CN102572829B - Key synchronization method for communication between two users accessing same access gateway in WIMAX system - Google Patents
Key synchronization method for communication between two users accessing same access gateway in WIMAX system Download PDFInfo
- Publication number
- CN102572829B CN102572829B CN201210001450.3A CN201210001450A CN102572829B CN 102572829 B CN102572829 B CN 102572829B CN 201210001450 A CN201210001450 A CN 201210001450A CN 102572829 B CN102572829 B CN 102572829B
- Authority
- CN
- China
- Prior art keywords
- base station
- message
- communication user
- cryptographic algorithm
- sfid
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Fee Related
Links
Landscapes
- Mobile Radio Communication Systems (AREA)
Abstract
The invention discloses a key synchronization method for communication between two users accessing the same access gateway in a worldwide interoperability for microwave access (WIMAX) system. The key synchronization method comprises the steps as follows: firstly, judging whether the two users in communication access the same gateway (ASN-GW), if not, quitting, otherwise, carrying out the next step; secondly, based on a connection ID (CID) and a delivery point ID (DPID), establishing an independent data path for the two users in communication; and lastly, synchronizing the encryption algorithm and the encryption key of the two users in communication. By adopting the technical scheme provided by the invention, a base station (BS) does not need to tautologically encrypt and decrypt a data packet, so that the load of the base station is reduced, and the processing efficiency of the base station is improved; and besides, the cost of processing the data package at the gateway (ASN-GW) is lowered to a certain extent, and the system efficiency is improved.
Description
Technical field
The present invention relates to cipher key synchronization method between the user in a kind of WIMA of being applied to mobile communication system.
Background technology
WIMAX (Worldwide Interoperability for Microwave Access, micro-wave access global inter communication) network can be divided into two parts, and as shown in Figure 1, a part is responsible for access, be called Access Network (ASN), as ASN-1, ASN-2, the ASN-3 of dotted line scope in Fig. 1; Another part is responsible for the functions such as authentication, core route, is called core net (CSN), as the CSN-1 in Fig. 1, CSN-2.Access Network (ASN) generally includes base station (BS) and gateway (ASN-GW) two parts.The major function of BS is to be connected with terminal MS by eating dishes without rice or wine, thereby makes terminal can be connected to WIMAX network.ASN-GW is the up outlet of Access Network, and it is responsible for functions such as the authentication of terminal, access routes.CSN mainly comprises certificate server and core route.CSN provides the home agent of MIP for terminal MS, and ASN-GW provides MIP external agent for terminal MS.When two terminal communications, their data path may pass through a plurality of ASN-GW, and forwards by CSN, for example MS-A in Fig. 1 and the communication between MS-E.
For a MS, the ASN-GW in the Access Network at the BS place that it is accompanying is called service IAD (Serving ASN-GW).The ASN-GW that the communication data of MS may pass through again other after Serving ASN-GW arrives CSN.MS is in moving process, it the data transfer path of process can change, but also have an invariant point, in data transfer path, that constant ASN-GW is called grappling IAD (Anchor ASN-GW), and this is called " grappling data path " function in WIMAX network.Anchor ASN-GW is connected with CSN by Interface R3.The Serving ASN-GW of a MS may be exactly Anchor ASN-GW simultaneously, for example, when MS has just networked.Give an example, as shown in Figure 2, to terminal MS-C, line 201 is former data path, data path when line 202 moves to certain base station of another Access Network for MS-C.Obviously, before MS-C is not mobile, ASN-GW-1 is its Serving ASN-GW and its Anchor ASN-GW; When MS-C moves to the position shown in Fig. 2, its Serving ASN-GW is ASN-GW-2, and its Anchor ASN-GW is still ASN-GW-1.
Simply introduce background knowledge relevant with this programme in WIMAX system below.
In WIMAX network, mainly contain two kinds of conventional authentication modes: the EAP authentication mode that the X.509 digital authenticating mode based on RSA (propose, continue to use in PKMv2 protocol version) and PKMv2 agreement are mainly supported in PKMv1 protocol version.No matter be which kind of mode, after authentication, authentication, MS can obtain legal authorization key (AK), be mapped to corresponding SA(security association, secure group), each user's service flow can be mapped to a SA, determines cryptographic algorithm and encryption key, and obtain the key that corresponding TEK(is terminal by SA).
For Revest-Shamir-Adleman Algorithm (RSA) authentication mode, this process is mainly divided into initial authorization process and licensing process, as shown in Figure 3.
Fig. 3 is briefly described:
(1), during initial authorization, BS carries out simple authentication to client terminal MS.BS can verify the digital certificate of terminal MS, after checking, uses public-key AK is encrypted, and the AK after encrypting is sent to the terminal MS of request AK.
(2), after initial authorization, terminal MS can send authorization request message to BS.Authorization request message mainly comprises: the cryptographic algorithm that X.509 digital certificate, terminal MS are supported, the basic CID of terminal MS.BS carries out identity discriminating to terminal MS, and selects associated encryption algorithm and agreement, and is terminal MS activation AK.The authorization response of BS mainly comprises: authorized sign SAID and the attribute information thereof that can obtain the SA of key information of AK, Ciphering Key Sequence Number (for identifying the AK in continuous two generations), cryptographic key existence cycle, terminal MS that uses terminal public key to encrypt.After terminal MS obtains effective AK and adds the SA of appointment, SAID that terminal MS identifies for each in authorization response message starts a TEK state machine, mutual by with BS of this state machine, and final terminal MS obtains business cipher key TEK.
For EAP authentication mode, its authentication framework remains the RSA mode based under PKMv1 agreement, and detailed process repeats no more.
MS accesses smoothly WIMAX system after above-mentioned authentication, verification process.Introduce below, now the normal data packet reciprocal process of two users in same gateway (ASN-GW) in WIMAX international standard.
In existing WIMAX network, if carry out service interaction between two terminal uses, because the encryption and decryption process of BS end is more loaded down with trivial details, and encryption and decryption process expense is also larger, can cause the expense of system larger (as time delay, power consumption etc.).As shown in Figure 4, if two terminal use MS-A under same ASN-GW communicate by letter with MS-B, its flow process is as follows:
(1) MS-A is with the traffic encryption key TEK-A of oneself by encryption of communicated data, and ciphertext is delivered to BS1;
The major parameter of explanation to SA: SA has SAID(to identify different SA), algorithm identifier (Cryptographic suite, sign adopts which kind of is encrypted, identifying algorithm), SA type (SA, static SA, dynamically SA) etc., the i.e. corresponding a kind of cryptographic algorithm of each SA; Each service flow can map to a certain SA, and this SA distributes corresponding TEK for the terminal MS of application TEK, and the TEK of distribution is just for the Data Packet Encryption of this service flow.
(2) after BS1 obtains expressly with TEK-A by encrypt data bag deciphering, then with IPSEC(, in standard, be optional) etc. cipher mode carry out the encryption of IP packet payload; Finally carry out after tunnel encapsulation, communication ciphertext transmits to upper strata ASN-GW.
