CN104205898A - Method and system for group based service bootstrap in M2M environment - Google Patents


Info

Publication number: CN104205898A
Authority: CN (China)
Prior art keywords: key, group, service, access network, equipment
Legal status: Pending (as listed by Google Patents; not a legal conclusion)
Application number: CN201280072421.4A
Other languages: Chinese (zh)
Inventors: 陈幼雷, 张雅哲
Current assignee: Nokia Solutions and Networks Oy
Original assignee: Nokia Siemens Networks Oy
Priority date / filing date: 2012-02-16
Publication date: 2014-12-10
Application filed by Nokia Siemens Networks Oy

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W 12/043 Key management, e.g. using generic bootstrapping architecture [GBA], using a trusted network node as an anchor
    • H04W 12/0431 Key distribution or pre-distribution; Key agreement
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L 63/065 Network architectures or network communication protocols for network security for supporting key management in a packet data network for group communications
    • H04W 4/00 Services specially adapted for wireless communication networks; Facilities therefor
    • H04W 4/70 Services for machine-to-machine communication [M2M] or machine type communication [MTC]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

This invention relates to a method for provisioning group service credentials during an access-network-assisted M2M service bootstrap procedure. The method comprises the following steps: carrying out access network registration of a group of M2M devices, establishing temporary session keys based on the access network credentials of the access network, establishing a group key and/or individual keys authenticated by means of the temporary session keys, and provisioning group service credentials under the protection of the group key. This invention also relates to a system for provisioning group service credentials during an access-network-assisted M2M service bootstrap procedure.

Description

Method and system for group based service bootstrap in an M2M environment
Technical field
The present invention relates generally to methods and systems for group-based service bootstrap in a machine-to-machine (M2M) environment. In particular, it relates to methods and systems for provisioning group service credentials during an access-network-assisted M2M service bootstrap procedure.
Background
M2M refers to technologies that allow both wireless and wired systems to communicate with other devices of the same capability. M2M uses a device (such as a sensor or meter) to capture an event (such as a temperature or an inventory level), relays the event through a network (wireless, wired or hybrid) to an application (a software program), and the application translates the captured event into meaningful information.
In an M2M environment it is desirable to provision service credentials to the devices during the device bootstrap and registration procedure. M2M service bootstrap provides the permanent M2M service credentials (identifier, root key, etc.) that are later used to connect to and register with the M2M service layer.
ETSI Technical Specification (ETSI TS) 102 690 standardises two approaches to M2M service bootstrap according to the business relationship between the M2M service provider and the network provider: access-network-assisted M2M service bootstrap and access-network-independent M2M service bootstrap. ETSI TS 102 690 defines the M2M provisioning and bootstrap procedures. It states: "M2M service bootstrap and M2M service registration for M2M devices and M2M gateways are the mechanisms by which the M2M device (or M2M gateway) is provisioned with the service layer credentials, such as a permanent identifier and a root key."
ETSI defines several access-network-assisted M2M service bootstrap procedures, such as the M2M service bootstrap procedure based on the Generic Bootstrapping Architecture (GBA), the bootstrap procedure based on the Extensible Authentication Protocol (EAP) using Subscriber Identity Module (SIM) / Authentication and Key Agreement (AKA) based credentials, and the bootstrap procedure using EAP-based network access authentication (ETSI TS 102 690). GBA describes the mechanisms and security features for bootstrapping authentication and key agreement for application security from the 3rd Generation Partnership Project (3GPP) AKA mechanism. The 3GPP authentication infrastructure, comprising the 3GPP Authentication Centre (AuC), the Universal Subscriber Identity Module (USIM) or IP Multimedia Services Identity Module (ISIM), and the 3GPP AKA protocol run between them, is a very valuable asset of 3GPP operators. It has been recognised that this infrastructure can be leveraged so that application functions in the network and on the user side can establish shared keys. 3GPP therefore provides "bootstrapping of application security" by defining GBA, which authenticates the user based on the AKA protocol. The details can be found in 3GPP TS 33.220.
However, the methods currently defined in ETSI all operate at the individual level: one bootstrap procedure provisions only one device, and none of them takes group requirements into account. If there are a large number of M2M devices with the same M2M service capabilities or running the same M2M application, there will be a large number of bootstrap procedures, all of which provision identical M2M service credentials. This is repetitive and inefficient. A better idea is to complete all credential provisioning in one group-based bootstrap procedure. There are situations in which M2M devices are divided into groups: devices may be grouped together to meet operator needs such as convenient control, management or charging. This optimisation allows M2M devices to be controlled, upgraded and charged at group granularity in a simpler manner, which reduces redundant signalling and avoids congestion. Group-based optimisation can also save network resources when the number of M2M devices is very large.
The Internet Engineering Task Force (IETF) has published a series of documents on group key management protocols (for example Request for Comments (RFC) 2093, RFC 2094 and RFC 4046). These documents give detailed accounts of how to handle group key problems such as group key distribution and group key rekeying. However, none of these protocols considers the characteristics of M2M applications, and they may be unsuitable in an M2M environment because of the energy and computation constraints or other special characteristics of M2M devices. For example, some of them require the support of an asymmetric signature system, which demands high computing capability and is difficult to deploy (RFC 2093, RFC 2094, etc.). Some of them require a specific Group Controller and Key Server (GCKS) to define and enforce group membership, key management and other events. No suitable technical solution exists for fulfilling the GCKS function in an M2M environment.
Using the access network credentials in the service layer reuses existing resources and reduces deployment cost, and introducing a group framework significantly reduces data traffic. It would therefore be valuable to provide a group-based bootstrap technique that makes use of access network assistance.
Summary of the invention
The problem to be solved by the present invention is therefore how to carry out service bootstrap for a group of M2M devices at group level with the assistance of the access network.
The present invention proposes a method for provisioning group service credentials during an access-network-assisted M2M service bootstrap procedure.
The method of the present invention comprises the following steps:
carrying out access network registration of a group of M2M devices,
establishing temporary session keys based on the access network credentials of the access network,
establishing a group key and/or individual keys authenticated by means of the temporary session keys, and
provisioning group service credentials under the protection of the group key.
Preferably, a Generic Bootstrapping Architecture (GBA) procedure is used in the implementation of provisioning the access network credentials.
Preferably, the temporary session keys are derived from the GBA procedure and may be Network Application Function (NAF) specific keys.
More preferably, in the step of establishing the group key, Hypertext Transfer Protocol (HTTP) Digest authentication is carried out with the NAF-specific keys.
According to a preferred embodiment of the present invention, the step of establishing the group key may be implemented by a group key agreement procedure, wherein the group key is obtained from the private data of all the M2M devices. The group key may be established using the Burmester-Desmedt group key agreement procedure or a modified Group Diffie-Hellman protocol No. 3 (GDH.3) group key agreement procedure. In the modified GDH.3 group key agreement procedure, the M2M Service Bootstrap Function (MSBF) generates a new random value that is used to generate the individual keys.
The group key agreement procedure is carried out in the service layer.
According to another preferred embodiment of the invention, the step of establishing the group key may be implemented by a group key distribution procedure, wherein a Key Distribution Center (KDC) is responsible for generating and distributing one or more shared keys.
The present invention further proposes a system for provisioning group service credentials during an access-network-assisted M2M service bootstrap procedure. The system comprises:
means for carrying out access network registration of a group of M2M devices,
means for establishing temporary session keys based on the access network credentials of the access network,
means for establishing a group key and/or individual keys authenticated by means of the temporary session keys, and
means for provisioning group service credentials under the protection of the group key.
Compared with the prior art, a group-based bootstrap technique is therefore proposed that provisions group-level service credentials to all M2M devices/gateways. The bootstrap strategy is flexible: different options (group key agreement (GKA) versus group key distribution (GKD), group-level provisioning versus individual-level provisioning, gateway involved versus gateway not involved, etc.) are provided for different situations. The security strength of the provisioned service credentials can be independent of the security strength of the access network, which means it can be stronger than the security strength of the access network. The execution flow can be controlled flexibly: the M2M gateway can be configured to carry out the control procedure according to network conditions, for example the M2M gateway can control the time window in which it answers the M2M devices. Most of the communication takes place behind the M2M gateway, so it does not cause signalling or data traffic congestion on the network side.
Therefore, by implementing the method and system proposed by the present invention, the group members can communicate securely with each other, and the M2M application server does not need to use a method specific to the local area network (LAN) connecting the group members in order to establish a security association.
Brief description of the drawings
The present invention is described in more detail with reference to the following drawings, in which:
Fig. 1 shows the system architecture used in the present invention;
Fig. 2 shows the group service credential provisioning procedure according to the present invention;
Fig. 3 shows the group service credential provisioning procedure according to a first embodiment of the present invention;
Fig. 4 shows the group service credential provisioning procedure according to a second embodiment of the present invention;
Fig. 5 shows the group service credential provisioning procedure according to a third embodiment of the present invention.
Detailed description of embodiments
In the present invention it is assumed that the access network provider and the M2M service provider share a business relationship, or that the access network provider itself provides the M2M service.
Fig. 1 shows the system architecture used in the M2M environment. A number of M2M devices and an M2M gateway are assigned to a group. All communication between the M2M devices and the core network is carried out through the M2M gateway. The M2M devices connect to the M2M gateway through an M2M area network (WiFi, ZigBee, etc.). The M2M gateway can be a normal M2M device that also runs M2M applications or M2M service capabilities, similar to the other group members, or it can be a dedicated device.
The core idea of the present invention is that the M2M service and the M2M devices/gateway establish a shared group secret key by means of a group key establishment that is authenticated with the access network credentials. The group service credential provisioning procedure can then be protected with this secret key. The procedure is shown in Fig. 2.
As shown in Fig. 2, this high-level procedure comprises the following steps:
In step 21, the M2M devices/gateway carry out access network registration.
In step 22, the network provides the access network credentials to the M2M service. For this, the network provider and the M2M service provider should have a business relationship.
In step 23, the M2M devices/gateway and the M2M service establish temporary session keys in the service layer based on the access network credentials.
In step 24, the M2M service and the M2M devices/gateway carry out an authenticated group key establishment procedure in the service layer. When the procedure finishes, a shared group key exists among all participants, and where necessary a shared individual secret key exists between each M2M device/gateway and the service. Each message should be protected by the temporary session keys established in step 23, providing integrity or confidentiality according to the specific use case.
In step 25, the group service credential provisioning procedure is carried out under the protection of the group key established by the service and the M2M devices/gateway in step 24.
Group key establishment (GKE) is a method of establishing a shared secret among a group of parties. According to the technique adopted, GKE can be subdivided into two different mechanisms: GKD and GKA.
In GKD there is a central key management entity, such as a Key Distribution Center (KDC), which is responsible for generating and distributing one or more shared keys to the peers. In an M2M environment the M2M service provider can play the role of the KDC. In step 24 of the group service credential provisioning procedure of Fig. 2, the M2M service provider can generate a random key and distribute it to all M2M devices/gateways. This is easy to deploy and has almost no computation or communication cost, but there is a potential risk of the key being exposed to the access network provider. If the M2M service provider trusts the access network provider (they share a business relationship, etc.), it can adopt the GKD method. In GKD, the security strength of the distributed key depends on the security strength of the access network.
In GKA every entity in the group contributes to the generation of the shared key. The group key can be regarded as the output of a function that takes the private data of all entities as input. In GKA only the participants can compute the secret key. If the GKA procedure is carried out only among the M2M service and the M2M devices/gateway, the key is secret even from the access network provider. If the M2M service provider does not trust the access network provider, it can adopt the GKA method. In addition, GKA can obtain a key whose security strength is better than the security strength of the access network.
In the GKA method there are also two options, owing to the role of the M2M gateway:
Option i: the M2M gateway participates in the group key agreement procedure.
Option ii: the M2M gateway does not participate in the group key agreement procedure; it only plays the role of a message relay.
Owing to the level of the service credentials there are also two options:
Option a: only group-level service credentials are provisioned.
Option b: service credentials at two levels are provisioned: not only group-level service credentials, but also individual-level service credentials for each device.
GKD/GKA, options i/ii and options a/b are independent options seen from different viewpoints, so there are six combinations: GKD & a, GKD & b, GKA & i & a, GKA & i & b, GKA & ii & a and GKA & ii & b. Three of them are explained in detail below: GKD & a, GKA & i & a and GKA & ii & b. The other three can be derived by the same technique.
In the first preferred embodiment of the present invention, the M2M service generates the group key and distributes it to all M2M devices/gateways. This embodiment can be implemented when the M2M devices are very limited in energy and computing capability and the access network provider is fully trusted by the service provider.
First, the access network authenticates the M2M devices/gateway at the network layer. Then, at the request of the M2M service, the network provides the access network credentials to the M2M service. The M2M service generates the required group key and sends it to the M2M devices/gateway under the protection of the access network credentials. The M2M service can then provision the group service credentials under the protection of the group key. The procedure is shown in Fig. 3.
This high-level procedure consists of the following steps:
Step 30 is an offline step. The external identifiers of the M2M devices or M2M gateway, as defined in 3GPP TR 23.888, are provided to the M2M service provider. The external identifiers can be mapped to M2M node IDs and provisioned in the access network so that they are locally accessible to the Bootstrapping Server Function (BSF).
In step 31, after successful access network registration, the M2M devices/gateway carry out the GBA bootstrap procedure with the BSF, using the Authentication Vectors (AV) that the BSF obtains from the Home Subscriber System (HSS). The BSF also retrieves from the HSS the GBA User Security Settings (USS), which include the M2M-specific security settings.
In step 32, NAF-specific keys derived from GBA can be used as the temporary session keys. Such NAF-specific keys can be used to protect the authenticity and integrity of the data exchanged between the M2M service and the M2M devices/gateway. The M2M devices/gateway and the M2M Service Bootstrap Function (MSBF)/NAF carry out HTTP Digest authentication with the NAF-specific keys. If HTTP Digest authentication succeeds, each member M2M device and gateway in the group shares its NAF-specific key with the MSBF/NAF. The MSBF facilitates the bootstrapping of the permanent M2M service layer security credentials in the M2M device (or M2M gateway) and in the M2M service capabilities in the network domain, and the M2M Authentication Server (MAS) is used to store the permanent security credentials bootstrapped by means of the MSBF.
In step 33, the M2M service generates a random key as the group key and then sends the group key individually to each M2M device/gateway. Each message should be protected with the shared secret established in step 33.
In step 34, the M2M service provisions the group service credentials to all M2M devices/gateways under the protection of the group key.
This embodiment is more efficient than key agreement in terms of communication, because only N messages are transmitted over the network in the group key establishment phase, where N is the number of devices/gateways. Afterwards, all devices/gateways share the group key with the service.
In addition, because the devices only receive and decrypt messages in the group key establishment phase, this embodiment requires lower device computing performance, and the M2M devices do not participate in the key generation process.
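The following Python program is an added illustration of the first embodiment (GKD & a, steps 33 and 34), not code from the patent. The M2M service plays the KDC role: it wraps one random group key for each member under that member's NAF-specific key (one message per device/gateway, hence N messages) and then provisions the credentials under the group key. The class names, the random stand-ins for the GBA-derived NAF keys, and the wrapping scheme (a toy HMAC-SHA256 keystream plus tag, standing in for a real AEAD) are all assumptions of this example. The last function shows the caveat the text states for GKD: any party holding the NAF keys, such as the access network that derived them, can unwrap the group key and with it the credentials.

```python
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def _subkey(key, label):
    # Separate encryption and MAC keys from one NAF key (toy construction, assumption).
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def protect(key, plaintext):
    """Toy authenticated encryption: nonce || ciphertext || HMAC tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    body = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def unprotect(key, message):
    nonce, body, tag = message[:NONCE_LEN], message[NONCE_LEN:-TAG_LEN], message[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return bytes(a ^ b for a, b in zip(body, _keystream(_subkey(key, b"enc"), nonce, len(body))))


class M2MService:
    """M2M service provider acting as KDC (hypothetical class, not the patent's)."""

    def __init__(self, naf_keys):
        self.naf_keys = naf_keys                    # Ks_NAF per member, known after step 32
        self.group_key = secrets.token_bytes(32)    # step 33: fresh random group key

    def distribute_group_key(self):
        # step 33: one message per device/gateway, each under that member's NAF key
        return {name: protect(k, self.group_key) for name, k in self.naf_keys.items()}

    def provision(self, credentials):
        # step 34: group service credentials under the protection of the group key
        return protect(self.group_key, credentials)


class Member:
    """An M2M device or gateway (hypothetical class)."""

    def __init__(self, naf_key):
        self.naf_key, self.group_key = naf_key, None

    def receive_group_key(self, message):
        self.group_key = unprotect(self.naf_key, message)

    def receive_credentials(self, message):
        return unprotect(self.group_key, message)


def run_gkd(names, credentials):
    """Runs steps 33 and 34 for the named members; returns the message count, what each
    member recovered, and the on-the-wire material (for the exposure check below)."""
    naf_keys = {n: secrets.token_bytes(32) for n in names}   # constructed stand-ins for GBA output
    service = M2MService(naf_keys)
    members = {n: Member(k) for n, k in naf_keys.items()}
    key_msgs = service.distribute_group_key()
    for n, m in members.items():
        m.receive_group_key(key_msgs[n])
    cred_msg = service.provision(credentials)
    received = {n: m.receive_credentials(cred_msg) for n, m in members.items()}
    return len(key_msgs), received, naf_keys, key_msgs, cred_msg


def holder_of_naf_keys_can_read(naf_keys, key_msgs, cred_msg):
    """The text's caveat: whoever holds the NAF keys can unwrap the group key, so the
    credential security depends on the access network's security strength."""
    any_member = next(iter(naf_keys))
    group_key = unprotect(naf_keys[any_member], key_msgs[any_member])
    return unprotect(group_key, cred_msg)


def tampering_is_rejected(naf_keys, key_msgs):
    any_member = next(iter(naf_keys))
    altered = bytearray(key_msgs[any_member])
    altered[NONCE_LEN] ^= 0x01          # flip one ciphertext bit in transit
    try:
        unprotect(naf_keys[any_member], bytes(altered))
    except ValueError:
        return True
    return False
```

The message count equals the number of members, which is the N-message argument the text makes for this embodiment; the exposure function is what makes GKD appropriate only where the access network provider is trusted.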
The second preferred embodiment of the present invention provisions group-level service credentials to the M2M devices/gateway. This embodiment is used in the following situation: the M2M devices have the computing capability for asymmetric cryptography; the M2M gateway is also a group member and also knows the group key; and the service provider does not fully trust the access network provider.
This implementation first provisions the access network credentials to the service layer with the GBA method, then establishes the group key with the Burmester-Desmedt GKA method. The gateway participates in the GKA procedure. Only group-level service credentials are provisioned. The procedure is shown in Fig. 4.
The high-level procedure of Fig. 4 consists of the following steps:
Step 40 is an offline step. The external identifiers of the M2M devices or M2M gateway, as defined in 3GPP TR 23.888, are provided to the M2M service provider. The external identifiers can be mapped to M2M node IDs and provisioned in the access network so that they are locally accessible to the BSF.
In step 41, after successful access network registration, the M2M devices/gateway carry out the GBA bootstrap procedure with the BSF, using the Authentication Vectors (AV) that the BSF obtains from the HSS. The BSF also retrieves from the HSS the GBA User Security Settings (USS), which include the M2M-specific security settings.
In step 42, the M2M devices/gateway and the MSBF/NAF carry out HTTP Digest authentication with the NAF-specific keys. If HTTP Digest authentication succeeds, each member M2M device and gateway in the group shares its NAF-specific key with the MSBF/NAF.
In step 43, the M2M service, the M2M devices and the M2M gateway carry out Burmester-Desmedt group key agreement to establish the group key. The NAF-specific keys established in step 42 are used for message integrity protection of the GKA procedure. The M2M devices are numbered in advance from 1 to n-2, and the gateway is numbered n-1.
Burmester-Desmedt group key agreement is a specific method for exchanging keys among a group of parties. It allows a group of parties with no prior knowledge of each other to jointly establish a shared secret key over an insecure communication channel. It can be regarded as an extension to the group setting of the Diffie-Hellman key exchange, which allows two parties with no prior knowledge of each other to jointly establish a shared secret key over an insecure communication channel. The details can be found in M. Burmester and Y. Desmedt, "A Secure and Efficient Conference Key Distribution System", Pre-proceedings of Eurocrypt'94, Scuola Superiore Guglielmo Reiss Romoli (SSGRR), Perugia, Italy, 9-12 May 1994, pages 279-290.
In step 44, the MSBF/NAF provides the service credentials, protected with the group key established in step 43, to the M2M devices/gateway and the MAS.
The advantages of this embodiment are: the group key is never transmitted over the network; it is a function of the private random numbers of all group members, so an eavesdropper on the network cannot obtain it, and only the group members know it. The group key agreement protocol is carried out in the service layer; the network does not participate in the protocol, so it cannot obtain the group key. Most of the communication takes place behind the gateway.
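The following Python program is an added example of step 43, not code from the patent: a Burmester-Desmedt key agreement among the M2M devices, the gateway (option i) and the M2M service, in which every broadcast value carries an HMAC tag under the sender's NAF-specific key so that the MSBF/NAF rejects an altered contribution before relaying it to the group. The toy group parameters (the Mersenne prime 2^127 - 1 and generator 5), the random stand-ins for the GBA-derived NAF keys, the class names, and the message flow through the service are assumptions of this example. The expected key g^(sum of r_i r_(i+1)) is computed from all the secrets only to check the run; no real party can do that.

```python
import hashlib
import hmac
import secrets

# Toy public group, constructed for illustration (a deployment would use a
# standardised prime-order group).
P = 2**127 - 1
G = 5


def mac(key, label, value):
    """Integrity tag over one GKA message, keyed with the sender's NAF-specific key."""
    return hmac.new(key, f"{label}:{value}".encode(), hashlib.sha256).digest()


class Member:
    """One GKA participant: an M2M device, the gateway (option i) or the M2M service."""

    def __init__(self, name, naf_key):
        self.name = name
        self.naf_key = naf_key                      # stand-in for Ks_NAF from GBA
        self.r = secrets.randbelow(P - 2) + 1       # private random contribution r_i
        self.z = pow(G, self.r, P)                  # round-1 broadcast z_i = g^r_i

    def round2(self, zs, i):
        # X_i = (z_{i+1} / z_{i-1})^{r_i}, indices taken modulo the group size
        n = len(zs)
        ratio = zs[(i + 1) % n] * pow(zs[(i - 1) % n], -1, P) % P
        return pow(ratio, self.r, P)

    def derive_key(self, zs, xs, i):
        # K = z_{i-1}^{n r_i} * X_i^{n-1} * X_{i+1}^{n-2} * ... * X_{i-2}^{1}
        n = len(zs)
        k = pow(zs[(i - 1) % n], n * self.r, P)
        for j in range(n - 1):
            k = k * pow(xs[(i + j) % n], n - 1 - j, P) % P
        return k


class Service:
    """MSBF/NAF side of the relay: holds every member's NAF-specific key and checks
    each contribution's tag before passing it on to the group."""

    def __init__(self, naf_keys):
        self.naf_keys = naf_keys

    def relay(self, label, submissions):
        values = []
        for name, value, tag in submissions:
            if not hmac.compare_digest(tag, mac(self.naf_keys[name], label, value)):
                raise ValueError(f"{label}: integrity check failed for {name}")
            values.append(value)
        return values


def run_burmester_desmedt(names):
    """Two broadcast rounds; returns (key per member, expected key from all secrets)."""
    naf_keys = {n: secrets.token_bytes(32) for n in names}   # constructed NAF keys
    members = [Member(n, naf_keys[n]) for n in names]
    service = Service(naf_keys)
    zs = service.relay("round1", [(m.name, m.z, mac(m.naf_key, "round1", m.z)) for m in members])
    round2 = []
    for i, m in enumerate(members):
        x = m.round2(zs, i)
        round2.append((m.name, x, mac(m.naf_key, "round2", x)))
    xs = service.relay("round2", round2)
    keys = {m.name: m.derive_key(zs, xs, i) for i, m in enumerate(members)}
    n = len(members)
    exponent = sum(members[i].r * members[(i + 1) % n].r for i in range(n))
    return keys, pow(G, exponent, P)


def tamper_is_detected(names):
    """A round-1 value altered in transit no longer matches its NAF-key tag."""
    naf_keys = {n: secrets.token_bytes(32) for n in names}
    members = [Member(n, naf_keys[n]) for n in names]
    subs = [(m.name, m.z, mac(m.naf_key, "round1", m.z)) for m in members]
    name, z, tag = subs[0]
    subs[0] = (name, z * G % P, tag)               # value modified, tag left as sent
    try:
        Service(naf_keys).relay("round1", subs)
    except ValueError:
        return True
    return False
```

Every member ends with the same key although only g^r_i and the X_i values ever cross the network, which is the property the embodiment relies on; the tag check is where the NAF-specific keys from step 42 do their work.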
The third preferred embodiment of the present invention provisions both group-level service credentials and individual-level service credentials to the M2M devices/gateway. This embodiment can be used when the M2M devices have the computing capability for asymmetric cryptography. Both group service bootstrap and individual service bootstrap are achieved. The gateway is a dedicated device used only for message transfer; it knows neither the group key nor any individual key. The service provider does not fully trust the access network provider.
This embodiment first provisions the access network credentials to the service layer with the GBA method, then exchanges the group key for all group members and an individual key for each group member with a modified GDH.3 GKA method. The gateway does not participate in the GKA procedure. Fig. 5 shows the procedure for GKA & ii & b.
The high-level procedure shown in Fig. 5 comprises the following steps:
Step 50 is an offline step. The external identifiers of the M2M devices or M2M gateway, as defined in 3GPP TR 23.888, are provided to the M2M service provider. The external identifiers can be mapped to M2M node IDs and provisioned in the access network so that they are locally accessible to the BSF.
In step 51, after successful access network registration, the M2M devices/gateway carry out the GBA bootstrap procedure with the BSF, using the Authentication Vectors (AV) that the BSF obtains from the HSS. The BSF also retrieves from the HSS the GBA User Security Settings (USS), which include the M2M-specific security settings.
In step 52, the M2M devices/gateway and the MSBF/NAF carry out HTTP Digest authentication with the NAF-specific keys. If HTTP Digest authentication succeeds, each member M2M device and gateway in the group shares its NAF-specific key with the MSBF/NAF.
In step 53, the M2M service and the M2M devices carry out the modified GDH.3 group key agreement to establish the group key and an individual key for each M2M device. GDH.3 group key exchange is a specific method for exchanging keys among a group of parties. The details can be found in Michael Steiner, Gene Tsudik and Michael Waidner, "Diffie-Hellman key distribution extended to group communication", Proceedings of the 3rd ACM Conference on Computer and Communications Security (CCS'96), ACM, New York, NY, USA, 1996, pages 31-37.
The detailed execution steps are as follows:
The MSBF generates a new random value s that is used to generate the individual keys. The M2M devices are numbered in advance from 1 to n-1.
1) The first M2M device D1 generates a random value r1 and sends a group root key request together with g^r1 to the M2M gateway. The M2M gateway forwards g^r1 to the second M2M device D2.
2) The second M2M device D2 generates a random value r2, computes g^(r1 r2) and sends it to the M2M gateway. The M2M gateway forwards g^(r1 r2) to the third M2M device D3.
……
n-1) The (n-1)-th M2M device Dn-1 generates a random value rn-1, computes g^(r1 r2 … rn-1) and sends it to the M2M gateway. The M2M gateway forwards g^(r1 r2 … rn-1) to all M2M devices.
n) Each M2M device Di computes g^(r1 r2 … rn-1 / ri) and sends it to the M2M gateway. The M2M gateway forwards all g^(r1 r2 … rn-1 / ri) messages together with g^(r1 r2 … rn-1) to the M2M server.
n+1) The M2M server generates two random values rn and s, computes g^(r1 r2 … rn-1 rn / ri) for each g^(r1 r2 … rn-1 / ri) message, and sends g^s together with all g^(r1 r2 … rn-1 rn / ri) to the M2M gateway. The M2M gateway forwards g^s and g^(r1 r2 … rn-1 rn / ri) to each M2M device Di.
n+2) The M2M server and all M2M devices compute the same group key g^(r1 r2 … rn-1 rn). The M2M server and each M2M device Di compute the same individual key g^(s ri).
In step 54, the MSBF/NAF provides the group service credentials and the individual service credentials to the M2M devices/gateway and the MAS. The group service credentials are protected by the group key g^(r1 r2 … rn-1 rn). Each individual service credential is protected by the individual key g^(s ri).
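The following Python program is an added example, not the patent's own code, that runs the modified GDH.3 exchange of steps 1 to n+2 above with n-1 devices, a purely relaying gateway (option ii) and the M2M server/MSBF. The toy group parameters and the class names are assumptions. One further assumption is marked in the code: the step list does not say how the server obtains g^ri for the individual key g^(s ri), so in this example each device also sends g^ri in step n (a Diffie-Hellman public value). Removing a device's own exponent in step n is done by raising to ri^-1 modulo the group order, so the random exponents are chosen coprime to P-1. A helper computes the expected group key from all the secrets purely to check the run, and the gateway's log is inspected to confirm that neither the group key nor any individual key ever crossed the relay.

```python
import math
import secrets

# Toy public parameters, constructed for illustration only (not a standardised group).
P = 2**127 - 1          # prime modulus; exponents are reduced modulo P - 1
G = 5


def rand_exponent():
    """Random exponent coprime to P-1, so that r^{-1} mod (P-1) exists (needed at step n)."""
    while True:
        r = secrets.randbelow(P - 2) + 1
        if math.gcd(r, P - 1) == 1:
            return r


class Device:
    """M2M device D_i holding the secret r_i (hypothetical class)."""

    def __init__(self, idx):
        self.idx, self.r = idx, rand_exponent()
        self.group_key = self.individual_key = None

    def contribute(self, upstream):
        # Steps 1 .. n-1: raise the value received from D_{i-1} (or g for D1) to r_i.
        return pow(upstream, self.r, P)

    def step_n(self, chain):
        # g^{r1...r(n-1)/ri}: strip own exponent by raising to r_i^{-1} mod (P-1).
        partial = pow(chain, pow(self.r, -1, P - 1), P)
        # ASSUMPTION (not in the page's step list): also send g^{ri} so the server
        # can form the individual key g^{s ri}; it is an ordinary DH public value.
        return partial, pow(G, self.r, P)

    def step_n_plus_2(self, g_s, partial_with_rn):
        self.group_key = pow(partial_with_rn, self.r, P)    # (g^{r1..rn/ri})^{ri}
        self.individual_key = pow(g_s, self.r, P)           # (g^s)^{ri}


class Gateway:
    """Option ii: a pure relay that keeps a log of everything it forwarded."""

    def __init__(self):
        self.seen = []

    def relay(self, msg):
        self.seen.append(msg)
        return msg


class Server:
    """M2M server / MSBF: contributes r_n and the fresh value s for the individual keys."""

    def step_n_plus_1(self, chain, contributions):
        self.rn, self.s = rand_exponent(), rand_exponent()
        self.group_key = pow(chain, self.rn, P)                     # (g^{r1..r(n-1)})^{rn}
        self.individual_keys = {i: pow(g_ri, self.s, P)             # (g^{ri})^s
                                for i, (_, g_ri) in contributions.items()}
        g_s = pow(G, self.s, P)
        with_rn = {i: pow(partial, self.rn, P) for i, (partial, _) in contributions.items()}
        return g_s, with_rn


def run_modified_gdh3(n):
    """n-1 devices numbered 1..n-1, one gateway, one server; returns (devices, server, gateway)."""
    devices = [Device(i) for i in range(1, n)]
    gw, server = Gateway(), Server()
    chain = G
    for d in devices:                                                   # steps 1 .. n-1
        chain = gw.relay(d.contribute(chain))
    contributions = {d.idx: gw.relay(d.step_n(chain)) for d in devices}   # step n
    g_s, with_rn = server.step_n_plus_1(gw.relay(chain), contributions)   # step n+1
    for d in devices:                                                   # step n+2
        d.step_n_plus_2(gw.relay(g_s), gw.relay(with_rn[d.idx]))
    return devices, server, gw


def expected_group_key(devices, server):
    """Check value g^{r1...rn} computed from every secret; no single party can do this."""
    exp = server.rn
    for d in devices:
        exp = exp * d.r % (P - 1)
    return pow(G, exp, P)


def relayed_values(gw):
    """Every group element the gateway ever saw on the wire."""
    flat = set()
    for msg in gw.seen:
        flat.update(msg if isinstance(msg, tuple) else (msg,))
    return flat
```

The two checks worth running after a session are the ones the advantages list makes: all parties agree on g^(r1 … rn) and on each g^(s ri), and the gateway's log contains neither, so a relay (or an eavesdropper on the access network) gains nothing from the exchange.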
The advantages of this embodiment are as follows:
-- The group key and the individual keys are never transmitted over the network. They are functions of the private random numbers of all group members, so an eavesdropper on the network cannot obtain the group key.
-- The group key and the individual keys are known only to the group members. The group key agreement protocol is carried out in the service layer; the network does not participate in the protocol, so it cannot obtain the group key.
-- The group key and the individual keys are all established in the same procedure.
-- Most of the communication takes place behind the gateway.
Although the present invention has been described in conjunction with the preferred embodiments, those skilled in the art will understand that many modifications and variations can be made to the present invention without departing from the spirit and scope of the appended claims.

Claims (11)

1. A method for providing group service credentials during an access-network-assisted machine-to-machine (M2M) service bootstrap process, the method comprising the steps of:
performing access network registration of a group of M2M devices,
establishing a temporary session key based on the access network credential of the access network,
establishing a group key and/or individual keys authenticated by means of the temporary session key, and
providing the group service credentials under the protection of the group key.
2. The method according to claim 1, wherein a Generic Bootstrapping Architecture (GBA) procedure is used in realizing the provision of the access network credential.
3. The method according to claim 1 or 2, wherein the temporary session key is derived from the GBA procedure.
4. The method according to claim 3, wherein the temporary session key comprises a network application function (NAF) specific key.
5. The method according to claim 4, wherein HTTP (Hypertext Transfer Protocol) digest authentication is carried out with the NAF-specific key in the step of establishing the group key.
6. The method according to any of claims 1-5, wherein the step of establishing the group key is realized by a group key agreement procedure, wherein the group key is obtained from the private data of all M2M devices.
7. The method according to claim 6, wherein the group key is established by a Burmester-Desmedt group key agreement procedure.
8. The method according to claim 6, wherein a modified Group Diffie-Hellman 3 (GDH.3) group key agreement procedure is used to establish the group key and the individual keys, and wherein the M2M service bootstrap function (MSBF) generates a new random value that is used to generate the individual key.
9. The method according to any of claims 6-8, wherein the group key agreement procedure is carried out in the service layer.
10. The method according to any of claims 1-5, wherein the step of establishing the group key is realized by a group key distribution procedure, wherein a key distribution center (KDC) is responsible for generating and distributing one or more shared keys.
11. A system for providing group service credentials during an access-network-assisted M2M service bootstrap process, the system comprising:
means for performing access network registration of a group of M2M devices,
means for establishing a temporary session key based on the access network credential of the access network,
means for establishing a group key and/or individual keys authenticated by means of the temporary session key, and
means for providing the group service credentials under the protection of the group key.
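The following is an added worked example, not code from the patent or its applicant, of the group key establishment step described in claims 1, 6 and 7: a ring of M2M devices runs the two-round Burmester-Desmedt (BD) group key agreement, every broadcast is authenticated with an HMAC under that device's temporary session key (standing in for the NAF-specific key of claim 4), and the verifier holding those session keys is assumed to be the MSBF. The group parameters, the device session keys and the HMAC framing are constructed for the illustration; a deployment would use a standard MODP or elliptic-curve group.

```python
import hashlib
import hmac
import secrets

# Toy group parameters, constructed for this illustration only: a Mersenne
# prime modulus and a small generator.  A deployment would use a standard
# MODP group (e.g. RFC 3526) or an elliptic-curve group instead.
P = (1 << 127) - 1
G = 3
ELEM_LEN = 16  # bytes needed to encode a group element below P


def _exp(base, e):
    return pow(base, e, P)


def _mac(session_key, round_tag, msg):
    # Broadcasts are authenticated with the device's temporary session key
    # (hypothetical here, e.g. a NAF-specific key obtained from GBA).
    return hmac.new(session_key, round_tag + msg, hashlib.sha256).digest()


class Device:
    """One M2M device in a ring of n taking part in BD group key agreement."""

    def __init__(self, index, n, session_key):
        self.i = index
        self.n = n
        self.session_key = session_key
        self.r = secrets.randbelow(P - 2) + 1     # private exponent r_i
        self.z = _exp(G, self.r)                  # z_i = g^r_i

    def round1(self):
        msg = self.z.to_bytes(ELEM_LEN, "big")
        return self.i, msg, _mac(self.session_key, b"round1", msg)

    def round2(self, zs):
        # X_i = (z_{i+1} / z_{i-1})^r_i, computed from the verified round-1 values
        left = zs[(self.i - 1) % self.n]
        right = zs[(self.i + 1) % self.n]
        self.x = _exp(right * pow(left, -1, P) % P, self.r)
        msg = self.x.to_bytes(ELEM_LEN, "big")
        return self.i, msg, _mac(self.session_key, b"round2", msg)

    def compute_key(self, zs, xs):
        # K_i = z_{i-1}^{n r_i} * X_i^{n-1} * X_{i+1}^{n-2} * ... * X_{i-2}^1
        n = self.n
        k = _exp(zs[(self.i - 1) % n], n * self.r)
        for j in range(1, n):
            k = k * _exp(xs[(self.i + j - 1) % n], n - j) % P
        return k


def verify_broadcast(session_keys, round_tag, triples):
    """Check every broadcast's MAC (the verifier, assumed to be the MSBF, holds
    each device's temporary session key) and return the decoded values by index."""
    values = {}
    for i, msg, tag in triples:
        expected = _mac(session_keys[i], round_tag, msg)
        if not hmac.compare_digest(tag, expected):
            raise ValueError(f"bad MAC on {round_tag.decode()} from device {i}")
        values[i] = int.from_bytes(msg, "big")
    return values


def derive_group_key(k):
    """Turn the agreed group element into a symmetric key under which the
    group service credentials can then be protected."""
    return hashlib.sha256(b"m2m-group-key" + k.to_bytes(ELEM_LEN, "big")).digest()


def bd_group_key_agreement(session_keys):
    """Run both BD rounds over an authenticated broadcast channel; return every
    device's computed group element and the reference value g^{sum r_i r_{i+1}}
    (the reference uses all private exponents and exists only for checking)."""
    n = len(session_keys)
    devices = [Device(i, n, k) for i, k in enumerate(session_keys)]
    zs = verify_broadcast(session_keys, b"round1", [d.round1() for d in devices])
    xs = verify_broadcast(session_keys, b"round2", [d.round2(zs) for d in devices])
    keys = [d.compute_key(zs, xs) for d in devices]
    reference = _exp(G, sum(devices[i].r * devices[(i + 1) % n].r for i in range(n)))
    return keys, reference


if __name__ == "__main__":
    # Constructed per-device temporary session keys for a group of four devices.
    keys, ref = bd_group_key_agreement([b"sk-dev0", b"sk-dev1", b"sk-dev2", b"sk-dev3"])
    print("all devices agree:", len(set(keys)) == 1 and keys[0] == ref)
    print("group key:", derive_group_key(keys[0]).hex())
```

BD needs only two broadcast rounds regardless of group size, and the resulting key is contributory (every device's private exponent enters it), which is why the claims can speak of a group key obtained from the private data of all M2M devices. The MAC check on each broadcast is the part that ties the agreement to the temporary session key: without it the exchange is unauthenticated Diffie-Hellman, so `verify_broadcast` rejects any value whose tag does not verify under the corresponding session key.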
CN201280072421.4A 2012-02-16 2012-02-16 Method and system for group based service bootstrap in M2M environment Pending CN104205898A (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2012/000182 WO2013120225A1 (en) 2012-02-16 2012-02-16 Method and system for group based service bootstrap in m2m environment

Publications (1)

Publication Number Publication Date
CN104205898A true CN104205898A (en) 2014-12-10

Family

ID=48983514

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201280072421.4A Pending CN104205898A (en) 2012-02-16 2012-02-16 Method and system for group based service bootstrap in M2M environment

Country Status (2)

Country Link
CN (1) CN104205898A (en)
WO (1) WO2013120225A1 (en)

Families Citing this family (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2518257A (en) 2013-09-13 2015-03-18 Vodafone Ip Licensing Ltd Methods and systems for operating a secure mobile device
US9756030B2 (en) 2014-08-08 2017-09-05 Eurotech S.P.A. Secure cloud based multi-tier provisioning
US9491196B2 (en) 2014-09-16 2016-11-08 Gainspan Corporation Security for group addressed data packets in wireless networks
US9762392B2 (en) 2015-03-26 2017-09-12 Eurotech S.P.A. System and method for trusted provisioning and authentication for networked devices in cloud-based IoT/M2M platforms
CN106658349B (en) * 2015-10-30 2020-11-20 中国电信股份有限公司 Method and system for automatically generating and updating shared secret key
US10575273B2 (en) 2016-03-31 2020-02-25 Intel Corporation Registration of devices in secure domain
US10298448B2 (en) 2016-09-20 2019-05-21 At&T Intellectual Property I, L.P. Method and apparatus for extending service capabilities in a communication network
KR20190085627A (en) 2018-01-11 2019-07-19 삼성전자주식회사 Method for providing notification and electronic device for supporting the same
US11095653B2 (en) 2018-05-24 2021-08-17 International Business Machines Corporation Secure provisioning of unknown devices through trusted third-party devices
EP3854025A4 (en) * 2018-09-17 2022-04-06 Nokia Solutions and Networks Oy Credentials management
GB2579574B (en) * 2018-12-03 2021-08-11 Advanced Risc Mach Ltd Bootstrapping with common credential data

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102238484A (en) * 2010-04-22 2011-11-09 中兴通讯股份有限公司 Method and system for group-based authentication in machine to machine communication systems
US20110307694A1 (en) * 2010-06-10 2011-12-15 Ioannis Broustis Secure Registration of Group of Clients Using Single Registration Procedure
CN102469458A (en) * 2010-11-19 2012-05-23 中兴通讯股份有限公司 Group authentication method and group authentication system in M2M communication

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6601171B1 (en) * 1999-02-18 2003-07-29 Novell, Inc. Deputization in a distributed computing system
US7185199B2 (en) * 2002-08-30 2007-02-27 Xerox Corporation Apparatus and methods for providing secured communication
EP1915837B1 (en) * 2005-08-19 2020-04-22 Samsung Electronics Co., Ltd. Method for performing multiple pre-shared key based authentication at once and system for executing the method
CN102026180A (en) * 2009-09-15 2011-04-20 中国移动通信集团公司 M2M transmission control method, device and system
CN102215560B (en) * 2010-04-08 2015-06-10 中兴通讯股份有限公司 Method and system for managing M2M (machine to machine) terminal

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102238484A (en) * 2010-04-22 2011-11-09 中兴通讯股份有限公司 Method and system for group-based authentication in machine to machine communication systems
US20110307694A1 (en) * 2010-06-10 2011-12-15 Ioannis Broustis Secure Registration of Group of Clients Using Single Registration Procedure
CN102469458A (en) * 2010-11-19 2012-05-23 中兴通讯股份有限公司 Group authentication method and group authentication system in M2M communication

Also Published As

Publication number Publication date
WO2013120225A1 (en) 2013-08-22

Similar Documents

Publication Publication Date Title
CN104205898A (en) Method and system for group based service bootstrap in M2M environment
US11240218B2 (en) Key distribution and authentication method and system, and apparatus
Wang et al. Privacy-preserving authentication and key agreement protocols for D2D group communications
JP6641029B2 (en) Key distribution and authentication method and system, and device
Wang et al. UAKA-D2D: Universal authentication and key agreement protocol in D2D communications
US10841784B2 (en) Authentication and key agreement in communication network
EP3668048B1 (en) Methods and apparatuses for bootstrapping machine-to-machine service
CN105706390B (en) Method and apparatus for performing device-to-device communication in a wireless communication network
Cao et al. GBAAM: group‐based access authentication for MTC in LTE networks
CN106936570A (en) A kind of cipher key configuration method and KMC, network element
CN109768861B (en) Massive D2D anonymous discovery authentication and key agreement method
Park et al. Inter-authentication and session key sharing procedure for secure M2M/IoT environment
Liu et al. A secure and efficient authentication protocol for satellite-terrestrial networks
JP2016519873A (en) Establishing secure voice communication using a generic bootstrapping architecture
Gharsallah et al. An efficient authentication and key agreement protocol for a group of vehicles devices in 5G cellular networks
Sathi et al. Novel protocols to mitigate network slice topology learning attacks and protect privacy of users’ service access behavior in softwarized 5G networks
Maccari et al. Security analysis of IEEE 802.16
CN105848140A (en) Safe end-to-end establishment method capable of achieving communication supervision in 5G network
Gerdes et al. Delegated authenticated authorization for constrained environments
CN103796200A (en) Method for achieving key management in wireless mobile ad hoc network based on identities
Goswami et al. An esim-based remote credential provisioning and authentication protocol for IoT devices in 5G cellular network
Doh et al. Key establishment and management for secure cellular machine-to-machine communication
Khumalo et al. Services and applications security in IoT enabled networks
Byun et al. Constant-round password-based group key generation for multi-layer ad-hoc networks
Broustis et al. Group authentication: A new paradigm for emerging applications

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20141210