwarding tables when forwarding, we designed Table 8 to solve problem one. Its main parameters are shown in the table below.
MS uplink CID-A | MS downlink CID-B | TEK flag bit (0: different; 1: identical) | TEK ID flag bit (0: TEK not being updated; 1: updating)
Table 8 Reference table for packet handling before and after TEK synchronization and update
Regarding Table 8:
(1) The WiMAX standard specifies that uplink and downlink connections may use different CIDs, so the first two parameters of Table 8 are CID information. Two CID entries are provided so that a complete data exchange path of a local route, comprising both the uplink and the downlink data path, can be identified. If for a given user the uplink and downlink connections use the same CID, the first two entries of Table 8 can be merged into a single CID entry. How many CID entries Table 8 has depends on the concrete WiMAX system implementation: there may be one CID entry or two.
(2) The initial value of the "TEK flag bit" entry is "0", indicating that the TEKs of the two communication users are not synchronized; if the flag value is "1", the two users' TEKs are synchronized.
The "TEK flag bit" is updated at two moments. First, after the negotiation process between the base stations completes, the base station automatically fills in the TEK flag bit of Table 8 and sets it to "1"; otherwise it always stays "0". Second, when a user's TEK update begins, the TEK flag bit is set to "0"; after the base stations have performed the negotiation for the updated TEK, the base station automatically fills in the TEK flag bit of Table 8 and sets it to "1", indicating that the synchronization process for the TEK update period has completed.
(3) The "TEK ID flag bit" entry is synchronized with the TEK update; its purpose is to identify whether the TEK is in an update period. If the TEK is in an update period, the "TEK ID flag bit" is automatically set to "1"; otherwise it is always "0". This flag bit is provided for ease of management by the base station BS: by combining the "TEK ID flag bit" and the "TEK flag bit", the user's TEK state can be seen clearly.
The relation between the values of the "TEK flag bit" and "TEK ID flag bit" entries is as follows: during a TEK update period the "TEK ID flag bit" is "1" and the "TEK flag bit" is "0"; outside a TEK update period the "TEK ID flag bit" is "0" and the "TEK flag bit" takes its value according to whether the negotiation process has completed. It is updated at two moments: completion of the negotiation process between the base stations, and completion of the negotiation process between the base stations for a TEK update.
The flow by which base station BS handles packets according to Table 8 is shown in Figure 14.
Regarding Figure 14:
(1) After receiving a packet, base station BS takes the CID from the packet header and looks it up in Table 8 to learn whether the packet is one that needs handling.
(2) If it is such a packet, the "TEK flag bit" in Table 8 is checked: if "1", the TEKs of the two communication users are synchronized and the packet is forwarded directly without processing; if "0", the two users' TEKs are not synchronized and the packet goes through the normal processing flow.
(3) For ease of management by base station BS, the "TEK ID flag bit" in Table 8 can be checked further: if this flag bit is "1", the TEK is in an update period; if "0", the TEK is in a synchronization period. In fact, in both cases the packet goes through the normal processing flow.
Through the establishment of Table 8, base station BS can classify and forward packets well, and through the update management of the flag bits, problem one is solved.
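Table 8 and the Figure 14 decision flow, as an added example that is not part of the patent's own text: a base station keeps one entry per local-route path, the two flag bits are driven by the three update moments described in explanations (2) and (3), and each received packet is classified by CID lookup. The CID values are constructed; the entry layout (uplink CID, downlink CID, TEK flag bit, TEK ID flag bit) is the one Table 8 gives, with the one-CID case from explanation (1) handled by passing a single CID.

```python
"""Added example: Table 8 maintained by a base station and the Figure 14 packet flow.
CID values used with it are constructed placeholders."""
from dataclasses import dataclass


@dataclass
class Table8Entry:
    cid_up: int            # MS uplink CID-A
    cid_down: int          # MS downlink CID-B (same as cid_up when one CID is used)
    tek_flag: int = 0      # 0: the two users' TEKs differ, 1: identical (initial value 0)
    tek_id_flag: int = 0   # 0: not in a TEK update period, 1: TEK being updated


class Table8:
    def __init__(self):
        self._by_cid = {}  # either CID of a path -> its entry

    def add(self, cid_up, cid_down=None):
        """Register a local-route path; a single CID covers both directions when cid_down is omitted."""
        entry = Table8Entry(cid_up, cid_up if cid_down is None else cid_down)
        self._by_cid[entry.cid_up] = entry
        self._by_cid[entry.cid_down] = entry
        return entry

    def lookup(self, cid):
        return self._by_cid.get(cid)

    # Update moment 1: the negotiation between the base stations has completed.
    def on_negotiation_complete(self, cid):
        entry = self._by_cid[cid]
        entry.tek_flag, entry.tek_id_flag = 1, 0

    # Update moment 2a: a user's TEK update begins, so the TEKs are out of step again.
    def on_tek_update_start(self, cid):
        entry = self._by_cid[cid]
        entry.tek_flag, entry.tek_id_flag = 0, 1

    # Update moment 2b: the base stations have negotiated the new TEK.
    def on_tek_update_negotiated(self, cid):
        entry = self._by_cid[cid]
        entry.tek_flag, entry.tek_id_flag = 1, 0


def tek_state(entry):
    """Combined reading of the two flag bits, as explanation (3) describes."""
    if entry.tek_flag == 1:
        return "synchronized"
    return "updating" if entry.tek_id_flag == 1 else "synchronizing"


def classify_packet(table, cid):
    """Figure 14: 'forward' (no processing), 'normal' (standard WiMAX flow) or
    'not-local-route' when the CID is absent from Table 8."""
    entry = table.lookup(cid)
    if entry is None:
        return "not-local-route"          # step (1): not a packet this scheme handles
    if entry.tek_flag == 1:
        return "forward"                  # step (2): TEKs synchronized
    return "normal"                       # step (3): both sub-cases go through the normal flow


if __name__ == "__main__":
    table = Table8()
    entry = table.add(0x0101, 0x0102)     # constructed uplink / downlink CIDs
    print(classify_packet(table, 0x0101), tek_state(entry))
    table.on_negotiation_complete(0x0101)
    print(classify_packet(table, 0x0102), tek_state(entry))
```

The `tek_state` helper only reads the flags; the forwarding decision in `classify_packet` depends on the TEK flag bit alone, which matches step (3) of Figure 14, where the TEK ID flag bit distinguishes the two "normal flow" cases but does not change the outcome.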
Problem two: how base station BS tells gateway ASN-GW which packets need no processing and can be forwarded directly.
Packets from base station BS to gateway ASN-GW may be encrypted and tunnel-encapsulated (the encryption of these packets is basically network-layer IP packet encryption, such as IPSec). After the present design is implemented, two communication users under the same ASN-GW adopt the same encryption algorithm and encryption key, which means the two users' communication packets are fully transparent to each other: a user's encrypted packets can be delivered directly to the other user, who can decrypt them completely with its own key and obtain the communication plaintext.
According to the WiMAX standard, data frames that a terminal delivers to a BS over the air interface are payload-encrypted, so the packets the BS receives are the communication ciphertext encrypted with the terminal's key. After this scheme is implemented, because the data transmitted between the two communication users can be decrypted by each other, one goal is reached: on the uplink data path, the data that BS delivers to ASN-GW can be passed to gateway ASN-GW directly without any processing; on the downlink data path, the data that ASN-GW delivers to BS is likewise left unprocessed, delivered directly to the BS, and then sent down to the correspondent node over the air interface, which can obviously decrypt the packets after receiving them. In this way the uplink BS saves the decryption, encryption and encapsulation steps, ASN-GW saves the decapsulation and encapsulation steps, and the downlink BS saves the decapsulation, decryption and encryption steps, so the data transfer overhead of the WiMAX network is reduced and processing efficiency is significantly improved.
This processing does not continue uninterrupted, because a small fraction of the packets are sent during a TEK update period or before the TEKs of the two communication users have been synchronized, and those packets must still be processed according to the flow specified by the WiMAX standard (as shown in Figure 4). Therefore, when BS delivers packets to ASN-GW, BS must tell ASN-GW which packets need no processing and can be forwarded directly. This is problem two of the scheme.
After the gateway routing security scheme proposed by the present invention is implemented, the base station sends packets directly to the gateway, and the gateway forwards them directly without any processing; but packets sent while the TEKs are not synchronized or during a TEK update period go through the normal packet flow, i.e. the base station decrypts the packet, tunnel-encapsulates and re-encrypts it, and then forwards it upward, at which point the gateway must decapsulate the packet. Thus, throughout the implementation of the scheme, the gateway must apply the above two different processing procedures to the packets of the communication. The base station therefore needs to tell the gateway which packets need no processing and can be forwarded directly.
The present invention proposes the following method to solve problem two: a flag bit is set in the MAC header of the packet. This method is introduced below.
The WiMAX standard specifies that packet encryption encrypts the MAC frame payload, so the network layer of the packet, including the IP header, is fully encrypted. Therefore a flag bit can only be set at the MAC layer of the packet. There are two common choices when selecting the flag bit: a reserved bit in the data frame, or a reserved bit of some field in the data frame. Only one bit needs to be chosen as the flag: if the flag bit is "0", the packet is an ordinary packet; if the flag bit is "1", the packet is a gateway local route packet. The base station is responsible for filling in the flag bit; after the gateway receives a local route packet, it can tell whether the packet can be forwarded directly by checking this flag bit.
In real networks, the layer-2 network between base station and gateway is mostly Ethernet or MPLS, and choosing one reserved bit there as the flag bit is feasible. The processing flow of base station and gateway when handling problem two with this method is shown in Figure 15.
Regarding Figure 15:
(1) Assume the data stream flows from base station BS-1 to base station BS-2. When handling a packet, BS-1 can identify gateway local route packets through the CID field of the packet header; it then checks whether the "TEK flag bit" in Table 8 is "1". If it is "1", the packet can be forwarded directly, and BS-1 sets the flag bit of these packets according to the method above to the value "1", to tell the gateway to forward them directly. For packets that the base station cannot forward directly, the selected flag bit is set to "0".
(2) After gateway ASN-GW receives a packet, it checks the flag bit set in the frame header: if "1", the gateway forwards the packet directly; if "0", the packet goes through the usual processing flow.
(3) After the receiving-side base station BS-2 receives a packet, it checks the "TEK flag bit" in Table 8: if "1", the packet is forwarded directly down over the air interface; if "0", the packet goes through the usual processing flow. In fact, BS-2 can also decide by checking the flag bit set in the packet; here the flag bit serves as a further confirmation, i.e. on the basis of Table 8 the set flag bit is checked again. If the flag bit is "1", the packet can be forwarded directly.
To emphasize: when packets follow the normal flow, at the uplink base station (e.g. BS-1 in Figure 15) the packet must be decrypted, tunnel-encapsulated and encrypted before being forwarded to the upper-layer gateway; at the gateway the packet must be tunnel-decapsulated, decrypted and re-encrypted before being sent to the downlink base station; and at the downlink base station (e.g. BS-2 in Figure 15) the packet must be tunnel-decapsulated, decrypted and re-encrypted before being delivered to the terminal over the air interface. In problem one, packets follow the normal flow during the TEK synchronization and TEK update periods, and the normal flow for packets in problem two is the same.
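The Figure 15 flow, as an added example that is not part of the patent's own text: BS-1 looks up the TEK flag bit for the packet's CID, sets one spare bit in the MAC header accordingly, ASN-GW reads that bit to choose between direct forwarding and the usual processing path, and BS-2 checks its own Table 8 and then the bit as a further confirmation. The patent leaves the choice of bit open; this example models it, as an assumption, as the single reserved bit of the IEEE 802.16 generic MAC header (HT, EC, Type, ESF, CI, EKS, Rsv, LEN, CID, HCS), which also exposes the EKS field the description relies on to tell new from old TEK. The CIDs and the Table 8 contents passed in are constructed.

```python
"""Added example: marking local-route packets with a MAC-header flag bit (Figure 15).
The header layout is the generic 802.16 MAC header as modelled here; CIDs are constructed."""


def crc8(data, poly=0x07):
    """CRC-8 with generator x^8 + x^2 + x + 1, used here as the header check sequence."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = ((crc << 1) ^ poly) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc


def pack_gmh(cid, length, eks=0, encrypted=True, local_route_flag=0):
    """Build a 6-byte generic MAC header; local_route_flag is written into the Rsv bit."""
    b0 = (0 << 7) | (int(encrypted) << 6) | 0                 # HT=0 (generic), EC, Type=0
    b1 = ((eks & 0x3) << 4) | ((local_route_flag & 1) << 3) | ((length >> 8) & 0x7)  # ESF=0, CI=0
    b2 = length & 0xFF
    head = bytes([b0, b1, b2, (cid >> 8) & 0xFF, cid & 0xFF])
    return head + bytes([crc8(head)])


def unpack_gmh(header):
    """Parse the header, rejecting a corrupted one so a flipped flag bit is not trusted blindly."""
    if len(header) != 6 or crc8(header[:5]) != header[5]:
        raise ValueError("bad header check sequence")
    return {
        "ec": (header[0] >> 6) & 1,
        "eks": (header[1] >> 4) & 0x3,               # EKS: which TEK (new/old) encrypted the payload
        "local_route_flag": (header[1] >> 3) & 1,    # the chosen spare bit
        "length": ((header[1] & 0x7) << 8) | header[2],
        "cid": (header[3] << 8) | header[4],
    }


def bs1_mark(table8_tek_flag, cid, payload, eks=0):
    """Step (1): BS-1 reads the TEK flag bit for this CID from Table 8 and sets the header bit.
    table8_tek_flag maps CID -> TEK flag bit (a constructed stand-in for Table 8)."""
    flag = 1 if table8_tek_flag.get(cid) == 1 else 0
    return pack_gmh(cid, 6 + len(payload), eks=eks, local_route_flag=flag) + payload


def gateway_decide(frame):
    """Step (2): ASN-GW forwards directly when the bit is 1, otherwise runs the usual flow."""
    fields = unpack_gmh(frame[:6])
    return "forward" if fields["local_route_flag"] == 1 else "normal"


def bs2_decide(table8_tek_flag, frame):
    """Step (3): BS-2 consults its own Table 8 first and uses the header bit as confirmation."""
    fields = unpack_gmh(frame[:6])
    if table8_tek_flag.get(fields["cid"]) == 1 and fields["local_route_flag"] == 1:
        return "forward"
    return "normal"


if __name__ == "__main__":
    table8 = {0x0101: 1}                                   # constructed: TEKs synchronized for CID 0x0101
    frame = bs1_mark(table8, 0x0101, b"\x01\x02\x03")
    print(unpack_gmh(frame[:6]), gateway_decide(frame), bs2_decide(table8, frame))
```

Because the flag bit lives in the unencrypted MAC header, the gateway's decision never depends on reading the encrypted payload, which is exactly what the scheme needs; the HCS check in `unpack_gmh` is what keeps a damaged header from being misread as "forward directly".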
This concludes the detailed description of the design.

Claims (1)

1. A key synchronization method for communication between two users under the same access gateway in a WiMAX system, characterized in that it comprises the following steps:
Step 1: determine whether the two communicating users are under the same gateway (ASN-GW); if the result is that they are not under the same gateway, exit; if they are under the same gateway, proceed to the next step;
Step 2: establish an independent data path for the two communicating users based on the connection identifier (CID) and the data path identifier (DPID);
Step 3: synchronize the encryption algorithm and encryption key between the two communicating users. If the first communication user (MS-A) is managed by the first base station (BS-1) and the second communication user (MS-B) is managed by the second base station (BS-2), the specific synchronization method is as follows:
A. The gateway (ASN-GW) does not participate in the negotiation of the security association (SA) and encryption key (TEK), comprising the following steps:
A-1: the gateway (ASN-GW) sends a message to the first base station (BS-1); this message contains the IP address of the second base station (BS-2), the service flow identifier (SFID-A) established by the first base station and the service flow identifier (SFID-B) established by the second base station;
A-2: after the first base station (BS-1) receives the message sent by the gateway (ASN-GW), it finds the first security association (SA1) to which the first communication user (MS-A) is mapped according to the service flow identifier (SFID-A), includes the set of encryption algorithms supported by the first communication user (MS-A) in the second message field, and prepares the next step of the negotiation;
A-3: the first base station (BS-1) sends a message to the second base station (BS-2); this message contains the algorithm set supported by the first communication user (MS-A), the service flow identifier (SFID-A) established by the first base station and the service flow identifier (SFID-B) established by the second base station;
A-4: after the second base station (BS-2) receives the message sent by the first base station (BS-1), it finds the second security association (SA2) to which the second communication user (MS-B) is mapped according to the service flow identifier (SFID-B), and compares the encryption algorithm corresponding to the second security association (SA2) with the algorithm set supported by the first communication user (MS-A);
When the encryption algorithm corresponding to the second security association (SA2) and the algorithm set supported by the first communication user (MS-A) have no intersection, an encryption algorithm supported by both the first communication user (MS-A) and the second communication user (MS-B) is selected from the algorithm set supported by the first communication user (MS-A), and a suitable security association is then selected and an encryption key distributed for the second communication user (MS-B);
When the encryption algorithm corresponding to the second security association (SA2) is one of the algorithm set supported by the first communication user (MS-A), the encryption algorithm corresponding to the second security association (SA2) is adopted and the encryption key of the second communication user (MS-B) is updated;
A-5: the second base station (BS-2) sends a message to the first base station (BS-1); this message contains the service flow identifier (SFID-B) established by the second base station, the service flow identifier (SFID-A) established by the first base station, the encryption algorithm selected for the second communication user (MS-B) and the distributed encryption key;
A-6: the first base station (BS-1) sends an acknowledgement message to the second base station (BS-2), indicating that the first base station (BS-1) successfully received the message previously sent by the second base station (BS-2);
B. The gateway (ASN-GW) participates in the negotiation of the security association (SA) and encryption key (TEK), comprising the following steps:
B-1: the gateway (ASN-GW) sends a message to the first base station (BS-1); this message contains the service flow identifier (SFID-A) established by the first base station;
B-2: after the first base station (BS-1) receives the message, it finds the first security association (SA1) to which the first communication user (MS-A) is mapped according to the service flow identifier (SFID-A), includes the set of encryption algorithms supported by the first communication user (MS-A) in the second message field, and prepares the next step of the negotiation;
B-3: the first base station (BS-1) sends a message to the gateway (ASN-GW); this message contains the algorithm set supported by the first communication user (MS-A) and the service flow identifier (SFID-A) established by the first base station;
B-4: after the gateway (ASN-GW) receives the message, it replaces the service flow identifier (SFID-A) established by the first base station in the message with the service flow identifier (SFID-B) established by the second base station, and then sends the modified message to the second base station (BS-2);
B-5: after the second base station (BS-2) receives the message, it finds the second security association (SA2) to which the second communication user (MS-B) is mapped according to the service flow identifier (SFID-B), and compares the encryption algorithm corresponding to the second security association (SA2) with the algorithm set supported by the first communication user (MS-A);
When the encryption algorithm corresponding to the second security association (SA2) and the algorithm set supported by the first communication user (MS-A) have no intersection, an encryption algorithm supported by both the first communication user (MS-A) and the second communication user (MS-B) is selected from the algorithm set supported by the first communication user (MS-A), and a suitable security association is then selected and an encryption key distributed for the second communication user (MS-B);
When the encryption algorithm corresponding to the second security association (SA2) is one of the algorithm set supported by the first communication user (MS-A), the encryption algorithm corresponding to the second security association (SA2) is adopted and the encryption key of the second communication user (MS-B) is updated;
B-6: the second base station (BS-2) sends a message to the gateway (ASN-GW); this message contains the service flow identifier (SFID-B) established by the second base station, the encryption algorithm selected for the second communication user (MS-B) and the distributed encryption key;
B-7: after the gateway (ASN-GW) receives the message, it replaces the service flow identifier (SFID-B) established by the second base station in the message with the service flow identifier (SFID-A) established by the first base station, and then sends the modified message to the first base station (BS-1);
B-8: after the first base station (BS-1) receives the message, it compares the encryption algorithm selected in the message with the encryption algorithm corresponding to the first security association (SA1):
if the encryption algorithm corresponding to the first security association (SA1) and the encryption algorithm selected in the message are identical, the encryption algorithm corresponding to the first security association (SA1) is adopted and the encryption key of the first communication user (MS-A) is updated;
if the encryption algorithm corresponding to the first security association (SA1) and the encryption algorithm selected in the message are different, the encryption algorithm selected in the message is adopted and the encryption key of the first communication user (MS-A) is updated;
B-9: the first base station (BS-1) sends an acknowledgement message to the gateway (ASN-GW), indicating that it successfully received the previously sent message; the gateway (ASN-GW) then sends an acknowledgement message to the second base station (BS-2), indicating that it successfully received the previously sent message.
CN201210001450.3A 2012-01-05 2012-01-05 Key synchronization method for communication between two users accessing same access gateway in WIMAX system Expired - Fee Related CN102572829B (en)
Publications (2)

Publication Number Publication Date
CN102572829A true CN102572829A (en) 2012-07-11
CN102572829B CN102572829B (en) 2014-07-16

Family

ID=46417037

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201210001450.3A Expired - Fee Related CN102572829B (en) 2012-01-05 2012-01-05 Key synchronization method for communication between two users accessing same access gateway in WIMAX system

Country Status (1)

Country Link
CN (1) CN102572829B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102821435A (en) * 2012-08-07 2012-12-12 南京邮电大学 Local routing method for establishing data route in segmented mode in WiMAX (wireless metropolitan area network) system
CN113132924A (en) * 2021-04-19 2021-07-16 北京达源环保科技有限公司 Information transmission method and system for high-deployment-density sludge anaerobic digestion monitoring terminal

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101217364A (en) * 2007-12-28 2008-07-09 中国科学院计算技术研究所 An organization structure and maintenance method of security context in media accessing control system
US20100049969A1 (en) * 2006-12-21 2010-02-25 Tae-Shik Shon System and method for providing security in mobile WiMAX network system
US20100153725A1 (en) * 2008-12-16 2010-06-17 Koo Han Seung Traffic encryption key updating method using system synchronization and apparatus using the same
US20100205442A1 (en) * 2009-02-12 2010-08-12 Lg Electronics Inc. Method and apparatus for traffic count key management and key count management
CN102036230A (en) * 2010-12-24 2011-04-27 华为终端有限公司 Method for implementing local route service, base station and system

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100049969A1 (en) * 2006-12-21 2010-02-25 Tae-Shik Shon System and method for providing security in mobile WiMAX network system
CN101217364A (en) * 2007-12-28 2008-07-09 中国科学院计算技术研究所 An organization structure and maintenance method of security context in media accessing control system
US20100153725A1 (en) * 2008-12-16 2010-06-17 Koo Han Seung Traffic encryption key updating method using system synchronization and apparatus using the same
US20100205442A1 (en) * 2009-02-12 2010-08-12 Lg Electronics Inc. Method and apparatus for traffic count key management and key count management
CN102036230A (en) * 2010-12-24 2011-04-27 华为终端有限公司 Method for implementing local route service, base station and system

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
SYED SHABIH HASAN: "Security Concerns in WiMAX", 《INTERNET, 2009. AH-ICI 2009. FIRST ASIAN HIMALAYAS INTERNATIONAL CONFERENCE》 *

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102821435A (en) * 2012-08-07 2012-12-12 南京邮电大学 Local routing method for establishing data route in segmented mode in WiMAX (wireless metropolitan area network) system
CN113132924A (en) * 2021-04-19 2021-07-16 北京达源环保科技有限公司 Information transmission method and system for high-deployment-density sludge anaerobic digestion monitoring terminal
CN113132924B (en) * 2021-04-19 2022-01-21 北京达源环保科技有限公司 Information transmission method and system for high-deployment-density sludge anaerobic digestion monitoring terminal

Also Published As

Publication number Publication date
CN102572829B (en) 2014-07-16

Similar Documents

Publication Publication Date Title
CN113630773B (en) Safety implementation method, equipment and system
CN102036230B (en) Method for implementing local route service, base station and system
JP4523569B2 (en) Information encryption method and data communication system
US7945777B2 (en) Identification information protection method in WLAN inter-working
CN103155512B (en) System and method for providing secure access to service
CN108307355B (en) Multicast implementation method of LPWAN Internet of things
CN101180828B (en) Device and method for encrypting and transmitting data in combined network
CN103188351B (en) IPSec VPN traffic method for processing business and system under IPv6 environment
KR100749846B1 (en) Device for realizing security function in mac of portable internet system and authentication method using the device
CN101227376B (en) Equipment and method for virtual special-purpose network multi-case safe access
JP2012217207A (en) Exchange of key material
EP1495621A1 (en) Security transmission protocol for a mobility ip network
TW201720216A (en) Methods and apparatus for wireless communication using a security model to support multiple connectivity and service contexts
US9872175B2 (en) Packet processing method, apparatus, and system
KR20080086127A (en) A method and apparatus of security and authentication for mobile telecommunication system
CN101150396B (en) Method, network and terminal device for obtaining multicast and broadcast service secret key
CN102572829B (en) Key synchronization method for communication between two users accessing same access gateway in WIMAX system
KR100582409B1 (en) Method for creating Encryption Key in Wireless LAN
KR101451937B1 (en) Method of protecting an identity of a mobile station in a communications network
JP4158972B2 (en) Multi-hop communication method
CN103427985B (en) A kind of method that data encryption key is distributed to telecommunication terminal
CN101834722A (en) Communication method for encrypted equipment and unencrypted equipment hybrid networking
CN1996838A (en) AAA certification and optimization method for multi-host WiMAX system
CN101009597A (en) Subdivision method of the user network access style and network system
CN115037504A (en) Communication method and device

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
EE01 Entry into force of recordation of patent licensing contract
    Application publication date: 20120711
    Assignee: Jiangsu Nanyou IOT Technology Park Ltd.
    Assignor: Nanjing Post & Telecommunication Univ.
    Contract record no.: 2016320000207
    Denomination of invention: Key synchronization method for communication between two users accessing same access gateway in WIMAX system
    Granted publication date: 20140716
    License type: Common License
    Record date: 20161109
LICC Enforcement, change and cancellation of record of contracts on the licence for exploitation of a patent or utility model
EC01 Cancellation of recordation of patent licensing contract
    Assignee: Jiangsu Nanyou IOT Technology Park Ltd.
    Assignor: Nanjing Post & Telecommunication Univ.
    Contract record no.: 2016320000207
    Date of cancellation: 20180116
CF01 Termination of patent right due to non-payment of annual fee
    Granted publication date: 20140716
    Termination date: 20180105