(3) ASN-GW separates uplink tunnel encapsulation, and according to and BS2 between newly-built DPID gap marker, carry out downlink tunnel encapsulation, packet passes to BS2;
Illustrate: DPID is the gap marker between BS and ASN-GW and BS and BS, for identifying the data channel of logic; ASN-GW is when separating that uplink tunnel encapsulates and carry out downlink tunnel encapsulation, and main work is to carry out simple verification, and changes the DPID sign of tunnel header.
(4) BS2 unties tunnel encapsulation, and unties the IP packet acquisition plaintext that IPSEC encrypts, and finally uses the traffic encryption key TEK-B re-encrypted packet of MS-B, finally by air interface, issues MS-B;
(5) the traffic encryption key TEK-B deciphering of oneself for MS-B, obtains communication expressly.
(6) packet that MS-B mails to MS-A also experiences identical process, repeats no more.
In sum, no matter which kind of position relationship two users that communicating by letter are, at BS end, deliver to the upstream data bag of BS and will encrypt and could transmit to upper strata gateway again through deciphering; For downlink data, BS also will encrypt through deciphering again, could pass to by eating dishes without rice or wine user simultaneously.Simultaneously at ASN-GW end, between ASN-GW and BS, also may packet be correspondingly processed according to the cipher mode of both agreements (as verification etc.).Especially when letter data amount is larger, the encryption and decryption expense of base station and ASN-GW end is very large.
Summary of the invention
Technical problem to be solved by this invention is for the base station BS end relating in the background technology expense that encryption and decryption and tunnel encapsulation and decapsulation bring repeatedly, reduce processing delay and the power consumption of main network element, the efficiency that improves WIMAX system, two mobile subscribers that propose a kind of same gateway (ASN-GW) adopt the method for identical cryptographic algorithm and encryption key (TEK).
The present invention is for solving the problems of the technologies described above by the following technical solutions:
The cipher key synchronization method of two users' communication under same IAD in WIMAX system, comprises the following steps:
Step 1: judge that two users communicating by letter whether under same gateway (ASN-GW), if judged result is not under same gateway, exit; If at the next next step that enters of same gateway;
Step 2: be that two users that communicate set up independent data path based on connection identifier (CID) and gap marker (DPID);
Step 3: two cryptographic algorithm and encryption keys that communicate between user are carried out synchronously, if the first communication user (MS-A) belongs to the first base station (BS-1) management, second communication user (MS-B) belongs to the second base station (BS-2) management, and concrete synchronous method is as follows:
A. gateway (ASN-GW) does not participate in the negotiation of secure group (SA) and encryption key (TEK), comprises the following steps:
A-1, by gateway (ASN-GW), to the first base station (BS-1), send a message, this message comprises the IP address of the second base station (BS-2), the service flow sign (SFID-A) that the first base station is set up, the service flow sign (SFID-B) that the second base station is set up;
A-2, receive after the message of gateway (ASN-GW) transmission the first base station (BS-1), the first secure group (SA1) that finds the first communication user (MS-A) to be mapped to according to service flow sign (SFID-A), and the cryptographic algorithm collection of the first communication user (MS-A) support is included in the second message field, start to prepare next step negotiation;
A-3, by the first base station (BS-1), to the second base station (BS-2), send a message, this message comprises algorithm set, the service flow sign (SFID-A) of the first base station foundation, the service flow sign (SFID-B) of the second base station foundation that the first communication user (MS-A) is supported;
A-4, receive after the message of the first base station (BS-1) transmission the second base station (BS-2), the second secure group (SA2) that finds second communication user (MS-B) to be mapped to according to service flow sign (SFID-B), and compare the algorithm set of cryptographic algorithm corresponding to the second secure group (SA2) and the first communication user (MS-A) support;
When the algorithm set of cryptographic algorithm corresponding to the second secure group (SA2) and the first communication user (MS-A) support is not occured simultaneously, the algorithm set of supporting from the first communication user (MS-A), select the common a kind of cryptographic algorithm supported of the first communication user (MS-A) and second communication user (MS-B), again for second communication user (MS-B), select suitable secure group and distribute encryption key;
When cryptographic algorithm corresponding to the second secure group (SA2) belongs to a kind of in the algorithm set that the first communication user (MS-A) supports, adopt the corresponding cryptographic algorithm of the second secure group (SA2) to upgrade second communication user's (MS-B) encryption key;
A-5, by the second base station (BS-2), to the first base station (BS-1), send a message, this message comprises: the cryptographic algorithm that the service flow sign (SFID-A) that the service flow sign (SFID-B) that the second base station is set up, the first base station are set up, second communication user (MS-B) select and the encryption key of distribution;
A-6, sends an acknowledge message by the first base station (BS-1) to the second base station (BS-2), and expression the first base station (BS-1) has been received the message that the second base station (BS-2) sends before smoothly;
B. gateway (ASN-GW) participates in the negotiation of secure group (SA) and encryption key (TEK), comprises the following steps:
B-1, sends a message by gateway (ASN-GW) to the first base station (BS-1), and this message comprises the service flow sign (SFID-A) of setting up the first base station;
B-2, (BS-1) receives after message in the first base station, the first secure group (SA1) that finds the first communication user (MS-A) to be mapped to according to service flow sign (SFID-A), and the cryptographic algorithm collection of the first communication user (MS-A) support is included in the second message field, start to prepare next step negotiation;
B-3, sends a message by the first base station (BS-1) to gateway (ASN-GW), and this message comprises the algorithm set of the first communication user (MS-A) support, the service flow sign (SFID-A) that the first base station is set up;
B-4, gateway (ASN-GW) is received after message, the service flow sign (SFID-A) of being set up is revised as to the service flow sign (SFID-B) of setting up the second base station in message by the first base station, then amended message is sent to the second base station (BS-2);
B-5, (BS-2) receives after message in the second base station, the second secure group (SA2) that finds second communication user (MS-B) to be mapped to according to service flow sign (SFID-B), and compare the algorithm set of cryptographic algorithm corresponding to the second secure group (SA2) and the first communication user (MS-A) support;
When the algorithm set of cryptographic algorithm corresponding to the second secure group (SA2) and the first communication user (MS-A) support is not occured simultaneously, the algorithm set of supporting from the first communication user (MS-A), select the common a kind of cryptographic algorithm supported of the first communication user (MS-A) and second communication user (MS-B), again for second communication user (MS-B), select suitable secure group and distribute encryption key;
When cryptographic algorithm corresponding to the second secure group (SA2) belongs to a kind of in the algorithm set that the first communication user (MS-A) supports, adopt the corresponding cryptographic algorithm of the second secure group (SA2) to upgrade second communication user's (MS-B) encryption key;
B-6, sends a message by the second base station (BS-2) to gateway (ASN-GW), and this message comprises: the cryptographic algorithm that the service flow sign (SFID-B) that the second base station is set up, second communication user (MS-B) select and the encryption key of distribution;
B-7, gateway (ASN-GW) is received after message, the service flow sign (SFID-B) of being set up is revised as to the service flow sign (SFID-A) of setting up the first base station in message by the second base station, then amended message is sent to the first base station (BS-1);
B-8, the first base station (BS-1) receives after message, the cryptographic algorithm that the cryptographic algorithm of selecting in message is corresponding with the first secure group (SA1) compares,
The cryptographic algorithm corresponding when the first secure group (SA1) is identical with the cryptographic algorithm of selecting in message, adopts cryptographic algorithm corresponding to the first secure group (SA1) to upgrade the encryption key of the first communication user (MS-A);
The cryptographic algorithm corresponding when the first secure group (SA1) is not identical with the cryptographic algorithm of selecting in message, adopts the cryptographic algorithm of selecting in message to upgrade the encryption key of the first communication user (MS-A);
B-9, sends an acknowledge message by the first base station (BS-1) to gateway (ASN-GW), represents the message that it sends before having received smoothly; Then by gateway (ASN-GW), to the second base station (BS-2), send an acknowledge message, represent the message that it sends before having received smoothly.
The present invention adopts above technical scheme compared with prior art, has following technique effect:
(1), in WIMAX communication system, two communication users under same gateway A SN-GW can adopt identical cryptographic algorithm and encryption key (TEK).Like this, base station BS can alleviate the burden of base station BS to packet encryption and decryption repeatedly, has improved the treatment effeciency of base station.
(2) packet of delivering to gateway from base station BS can carry out the encryption and decryption of IP layer or transport layer again, has alleviated to a certain extent the processing data packets expense at ASN-GW place, has improved system effectiveness.
Accompanying drawing explanation
Fig. 1 is the basic network topology diagram of WIMAX.
Fig. 2 is the data path situation schematic diagram after terminal location moves.
Fig. 3 is the verification process figure under RSA mode.
Fig. 4 is the processing data packets procedure chart of two users' communication under same gateway (ASN-GW).
Fig. 5 is that MS-A is mapped to SA1 and obtains the process of TEK.
Fig. 6 is the process that ASN-GW takes a decision as to whether gateway local route.
Fig. 7 is that MS-B is mapped to SA2 and obtains the procedure chart of TEK.
Fig. 8 is independent upstream data path process of establishing figure.
Fig. 9 is independent downlink data path process of establishing figure.
Figure 10 is the flow chart of ASN-GW while not participating in the negotiation of SA and TEK.
Figure 11 is that BS2 is that MS-B upgrades SA the method flow diagram of distribution T EK again.
Figure 12 is that BS2 is the method flow diagram that MS-B upgrades TEK.
Figure 13 is the negotiations process figure that ASN-GW participates in.
Figure 14 is that TEK is synchronous, the processing procedure figure of packet in renewal process.
Figure 15 is the processing data packets flow chart of flag bit method.
Embodiment
Below in conjunction with accompanying drawing, technical scheme of the present invention is described in further detail:
i. the judgement of gateway local route and the startup of present design
The judgement of gateway local route, is the inquiry to the IP address of the packet of receiving based on gateway, judges that communicating pair is whether under same gateway.Judgement is after the packet of gateway local route, just can start the safety approach of the present invention's design.Therefore,, in order to understand better design of the present invention, be necessary to illustrate the deterministic process of gateway local route here.If gateway local route so just can start safety scheme.
Concrete judge thinking as: terminal in initial communication process according to normal WiMAX communication process, first packet is transmitted to upper strata, packet is sent to gateway always to upper strata, then takes a decision as to whether local routing by gateway, i.e. the judgement of gateway local route.
Illustrate now the decision process of gateway local route.
Existing hypothesis: user MS-A and user MS-B are under same gateway A SN-GW, and MS-A is attached to base station BS-1, and MS-B is attached to base station BS-2, MS-A transmission packet is to MS-B,, whole flow process is as follows:
(1) MS-A user initiates new service request, the newly-built service flow SFID-A of BS-1, and MS-A is mapped to SA1, and distributes corresponding encryption key TEK-A.After BS-1 decrypted data packet, packet arrives ASN-GW.
The process that MS-A is mapped to SA1 distribution T EK is as shown in Figure 5:
Fig. 5 is explained as follows:
(a) BS-1 is when creating a new service flow SFID-A, and MS-A sends DSA-REQ message request and adds certain SA, thereby BS-1 can be mapped to MS-A some secure group SA1 in DSA-RSP message; Or BS-1 also can directly be mapped to MS-A a certain SA1 by DSA-REQ message.
(b) be mapped to after SA1, MS-A will apply for TEK to corresponding SA1 by Key-Request request message; BS-1 informs MS-A by Key-Reply message by the TEK-A of distribution.
(c) after obtaining TEK-A, MS-A is sent to BS-1 by the Data Packet Encryption of this service flow and by eating dishes without rice or wine with TEK-A; First BS-1 can decipher this packet, is become expressly, then packet is carried out to tunnel encapsulation, encryption, is sent to ASN-GW.
(2) ASN-GW separates tunnel encapsulation, deciphering, and checks the object IP address of packet, according to the IP information table maintaining in this ASN-GW of IP address searching.If find that object IP address, within IP information table, illustrates that two users that communicating by letter are under same ASN-GW, start Safe Design Scheme of the present invention.The above-mentioned processing procedure of ASN-GW can represent with Fig. 6:
(3) simultaneously, in down link, BS-2 is newly-built service flow SFID-B also, and MS-B is mapped to SA2, and distributes corresponding encryption key TEK-B.As shown in Figure 7:
Here no longer describe Fig. 7 in detail, can be with reference to the explanation of Fig. 6, its process is identical.
the method for building up of the data path that II is independent
Here need to illustrate the prerequisite of setting up independent data transfer path.
Because the solution of different WiMAX solution providers is variant, the solution that the operator of country variant, different regions adopts finally also may be different on technology realizes.Therefore, if the WiMAX network in somewhere is that this result with the method (newly-built independent data path) of saying is below the same, has not therefore just needed newdata path again according to the corresponding CID/DPID link of each Business Stream.But the technology of the WiMAX network of different regions realizes may also have other modes.Such as, if according to CID link corresponding certain bandwidth requirement, and the multi-user service stream of identical qos requirement can transmit on this CID, just needing method is below the data transfer path of the newly-built uplink and downlink of user of gateway local route.
Be illustrated in fig. 8 shown below, if terminal MS-A is attached to base station BS-1, terminal MS-B is attached to base station BS-2, and terminal MS-A and terminal MS-B are under same ASN-GW, and terminal MS-A will communicate by letter with terminal MS-B, and the process of establishing of upstream data path as shown in Figure 8.
Fig. 8 is explained as follows:
(1) Anchor ASN-GW receives after packet from Serving ASN-GW, and the object IP address of searching packet in its IP address information table, take and confirm whether two communication users are gateway local routing user.After confirmation, Anchor ASN-GW utilizes the newly-built CID-A/ DPID-A passage of business datum that signaling message DSA-REQ is gateway local route by Serving ASN-GW, BS-1 to MS-A application;
(2) MS-A receives after DSA-REQ signaling message, obtains CID-A and corresponding grader, makes DSA-RSP respond by Serving ASN-GW, BS-1 to Anchor ASN-GW;
(3) Anchor ASN-GW receives after DSA-RSP signaling message, by Serving ASN-GW, BS-1, to MS-A, sends DSA-ACK acknowledge message.MS-A receives after DSA-ACK signaling message, just on newly-built CID-A/DPID-A, transmits data.
(4) data buffer storage that Anchor ASN-GW sends CID-A/DPID-A link.
The newly-built process of the data path of up link that Here it is, in like manner, we can obtain the newly-built process of data path of the down link shown in Fig. 9.
Fig. 9 is explained as follows:
(1) Anchor ASN-GW sends DSA-REQ message by Serving ASN-GW, BS-2 to MS-B, for MS-B sets up CID-B/DPID-B data channel.
(2) MS-B receives after DSA-REQ signaling message, returns to DSA-RSP signaling message, newly-built CID-B/DPID-B data channel.
(3) Anchor ASN-GW receives after DSA-RSP signaling message, by Serving ASN-GW, BS-2, to MS-B, sends DSA-ACK acknowledge message, then on CID-B/DPID-B, transmits data.
After setting up independent up-downgoing data path, two mobile subscribers' communication data just transmits on newly-built CID, DPID passage, and now, service flow SFID and data path CID/DPID are one to one.Therefore, BS and ASN-GW are when handle packet, can no longer decipher see packet IP address but directly according to the service flow of CID and DPID identification gateway local route, thereby realize the smooth forwarding of data, this is also that we do not process packet and the direct theoretical foundation forwarding at BS and gateway A SN-GW place.
the synchronization mechanism of III cryptographic algorithm and encryption key
After starting design of the present invention, need the Signalling exchange mechanism by our design below, finally make two communication users of gateway route adopt identical cryptographic algorithm and encryption key.The present invention has designed two kinds of Signalling exchange modes, first gateway A SN-GW participates in the base station at BS-1(user MS-A place) with the base station at BS-2(user MS-B place) negotiation, another kind of mode is to hold consultation separately between BS-1 and BS-2, and without passing through ASN-GW.
Here do a little and explain.Because R8 interface (interface between base station) is logic, may reside between any two BS, between BS-1 and BS-2, can directly consult like this and participate in without ASN-GW.Certainly, if between two BS of actual networking without direct correlation, ASN-GW can be used as bridge, guarantees carrying out smoothly of this negotiations process.So this Signalling exchange mechanism has two kinds of implementation: ASN-GW not participate in the negotiation of secure group SA and encryption key TEK and the negotiation that ASN-GW participates in secure group SA and encryption key TEK.
Specifically introduce respectively this two schemes below.
.ASN-GW do not participate in the negotiation of SA and TEK
In the starting stage of gateway local routing user communication, user has been mapped to corresponding SA, and distributed initial TEK for data encryption, therefore the core of negotiations process is exactly by the Signalling exchange between base station, consult two cryptographic algorithm and encryption keys that communication user is taked, finally the user that is arranged so that by base station adopts identical cryptographic algorithm and encryption key.Concrete negotiations process as shown in figure 10.
Figure 10 is explained as follows:
(1) Message1 message mails to BS-1 by ASN-GW.The major parameter of this message is as shown in table 1 below:
| The IP address of BS | SFID-A | SFID-B |
Table 1 Message1 message parameter
His-and-hers watches 1 are explained as follows:
A. first IP address that is BS, the IP address in Figure 10 in Meaaage1 message is the IP address of BS-2, BS-1 receives this message, will be according to this IP address the Message message after BS-2 sends.In Message1 message, contain this field for the ease of directly carrying out message negotiation between BS-1 and BS-2.
B. second and third is service flow sign, and SFID-A is that BS-1 is the newly-established service flow of gateway local routing service of MS-A; SFID-B is that BS-2 is the newly-established service flow of gateway local routing service of MS-B.In this message field, containing SFID-A/SFID-B, be in order to facilitate BS to find corresponding SA according to corresponding service flow.
C.BS-1, after receiving Message1 message, identifies the SA1 that finds MS-A to be mapped to according to SFID-A, and the cryptographic algorithm collection of MS-A support is included in Message2 message field, starts to prepare next step negotiation.
(2) Message2, Message3, Message4 message send by R8 interface.
Describe Message2, Message3, Meassage4 message below in detail.
A.Message2 message mails to BS-2 by BS-1, and the Main Function of this message is that the cryptographic algorithm collection (with the form of cryptographic algorithm list) that BS-1 supports MS-A is informed BS-2.Its major parameter is as shown in table 2 below.
| SFID-A | SFID-B | Cryptographic algorithm list |
Table 2 Message2 message parameter
His-and-hers watches 2 are explained as follows:
(1) the 3rd " cryptographic algorithm list " is the algorithm set (" cryptographic algorithm list " information field is from base station BS-1, and when MS-A networks authentication, BS-1 has just had the cryptographic algorithm information that MS-A supports) that user MS-A supports.
(2) BS-2 receives after Message2 message, first according to list item " SFID-B ", finds the SA2 that MS-B is corresponding, and " the cryptographic algorithm list " of the cryptographic algorithm that more once SA2 is corresponding and MS-A support.
Here " the cryptographic algorithm list " that have specifically cryptographic algorithm that two comparative result: SA2 are corresponding and MS-A to support do not occur simultaneously, and this just means need to upgrade SA2 and corresponding TEK; The cryptographic algorithm that SA2 is corresponding belongs to a kind of in " cryptographic algorithm list ", now does not need to upgrade SA2, only need to upgrade the TEK of MS-B.
The concrete grammar that upgrades SA2 and corresponding TEK is: from " cryptographic algorithm list ", select the common a kind of cryptographic algorithm supported of MS-A and MS-B, for MS-B selects suitable SA distribution T EK, method as shown in figure 11 again.
Only for the method for MS-B renewal TEK as shown in figure 12.
Figure 11 is explained as follows:
(1) BS-2 is after MS-B selects suitable SA, by DSC message, is that MS-B upgrades SA distribution T EK again.DSC message consists of three message that illustrate in 4.7, supports the use.
(2) in DSC-REQ message field, containing BS-2, be the SAID information of the selected SA of MS-B, BS-2 is by being updated to selected SA with MS-B mutual.
(3), after MS-B is updated to new SA, by Key Request message, to BS-2, apply for new TEK, BS-2 in Key-Reply message for it distributes new TEK.
Figure 12 is explained as follows:
(1) BS-2 sends TEK Invalid message to MS-B, and its TEK of notice MS-B is invalid, and MS-B applies for new TEK to BS-2.
(2) MS-B applies for new TEK by Key Request message to BS-2, BS-2 in Key Reply message for it distributes new TEK.
B.Message3 message mails to BS-1 by BS-2, and the Main Function of this message is: BS-2 will be that the selected cryptographic algorithm of MS-B and the TEK of distribution inform BS-1.Its major parameter is as shown in following table 4-3.
| SFID-B | SFID-A | Selected cryptographic algorithm | TEK information |
Table 3 Message3 message parameter
His-and-hers watches 3 are explained as follows:
(1) BS-1 receives after Message3 message, according to SFID-A, finds the SA1 that MS-A local route service is corresponding;
(2) according to the list item in table 3 " selected cryptographic algorithm " and cryptographic algorithm corresponding to SA1, relatively whether both are identical, have two comparative results: both are identical, do not need to upgrade SA1, only need to upgrade TEK method as Figure 12 for MS-A upgrades TEK(); Both are different, SA1 are updated to this SA of suitable SA(according to " selected cryptographic algorithm " identical with " selected cryptographic algorithm "), and the method for upgrading TEK(renewal SA and TEK according to list item " TEK information " is as Figure 11).
C.Message4 message mails to BS-2 by BS-1, and this message is mainly the confirmation to above-mentioned message, is acknowledge message.Its major parameter is as shown in table 4 below.
| SFID-B | Confirm sign |
Table 4 Message4 message parameter
His-and-hers watches 4 are explained as follows:
BS-1 returns to Message4 message, to confirm that above-mentioned information interactive process completes smoothly; And BS-2 receives Message4 message, just represent that BS-1 has received the message sending before BS-2 smoothly.
.ASN-GW participate in the negotiation of SA and TEK
The core of negotiations process is the cryptographic algorithm that adopts with regard to two communication users between base station and the Signalling exchange of encryption key, and concrete negotiations process as shown in figure 13.
Figure 13 is explained as follows:
(1) Message1 message mails to BS-1 by ASN-GW.The parameter of this message is SFID-A, is the SA1 in order to facilitate BS-1 to find corresponding MS-A to be mapped to according to SFID-A, and " the cryptographic algorithm list " of preparing MS-A to support is included in Message2 message field.
(2) core that Message2-5 message is this negotiations process.
To describe Message2, Message3, Message4 and Message5 message below in detail.
The Main Function of a.Message2, Message3 message is that the cryptographic algorithm collection (with the form of cryptographic algorithm list) that MS-A is supported is informed BS-2; The major parameter of two message is as shown in table 5 below:
| SFID information | Cryptographic algorithm list |
Table 5 Message2, Message 3 message parameters
His-and-hers watches 5 are explained as follows:
(1) in Message2 message, " SFID information " is SFID-A, and in Message3 message, " SFID information " is SFID-B.At ASN-GW, receive after Message2 message, can, according to the correspondence of uplink and downlink SFID, in Message3 message, SFID field be done to corresponding change.
(2) BS-2, after receiving Message3 message, first finds according to SFID-B the SA2 that MS-B is corresponding, " the cryptographic algorithm list " that the cryptographic algorithm that more once SA2 is corresponding and MS-A support.
Here " the cryptographic algorithm list " that have specifically cryptographic algorithm that two comparative result: SA2 are corresponding and MS-A to support do not occur simultaneously, and this just means need to upgrade SA2 and corresponding TEK; The cryptographic algorithm that SA2 is corresponding belongs to a kind of in " cryptographic algorithm list ", now does not need to upgrade SA2, only need to upgrade the TEK of MS-B.
The concrete grammar that upgrades SA2 and corresponding TEK is: from " cryptographic algorithm list ", select the common a kind of cryptographic algorithm supported of MS-A and MS-B, for MS-B selects suitable SA distribution T EK, method is as above shown in Figure 11 again.The method of upgrading TEK for MS-B as above, shown in Figure 12, repeats no more.
B.Message4, Message 5 message are mainly that BS-2 informs BS-1 by the TEK of selected cryptographic algorithm and distribution.The major parameter of two message is as shown in table 6 below:
| SFID information | Selected cryptographic algorithm | TEK information |
Table 6 Message4, Message5 message parameter
His-and-hers watches 6 are explained as follows:
I. in Message4 message, " SFID information " is SFID-B, and in Message5 message, " SFID information " is SFID-A.SFID field is revised equally when through ASN-GW.
II .BS-1 finds corresponding SA1 according to SFID-A after receiving Message5 message, according to " selected cryptographic algorithm " and cryptographic algorithm corresponding to SA1 in table 4-6, relatively whether both are identical, have two results: both are identical, do not need to upgrade SA1, only need to upgrade TEK; Both are different, SA1 is updated to suitable SA according to " selected cryptographic algorithm ", and upgrades TEK.
(3) Message6, Message 7 message are simple acknowledge message.Message6 message is that BS-1 confirms the message of having received smoothly that ASN-GW sends to ASN-GW, and Message7 message is that ASN-GW confirms the message of having received smoothly that BS-2 sends to BS-2.The major parameter of two message is as shown in table 7 below.
| SFID information | Confirm sign |
Table 7 Message6, Message7 message parameter
By above-mentioned two kinds of negotiation modes, two communication users in same gateway local route have just adopted identical cryptographic algorithm and encryption key, and this programme core procedure completes.
In addition, in the synchronous method of the cryptographic algorithm of two communication users that propose for the present invention and communication key, also need to solve two key issues.
Problem one: the synchronous and reproducting periods at two users' TEK, how packet is processed.
Here explain, TEK has life cycle, it can within the cycle of default, (WiMAX standard be stipulated the shortest 30min, the longest 7 days) upgrade, therefore sometime, certain mobile subscriber is (i.e. so-called new, the old TEK) that simultaneously has two TEK, and user can be encrypted packet with these two TEK.Meanwhile, when this programme is implemented, from judge two users whether be in same gateway to two users' cryptographic algorithm and encryption key, be synchronously need the time (although time compole short, transmission time of signaling namely).During this period of time, still can be useful the packet encrypted of old TEK can deliver to base station BS place.This part packet does not preferably abandon.So base station this how to process these packets, so this programme has designed relevant treatment mechanism.
At two communication users, through consulting, after adopting identical cryptographic algorithm and encryption key, for upstream data, base station can directly forward packet and be left intact to upper strata; For downlink data, base station is not done encryption and decryption yet and is processed, and directly by eating dishes without rice or wine, gives user.
Between two users' TEK sync period, the encryption key TEK of two communication users is different, so base station needs still according to common processing data packets flow processing.
Same, at a certain user's TEK reproducting periods, the encryption of packet may adopt new TEK, also may adopt old TEK, and the new and old base station of TEK can be identified by the EKS field of mac frame head.Therefore when the user of gateway local route carries out TEK renewal, between base station, still can carry out the synchronous of TEK by the Message message in Figure 13 and Figure 10.Such as, when user MS-A will upgrade TEK, can synchronize by the Message3 in the Message4 in Figure 13, Message5, Message6, Message7 message or Figure 10, Message4 message new TEK in base station BS-1 with the TEK that base station BS-2 communicate user, after user's TEK upgrades, still can adopt identical TEK to be encrypted like this, the synchronizing process of TEK reproducting periods completes.Same, at TEK reproducting periods, also there is above-mentioned problem that can not Complete Synchronization, solve thinking and remain within this extremely short time (being several signaling interaction time between base station), packet is walked common packet flow process.
Consider that actual equipment conventionally adopts the form of transmitting when forwarding, we have designed table 8 and have solved problem one.Its major parameter is as shown in the table.
| The up CID-A of MS | The descending CID-B of MS | (0-is different for TEK flag bit; 1-is identical) | (0-does not upgrade TEK ID flag bit; 1-upgrades) |
Table 8 TEK is synchronous, renewal front and back processing data packets reference table
His-and-hers watches 8 are explained as follows:
(1) connection of WiMAX standard regulation uplink and downlink can adopt different CID, therefore front two parameters of table 8 are cid information, it is exactly for can completely, to identify the data interaction path of a local routing that two CID list items are set here, can comprise that upstream data path also comprises downlink data path.If for a certain user, this user's up-downgoing connects the same CID of employing, and table 8 can, by front two merging, only have a cid information list item.Table 8 has several cid information list items, depends on concrete WiMAX system implementation, can have 1 CID list item also can have 2 CID list items.
(2) " TEK flag bit " initial value in list item is " 0 ", represents that the TEK of two communication users is asynchronous; If this sign place value is " 1 ", represent that two users' TEK is synchronous.
" TEK flag bit " is carved with two while upgrading: one, between base station, complete after negotiations process, and the TEK flag bit in base station meeting automatic filling table 8, makes it to become " 1 ", otherwise is " 0 " always.Its two, at user's TEK, start reproducting periods, TEK flag bit is filled to " 0 ".After having carried out upgrading the negotiation of TEK between base station, the TEK flag bit in base station meeting automatic filling table 8, makes it to become " 1 ", shows that the synchronizing process of TEK reproducting periods completes.
(3) list item " TEK ID flag bit " is to synchronize with the renewal of TEK, exactly in order whether to identify TEK in reproducting periods.If TEK is in reproducting periods, " TEK ID flag bit " automatic filling is " 1 ", otherwise is " 0 " always.It is to manage for the ease of base station BS that this flag bit is set, and by the combination of " TEK ID flag bit " and " TEK flag bit ", just can obviously find out user's TEK state.
Here illustrate, list item " TEK flag bit " is such with the value relation of list item " TEK ID flag bit ": at TEK reproducting periods, " TEK ID flag bit " is " 1 ", and list item " TEK flag bit " is " 0 "; If not at TEK reproducting periods, " TEK ID flag bit " is " 0 ", and list item " TEK flag bit " carrys out value according to whether completing negotiations process, its updated time has two, completes and between negotiations process and base station, complete the negotiations process that TEK upgrades between base station.
The flow process how base station BS carrys out handle packet according to table 8 as shown in figure 14.
Figure 14 is done to following explanation:
(1) base station BS is received after packet, from packet head, takes out CID, and whether 8 known these packets of tabling look-up are to need packet to be processed.
(2) if need packet to be processed, then check " TEK flag bit " in table 8, if " 1 ", the TEK that two communication users are described is synchronous, is left intact and directly forwards.If " 0 ", illustrates that two users' TEK is asynchronous, packet is through common handling process.
(3) for the ease of base station BS, manage, can further check " TEK ID flag bit " in table 8, if this flag bit is " 1 ", show to be in TEK reproducting periods, if this flag bit is " 0 ", show to be between TEK sync period.In fact, under both of these case, packet is all walked common handling process.
By the foundation of table 8, base station BS can well classify, forward packet, and by the more new management to flag bit, we have carried out good solution to problem one.
Problem two: how base station BS tells gateway A SN-GW which packet need not be processed, and can directly transmit.
Packet from base station BS to gateway A SN-GW can be to encrypt and (encryption of this part packet is the IP packet encryption of network layer substantially, as IPSec etc.) of tunnel encapsulation.After present design realizes, two communication users under same ASN-GW have adopted identical cryptographic algorithm and encryption key, this communication data packet that just means two users is to being completely transparent each other, the encrypt data bag that is a certain user can directly be delivered to another user, and this user just can decipher these packets completely with the key of oneself, obtain communication expressly.
According to WiMAX standard-required, terminal is delivered to the Frame of BS and is encrypted through payload by eating dishes without rice or wine, so this part packet that BS receives is exactly the communication ciphertext with the secret key encryption of terminal.After this programme is implemented, because the data that transmit between two communication users can be deciphered mutually, so this has just reached an object: with regard to upstream data path, BS delivers to the data of ASN-GW, can be left intact, directly deliver to gateway A SN-GW place; For downlink data path, the data that ASN-GW delivers to BS are also left intact, and directly deliver to BS place, then by eating dishes without rice or wine, are handed down to Correspondent Node by BS.Correspondent Node obviously can be deciphered after receiving packet.Like this, up BS has save deciphering, encryption, encapsulation process in place, and ASN-GW has save at place decapsulation, encapsulation process, and descending BS has save decapsulation, deciphering, ciphering process in place, and the data transfer overhead of WiMAX network reduces, and treatment effeciency significantly improves.
This processing procedure is not to go on always, because having sub-fraction packet is not yet to send between sync period at the TEK of TEK reproducting periods and two communication users, this partial data bag still needs to continue the flow processing (as shown in Figure 4) according to WiMAX standard regulation.Therefore,, when BS gives ASN-GW packet, BS need to tell ASN-GW which packet need not be processed, and can directly transmit.The related problem two of this programme that Here it is.
After gateway routing safety scheme implementation due to the present invention's proposition, base station is directly packet to be sent to gateway, gateway is also direct forwarding without any need for processing, and TEK not between sync period and TEK reproducting periods packet through common packet flow process, be that upwards transmit packet deciphering, tunnel encapsulation after encrypting base station again again, now, gateway need to carry out to packet the processing such as decapsulation.Therefore,, in the process of whole scheme implementation, gateway need to be done above two kinds of different processing procedures to the packet in whole communication process.Therefore, base station need to tell which packet of gateway to process, and can directly forward.
The method the present invention proposes below solves problem two, and the mac frame head at packet arranges flag bit.Introduce this mode below.
WiMAX standard regulation, the encryption of packet is the encryption to its mac frame payload, so the network layer of packet encrypted completely, comprises IP head.Therefore,, when flag bit is set, can only start with from the MAC layer of packet.We have two kinds of common selections when selection marker position: the reservation bit of certain field in the reservation position in Frame and Frame.Only need to choose wherein as a token of position of 1 bit, if this flag bit is " 0 ", represent that this packet is conventional data bag; If this flag bit is " 1 ", represent that this packet is gateway local route data packets.The filling of flag bit is responsible for by base station, after gateway is received the packet of local routing, by checking that this flag bit just can know whether packet can directly forward.
In actual network, the double layer network between base station and gateway mostly is Ethernet or MPLS network etc., and the reservation position that choose therein 1 bit as a token of position is feasible.By the method, process in problem two processes, base station and gateway are to the handling process of packet as shown in figure 15.
Figure 15 is explained as follows:
(1) direction of tentation data stream is from base station BS-1 to base station BS-2, base station BS-1 is when handle packet, by the CID field in packet header, can judge the packet of gateway local route, then check whether " TEK flag bit " in table 8 is " 1 ", " 1 " if, just represents that packet can directly forward, now, base station BS-1 is set flag bit by these packets according to method one, and value is " 1 ", is intended to tell these packets of gateway directly to forward.And the packet that base station can not directly forward, selected flag bit is set as " 0 ".
(2) gateway A SN-GW receives after packet, checks the flag bit that data frame head is set, if " 1 ", gateway directly forwards this packet, if " 0 ", packets need is through conventional handling process.
(3) receiving terminal BS-2 receives after packet, checks " TEK flag bit " in table 4-8, if " 1 " directly forwards downwards by eating dishes without rice or wine; " if 0 ", packets need is through conventional handling process.In fact, base station BS-2 can also be by checking that the flag bit that packet is set judges, here using flag bit as further confirmation means, checks the flag bit of further checking again setting on the basis of table 8.If flag bit is " 1 ", illustrate that packet can directly forward.
Here underline, packet is walked generalized flowsheet, at up base station end (as the BS-1 place in Figure 15), show as packets need transmits to upper strata gateway after deciphering, tunnel encapsulation, encryption again, gateway shows as packets need through separating tunnel encapsulation, deciphering and encrypt the end transmission of backward descending base station again, and descending base station end (as the BS-2 place in Figure 15) shows as packets need could give by eating dishes without rice or wine terminal through separating after tunnel encapsulation, deciphering are encrypted again.In problem one, the synchronous and TEK reproducting periods at TEK, packet is walked generalized flowsheet, and the packet generalized flowsheet in problem two is also like this.
So far, the design's detailed protocol finishes.
Claims (1)
1. the cipher key synchronization method that in WIMAX system, under same IAD, two users communicate by letter, is characterized in that, comprises the following steps:
Step 1: judge that two users communicating by letter whether under same gateway (ASN-GW), if judged result is not under same gateway, exit; If at the next next step that enters of same gateway;
Step 2: be that two users that communicate set up independent data path based on connection identifier (CID) and gap marker (DPID);
Step 3: two cryptographic algorithm and encryption keys that communicate between user are carried out synchronously, if the first communication user (MS-A) belongs to the first base station (BS-1) management, second communication user (MS-B) belongs to the second base station (BS-2) management, and concrete synchronous method is as follows:
A. gateway (ASN-GW) does not participate in the negotiation of secure group (SA) and encryption key (TEK), comprises the following steps:
A-1, by gateway (ASN-GW), to the first base station (BS-1), send a message, this message comprises the IP address of the second base station (BS-2), the service flow sign (SFID-A) that the first base station is set up, the service flow sign (SFID-B) that the second base station is set up;
A-2, receive after the message of gateway (ASN-GW) transmission the first base station (BS-1), the first secure group (SA1) that finds the first communication user (MS-A) to be mapped to according to service flow sign (SFID-A), and the cryptographic algorithm collection of the first communication user (MS-A) support is included in the second message field, start to prepare next step negotiation;
A-3, by the first base station (BS-1), to the second base station (BS-2), send a message, this message comprises algorithm set, the service flow sign (SFID-A) of the first base station foundation, the service flow sign (SFID-B) of the second base station foundation that the first communication user (MS-A) is supported;
A-4, receive after the message of the first base station (BS-1) transmission the second base station (BS-2), the second secure group (SA2) that finds second communication user (MS-B) to be mapped to according to service flow sign (SFID-B), and compare the algorithm set of cryptographic algorithm corresponding to the second secure group (SA2) and the first communication user (MS-A) support;
When the algorithm set of cryptographic algorithm corresponding to the second secure group (SA2) and the first communication user (MS-A) support is not occured simultaneously, the algorithm set of supporting from the first communication user (MS-A), select the common a kind of cryptographic algorithm supported of the first communication user (MS-A) and second communication user (MS-B), again for second communication user (MS-B), select suitable secure group and distribute encryption key;
When cryptographic algorithm corresponding to the second secure group (SA2) belongs to a kind of in the algorithm set that the first communication user (MS-A) supports, adopt the corresponding cryptographic algorithm of the second secure group (SA2) to upgrade second communication user's (MS-B) encryption key;
A-5, by the second base station (BS-2), to the first base station (BS-1), send a message, this message comprises: the cryptographic algorithm that the service flow sign (SFID-A) that the service flow sign (SFID-B) that the second base station is set up, the first base station are set up, second communication user (MS-B) select and the encryption key of distribution;
The cryptographic algorithm that second communication user (MS-B) is selected in the first base station (BS-1) cryptographic algorithm corresponding with first secure group (SA1) of the first communication user (MS-A) mapping compares, and has two comparative results:
Both are identical, do not need to upgrade the first secure group (SA1), only need to upgrade TEK for the first communication user (MS-A);
Both are different, and the cryptographic algorithm that the first secure group (SA1) is selected according to second communication user (MS-B) is updated to suitable secure group (SA), and according to list item TEK information updating TEK;
A-6, sends an acknowledge message by the first base station (BS-1) to the second base station (BS-2), and expression the first base station (BS-1) has been received the message that the second base station (BS-2) sends before smoothly;
B. gateway (ASN-GW) participates in the negotiation of secure group (SA) and encryption key (TEK), comprises the following steps:
B-1, sends a message by gateway (ASN-GW) to the first base station (BS-1), and this message comprises the service flow sign (SFID-A) of setting up the first base station;
B-2, (BS-1) receives after message in the first base station, the first secure group (SA1) that finds the first communication user (MS-A) to be mapped to according to service flow sign (SFID-A), and the cryptographic algorithm collection of the first communication user (MS-A) support is included in the second message field, start to prepare next step negotiation;
B-3, sends a message by the first base station (BS-1) to gateway (ASN-GW), and this message comprises the algorithm set of the first communication user (MS-A) support, the service flow sign (SFID-A) that the first base station is set up;
B-4, gateway (ASN-GW) is received after message, the service flow sign (SFID-A) of being set up is revised as to the service flow sign (SFID-B) of setting up the second base station in message by the first base station, then amended message is sent to the second base station (BS-2);
B-5, (BS-2) receives after message in the second base station, the second secure group (SA2) that finds second communication user (MS-B) to be mapped to according to service flow sign (SFID-B), and compare the algorithm set of cryptographic algorithm corresponding to the second secure group (SA2) and the first communication user (MS-A) support;
When the algorithm set of cryptographic algorithm corresponding to the second secure group (SA2) and the first communication user (MS-A) support is not occured simultaneously, the algorithm set of supporting from the first communication user (MS-A), select the common a kind of cryptographic algorithm supported of the first communication user (MS-A) and second communication user (MS-B), again for second communication user (MS-B), select suitable secure group and distribute encryption key;
When cryptographic algorithm corresponding to the second secure group (SA2) belongs to a kind of in the algorithm set that the first communication user (MS-A) supports, adopt the corresponding cryptographic algorithm of the second secure group (SA2) to upgrade second communication user's (MS-B) encryption key;
B-6, sends a message by the second base station (BS-2) to gateway (ASN-GW), and this message comprises: the cryptographic algorithm that the service flow sign (SFID-B) that the second base station is set up, second communication user (MS-B) select and the encryption key of distribution;
B-7, gateway (ASN-GW) is received after message, the service flow sign (SFID-B) of being set up is revised as to the service flow sign (SFID-A) of setting up the first base station in message by the second base station, then amended message is sent to the first base station (BS-1);
B-8, the first base station (BS-1) receives after message, the cryptographic algorithm that the cryptographic algorithm of selecting in message is corresponding with the first secure group (SA1) compares,
The cryptographic algorithm corresponding when the first secure group (SA1) is identical with the cryptographic algorithm of selecting in message, adopts cryptographic algorithm corresponding to the first secure group (SA1) to upgrade the encryption key of the first communication user (MS-A);
The cryptographic algorithm corresponding when the first secure group (SA1) is not identical with the cryptographic algorithm of selecting in message, adopts the cryptographic algorithm of selecting in message to upgrade the encryption key of the first communication user (MS-A);
B-9, sends an acknowledge message that comprises service flow sign SFID-A by the first base station (BS-1) to gateway (ASN-GW), represents the message that it has received gateway transmission before smoothly; Then by gateway (ASN-GW), to the second base station (BS-2), send an acknowledge message that comprises service flow sign SFID-B, represent its received smoothly before the message that sends of the second base station.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201210001450.3A CN102572829B (en) | 2012-01-05 | 2012-01-05 | Key synchronization method for communication between two users accessing same access gateway in WIMAX system |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201210001450.3A CN102572829B (en) | 2012-01-05 | 2012-01-05 | Key synchronization method for communication between two users accessing same access gateway in WIMAX system |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN102572829A CN102572829A (en) | 2012-07-11 |
| CN102572829B true CN102572829B (en) | 2014-07-16 |
Family
ID=46417037
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201210001450.3A Expired - Fee Related CN102572829B (en) | 2012-01-05 | 2012-01-05 | Key synchronization method for communication between two users accessing same access gateway in WIMAX system |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN102572829B (en) |
Families Citing this family (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102821435A (en) * | 2012-08-07 | 2012-12-12 | 南京邮电大学 | Local routing method for establishing data route in segmented mode in WiMAX (wireless metropolitan area network) system |
| CN113132924B (en) * | 2021-04-19 | 2022-01-21 | 北京达源环保科技有限公司 | Information transmission method and system for high-deployment-density sludge anaerobic digestion monitoring terminal |
Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101217364A (en) * | 2007-12-28 | 2008-07-09 | 中国科学院计算技术研究所 | An organization structure and maintenance method of security context in media accessing control system |
| CN102036230A (en) * | 2010-12-24 | 2011-04-27 | 华为终端有限公司 | Method for implementing local route service, base station and system |
Family Cites Families (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| KR100879982B1 (en) * | 2006-12-21 | 2009-01-23 | 삼성전자주식회사 | Security system and method in mobile WiMax network system |
| KR20100069382A (en) * | 2008-12-16 | 2010-06-24 | 한국전자통신연구원 | Updating apparatus and method for traffic encryption key using docsis system synchronization |
| US8707045B2 (en) * | 2009-02-12 | 2014-04-22 | Lg Electronics Inc. | Method and apparatus for traffic count key management and key count management |
-
2012
- 2012-01-05 CN CN201210001450.3A patent/CN102572829B/en not_active Expired - Fee Related
Patent Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101217364A (en) * | 2007-12-28 | 2008-07-09 | 中国科学院计算技术研究所 | An organization structure and maintenance method of security context in media accessing control system |
| CN102036230A (en) * | 2010-12-24 | 2011-04-27 | 华为终端有限公司 | Method for implementing local route service, base station and system |
Non-Patent Citations (2)
| Title |
|---|
| Security Concerns in WiMAX;Syed Shabih Hasan;《Internet, 2009. AH-ICI 2009. First Asian Himalayas International Conference》;20091105;正文第1-5页 * |
| Syed Shabih Hasan.Security Concerns in WiMAX.《Internet, 2009. AH-ICI 2009. First Asian Himalayas International Conference》.2009, |
Also Published As
| Publication number | Publication date |
|---|---|
| CN102572829A (en) | 2012-07-11 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN113630773B (en) | Safety implementation method, equipment and system | |
| CN103155512B (en) | System and method for providing secure access to service | |
| CN102036230B (en) | Method for implementing local route service, base station and system | |
| CN103188351B (en) | IPSec VPN traffic method for processing business and system under IPv6 environment | |
| US7945777B2 (en) | Identification information protection method in WLAN inter-working | |
| US8386772B2 (en) | Method for generating SAK, method for realizing MAC security, and network device | |
| KR100749846B1 (en) | Device for realizing security function in mac of portable internet system and authentication method using the device | |
| CN101227376B (en) | Equipment and method for virtual special-purpose network multi-case safe access | |
| CN109314638A (en) | Cipher key configuration and security strategy determine method, apparatus | |
| CN108810884A (en) | Cipher key configuration method, apparatus and system | |
| CN102045210B (en) | End-to-end session key consultation method and system for supporting lawful interception | |
| WO2010012203A1 (en) | Authentication method, re-certification method and communication device | |
| WO2003084177A1 (en) | Security transmission protocol for a mobility ip network | |
| EP2919498B1 (en) | Method, device and system for packet processing through a relay | |
| KR20080086127A (en) | A method and apparatus of security and authentication for mobile telecommunication system | |
| CN101715190B (en) | System and method for realizing authentication of terminal and server in WLAN (Wireless Local Area Network) | |
| CN105325020B (en) | For the communication means and femto access point between femto access point | |
| CN102572829B (en) | Key synchronization method for communication between two users accessing same access gateway in WIMAX system | |
| KR101451937B1 (en) | Method of protecting an identity of a mobile station in a communications network | |
| JP4158972B2 (en) | Multi-hop communication method | |
| CN115037504A (en) | Communication method and device | |
| CN1996838A (en) | AAA certification and optimization method for multi-host WiMAX system | |
| CN113766497B (en) | Key distribution method, device, computer readable storage medium and base station | |
| CN116249110A (en) | Safe network distribution method and intelligent device | |
| CN114302503A (en) | Data transmission method based on non-3GPP access function network element and non-3GPP access function network element |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| EE01 | Entry into force of recordation of patent licensing contract |
Application publication date: 20120711 Assignee: Jiangsu Nanyou IOT Technology Park Ltd. Assignor: Nanjing Post & Telecommunication Univ. Contract record no.: 2016320000207 Denomination of invention: Key synchronization method for communication between two users accessing same access gateway in WIMAX system Granted publication date: 20140716 License type: Common License Record date: 20161109 |
|
| LICC | Enforcement, change and cancellation of record of contracts on the licence for exploitation of a patent or utility model | ||
| EC01 | Cancellation of recordation of patent licensing contract |
Assignee: Jiangsu Nanyou IOT Technology Park Ltd. Assignor: Nanjing Post & Telecommunication Univ. Contract record no.: 2016320000207 Date of cancellation: 20180116 |
|
| EC01 | Cancellation of recordation of patent licensing contract | ||
| CF01 | Termination of patent right due to non-payment of annual fee |
Granted publication date: 20140716 Termination date: 20180105 |
|
| CF01 | Termination of patent right due to non-payment of annual fee |