CN104852891A - Secret key generation method, equipment and system - Google Patents

Secret key generation method, equipment and system

Info

Publication number
CN104852891A
Authority
CN
China
Prior art keywords
key
identifier
location server
domain
user equipment
Prior art date
Legal status
Granted
Application number
CN201410057184.5A
Other languages
Chinese (zh)
Other versions
CN104852891B (en)
Inventor
何文裕
何承东
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd
Priority to CN201410057184.5A (CN104852891B)
Priority to PCT/CN2014/080987 (WO2015123953A1)
Publication of CN104852891A
Application granted
Publication of CN104852891B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0866 Generation of secret information involving user or device identifiers, e.g. serial number, physical or biometrical information, DNA, hand-signature or measurable physical characteristics
    • H04L9/0869 Generation of secret information involving random numbers or seeds
    • H04L9/0872 Generation of secret information using geo-location information, e.g. location data, time, relative position or proximity to other entities

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

Embodiments of the invention provide a secret key generation method, device and system in the field of communications. A session key is derived step by step, so that confidentiality and integrity are provided for data transmission between user equipment and a router in a UIP network. The method provided by the embodiment of the invention comprises: a destination router receives a handover request message sent by a source router and sends an access request message to a location server; the destination router receives an access response message sent by the location server, where the access response message contains a device-related key derived by the location server according to a random value, a root key and one or more of the following parameters: the device identifier of the user equipment, the identifier of the domain of the location server and the identifier of the destination router; and the destination router derives the session key according to the device-related key in the access response message.

Description

Method, device and system for generating secret key
Technical Field
The present invention relates to the field of communications, and in particular, to a method, device, and system for generating a secret key.
Background
For a long time, an Internet Protocol address (IP address) has played the dual role of identifier (host identity) and locator (network location identifier). This makes the separation between the transport layer and the network layer in the TCP/IP protocol architecture incomplete, and brings certain limitations to implementing terminal host mobility and ensuring communication security. To solve this problem, the identifier and locator roles of the IP address need to be separated; the User Identity Protocol (UIP) is one scheme for implementing this separation.
Fig. 1 is a schematic diagram of the network architecture of a UIP. As shown in Fig. 1, a UIP network is composed of one or more UIP domains, and each UIP domain is composed of a Subscriber Location Server (SLS) and one or more routers (DR). Routers within a UIP domain and across different UIP domains are linked to each other, and the location server and the routers within a UIP domain are linked to each other. A router stores the mapping between the User identifier (User ID) of a user equipment and the Locator of that user equipment, and implements user data forwarding and message address translation; the location server stores the mapping between the User ID and the current router (that is, the source router) of the user equipment. A User Equipment (UE) accesses the UIP domain through a radio access network. In Fig. 1, a solid line indicates the User Plane (UP) of the UIP network, which carries service data, and a dotted line indicates the Control Plane (CP) of the UIP network, which carries control signalling.
However, in a UIP network data is transmitted directly between the user equipment and the router, and no confidentiality or integrity protection is provided for that transmission.
Disclosure of Invention
Embodiments of the present invention provide a method, device and system for key generation, which derive a session key step by step and thereby provide confidentiality and integrity for data transmission between a user equipment and a router in a UIP network.
To achieve this purpose, the embodiments of the invention adopt the following technical scheme:
In a first aspect, an embodiment of the present invention provides a method for generating a key, including:
a destination router receives a handover request message sent by a source router, where the handover request message contains a user identifier of a user equipment and a device identifier of the user equipment;
the destination router sends an access request message to a location server, where the access request message contains the user identifier of the user equipment, the device identifier of the user equipment and an identifier of the destination router;
the destination router receives an access response message sent by the location server, where the access response message contains a device-related key, the device-related key being derived by the location server according to a random value, a root key and one or more of the following parameters: the device identifier of the user equipment, an identifier of the domain in which the location server is located, and the identifier of the destination router; the random value is generated by the location server for authenticating the user equipment and generating the device-related key; the root key is obtained by the location server according to the user identifier;
and the destination router derives a session key according to the device-related key in the access response message.
With reference to the first aspect, in a first possible implementation manner of the first aspect, the deriving, by the destination router, of a session key according to the device-related key in the access response message includes:
the destination router derives a temporary key according to the device-related key in the access response message;
and the destination router derives a session key according to the temporary key.
With reference to the first aspect or the first possible implementation manner of the first aspect, in a second possible implementation manner of the first aspect, the device-related key is derived by the location server according to a random value, a root key and the device identifier of the user equipment;
and the deriving, by the destination router, of a session key according to the device-related key in the access response message includes:
the destination router derives a temporary key according to the device-related key and a count value, where the count value is obtained by the destination router;
and derives a session key according to the temporary key, the identifier of the domain where the location server is located and the identifier of the destination router;
or,
the destination router derives a temporary key according to the device-related key, the count value, the identifier of the domain where the location server is located and the identifier of the destination router;
and derives a session key according to the temporary key;
or,
the destination router derives a temporary key according to the device-related key, the identifier of the domain where the location server is located and the identifier of the destination router;
and derives a session key according to the temporary key and the count value;
or,
the destination router derives a temporary key according to the device-related key;
and derives a session key according to the temporary key, the count value, the identifier of the domain where the location server is located and the identifier of the destination router.
With reference to the first aspect or the first possible implementation manner of the first aspect, in a third possible implementation manner of the first aspect, the device-related key is derived by the location server according to a random value, a root key, the device identifier of the user equipment, the identifier of the domain where the location server is located and the identifier of the destination router;
and the deriving, by the destination router, of a session key according to the device-related key in the access response message includes:
the destination router derives a temporary key according to the device-related key and the count value;
and derives a session key according to the temporary key;
or,
the destination router derives a temporary key according to the device-related key;
and derives a session key according to the temporary key and the count value.
With reference to any one of the first aspect to the third possible implementation manner of the first aspect, in a fourth possible implementation manner of the first aspect, the method further includes:
the destination router receives an authentication request message sent by the location server, where the authentication request message contains the random value and the identifier of the domain in which the location server is located;
and the destination router sends an authentication request message to the user equipment, where the authentication request message contains the random value, the identifier of the domain where the location server is located and the identifier of the destination router, so that the user equipment returns an authentication response message and generates a device-related key and a session key.
In a second aspect, an embodiment of the present invention provides a method for key generation, including:
a location server receives an access request message sent by a destination router, where the access request message contains a user identifier of a user equipment, a device identifier of the user equipment and an identifier of the destination router;
the location server sends an authentication request message to the destination router, where the authentication request message contains a random value and an identifier of the domain where the location server is located, the random value being generated by the location server and used for authenticating the user equipment and generating a device-related key;
the location server receives an authentication response message sent by the destination router, and derives the device-related key according to a root key, the random value and one or more of the following parameters: the device identifier of the user equipment, the identifier of the domain in which the location server is located, and the identifier of the destination router; the root key is obtained by the location server according to the user identifier;
and the location server sends an access response message to the destination router, where the access response message contains the device-related key.
With reference to the second aspect, in a first possible implementation manner of the second aspect, the deriving, by the location server, of the device-related key according to a root key, the random value and one or more of the following parameters: the device identifier of the user equipment, the identifier of the domain where the location server is located, and the identifier of the destination router, includes:
the location server derives the device-related key from a root key, the random value and the device identifier of the user equipment;
or,
the location server derives the device-related key from a root key, the random value, the device identifier of the user equipment, the identifier of the domain in which the location server is located and the identifier of the destination router.
In a third aspect, an embodiment of the present invention provides a method for generating a key, including:
a user equipment receives an authentication request message sent by a destination router, where the authentication request message contains a random value, an identifier of the domain where a location server is located and an identifier of the destination router;
the user equipment derives a device-related key according to a root key, the random value and one or more of the following parameters: a device identifier of the user equipment, the identifier of the domain in which the location server is located and the identifier of the destination router, and derives a session key from the device-related key.
With reference to the third aspect, in a first possible implementation manner of the third aspect, the deriving, by the user equipment, of a device-related key according to a root key, the random value and one or more of the following parameters: the device identifier of the user equipment, the identifier of the domain in which the location server is located and the identifier of the destination router, and the deriving of a session key from the device-related key, includes:
the user equipment derives a device-related key according to a root key, the random value and the device identifier of the user equipment;
the user equipment derives a temporary key according to the device-related key and a count value;
the user equipment derives a session key according to the temporary key, the identifier of the domain where the location server is located and the identifier of the destination router;
or,
the user equipment derives a device-related key according to a root key, the random value and the device identifier of the user equipment;
the user equipment derives a temporary key according to the device-related key, the count value, the identifier of the domain where the location server is located and the identifier of the destination router;
the user equipment derives a session key according to the temporary key;
or,
the user equipment derives a device-related key according to a root key, the random value and the device identifier of the user equipment;
the user equipment derives a temporary key according to the device-related key, the identifier of the domain where the location server is located and the identifier of the destination router;
the user equipment derives a session key according to the temporary key and the count value;
or,
the user equipment derives a device-related key according to a root key, the random value and the device identifier of the user equipment;
the user equipment derives a temporary key according to the device-related key;
the user equipment derives a session key according to the temporary key, the count value, the identifier of the domain where the location server is located and the identifier of the destination router;
or,
the user equipment derives a device-related key according to a root key, the random value, the device identifier of the user equipment, the identifier of the domain where the location server is located and the identifier of the destination router;
the user equipment derives a temporary key according to the device-related key and the count value;
the user equipment derives a session key according to the temporary key;
or,
the user equipment derives a device-related key according to a root key, the random value, the device identifier of the user equipment, the identifier of the domain where the location server is located and the identifier of the destination router;
the user equipment derives a temporary key according to the device-related key;
and the user equipment derives a session key according to the temporary key and the count value.
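The derivation chain of the first to third aspects (root key to device-related key to temporary key to session key) and the message flow around it, worked as an added Python example that is not part of the patent. It assumes HMAC-SHA256 as the key derivation function, constructed identifiers and root key, and a count value already synchronized between the destination router and the user equipment; the patent text here fixes none of these. The six variants cover every parameter split listed in the second and third implementation manners, and the example checks that the router and the UE end with the same session key.

```python
"""Hierarchical UIP key derivation: root key -> device-related key -> temporary key
-> session key, following the parameter choices listed in the patent's aspects.
HMAC-SHA256 is an assumed KDF; the patent text does not name one."""
import hashlib
import hmac
import os
from dataclasses import dataclass


def kdf(key: bytes, label: str, *params: bytes) -> bytes:
    """Derive a 32-byte key from `key`, a purpose label and length-prefixed parameters.
    Length prefixes keep (b"ab", b"c") and (b"a", b"bc") from colliding."""
    mac = hmac.new(key, label.encode(), hashlib.sha256)
    for p in params:
        mac.update(len(p).to_bytes(2, "big"))
        mac.update(p)
    return mac.digest()


@dataclass(frozen=True)
class Variant:
    """Which context parameters are bound at each derivation step."""
    dev: tuple   # into the device-related key (always with root key and random value)
    tmp: tuple   # into the temporary key
    ses: tuple   # into the session key


# Second implementation manner: device key from root key, random value and device id;
# count, domain id and router id are split between temporary and session key.
# Third implementation manner: device key already binds domain id and router id;
# only the count remains, in either the temporary or the session key.
VARIANTS = {
    "2a": Variant(("device_id",), ("count",), ("domain_id", "router_id")),
    "2b": Variant(("device_id",), ("count", "domain_id", "router_id"), ()),
    "2c": Variant(("device_id",), ("domain_id", "router_id"), ("count",)),
    "2d": Variant(("device_id",), (), ("count", "domain_id", "router_id")),
    "3a": Variant(("device_id", "domain_id", "router_id"), ("count",), ()),
    "3b": Variant(("device_id", "domain_id", "router_id"), (), ("count",)),
}


def derive_device_key(root_key: bytes, rand: bytes, ctx: dict, variant: Variant) -> bytes:
    """Location server side and UE side: both hold the root key and the random value."""
    return kdf(root_key, "UIP-device-key", rand, *(ctx[n] for n in variant.dev))


def derive_session_key(device_key: bytes, ctx: dict, variant: Variant) -> bytes:
    """Destination router side and UE side: device key -> temporary key -> session key."""
    temp_key = kdf(device_key, "UIP-temp-key", *(ctx[n] for n in variant.tmp))
    return kdf(temp_key, "UIP-session-key", *(ctx[n] for n in variant.ses))


def run_handover(user_id: bytes, device_id: bytes, domain_id: bytes, router_id: bytes,
                 count: int, root_keys: dict, variant_name: str, rand: bytes = None):
    """Simulate the exchange of the first to third aspects.

    root_keys maps user identifier -> root key and lives on the location server;
    the UE holds its own copy of its root key (constructed here, labelled as such).
    Returns the session key computed by the destination router and by the UE."""
    variant = VARIANTS[variant_name]
    ctx = {"device_id": device_id, "domain_id": domain_id,
           "router_id": router_id, "count": count.to_bytes(4, "big")}
    # 1. source router -> destination router: handover request {user_id, device_id}
    # 2. destination router -> location server: access request {user_id, device_id, router_id}
    root_key = root_keys[user_id]                          # looked up by user identifier
    rand = rand if rand is not None else os.urandom(16)    # fresh random value per access
    # 3. location server -> destination router -> UE: authentication request
    #    {rand, domain_id}, the destination router appending its own identifier.
    ue_device_key = derive_device_key(root_key, rand, ctx, variant)      # UE side
    ue_session_key = derive_session_key(ue_device_key, ctx, variant)
    # 4. UE -> destination router -> location server: authentication response.
    #    The location server derives the device-related key and returns it in the
    #    access response; the root key itself never leaves the location server.
    sls_device_key = derive_device_key(root_key, rand, ctx, variant)
    dr_session_key = derive_session_key(sls_device_key, ctx, variant)    # router side
    return dr_session_key, ue_session_key


if __name__ == "__main__":
    root_keys = {b"user-1": bytes(range(32))}   # constructed sample root key
    for name in VARIANTS:
        dr, ue = run_handover(b"user-1", b"dev-1", b"dom-A", b"DR-7", 1, root_keys, name)
        print(name, "router == UE:", dr == ue)
```

Because every variant binds the destination router identifier somewhere in the chain, a handover to a different router yields a different session key even under the same random value; in the "2x" variants the device-related key itself is router-independent, and only the keys below it change.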
In a fourth aspect, an embodiment of the present invention provides a destination router, including:
a receiving module, configured to receive a handover request message sent by a source router, where the handover request message contains a user identifier of a user equipment and a device identifier of the user equipment;
a sending module, configured to send an access request message to a location server when the receiving module receives the handover request message, where the access request message contains the user identifier of the user equipment, the device identifier of the user equipment and an identifier of the destination router;
the receiving module is further configured to receive an access response message sent by the location server, where the access response message contains a device-related key, the device-related key being derived by the location server according to a random value, a root key and one or more of the following parameters: the device identifier of the user equipment, an identifier of the domain in which the location server is located, and the identifier of the destination router;
and a generating module, configured to derive a session key according to the device-related key when the receiving module receives the access response message.
With reference to the fourth aspect, in a first possible implementation manner of the fourth aspect, the generating module is specifically configured to:
derive a temporary key from the device-related key;
and derive a session key according to the temporary key.
With reference to the fourth aspect or the first possible implementation manner of the fourth aspect, in a second possible implementation manner of the fourth aspect, the device-related key is derived by the location server according to a random value, a root key and the device identifier of the user equipment;
correspondingly, the generating module is specifically configured to:
derive a temporary key according to the device-related key and a count value, where the count value is obtained by the destination router;
and derive a session key according to the temporary key, the identifier of the domain where the location server is located and the identifier of the destination router;
or,
derive a temporary key according to the device-related key, the count value, the identifier of the domain where the location server is located and the identifier of the destination router;
and derive a session key according to the temporary key;
or,
derive a temporary key according to the device-related key, the identifier of the domain where the location server is located and the identifier of the destination router;
and derive a session key according to the temporary key and the count value;
or,
derive a temporary key from the device-related key;
and derive a session key according to the temporary key, the count value, the identifier of the domain where the location server is located and the identifier of the destination router.
With reference to the fourth aspect or the first possible implementation manner of the fourth aspect, in a third possible implementation manner of the fourth aspect, the device-related key is derived by the location server according to a random value, a root key, the device identifier of the user equipment, the identifier of the domain where the location server is located and the identifier of the destination router;
correspondingly, the generating module is specifically configured to:
derive a temporary key according to the device-related key and the count value;
and derive a session key according to the temporary key;
or,
derive a temporary key from the device-related key;
and derive a session key according to the temporary key and the count value.
With reference to any one of the fourth aspect to the third possible implementation manner of the fourth aspect, in a fourth possible implementation manner of the fourth aspect,
the receiving module is further configured to receive an authentication request message sent by the location server, where the authentication request message contains the random value and the identifier of the domain in which the location server is located;
and the sending module is further configured to send an authentication request message to the user equipment when the receiving module receives the authentication request message, where the authentication request message contains the random value, the identifier of the domain where the location server is located and the identifier of the destination router, so that the user equipment returns an authentication response message and generates a device-related key and a session key.
In a fifth aspect, an embodiment of the present invention provides a location server, including:
a receiving module, configured to receive an access request message sent by a destination router, where the access request message contains a user identifier of a user equipment, a device identifier of the user equipment and an identifier of the destination router;
a sending module, configured to send an authentication request message to the destination router when the receiving module receives the access request message, where the authentication request message contains a random value and an identifier of the domain where the location server is located; the random value is generated by the location server for authenticating the user equipment and generating a device-related key;
the receiving module is further configured to receive an authentication response message sent by the destination router;
a generating module, configured to derive the device-related key according to a root key, the random value and one or more of the following parameters when the receiving module receives the authentication response message: the device identifier of the user equipment, the identifier of the domain in which the location server is located, and the identifier of the destination router; the root key is obtained by the location server according to the user identifier;
and the sending module is further configured to send an access response message to the destination router when the generating module generates the device-related key, where the access response message contains the device-related key.
With reference to the fifth aspect, in a first possible implementation manner of the fifth aspect,
the generating module is specifically configured to:
derive the device-related key from a root key, the random value and the device identifier of the user equipment;
or,
derive the device-related key from a root key, the random value, the device identifier of the user equipment, the identifier of the domain in which the location server is located and the identifier of the destination router.
In a sixth aspect, an embodiment of the present invention provides a user equipment, including:
a receiving module, configured to receive an authentication request message sent by a destination router, where the authentication request message contains a random value, an identifier of the domain where a location server is located and an identifier of the destination router;
and a generating module, configured to derive a device-related key according to a root key, the random value and one or more of the following parameters when the receiving module receives the authentication request message: a device identifier of the user equipment, the identifier of the domain in which the location server is located and the identifier of the destination router, and to derive a session key from the device-related key.
With reference to the sixth aspect, in a first possible implementation manner of the sixth aspect,
the generating module is specifically configured to:
derive a device-related key from a root key, the random value and the device identifier of the user equipment;
derive a temporary key according to the device-related key and a count value;
and derive a session key according to the temporary key, the identifier of the domain where the location server is located and the identifier of the destination router;
or,
derive a device-related key from a root key, the random value and the device identifier of the user equipment;
derive a temporary key according to the device-related key, the count value, the identifier of the domain where the location server is located and the identifier of the destination router;
and derive a session key according to the temporary key;
or,
derive a device-related key from a root key, the random value and the device identifier of the user equipment;
derive a temporary key according to the device-related key, the identifier of the domain where the location server is located and the identifier of the destination router;
and derive a session key according to the temporary key and the count value;
or,
derive a device-related key from a root key, the random value and the device identifier of the user equipment;
derive a temporary key from the device-related key;
and derive a session key according to the temporary key, the count value, the identifier of the domain where the location server is located and the identifier of the destination router;
or,
derive a device-related key from a root key, the random value, the device identifier of the user equipment, the identifier of the domain in which the location server is located and the identifier of the destination router;
derive a temporary key according to the device-related key and the count value;
and derive a session key according to the temporary key;
or,
derive a device-related key from a root key, the random value, the device identifier of the user equipment, the identifier of the domain in which the location server is located and the identifier of the destination router;
derive a temporary key from the device-related key;
and derive a session key according to the temporary key and the count value.
In a seventh aspect, an embodiment of the present invention provides a key generation system, including: a source router; a destination router as described in any one of the fourth aspect to the fourth possible implementation manner of the fourth aspect; a location server as described in any one of the fifth aspect to the first possible implementation manner of the fifth aspect; and a user equipment as described in any one of the sixth aspect to the first possible implementation manner of the sixth aspect.
It can be seen from the above that the embodiments of the present invention provide a method, device and system for key generation, in which a destination router receives a handover request message sent by a source router, where the handover request message contains a user identifier of a user equipment and a device identifier of the user equipment; the destination router sends an access request message to a location server, where the access request message contains the user identifier of the user equipment, the device identifier of the user equipment and an identifier of the destination router; the destination router receives an access response message sent by the location server, where the access response message contains a device-related key, the device-related key being derived by the location server according to a random value, a root key and one or more of the following parameters: the device identifier of the user equipment, the identifier of the domain in which the location server is located, and the identifier of the destination router; the random value is generated by the location server for authenticating the user equipment and generating the device-related key; the root key is obtained by the location server according to the user identifier; and the destination router derives a session key according to the device-related key in the access response message. In this way the session key is derived step by step, confidentiality and integrity are provided for data transmission between the user equipment and the router in the UIP network, and the shortcoming of the existing UIP network, which cannot provide confidentiality and integrity for data transmission between the user equipment and the router, is overcome.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and other drawings can be obtained by those skilled in the art without creative efforts.
FIG. 1 is a schematic diagram of the network architecture of a UIP;
FIG. 2 is a schematic diagram of the ID model of the UIP network;
FIG. 3 is a schematic diagram of mobility management of the UIP network;
FIG. 4 is a schematic diagram of the UIP network key hierarchy structure provided by an embodiment of the present invention;
FIG. 5 is a flowchart of a method for key generation according to an embodiment of the present invention;
FIG. 6 is a flowchart of a method for key generation according to an embodiment of the present invention;
FIG. 7 is a flowchart of a method for key generation according to an embodiment of the present invention;
FIG. 8 is a flowchart of another method for key generation provided by embodiments of the present invention;
FIG. 9 is a flowchart of another method for key generation according to an embodiment of the present invention;
FIG. 10 is a flowchart of another method of key generation provided by embodiments of the present invention;
FIG. 11 is a flowchart of another method for key generation according to an embodiment of the present invention;
FIG. 12 is a flowchart of another method of key generation provided by embodiments of the present invention;
FIG. 13 is a flowchart of another method of key generation provided by embodiments of the present invention;
FIG. 14 is a flowchart of another method of key generation provided by embodiments of the present invention;
FIG. 15 is a flowchart of another method of key generation provided by embodiments of the present invention;
FIG. 16 is a flowchart of another method of key generation provided by embodiments of the present invention;
FIG. 17 is a flowchart of another method of key generation provided by embodiments of the present invention;
FIG. 18 is a flowchart of another method of key generation provided by embodiments of the present invention;
FIG. 19 is a flowchart of another method of key generation provided by embodiments of the present invention;
FIG. 20 is a block diagram of a destination router according to an embodiment of the present invention;
FIG. 21 is a block diagram of a location server according to an embodiment of the present invention;
FIG. 22 is a structural diagram of a user equipment according to an embodiment of the present invention;
FIG. 23 is a block diagram of another destination router according to an embodiment of the present invention;
FIG. 24 is a block diagram of another location server provided by an embodiment of the present invention;
FIG. 25 is a block diagram of another user equipment according to an embodiment of the present invention;
FIG. 26 is a block diagram of a key generation system according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The key generation method provided by the embodiments of the present invention is suitable for a User Identity Protocol network (UIP network for short), and may also be applied to any network that implements secure data transmission; the embodiments of the present invention do not limit this, and are described below only by taking the UIP network as an example.
Example one
Fig. 5 is a flowchart of a method for generating a key according to an embodiment of the present invention. As shown in fig. 5, the method may include the following steps:
501: the destination router receives a handover request message sent by a source router, where the handover request message contains a user identifier of the user equipment and a device identifier of the user equipment.
The source router and the destination router are relative concepts, determined by the handover situation of the user equipment (UE): the source router is the router that communicates with the UE before the handover, and the destination router is the router that communicates with the UE after the handover, where a handover is the movement of the UE from the coverage area of one router to the coverage area of another router. In the embodiments of the present invention, the source router and the destination router may be in the same UIP domain or in different UIP domains; when they are in the same UIP domain, the UE is moving within the domain, and when they are in different UIP domains, the UE is moving between domains. For example, fig. 2 is a schematic diagram of mobility management of user equipment in the UIP network; as shown in fig. 2, a UE connected to the UIP network may be in either of the following two mobility situations: (1) intra-domain movement, such as movement of a UE from the coverage area of router 2 to the coverage area of router 1, where router 2 is the source router and router 1 is the destination router; (2) inter-domain movement, such as movement of a UE from the coverage area of router 2 to the coverage area of router 3, where router 2 is the source router and router 3 is the destination router.
In one embodiment of the present invention, when a UE moves from the coverage area of a source router to the coverage area of a destination router, the destination router receives a handover request message sent by the source router, where the handover request message contains the user identifier of the user equipment and the device identifier of the user equipment, or contains the user identifier of the user equipment, the device identifier of the user equipment, and a locator.
The user identifier (User ID) of the user equipment, the device identifier (Device ID) of the user equipment, and the locator (Locator) are the three identifiers (IDs) into which the UIP network protocol partitions identity. The User ID is assigned by the operator and never changes; the Device ID is assigned by the device manufacturer or the operator, for example an International Mobile Equipment Identity (IMEI), and one User ID may be associated with multiple Device IDs; the Locator is usually an IP address, assigned by the operator or specified by the user equipment, and one Device ID may be associated with multiple Locators. The user identifier of the user equipment, the device identifier of the user equipment, and the locator may be saved in the source router during the initialization process in which the UE communicates data with the source router. For example, fig. 3 is a schematic diagram of the ID model of a UIP network; as shown in fig. 3, for a scenario in which one user has multiple devices, the IDs of the UIP network may be divided into one user identifier (User ID), multiple device identifiers (Device IDs), and multiple locators (Locators).
502: the destination router sends an access request message to a location server, wherein the access request message contains a user identifier of the user equipment, a device identifier of the user equipment and an identifier of the destination router.
Wherein the identifier of the destination router is stored in the destination router for identifying the destination router.
The location server is the home location server and/or the visiting location server of the user equipment. The home location server of the user equipment is the location server in its home domain, and the visiting location server is the location server in a visited domain. The home domain is the UIP domain to which the user is assigned when the user subscribes with an operator; it is unique and does not change during the communication of the user equipment. The visited domain is the domain in which the UE is in a roaming state, where roaming means that the UIP domain in which the UE is currently located is not its home domain. For example, as shown in fig. 2, assuming that the home domain of the UE is UIP domain-1, the location server SLS-1 is the home location server; when the UE moves to the coverage area of router 3 in UIP domain-2, i.e. leaves the home domain, the UE is in a roaming state, UIP domain-2 is a visited domain, and the location server SLS-2 is a visiting location server.
In an embodiment of the present invention, the destination router may send the access request message to the home location server and/or the visiting location server of the UE according to the domain in which the UE is currently located.
As can be seen from the mobility of the UE in the UIP network and the UIP domains shown in fig. 2, the mobility of the UE may be any one of the following five mobility situations: the UE is currently located in its home domain; inter-domain mobility from a visited domain to the home domain; inter-domain mobility from the home domain to a visited domain; and inter-domain mobility from one visited domain to another visited domain.
Illustratively, when the domain in which the UE is currently located is the home domain, the destination router sends the access request message to the home location server.
Illustratively, when the domain in which the UE is currently located is a visited domain, the destination router sends the access request message to the visiting location server, so that the visiting location server forwards the access request message to the home location server.
503: the destination router receives an access response message sent by the location server, wherein the access response message contains an equipment-related key, and the equipment-related key is derived by the location server according to a random value, a root key and one or more of the following parameters: a device identifier of the user equipment, an identifier of a domain in which the location server is located, an identifier of the destination router; the random value is generated by the location server for authenticating the user equipment and generating a device dependent key.
The root key is a key shared between the UE and its home location server in the UIP network; it is stored in the UE and in the home location server and corresponds to the user identifier (User ID) of the UE. Each UE has a unique root key, which the location server obtains by querying according to the user identifier in order to derive the equipment-related key. The root key K may be preset by the operator, which is not limited in the embodiments of the present invention.
The identifier of the domain where the location server is located is the identifier of the domain where the home location server is located, is stored in the home location server of the UE and is used for identifying the home domain of the UE; in an embodiment of the present invention, the identifier of the domain where the location server is located may be sent to the destination router by a home location server of the user equipment, and may also be obtained by the destination router through another configuration manner, which is not limited in this embodiment of the present invention.
In one embodiment of the invention, the device-dependent key (Kdev) may be derived by the home location server of the UE from a random value (nonce), the root key, and one or more of the following parameters: the device identifier (Device ID) of the user equipment, the identifier of the domain in which the location server is located (Domain ID), and the identifier of the destination router (DR ID). In a scenario in which one user has multiple devices, this gives different devices different device-dependent keys Kdev.
Illustratively, the device-dependent key Kdev may be derived by the home location server from the random value, the root key, and the device identifier (Device ID) of the user equipment using a key derivation function (KDF), e.g., Kdev = KDF (K, Device ID, nonce);
alternatively, the home location server derives Kdev using a key derivation function (KDF) from the random value nonce, the root key K, the device identifier (Device ID) of the user equipment, the identifier of the domain in which the location server is located (Domain ID), and the identifier of the destination router (DR ID), e.g., Kdev = KDF (K, Device ID, nonce, Domain ID, DR ID).
In an embodiment of the present invention, the destination router may receive an access response message sent by a home location server and/or a visitor location server of the user equipment according to a situation of a domain where the UE is currently located.
Illustratively, when the domain in which the UE is currently located is the home domain, the destination router receives the access response message sent by the home location server.
Illustratively, when the domain in which the UE is currently located is a visited domain, the destination router receives the access response message sent by the visiting location server, where the access response message was sent to the visiting location server by the home location server.
504: and the destination router derives a session key according to the equipment-related key in the access response message.
In one embodiment of the present invention, the destination router derives a temporary key according to the device-dependent key in the access response message, and derives a session key according to the temporary key. For example, fig. 4 is a schematic structural diagram of the key hierarchy of the UIP network according to the embodiment of the present invention; as shown in fig. 4, the keys of the UIP network include a root key K, a device-dependent key Kdev, a temporary key Kdev', and a session key Ksession. The device-related key Kdev is derived from the root key K, the temporary key Kdev' is derived from the device-related key Kdev, and the session key Ksession is derived from the temporary key Kdev', so that the session key is derived step by step, and confidentiality and integrity protection are provided for data transmission between the destination router and the user equipment.
Illustratively, the device-dependent key is derived by the location server from the random value, the root key, and the device identifier of the user equipment, for example Kdev = KDF (K, Device ID, nonce);
accordingly, the destination router may derive the session key by any of the following four methods (1) to (4):
(1) the destination router derives a temporary key from the device-dependent key and the count value, e.g., Kdev' = KDF (Kdev, counter); the count value is obtained by the destination router and is generated by a counter maintained by the router and the user equipment in the UIP network;
a session key is derived from the temporary key, the identifier of the domain in which the location server is located, and the identifier of the destination router, e.g., Ksession = KDF (Kdev', Domain ID, DR ID).
(2) The destination router derives a temporary key from the device-dependent key, the count value, the identifier of the domain in which the location server is located, and the identifier of the destination router, e.g., Kdev' = KDF (Kdev, counter, Domain ID, DR ID);
a session key is derived from the temporary key, e.g., Ksession = KDF (Kdev').
(3) The destination router derives a temporary key from the device-dependent key, the identifier of the domain in which the location server is located, and the identifier of the destination router, e.g., Kdev' = KDF (Kdev, Domain ID, DR ID);
a session key is derived from the temporary key and the count value, e.g., Ksession = KDF (Kdev', counter).
(4) The destination router derives a temporary key from the device-dependent key, e.g., Kdev' = KDF (Kdev);
a session key is derived from the temporary key, the count value, the identifier of the domain in which the location server is located, and the identifier of the destination router, e.g., Ksession = KDF (Kdev', counter, Domain ID, DR ID).
Illustratively, the device-dependent key is derived by the location server from the random value, the root key, the device identifier of the user equipment, the identifier of the domain in which the location server is located, and the identifier of the destination router, for example Kdev = KDF (K, Device ID, nonce, Domain ID, DR ID);
accordingly, the destination router may derive the session key by either of the following two methods (1) to (2):
(1) the destination router derives a temporary key from the device-dependent key and the count value, e.g., Kdev' = KDF (Kdev, counter);
a session key is derived from the temporary key, e.g., Ksession = KDF (Kdev').
(2) The destination router derives a temporary key from the device-dependent key, e.g., Kdev' = KDF (Kdev);
a session key is derived from the temporary key and the count value, e.g., Ksession = KDF (Kdev', counter).
Further, the method further comprises:
the destination router receives an authentication request message sent by the location server; wherein the authentication request message contains the random value and an identifier of a domain in which the location server is located;
and the destination router sends an authentication request message to the user equipment, wherein the authentication request message comprises the random value, the identifier of the domain where the location server is located and the identifier of the destination router, so that the user equipment returns an authentication response message and generates a device-related key and a session key.
As can be seen from the above, an embodiment of the present invention provides a method for generating a key, where a destination router receives a handover request message sent by a source router, where the handover request message includes a user identifier of a user equipment and a device identifier of the user equipment; the destination router sends an access request message to a location server, wherein the access request message contains a user identifier of the user equipment, a device identifier of the user equipment and an identifier of the destination router; the destination router receives an access response message sent by the location server, wherein the access response message contains an equipment-related key, and the equipment-related key is derived by the location server according to a random value, a root key and one or more of the following parameters: a device identifier of the user equipment, an identifier of a domain in which the location server is located, an identifier of the destination router; the random value is generated by the location server for authenticating the user equipment and generating a device dependent key; the root key is obtained by the location server according to the user identifier; and the destination router derives a session key according to the equipment-related key in the access response message. Thus, the session key is derived step by step, and confidentiality and integrity are provided for data transmission between the user equipment and the router in the UIP network; the defects that the existing UIP network cannot provide confidentiality and integrity for data transmission between the user equipment and the router are overcome.
Example two
Fig. 6 is a flowchart of a method for generating a key according to an embodiment of the present invention. As shown in fig. 6, the method may include the following steps:
601: the location server receives an access request message sent by a destination router, wherein the access request message comprises a user identifier of user equipment, a device identifier of the user equipment and an identifier of the destination router.
The location server comprises a home location server and/or a visiting location server.
In one embodiment of the present invention, when the current domain of the UE is its home domain, the location server is the home location server of the user equipment, and the home location server receives the access request message sent by the destination router.
When the current domain of the UE is a visited domain, the location server consists of the home location server and the visiting location server of the user equipment; the visiting location server receives the access request message sent by the destination router and forwards the access request message to the home location server.
602: the location server sends an authentication request message to the destination router, wherein the authentication request message contains a random value and an identifier of a domain where the location server is located; the random value is generated by the location server for authenticating the user equipment and generating an equipment dependent key;
In one embodiment of the present invention, when the current domain of the UE is its home domain, the location server is the home location server of the user equipment, and the home location server sends the authentication request message to the destination router.
When the current domain of the UE is a visited domain, the location server consists of the home location server and the visiting location server of the user equipment; the visiting location server sends the authentication request message to the destination router, where the authentication request message was sent to the visiting location server by the home location server.
603: the location server receives the authentication response message sent by the destination router, and derives the device-related key according to the root key, the random value and one or more of the following parameters: a device identifier of the user equipment, an identifier of a domain in which the location server is located, and an identifier of the destination router.
In one embodiment of the present invention, when the current domain of the UE is its home domain, the location server is the home location server of the user equipment, and the home location server receives the authentication response message sent by the destination router and derives the device-related key according to either of the following two modes (1) to (2).
When the current domain of the UE is a visited domain, the location server consists of the home location server and the visiting location server of the user equipment: the visiting location server receives the authentication response message sent by the destination router and forwards it to the home location server; the home location server receives the authentication response message sent by the visiting location server and derives the device-related key according to either of the following two modes (1) to (2).
These two modes are explained below:
(1) the home location server derives the device-dependent key from the root key, the random value and the device identifier of the user equipment, e.g. Kdev = KDF (K, Device ID, nonce);
(2) the home location server derives the device-dependent key from the root key, the random value, the device identifier of the user equipment, the identifier of the domain in which the location server is located and the identifier of the destination router, e.g. Kdev = KDF (K, Device ID, nonce, Domain ID, DR ID).
604: and the location server sends an access response message to the destination router, wherein the access response message contains the equipment-related key.
In one embodiment of the present invention, when the current domain of the UE is its home domain, the location server is the home location server of the user equipment, and the home location server sends the access response message to the destination router.
When the current domain of the UE is a visited domain, the location server consists of the home location server and the visiting location server of the user equipment; the home location server sends the access response message to the visiting location server, and the visiting location server receives the access response message sent by the home location server and forwards it to the destination router.
It can be seen from the above that, in the key generation method provided in the embodiments of the present invention, a location server receives an access request message sent by a destination router, where the access request message includes a user identifier of a user equipment and a device identifier of the user equipment; the location server sends an authentication request message to the destination router, where the authentication request message contains a random value and an identifier of the domain in which the location server is located, and the random value is generated by the location server and used for authenticating the user equipment and generating an equipment-related key; the location server receives the authentication response message sent by the destination router, and derives the device-related key according to the root key, the random value and one or more of the following parameters: the device identifier of the user equipment, the identifier of the domain in which the location server is located, and the identifier of the destination router. Thus, the location server generates and sends the device-related key, so that the destination router generates the session key according to the device-related key, and confidentiality and integrity are provided for data transmission between the user equipment and the router in the UIP network, which overcomes the defect that the existing UIP network cannot provide confidentiality and integrity for data transmission between the end user and the router.
Example three
Fig. 7 is a flowchart of a method for generating a key according to an embodiment of the present invention. As shown in fig. 7, the method may include the following steps:
701: and the user equipment receives an authentication request message sent by a destination router, wherein the authentication request message contains the random value, the identifier of the domain where the location server is located and the identifier of the destination router.
702: the user equipment derives the equipment-related key according to the root key, the random value and one or more of the following parameters: the device identifier of the user equipment, the identifier of the domain in which the location server is located, and the identifier of the destination router; and derives a session key from the equipment-related key.
In one embodiment of the present invention, the user equipment may derive the session key according to any of the following six modes (1) to (6), which are described below:
(1) the user equipment derives a device-dependent key from the random value, the root key and the device identifier of the user equipment, e.g. Kdev = KDF (K, Device ID, nonce);
the user equipment derives a temporary key from the device-dependent key and the count value, e.g., Kdev' = KDF (Kdev, counter);
the user equipment derives a session key from the temporary key, the identifier of the domain in which the location server is located, and the identifier of the destination router, e.g., Ksession = KDF (Kdev', Domain ID, DR ID);
(2) the user equipment derives a device-dependent key from the random value, the root key, and the device identifier of the user equipment, e.g., Kdev = KDF (K, Device ID, nonce);
derives a temporary key from the device-dependent key, the count value, the identifier of the domain in which the location server is located, and the identifier of the destination router, e.g., Kdev' = KDF (Kdev, counter, Domain ID, DR ID);
derives a session key from the temporary key, e.g., Ksession = KDF (Kdev');
(3) the user equipment derives a device-dependent key from the random value, the root key, and the device identifier of the user equipment, e.g., Kdev = KDF (K, Device ID, nonce);
derives a temporary key from the device-dependent key, the identifier of the domain in which the location server is located, and the identifier of the destination router, e.g., Kdev' = KDF (Kdev, Domain ID, DR ID);
derives a session key from the temporary key and the count value, e.g., Ksession = KDF (Kdev', counter);
(4) the user equipment derives a device-dependent key from the random value, the root key, and the device identifier of the user equipment, e.g., Kdev = KDF (K, Device ID, nonce);
derives a temporary key from the device-dependent key, e.g., Kdev' = KDF (Kdev);
derives a session key from the temporary key, the count value, the identifier of the domain in which the location server is located, and the identifier of the destination router, e.g., Ksession = KDF (Kdev', counter, Domain ID, DR ID);
(5) the user equipment derives a device-dependent key from the random value, the root key, the device identifier of the user equipment, the identifier of the domain in which the location server is located, and the identifier of the destination router, e.g., Kdev = KDF (K, Device ID, nonce, Domain ID, DR ID);
derives a temporary key from the device-dependent key and the count value, e.g., Kdev' = KDF (Kdev, counter);
derives a session key from the temporary key, e.g., Ksession = KDF (Kdev');
(6) the user equipment derives a device-dependent key from the random value, the root key, the device identifier of the user equipment, the identifier of the domain in which the location server is located, and the identifier of the destination router, e.g., Kdev = KDF (K, Device ID, nonce, Domain ID, DR ID);
derives a temporary key from the device-dependent key, e.g., Kdev' = KDF (Kdev);
derives a session key from the temporary key and the count value, e.g., Ksession = KDF (Kdev', counter).
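The three-level hierarchy above (Kdev from the root key, Kdev' from Kdev, Ksession from Kdev') is the same in Example one's four destination-router methods, the location server's two modes in Example two, and the six modes of Example three; only the layer at which the counter, Domain ID and DR ID enter differs. The following Python block is an added example and is not code from the patent or from Huawei: it tabulates all six modes, runs them with one KDF, and checks the property a practitioner cares about, namely that in every mode a change to any single input (nonce, Device ID, Domain ID, DR ID, counter) changes Ksession. The patent names only "a KDF", so the HMAC-SHA256 construction, the parameter encoding, and the sample identifiers and key bytes are all assumptions.

```python
import hmac
import hashlib


def kdf(key: bytes, *params) -> bytes:
    """Stand-in KDF (assumption; the patent names only 'a KDF'): HMAC-SHA256 over
    the parameters, each rendered as text (bytes values as hex) and '|'-separated."""
    data = "|".join(p.hex() if isinstance(p, bytes) else str(p) for p in params).encode()
    return hmac.new(key, data, hashlib.sha256).digest()


# The six modes (1)-(6) of Example three.  Each entry gives the extra KDF inputs
# for Kdev, Kdev' and Ksession; the key input of each step is the previous step's
# output (K -> Kdev -> Kdev' -> Ksession).  Modes 1-4 are Example one's methods
# (1)-(4); modes 5-6 are its two methods for the five-parameter Kdev.
MODES = {
    1: (("device_id", "nonce"),                       ("counter",),                      ("domain_id", "dr_id")),
    2: (("device_id", "nonce"),                       ("counter", "domain_id", "dr_id"), ()),
    3: (("device_id", "nonce"),                       ("domain_id", "dr_id"),            ("counter",)),
    4: (("device_id", "nonce"),                       (),                                ("counter", "domain_id", "dr_id")),
    5: (("device_id", "nonce", "domain_id", "dr_id"), ("counter",),                      ()),
    6: (("device_id", "nonce", "domain_id", "dr_id"), (),                                ("counter",)),
}


def derive_keys(mode, K, device_id, nonce, domain_id, dr_id, counter):
    """Return (Kdev, Kdev', Ksession) for one of the modes (1)-(6)."""
    ctx = {"device_id": device_id, "nonce": nonce, "domain_id": domain_id,
           "dr_id": dr_id, "counter": counter}
    kdev_params, tmp_params, sess_params = MODES[mode]
    kdev = kdf(K, *(ctx[n] for n in kdev_params))         # location server and UE
    kdev_tmp = kdf(kdev, *(ctx[n] for n in tmp_params))   # destination router and UE
    ksession = kdf(kdev_tmp, *(ctx[n] for n in sess_params))
    return kdev, kdev_tmp, ksession


def sample_context():
    """Constructed sample inputs (placeholders, not values from the patent)."""
    return dict(K=bytes(range(32)), device_id="IMEI-placeholder-001",
                nonce=bytes.fromhex("00112233445566778899aabbccddeeff"),
                domain_id="UIP-domain-1", dr_id="DR-1", counter=7)


def session_key_binds_all_inputs(mode):
    """True if, in this mode, changing any single input changes Ksession, i.e.
    the session key is bound to the device, the domain, the router, the nonce
    and the counter regardless of which layer each parameter enters at."""
    base = sample_context()
    ksession = derive_keys(mode, **base)[2]
    variants = {"nonce": bytes(16), "device_id": "IMEI-placeholder-002",
                "domain_id": "UIP-domain-2", "dr_id": "DR-2", "counter": 8}
    return all(derive_keys(mode, **dict(base, **{name: value}))[2] != ksession
               for name, value in variants.items())


if __name__ == "__main__":
    ctx = sample_context()
    for mode in sorted(MODES):
        kdev, kdev_tmp, ksession = derive_keys(mode, **ctx)
        print(f"mode {mode}: Ksession={ksession.hex()[:16]}... "
              f"binds all inputs={session_key_binds_all_inputs(mode)}")
```

Running the script shows that modes 1 to 4 share one Kdev (the three-parameter derivation) and modes 5 and 6 share another, while every mode yields a distinct Ksession that depends on all five inputs. With this encoding the two Kdev constructions cannot collide, because the five-parameter message is strictly longer; a deployment choosing its own KDF should keep that kind of separation between the two forms.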
As can be seen from the above, in the method for generating a key, a user equipment receives an authentication request message sent by a destination router, where the authentication request message includes the random value, the identifier of the domain in which the location server is located, and the identifier of the destination router; the user equipment derives the equipment-related key according to the root key, the random value and one or more of the following parameters: the device identifier of the user equipment, the identifier of the domain in which the location server is located and the identifier of the destination router; derives a temporary key from the device-dependent key; and derives a session key from the temporary key. Thus, the session key is derived step by step, and confidentiality and integrity are provided for data transmission between the user equipment and the router in the UIP network, which overcomes the defect that the existing UIP network cannot provide confidentiality and integrity for data transmission between the end user and the router.
A key generation method provided in an embodiment of the present invention is specifically described below, where in the following embodiment, a router is represented by DR, a location server is represented by SLS, and a user equipment is represented by UE.
Example four
Fig. 8 is a flowchart of a key generation method provided in an embodiment of the present invention, where the method is applied in a scenario where a UE is in a home domain, and an SLS shown in fig. 8 is a home SLS, as shown in fig. 8, the method may include the following steps:
801: the source DR sends a switching request message to the target DR; wherein, the switching request information comprises User ID and Device ID;
802: the target DR sends an access request message to the SLS; wherein, the access request message contains User ID, Device ID and DR ID;
803: the SLS generates a random value nonce; the random value nonce is used for authenticating the UE and generating a device-related key Kdev;
804: the SLS sends an authentication request message to the target DR; wherein the authentication request message contains a nonce, a Domain ID; the Domain ID is stored within the SLS;
805: the target DR sends an authentication request message to the UE; the authentication request message contains nonce, Domain ID and DR ID, so that the UE derives a device-related key Kdev, a temporary key Kdev' and a session key Ksession according to nonce, Domain ID, DR ID, root key K and count value counter;
806: the UE sends an authentication response message to the target DR so that the target DR feeds the authentication response message back to the SLS;
807: the target DR sends an authentication response message to the SLS; wherein the authentication response message is used to inform the SLS of completing an authentication process;
808: the SLS queries according to the User ID of the UE to obtain a root key K shared by the SLS and the UE;
809: the SLS generates the device-related key Kdev = KDF(K, Device ID, nonce);
810: the SLS sends an access response message to the target DR; wherein the access response message contains the device-related key Kdev;
811: the target DR generates a temporary key Kdev' = KDF(Kdev, counter) and a session key Ksession = KDF(Kdev', Domain ID, DR ID);
812: the UE generates the device-related key Kdev = KDF(K, Device ID, nonce), the temporary key Kdev' = KDF(Kdev, counter) and the session key Ksession = KDF(Kdev', Domain ID, DR ID);
further, since the target DR has no mapping relationship between the User ID and the Locator of the UE when the UE moves to the coverage of the target DR, and the UE has not established contact with the target DR, in order to establish contact between the UE and the target DR, the method further includes the following steps:
813: the target DR sends an update request message to the SLS; wherein the update request message includes a DR ID of the target DR;
814: the SLS stores the mapping relationship between the UE and the current DR ID (namely the DR ID of the target DR);
815: the SLS sends an update response message to the target DR; wherein the update response message is used for notifying that the target DR information update is completed;
816: the target DR saves the mapping relation between the User ID and the Locator of the UE;
817: the target DR sends a handover response message to the source DR; wherein the handover response message is used to notify the source DR that the handover is completed.
It should be noted that step 812 is the process of generating a key by the UE, steps 809 to 811 are the process of generating a key by the target DR, and step 812 and steps 809 to 811 are not in any fixed order.
It can be seen from the above that, the embodiments of the present invention provide a method, a device, and a system for key generation, where a target DR receives a handover request message sent by a source DR, where the handover request message includes a user identifier of a UE and a device identifier of the UE; the target DR sends an access request message to an SLS, wherein the access request message includes a user identifier of the UE and a device identifier of the UE, the SLS is a home SLS of the UE, and the access response message includes a device-related key, which is derived by the SLS according to a random value, a root key and one or more of the following parameters: the equipment identifier of the UE, the domain identification of the domain where the target DR is located, and the identifier of the target DR; and the target DR derives a temporary key according to the device-related key in the access response message and derives a session key according to the temporary key. Thus, the session key is derived step by step, and confidentiality and integrity are provided for data transmission between the UE and the DR in the UIP network; the defects that the existing UIP network cannot provide confidentiality and integrity for data transmission between the user equipment and the router are overcome.
Example five
Fig. 9 is a flowchart of a key generation method according to an embodiment of the present invention, where the method is applied in a scenario where a UE is in a home domain, where the SLS shown in fig. 9 is a home SLS, and as shown in fig. 9, the method may include the following steps:
901: the source DR sends a handover request message to the target DR; wherein the handover request message includes User ID and Device ID;
902: the target DR sends an access request message to the SLS; wherein, the access request message contains User ID, Device ID and DR ID;
903: the SLS generates a random value nonce; the random value nonce is used for authenticating the UE and generating a device-related key Kdev;
904: the SLS sends an authentication request message to the target DR; wherein the authentication request message contains a nonce, a Domain ID, and the Domain ID is stored in the SLS;
905: the target DR sends an authentication request message to the UE; the authentication request message contains nonce, Domain ID and DR ID, so that the UE derives a device-related key Kdev, a temporary key Kdev' and a session key Ksession according to nonce, Domain ID, DR ID, root key K and count value counter;
906: the UE sends an authentication response message to the target DR; so that the target DR feeds back the authentication response message to the SLS;
907: the target DR sends an authentication response message to the SLS; wherein the authentication response message is used to inform the SLS of completing an authentication process;
908: the SLS queries according to the User ID of the UE to obtain a root key K shared by the SLS and the UE;
909: the SLS generates the device-related key Kdev = KDF(K, Device ID, nonce, Domain ID, DR ID);
910: the SLS sends an access response message to the target DR; wherein the access response message contains the device-related key Kdev;
911: the target DR generates a temporary key Kdev' = KDF(Kdev, counter) and a session key Ksession = KDF(Kdev');
912: the UE generates the device-related key Kdev = KDF(K, Device ID, nonce, Domain ID, DR ID), the temporary key Kdev' = KDF(Kdev, counter), and the session key Ksession = KDF(Kdev');
further, since the target DR has no mapping relationship between the User ID and the Locator of the UE when the UE moves to the coverage area of the target DR, and the UE has not established contact with the target DR, in order to establish contact between the UE and the target DR, the method further includes the following steps:
913: the target DR sends an update request message to the SLS; wherein the update request message includes a DR ID of the target DR;
914: the SLS stores the mapping relationship between the UE and the current DR ID (namely the DR ID of the target DR);
915: the SLS sends an update response message to the target DR; wherein the update response message is used for notifying that the target DR information update is completed;
916: the target DR stores the mapping relation between the User ID and the Locator;
917: the target DR sends a handover response message to the source DR; wherein the handover response message is used to notify the source DR that the handover is completed.
It should be noted that step 912 is the process of generating a key for the UE, steps 909 to 911 are the process of generating a key for the target DR, and step 912 and steps 909 to 911 are not in any fixed order.
It can be seen from the above that, the embodiments of the present invention provide a method, a device, and a system for key generation, where a target DR receives a handover request message sent by a source DR, where the handover request message includes a user identifier of a UE and a device identifier of the UE; the target DR sends an access request message to an SLS, wherein the access request message includes a user identifier of the UE and a device identifier of the UE, the SLS is a home SLS of the UE, and the access response message includes a device-related key, which is derived by the SLS according to a random value, a root key and one or more of the following parameters: the equipment identifier of the UE, the domain identification of the domain where the target DR is located, and the identifier of the target DR; and the target DR derives a temporary key according to the device-related key in the access response message and derives a session key according to the temporary key. Thus, the session key is derived step by step, and confidentiality and integrity are provided for data transmission between the UE and the DR in the UIP network; the defects that the existing UIP network cannot provide confidentiality and integrity for data transmission between the user equipment and the router are overcome.
Example six
Fig. 10 is a flowchart of another key generation method provided in an embodiment of the present invention, where the method is applied in a scenario where a UE is in a home domain, where the SLS shown in fig. 10 is a home SLS, as shown in fig. 10, the method may include the following steps:
1001: the source DR sends a handover request message to the target DR; wherein the handover request message includes User ID and Device ID;
1002: the target DR sends an access request message to the SLS; wherein, the access request message contains User ID, Device ID and DR ID;
1003: the SLS generates a random value nonce; the random value nonce is used for authenticating the UE and generating a device-related key Kdev;
1004: the SLS sends an authentication request message to the target DR; wherein the authentication request message contains a nonce, a Domain ID; the Domain ID is stored within the SLS;
1005: the target DR sends an authentication request message to the UE; the authentication request message contains nonce, Domain ID and DR ID, so that the UE derives a device-related key Kdev, a temporary key Kdev' and a session key Ksession according to nonce, Domain ID, DR ID, root key K and count value counter;
1006: the UE sends an authentication response message to the target DR; so that the target DR feeds back the authentication response message to the SLS;
1007: the target DR sends an authentication response message to the SLS; wherein the authentication response message is used to inform the SLS of completing an authentication process;
1008: the SLS queries according to the User ID of the UE to obtain a root key K shared by the SLS and the UE;
1009: the SLS generates the device-related key Kdev = KDF(K, Device ID, nonce);
1010: the SLS sends an access response message to the target DR; wherein the access response message contains the device-related key Kdev;
1011: the target DR generates a temporary key Kdev' = KDF(Kdev, counter, Domain ID, DR ID) and a session key Ksession = KDF(Kdev');
1012: the UE generates the device-related key Kdev = KDF(K, Device ID, nonce), the temporary key Kdev' = KDF(Kdev, counter, Domain ID, DR ID), and the session key Ksession = KDF(Kdev');
further, since the target DR has no mapping relationship between the User ID and the Locator of the UE when the UE moves into the coverage of the target DR, and the UE has not established contact with the target DR, in order to establish contact between the UE and the target DR, the method further includes:
1013: the target DR sends an update request message to the SLS; wherein the update request message includes a DR ID of the target DR;
1014: the SLS stores the mapping relationship between the UE and the current DR ID (namely the DR ID of the target DR);
1015: the SLS sends an update response message to the target DR; wherein the update response message is used for notifying that the target DR information update is completed;
1016: the target DR stores the mapping relation between the User ID and the Locator;
1017: the target DR sends a handover response message to the source DR; wherein the handover response message is used to notify the source DR that the handover is completed.
It should be noted that step 1012 is the process of generating a key for the UE, steps 1009 to 1011 are the process of generating a key for the target DR, and step 1012 and steps 1009 to 1011 are not in any fixed order.
As can be seen from the above, an embodiment of the present invention provides a method for generating a key, where a target DR receives a handover request message sent by a source DR, where the handover request message includes a user identifier of a UE and an equipment identifier of the UE; the target DR sends an access request message to an SLS, wherein the access request message includes a user identifier of the UE and a device identifier of the UE, and the access response message includes a device-dependent key, which is derived by the SLS according to a random value, a root key and one or more of the following parameters: the equipment identifier of the UE, the domain identification of the domain where the target DR is located, and the identifier of the target DR; and the target DR derives a temporary key according to the device-related key in the access response message and derives a session key according to the temporary key. Thus, the session key is derived step by step, and confidentiality and integrity are provided for data transmission between the UE and the DR in the UIP network; the defects that the existing UIP network cannot provide confidentiality and integrity for data transmission between the end user and the DR are overcome.
Example seven
Fig. 11 is a flowchart of another key generation method provided in an embodiment of the present invention, where the method is applied in a scenario where a UE is in a home domain, where the SLS shown in fig. 11 is a home SLS, as shown in fig. 11, the method may include the following steps:
1101: the source DR sends a handover request message to the target DR; wherein the handover request message includes User ID and Device ID;
1102: the target DR sends an access request message to the SLS; wherein, the access request message contains User ID, Device ID and DR ID;
1103: the SLS generates a random value nonce; the random value nonce is used for authenticating the UE and generating a device-related key Kdev;
1104: the SLS sends an authentication request message to the target DR; wherein the authentication request message contains a nonce, a Domain ID; the Domain ID is stored within the SLS;
1105: the target DR sends an authentication request message to the UE; the authentication request message contains nonce, Domain ID and DR ID, so that the UE derives a device-related key Kdev, a temporary key Kdev' and a session key Ksession according to nonce, Domain ID, DR ID, root key K and count value counter;
1106: the UE sends an authentication response message to the target DR; so that the target DR feeds back the authentication response message to the SLS;
1107: the target DR sends an authentication response message to the SLS; wherein the authentication response message is used to inform the SLS of completing an authentication process;
1108: the SLS queries according to the User ID of the UE to obtain a root key K shared by the SLS and the UE;
1109: the SLS generates the device-related key Kdev = KDF(K, Device ID, nonce, Domain ID, DR ID);
1110: the SLS sends an access response message to the target DR; wherein the access response message contains the device-related key Kdev;
1111: the target DR generates a temporary key Kdev' = KDF(Kdev) and a session key Ksession = KDF(Kdev', counter);
1112: the UE generates the device-related key Kdev = KDF(K, Device ID, nonce, Domain ID, DR ID), the temporary key Kdev' = KDF(Kdev), and the session key Ksession = KDF(Kdev', counter);
further, since the target DR has no mapping relationship between the User ID and the Locator of the UE when the UE moves to the coverage area of the target DR, and the UE has not established contact with the target DR, in order to establish contact between the UE and the target DR, the method further includes the following steps:
1113: the target DR sends an update request message to the SLS; wherein the update request message includes a DR ID of the target DR;
1114: the SLS stores the mapping relationship between the UE and the current DR ID (namely the DR ID of the target DR);
1115: the SLS sends an update response message to the target DR; wherein the update response message is used for notifying that the target DR information update is completed;
1116: the target DR stores the mapping relation between the User ID and the Locator;
1117: the target DR sends a handover response message to the source DR; wherein the handover response message is used to notify the source DR that the handover is completed.
It should be noted that step 1112 is a process of generating a key for the UE, step 1109-.
It can be seen from the above that, the embodiments of the present invention provide a method, a device, and a system for key generation, where a target DR receives a handover request message sent by a source DR, where the handover request message includes a user identifier of a UE and a device identifier of the UE; the target DR sends an access request message to an SLS, wherein the access request message includes a user identifier of the UE and a device identifier of the UE, the SLS is a home SLS of the UE, and the access response message includes a device-related key, which is derived by the SLS according to a random value, a root key and one or more of the following parameters: the equipment identifier of the UE, the domain identification of the domain where the target DR is located, and the identifier of the target DR; and the target DR derives a temporary key according to the device-related key in the access response message and derives a session key according to the temporary key. Thus, the session key is derived step by step, and confidentiality and integrity are provided for data transmission between the UE and the DR in the UIP network; the defects that the existing UIP network cannot provide confidentiality and integrity for data transmission between the end user and the DR are overcome.
Example eight
Fig. 12 is a flowchart of another key generation method according to an embodiment of the present invention, where the method is applied in a scenario where a UE is in a home domain, where the SLS shown in fig. 12 is a home SLS, and as shown in fig. 12, the method may include the following steps:
1201: the source DR sends a handover request message to the target DR; wherein the handover request message includes User ID and Device ID;
1202: the target DR sends an access request message to the SLS; wherein, the access request message contains User ID, Device ID and DR ID;
1203: the SLS generates a random value nonce; the random value nonce is used for authenticating the UE and generating a device-related key Kdev;
1204: the SLS sends an authentication request message to the target DR; wherein the authentication request message contains a nonce, a Domain ID; the Domain ID is stored within the SLS;
1205: the target DR sends an authentication request message to the UE; the authentication request message contains nonce, Domain ID and DR ID, so that the UE derives a device-related key Kdev, a temporary key Kdev' and a session key Ksession according to nonce, Domain ID, DR ID, root key K and count value counter;
1206: the UE sends an authentication response message to the target DR; so that the target DR feeds back the authentication response message to the SLS;
1207: the target DR sends an authentication response message to the SLS; wherein the authentication response message is used to inform the SLS of completing an authentication process;
1208: the SLS queries according to the User ID of the UE to obtain a root key K shared by the SLS and the UE;
1209: the SLS generates the device-related key Kdev = KDF(K, Device ID, nonce);
1210: the SLS sends an access response message to the target DR; wherein the access response message contains the device-related key Kdev;
1211: the target DR generates a temporary key Kdev' = KDF(Kdev, Domain ID, DR ID) and a session key Ksession = KDF(Kdev', counter);
1212: the UE generates the device-related key Kdev = KDF(K, Device ID, nonce), the temporary key Kdev' = KDF(Kdev, Domain ID, DR ID) and the session key Ksession = KDF(Kdev', counter);
further, since the target DR has no mapping relationship between the User ID and the Locator of the UE when the UE moves to the coverage of the target DR, and the UE has not established contact with the target DR, in order to establish contact between the UE and the target DR, the method further includes the following steps:
1213: the target DR sends an update request message to the SLS; wherein the update request message includes a DR ID of the target DR;
1214: the SLS stores the mapping relationship between the UE and the current DR ID (namely the DR ID of the target DR);
1215: the SLS sends an update response message to the target DR; wherein the update response message is used for notifying that the target DR information update is completed;
1216: the target DR stores the mapping relation between the User ID and the Locator;
1217: the target DR sends a handover response message to the source DR; wherein the handover response message is used to notify the source DR that the handover is completed.
It should be noted that step 1212 is the process of generating a key for the UE, steps 1209 to 1211 are the process of generating a key for the target DR, and step 1212 and steps 1209 to 1211 are not in any fixed order.
It can be seen from the above that, the embodiments of the present invention provide a method, a device, and a system for key generation, where a target DR receives a handover request message sent by a source DR, where the handover request message includes a user identifier of a UE and a device identifier of the UE; the target DR sends an access request message to an SLS, wherein the access request message includes a user identifier of the UE and a device identifier of the UE, the SLS is a home SLS of the UE, and the access response message includes a device-related key, which is derived by the SLS according to a random value, a root key and one or more of the following parameters: the equipment identifier of the UE, the domain identification of the domain where the target DR is located, and the identifier of the target DR; and the target DR derives a temporary key according to the device-related key in the access response message and derives a session key according to the temporary key. Thus, the session key is derived step by step, and confidentiality and integrity are provided for data transmission between the UE and the DR in the UIP network; the defects that the existing UIP network cannot provide confidentiality and integrity for data transmission between the UE and the DR are overcome.
Example nine
Fig. 13 is a flowchart of another key generation method provided in an embodiment of the present invention, where the method is applied in a scenario where a UE is in a home domain, where the SLS shown in fig. 13 is a home SLS, as shown in fig. 13, the method may include the following steps:
1301: the source DR sends a handover request message to the target DR; wherein the handover request message includes User ID and Device ID;
1302: the target DR sends an access request message to the SLS; wherein, the access request message contains User ID, Device ID and DR ID;
1303: the SLS generates a random value nonce; the random value nonce is used for authenticating the UE and generating a device-related key Kdev;
1304: the SLS sends an authentication request message to the target DR; wherein the authentication request message contains a nonce, a Domain ID; the Domain ID is stored within the SLS;
1305: the target DR sends an authentication request message to the UE; the authentication request message contains nonce, Domain ID and DR ID, so that the UE derives a device-related key Kdev, a temporary key Kdev' and a session key Ksession according to nonce, Domain ID, DR ID, root key K and count value counter;
1306: the UE sends an authentication response message to the target DR; so that the target DR feeds back the authentication response message to the SLS;
1307: the target DR sends an authentication response message to the SLS; wherein the authentication response message is used to inform the SLS of completing an authentication process;
1308: the SLS queries according to the User ID of the UE to obtain a root key K shared by the SLS and the UE;
1309: the SLS generates the device-related key Kdev = KDF(K, Device ID, nonce);
1310: the SLS sends an access response message to the target DR; wherein the access response message contains the device-related key Kdev;
1311: the target DR generates a temporary key Kdev' = KDF(Kdev) and a session key Ksession = KDF(Kdev', counter, Domain ID, DR ID);
1312: the UE generates the device-related key Kdev = KDF(K, Device ID, nonce), the temporary key Kdev' = KDF(Kdev), and the session key Ksession = KDF(Kdev', counter, Domain ID, DR ID);
further, since the target DR has no mapping relationship between the User ID and the Locator of the UE when the UE moves into the coverage of the target DR, and the UE has not established contact with the target DR, in order to establish contact between the UE and the target DR, the method further includes the following steps:
1313: the target DR sends an update request message to the SLS; wherein the update request message includes a DR ID of the target DR;
1314: the SLS stores the mapping relationship between the UE and the current DR ID (namely the DR ID of the target DR);
1315: the SLS sends an update response message to the target DR; wherein the update response message is used for notifying that the target DR information update is completed;
1316: the target DR stores the mapping relation between the User ID and the Locator;
1317: the target DR sends a handover response message to the source DR; wherein the handover response message is used to notify the source DR that the handover is completed.
It should be noted that, the step 1312 is a process of generating a key for the UE, the step 1309-.
It can be seen from the above that, an embodiment of the present invention provides another method, device and system for generating a key, where a target DR receives a handover request message sent by a source DR, where the handover request message includes a user identifier of a UE and a device identifier of the UE; the target DR sends an access request message to an SLS, wherein the access request comprises a user identifier of the UE and an equipment identifier of the UE, and the SLS is a home SLS of the UE; the target DR receives an access response message sent by the SLS, wherein the access response message contains a device-dependent key, and the device-dependent key is derived by the SLS according to a random value, a root key and one or more of the following parameters: the equipment identifier of the UE, the domain identification of the domain where the target DR is located, and the identifier of the target DR; and the target DR derives a temporary key according to the device-related key in the access response message and derives a session key according to the temporary key. Thus, the session key is derived step by step, and confidentiality and integrity are provided for data transmission between the UE and the DR in the UIP network; the defects that the existing UIP network cannot provide confidentiality and integrity for data transmission between the UE and the DR are overcome.
Example ten
Fig. 14 is a flowchart of another method for generating a key according to an embodiment of the present invention, where the method is applicable to a scenario where the UE is in a visited domain, that is, the UE is in a roaming state, as shown in fig. 14, the method includes the following steps:
1401: the source DR sends a handover request message to the target DR; wherein the handover request message includes User ID and Device ID;
1402: the target DR sends an access request message to the visiting SLS; wherein, the access request message contains User ID, Device ID and DR ID; the visiting SLS is the SLS of the domain where the target DR is located;
1403: the visiting SLS sends an access request message to the home SLS; wherein, the access request message contains User ID, Device ID and DR ID;
1404: the home SLS generates a random value nonce; the random value nonce is used for authenticating the UE and generating a device-related key Kdev;
1405: the home SLS sends an authentication request message to the visiting SLS; wherein the authentication request message contains the random value nonce and the Domain ID; the Domain ID is stored within the home SLS;
1406: the visiting SLS sends an authentication request message to the target DR; the authentication request message contains a nonce, Domain ID;
1407: the target DR sends an authentication request message to the UE; the authentication request message contains nonce, Domain ID and DR ID, so that the UE derives a device-related key Kdev, a temporary key Kdev' and a session key Ksession according to nonce, Domain ID, DR ID, root key K and count value counter;
1408: the UE sends an authentication response message to the target DR; so that the target DR feeds back the authentication response message to the visiting SLS;
1409: the target DR sends an authentication response message to the visiting SLS; so that the visiting SLS feeds back the authentication response message to the home SLS;
1410: the visiting SLS sends an authentication response message to the home SLS; wherein the authentication response message is used for notifying the home SLS that the authentication process is completed;
1411: the home SLS queries the root key K shared by the home SLS and the UE according to the User ID of the UE;
1412: the home SLS generates the device-related key Kdev = KDF(K, Device ID, nonce);
1413: the home SLS sends an access response message to the visiting SLS; wherein the access response message contains the device-related key Kdev;
1414: the visiting SLS sends an access response message to the target DR; wherein the access response message contains the device dependent key Kdev;
1415: the target DR generates a temporary key Kdev' = KDF(Kdev, counter) and a session key Ksession = KDF(Kdev', Domain ID, DR ID);
1416: the UE generates the device-related key Kdev = KDF(K, Device ID, nonce), the temporary key Kdev' = KDF(Kdev, counter) and the session key Ksession = KDF(Kdev', Domain ID, DR ID);
further, since the target DR has no mapping relationship between the User ID and the Locator of the UE when the UE moves to the coverage of the target DR, and the UE has not established contact with the target DR, in order to establish contact between the UE and the target DR, the method further includes the following steps:
1417: the target DR sends an update request message to the visiting SLS; wherein the update request message includes the DR ID of the target DR;
1418: the target DR sends an update request message to the home SLS; wherein the update request message includes the DR ID of the target DR;
1419: the home SLS stores the mapping relationship between the UE and the current DR ID (namely the DR ID of the target DR);
1420: the home SLS sends an update response message to the visiting SLS, wherein the update response message is used for notifying that the target DR information update is completed;
1421: the visiting SLS sends an updating response message to the target DR;
1422: the target DR stores the mapping relation between the User ID and the Locator;
1423: the target DR sends a handover response message to the source DR; wherein the handover response message is used to notify the source DR that the handover is completed.
It should be noted that, step 1416 is a process of generating a key for the UE, step 1411-.
As can be seen from the above, in another method for generating a key provided in the embodiments of the present invention, a source DR sends a handover request message to a target DR; the target DR sends an access request message to the visiting SLS; the visiting SLS sends an access request message to the home SLS; the home SLS generates a random value nonce; the home SLS sends an authentication request message to the visiting SLS; the visiting SLS sends an authentication request message to the target DR; the target DR sends an authentication request message to the UE; the UE sends an authentication response message to the target DR; the target DR sends an authentication response message to the visiting SLS; the visiting SLS sends an authentication response message to the home SLS; the home SLS queries the root key K shared by the home SLS and the UE according to the User ID of the UE; the home SLS generates a device-related key; the home SLS sends an access response message to the visiting SLS; the visiting SLS sends an access response message to the target DR; the target DR generates a temporary key and a session key; the UE generates a device-related key, a temporary key and a session key; the target DR sends an update request message to the visiting SLS; the target DR sends an update request message to the home SLS; the home SLS stores the mapping relationship between the UE and the current DR ID (namely the DR ID of the target DR); the home SLS sends an update response message to the visiting SLS, and the visiting SLS sends the update response message to the target DR; the target DR stores the mapping relation between the User ID and the Locator; the target DR sends a handover response message to the source DR.
Thus, the session key is derived step by step, and confidentiality and integrity are provided for data transmission between the UE and the DR in the UIP network; the defects that the existing UIP network cannot provide confidentiality and integrity for data transmission between the UE and the DR are overcome.
Example eleven
Fig. 15 is a flowchart of another method for generating a key according to an embodiment of the present invention. The method is applicable to a scenario where the UE is in a visited domain, that is, the UE is roaming. As shown in fig. 15, the method includes the following steps:
1501: the source DR sends a handover request message to the target DR; the handover request message includes the User ID and the Device ID;
1502: the target DR sends an access request message to the visited SLS; the access request message contains the User ID, Device ID and DR ID; the visited SLS is the SLS of the domain in which the target DR is located;
1503: the visited SLS sends an access request message to the home SLS; the access request message contains the User ID, Device ID and DR ID;
1504: the home SLS generates a random value nonce; the nonce is used for authenticating the UE and for generating the device-related key Kdev;
1505: the home SLS sends an authentication request message to the visited SLS; the authentication request message contains the nonce and the Domain ID; the Domain ID is stored in the home SLS;
1506: the visited SLS sends an authentication request message to the target DR; the authentication request message contains the nonce and the Domain ID;
1507: the target DR sends an authentication request message to the UE; the authentication request message contains the nonce, the Domain ID and the DR ID, so that the UE can derive the device-related key Kdev, the temporary key Kdev' and the session key Ksession from the nonce, Domain ID, DR ID, root key K and the count value counter;
1508: the UE sends an authentication response message to the target DR, so that the target DR can feed the authentication response message back to the visited SLS;
1509: the target DR sends the authentication response message to the visited SLS, so that the visited SLS can feed it back to the home SLS;
1510: the visited SLS sends the authentication response message to the home SLS; the authentication response message notifies the home SLS that the authentication process is complete;
1511: the home SLS looks up the root key K shared between the home SLS and the UE according to the User ID of the UE;
1512: the home SLS generates the device-related key Kdev = KDF(K, Device ID, nonce, Domain ID, DR ID);
1513: the home SLS sends an access response message to the visited SLS; the access response message contains the device-related key Kdev;
1514: the visited SLS sends an access response message to the target DR; the access response message contains the device-related key Kdev;
1515: the target DR generates the temporary key Kdev' = KDF(Kdev, counter) and the session key Ksession = KDF(Kdev');
1516: the UE generates the device-related key Kdev = KDF(K, Device ID, nonce, Domain ID, DR ID), the temporary key Kdev' = KDF(Kdev, counter) and the session key Ksession = KDF(Kdev');
Further, when the UE moves into the coverage area of the target DR, the target DR holds no mapping between the User ID and the Locator of the UE, and the UE has not yet established contact with the target DR; to establish that contact, the method further includes the following steps:
1517: the target DR sends an update request message to the visited SLS; the update request message includes the DR ID of the target DR;
1518: the update request message is forwarded to the home SLS; the update request message includes the DR ID of the target DR;
1519: the home SLS stores the mapping between the UE and the current DR ID (that is, the DR ID of the target DR);
1520: the home SLS sends an update response message to the visited SLS; the update response message indicates that the update of the target DR information is complete;
1521: the visited SLS sends the update response message to the target DR;
1522: the target DR stores the mapping between the User ID and the Locator;
1523: the target DR sends a handover response message to the source DR; the handover response message notifies the source DR that the handover is complete.
It should be noted that step 1516 is the key generation process of the UE, steps 1511 to 1515 are the key generation process for the target DR, and there is no fixed order between step 1516 and steps 1511 to 1515.
As can be seen from the above, in another method for generating a key provided in the embodiments of the present invention, the source DR sends a handover request message to the target DR; the target DR sends an access request message to the visited SLS, and the visited SLS sends an access request message to the home SLS; the home SLS generates a random value nonce and sends an authentication request message to the visited SLS, the visited SLS sends an authentication request message to the target DR, and the target DR sends an authentication request message to the UE; the UE sends an authentication response message to the target DR, the target DR sends it to the visited SLS, and the visited SLS sends it to the home SLS; the home SLS looks up the root key K shared between the home SLS and the UE according to the User ID of the UE and generates the device-related key; the home SLS sends an access response message to the visited SLS, and the visited SLS sends an access response message to the target DR; the target DR generates the temporary key and the session key, and the UE generates the device-related key, the temporary key and the session key; the target DR sends an update request message to the visited SLS, and the update request message is forwarded to the home SLS; the home SLS stores the mapping between the UE and the current DR ID (that is, the DR ID of the target DR); the home SLS sends an update response message to the visited SLS, and the visited SLS sends the update response message to the target DR; the target DR stores the mapping between the User ID and the Locator; and the target DR sends a handover response message to the source DR.
Thus, the session key is derived step by step, and confidentiality and integrity are provided for data transmission between the user equipment and the router in the UIP network, which overcomes the defect that the existing UIP network cannot provide confidentiality and integrity for data transmission between the user equipment and the router.
Example twelve
Fig. 16 is a flowchart of another method for generating a key according to an embodiment of the present invention. The method is applicable to a scenario where the UE is in a visited domain, that is, the UE is roaming. As shown in fig. 16, the method includes the following steps:
1601: the source DR sends a handover request message to the target DR; the handover request message includes the User ID and the Device ID;
1602: the target DR sends an access request message to the visited SLS; the access request message contains the User ID, Device ID and DR ID; the visited SLS is the SLS of the domain in which the target DR is located;
1603: the visited SLS sends an access request message to the home SLS; the access request message contains the User ID, Device ID and DR ID;
1604: the home SLS generates a random value nonce; the nonce is used for authenticating the UE and for generating the device-related key Kdev;
1605: the home SLS sends an authentication request message to the visited SLS; the authentication request message contains the nonce and the Domain ID; the Domain ID is stored in the home SLS;
1606: the visited SLS sends an authentication request message to the target DR; the authentication request message contains the nonce and the Domain ID;
1607: the target DR sends an authentication request message to the UE; the authentication request message contains the nonce, the Domain ID and the DR ID, so that the UE can derive the device-related key Kdev, the temporary key Kdev' and the session key Ksession from the nonce, Domain ID, DR ID, root key K and the count value counter;
1608: the UE sends an authentication response message to the target DR, so that the target DR can feed the authentication response message back to the visited SLS;
1609: the target DR sends the authentication response message to the visited SLS, so that the visited SLS can feed it back to the home SLS;
1610: the visited SLS sends the authentication response message to the home SLS; the authentication response message notifies the home SLS that the authentication process is complete;
1611: the home SLS looks up the root key K shared between the home SLS and the UE according to the User ID of the UE;
1612: the home SLS generates the device-related key Kdev = KDF(K, Device ID, nonce);
1613: the home SLS sends an access response message to the visited SLS; the access response message contains the device-related key Kdev;
1614: the visited SLS sends an access response message to the target DR; the access response message contains the device-related key Kdev;
1615: the target DR generates the temporary key Kdev' = KDF(Kdev, counter, Domain ID, DR ID) and the session key Ksession = KDF(Kdev');
1616: the UE generates the device-related key Kdev = KDF(K, Device ID, nonce), the temporary key Kdev' = KDF(Kdev, counter, Domain ID, DR ID) and the session key Ksession = KDF(Kdev');
Further, when the UE moves into the coverage area of the target DR, the target DR holds no mapping between the User ID and the Locator of the UE, and the UE has not yet established contact with the target DR; to establish that contact, the method further includes the following steps:
1617: the target DR sends an update request message to the visited SLS; the update request message includes the DR ID of the target DR;
1618: the update request message is forwarded to the home SLS; the update request message includes the DR ID of the target DR;
1619: the home SLS stores the mapping between the UE and the current DR ID (that is, the DR ID of the target DR);
1620: the home SLS sends an update response message to the visited SLS; the update response message indicates that the update of the target DR information is complete;
1621: the visited SLS sends the update response message to the target DR;
1622: the target DR stores the mapping between the User ID and the Locator;
1623: the target DR sends a handover response message to the source DR; the handover response message notifies the source DR that the handover is complete.
It should be noted that step 1616 is the key generation process of the UE, steps 1611 to 1615 are the key generation process for the target DR, and there is no fixed order between step 1616 and steps 1611 to 1615.
As can be seen from the above, in another method for generating a key provided in the embodiments of the present invention, the source DR sends a handover request message to the target DR; the target DR sends an access request message to the visited SLS, and the visited SLS sends an access request message to the home SLS; the home SLS generates a random value nonce and sends an authentication request message to the visited SLS, the visited SLS sends an authentication request message to the target DR, and the target DR sends an authentication request message to the UE; the UE sends an authentication response message to the target DR, the target DR sends it to the visited SLS, and the visited SLS sends it to the home SLS; the home SLS looks up the root key K shared between the home SLS and the UE according to the User ID of the UE and generates the device-related key; the home SLS sends an access response message to the visited SLS, and the visited SLS sends an access response message to the target DR; the target DR generates the temporary key and the session key, and the UE generates the device-related key, the temporary key and the session key; the target DR sends an update request message to the visited SLS, and the update request message is forwarded to the home SLS; the home SLS stores the mapping between the UE and the current DR ID (that is, the DR ID of the target DR); the home SLS sends an update response message to the visited SLS, and the visited SLS sends the update response message to the target DR; the target DR stores the mapping between the User ID and the Locator; and the target DR sends a handover response message to the source DR.
Thus, the session key is derived step by step, and confidentiality and integrity are provided for data transmission between the user equipment and the router in the UIP network, which overcomes the defect that the existing UIP network cannot provide confidentiality and integrity for data transmission between the user equipment and the router.
Example thirteen
Fig. 17 is a flowchart of another method for generating a key according to an embodiment of the present invention. The method is applicable to a scenario where the UE is in a visited domain, that is, the UE is roaming. As shown in fig. 17, the method includes the following steps:
1701: the source DR sends a handover request message to the target DR; the handover request message includes the User ID and the Device ID;
1702: the target DR sends an access request message to the visited SLS; the access request message contains the User ID, Device ID and DR ID; the visited SLS is the SLS of the domain in which the target DR is located;
1703: the visited SLS sends an access request message to the home SLS; the access request message contains the User ID, Device ID and DR ID;
1704: the home SLS generates a random value nonce; the nonce is used for authenticating the UE and for generating the device-related key Kdev;
1705: the home SLS sends an authentication request message to the visited SLS; the authentication request message contains the nonce and the Domain ID; the Domain ID is stored in the home SLS;
1706: the visited SLS sends an authentication request message to the target DR; the authentication request message contains the nonce and the Domain ID;
1707: the target DR sends an authentication request message to the UE; the authentication request message contains the nonce, the Domain ID and the DR ID, so that the UE can derive the device-related key Kdev, the temporary key Kdev' and the session key Ksession from the nonce, Domain ID, DR ID, root key K and the count value counter;
1708: the UE sends an authentication response message to the target DR, so that the target DR can feed the authentication response message back to the visited SLS;
1709: the target DR sends the authentication response message to the visited SLS, so that the visited SLS can feed it back to the home SLS;
1710: the visited SLS sends the authentication response message to the home SLS; the authentication response message notifies the home SLS that the authentication process is complete;
1711: the home SLS looks up the root key K shared between the home SLS and the UE according to the User ID of the UE;
1712: the home SLS generates the device-related key Kdev = KDF(K, Device ID, nonce, Domain ID, DR ID);
1713: the home SLS sends an access response message to the visited SLS; the access response message contains the device-related key Kdev;
1714: the visited SLS sends an access response message to the target DR; the access response message contains the device-related key Kdev;
1715: the target DR generates the temporary key Kdev' = KDF(Kdev) and the session key Ksession = KDF(Kdev', counter);
1716: the UE generates the device-related key Kdev = KDF(K, Device ID, nonce, Domain ID, DR ID), the temporary key Kdev' = KDF(Kdev) and the session key Ksession = KDF(Kdev', counter);
Further, when the UE moves into the coverage area of the target DR, the target DR holds no mapping between the User ID and the Locator of the UE, and the UE has not yet established contact with the target DR; to establish that contact, the method further includes the following steps:
1717: the target DR sends an update request message to the visited SLS; the update request message includes the DR ID of the target DR;
1718: the update request message is forwarded to the home SLS; the update request message includes the DR ID of the target DR;
1719: the home SLS stores the mapping between the UE and the current DR ID (that is, the DR ID of the target DR);
1720: the home SLS sends an update response message to the visited SLS; the update response message indicates that the update of the target DR information is complete;
1721: the visited SLS sends the update response message to the target DR;
1722: the target DR stores the mapping between the User ID and the Locator;
1723: the target DR sends a handover response message to the source DR; the handover response message notifies the source DR that the handover is complete.
It should be noted that step 1716 is the key generation process of the UE, steps 1711 to 1715 are the key generation process for the target DR, and there is no fixed order between step 1716 and steps 1711 to 1715.
As can be seen from the above, in another method for generating a key provided in the embodiments of the present invention, the source DR sends a handover request message to the target DR; the target DR sends an access request message to the visited SLS, and the visited SLS sends an access request message to the home SLS; the home SLS generates a random value nonce and sends an authentication request message to the visited SLS, the visited SLS sends an authentication request message to the target DR, and the target DR sends an authentication request message to the UE; the UE sends an authentication response message to the target DR, the target DR sends it to the visited SLS, and the visited SLS sends it to the home SLS; the home SLS looks up the root key K shared between the home SLS and the UE according to the User ID of the UE and generates the device-related key; the home SLS sends an access response message to the visited SLS, and the visited SLS sends an access response message to the target DR; the target DR generates the temporary key and the session key, and the UE generates the device-related key, the temporary key and the session key; the target DR sends an update request message to the visited SLS, and the update request message is forwarded to the home SLS; the home SLS stores the mapping between the UE and the current DR ID (that is, the DR ID of the target DR); the home SLS sends an update response message to the visited SLS, and the visited SLS sends the update response message to the target DR; the target DR stores the mapping between the User ID and the Locator; and the target DR sends a handover response message to the source DR.
Thus, the session key is derived step by step, and confidentiality and integrity are provided for data transmission between the user equipment and the router in the UIP network, which overcomes the defect that the existing UIP network cannot provide confidentiality and integrity for data transmission between the user equipment and the router.
Example fourteen
Fig. 18 is a flowchart of another method for generating a key according to an embodiment of the present invention. The method is applicable to a scenario where the UE is in a visited domain, that is, the UE is roaming. As shown in fig. 18, the method includes the following steps:
1801: the source DR sends a handover request message to the target DR; the handover request message includes the User ID and the Device ID;
1802: the target DR sends an access request message to the visited SLS; the access request message contains the User ID, Device ID and DR ID; the visited SLS is the SLS of the domain in which the target DR is located;
1803: the visited SLS sends an access request message to the home SLS; the access request message contains the User ID and the Device ID;
1804: the home SLS generates a random value nonce; the nonce is used for authenticating the UE and for generating the device-related key Kdev;
1805: the home SLS sends an authentication request message to the visited SLS; the authentication request message contains the nonce and the Domain ID; the Domain ID is stored in the home SLS;
1806: the visited SLS sends an authentication request message to the target DR; the authentication request message contains the nonce and the Domain ID;
1807: the target DR sends an authentication request message to the UE; the authentication request message contains the nonce, the Domain ID and the DR ID, so that the UE can derive the device-related key Kdev, the temporary key Kdev' and the session key Ksession from the nonce, Domain ID, DR ID, root key K and the count value counter;
1808: the UE sends an authentication response message to the target DR, so that the target DR can feed the authentication response message back to the visited SLS;
1809: the target DR sends the authentication response message to the visited SLS, so that the visited SLS can feed it back to the home SLS;
1810: the visited SLS sends the authentication response message to the home SLS; the authentication response message notifies the home SLS that the authentication process is complete;
1811: the home SLS looks up the root key K shared between the home SLS and the UE according to the User ID of the UE;
1812: the home SLS generates the device-related key Kdev = KDF(K, Device ID, nonce);
1813: the home SLS sends an access response message to the visited SLS; the access response message contains the device-related key Kdev;
1814: the visited SLS sends an access response message to the target DR; the access response message contains the device-related key Kdev;
1815: the target DR generates the temporary key Kdev' = KDF(Kdev, Domain ID, DR ID) and the session key Ksession = KDF(Kdev', counter);
1816: the UE generates the device-related key Kdev = KDF(K, Device ID, nonce), the temporary key Kdev' = KDF(Kdev, Domain ID, DR ID) and the session key Ksession = KDF(Kdev', counter);
Further, when the UE moves into the coverage area of the target DR, the target DR holds no mapping between the User ID and the Locator of the UE, and the UE has not yet established contact with the target DR; to establish that contact, the method further includes the following steps:
1817: the target DR sends an update request message to the visited SLS; the update request message includes the DR ID of the target DR;
1818: the update request message is forwarded to the home SLS; the update request message includes the DR ID of the target DR;
1819: the home SLS stores the mapping between the UE and the current DR ID (that is, the DR ID of the target DR);
1820: the home SLS sends an update response message to the visited SLS; the update response message indicates that the update of the target DR information is complete;
1821: the visited SLS sends the update response message to the target DR;
1822: the target DR stores the mapping between the User ID and the Locator;
1823: the target DR sends a handover response message to the source DR; the handover response message notifies the source DR that the handover is complete.
It should be noted that step 1816 is the key generation process of the UE, steps 1811 to 1815 are the key generation process for the target DR, and there is no fixed order between step 1816 and steps 1811 to 1815.
As can be seen from the above, in another method for generating a key provided in the embodiments of the present invention, the source DR sends a handover request message to the target DR; the target DR sends an access request message to the visited SLS, and the visited SLS sends an access request message to the home SLS; the home SLS generates a random value nonce and sends an authentication request message to the visited SLS, the visited SLS sends an authentication request message to the target DR, and the target DR sends an authentication request message to the UE; the UE sends an authentication response message to the target DR, the target DR sends it to the visited SLS, and the visited SLS sends it to the home SLS; the home SLS looks up the root key K shared between the home SLS and the UE according to the User ID of the UE and generates the device-related key; the home SLS sends an access response message to the visited SLS, and the visited SLS sends an access response message to the target DR; the target DR generates the temporary key and the session key, and the UE generates the device-related key, the temporary key and the session key; the target DR sends an update request message to the visited SLS, and the update request message is forwarded to the home SLS; the home SLS stores the mapping between the UE and the current DR ID (that is, the DR ID of the target DR); the home SLS sends an update response message to the visited SLS, and the visited SLS sends the update response message to the target DR; the target DR stores the mapping between the User ID and the Locator; and the target DR sends a handover response message to the source DR.
Thus, the session key is derived step by step, and confidentiality and integrity are provided for data transmission between the user equipment and the router in the UIP network, which overcomes the defect that the existing UIP network cannot provide confidentiality and integrity for data transmission between the user equipment and the router.
Example fifteen
Fig. 19 is a flowchart of another method for generating a key according to an embodiment of the present invention. The method is applicable to a scenario where the UE is currently in a visited domain, that is, the UE is roaming. As shown in fig. 19, the method includes the following steps:
1901: the source DR sends a handover request message to the target DR; the handover request message includes the User ID and the Device ID;
1902: the target DR sends an access request message to the visited SLS; the access request message contains the User ID, Device ID and DR ID; the visited SLS is the SLS of the domain in which the target DR is located;
1903: the visited SLS sends an access request message to the home SLS; the access request message contains the User ID, Device ID and DR ID;
1904: the home SLS generates a random value nonce; the nonce is used for authenticating the UE and for generating the device-related key Kdev;
1905: the home SLS sends an authentication request message to the visited SLS; the authentication request message contains the nonce and the Domain ID; the Domain ID is stored in the home SLS;
1906: the visited SLS sends an authentication request message to the target DR; the authentication request message contains the nonce and the Domain ID;
1907: the target DR sends an authentication request message to the UE; the authentication request message contains the nonce, the Domain ID and the DR ID, so that the UE can derive the device-related key Kdev, the temporary key Kdev' and the session key Ksession from the nonce, Domain ID, DR ID, root key K and the count value counter;
1908: the UE sends an authentication response message to the target DR, so that the target DR can feed the authentication response message back to the visited SLS;
1909: the target DR sends the authentication response message to the visited SLS, so that the visited SLS can feed it back to the home SLS;
1910: the visited SLS sends the authentication response message to the home SLS; the authentication response message notifies the home SLS that the authentication process is complete;
1911: the home SLS looks up the root key K shared between the home SLS and the UE according to the User ID of the UE;
1912: the home SLS generates the device-related key Kdev = KDF(K, Device ID, nonce);
1913: the home SLS sends an access response message to the visited SLS; the access response message contains the device-related key Kdev;
1914: the visited SLS sends an access response message to the target DR; the access response message contains the device-related key Kdev;
1915: the target DR generates the temporary key Kdev' = KDF(Kdev) and the session key Ksession = KDF(Kdev', counter, Domain ID, DR ID);
1916: the UE generates the device-related key Kdev = KDF(K, Device ID, nonce), the temporary key Kdev' = KDF(Kdev) and the session key Ksession = KDF(Kdev', counter, Domain ID, DR ID);
Further, when the UE moves into the coverage area of the target DR, the target DR holds no mapping between the User ID and the Locator of the UE, and the UE has not yet established contact with the target DR; to establish that contact, the method further includes the following steps:
1917: the target DR sends an update request message to the visited SLS; the update request message includes the DR ID of the target DR;
1918: the update request message is forwarded to the home SLS; the update request message includes the DR ID of the target DR;
1919: the home SLS stores the mapping between the UE and the current DR ID (that is, the DR ID of the target DR);
1920: the home SLS sends an update response message to the visited SLS; the update response message indicates that the update of the target DR information is complete;
1921: the visited SLS sends the update response message to the target DR;
1922: the target DR stores the mapping between the User ID and the Locator;
1923: the target DR sends a handover response message to the source DR; the handover response message notifies the source DR that the handover is complete.
It should be noted that step 1916 is the key generation process of the UE, steps 1911 to 1915 are the key generation process for the target DR, and there is no fixed order between step 1916 and steps 1911 to 1915.
As can be seen from the above, in another method for generating a key provided in the embodiments of the present invention, the source DR sends a handover request message to the target DR; the target DR sends an access request message to the visited SLS, and the visited SLS sends an access request message to the home SLS; the home SLS generates a random value nonce and sends an authentication request message to the visited SLS, the visited SLS sends an authentication request message to the target DR, and the target DR sends an authentication request message to the UE; the UE sends an authentication response message to the target DR, the target DR sends it to the visited SLS, and the visited SLS sends it to the home SLS; the home SLS looks up the root key K shared between the home SLS and the UE according to the User ID of the UE and generates the device-related key; the home SLS sends an access response message to the visited SLS, and the visited SLS sends an access response message to the target DR; the target DR generates the temporary key and the session key, and the UE generates the device-related key, the temporary key and the session key; the target DR sends an update request message to the visited SLS, and the update request message is forwarded to the home SLS; the home SLS stores the mapping between the UE and the current DR ID (that is, the DR ID of the target DR); the home SLS sends an update response message to the visited SLS, and the visited SLS sends the update response message to the target DR; the target DR stores the mapping between the User ID and the Locator; and the target DR sends a handover response message to the source DR.
Thus, the session key is derived step by step, and confidentiality and integrity are provided for data transmission between the user equipment and the router in the UIP network, which overcomes the defect that the existing UIP network cannot provide confidentiality and integrity for data transmission between the user equipment and the router.
Example sixteen
Fig. 20 is a destination router 200 according to an embodiment of the present invention, as shown in fig. 20, including:
The receiving module 2001: configured to receive a handover request message sent by a source router, where the handover request message includes a user identifier of a user equipment and a device identifier of the user equipment.
The source router and the destination router are relative concepts, determined by the handover of the User Equipment (UE): the source router is the router that performs data communication with the UE before the handover, and the destination router is the router that performs data communication with the UE after the handover, where the handover is the movement of the UE from the coverage area of one router to the coverage area of another router. In the embodiment of the invention, the source router and the destination router can be in the same UIP domain or in different UIP domains; when they are in the same UIP domain the UE is moving within the domain, and when they are in different UIP domains the UE is moving between domains. For example, fig. 2 is a schematic diagram of mobility management of user equipment in the UIP network, and as shown in fig. 2, a UE connected to the UIP network may have the following two mobility situations: intra-domain movement, such as movement of the UE from the coverage area of router 2 to the coverage area of router 1, where router 2 is the source router and router 1 is the destination router; and inter-domain movement, such as movement of the UE from the coverage area of router 2 to the coverage area of router 3, where router 2 is the source router and router 3 is the destination router.
In one embodiment of the present invention, when the UE moves from the coverage area of the source router to the coverage area of the destination router 200, the receiving module 2001 receives a handover request message sent by the source router, where the handover request message includes the user identifier and the device identifier of the user equipment, or includes the user identifier, the device identifier and the locator of the user equipment.
The User identifier (User ID) of the user equipment, the Device identifier (Device ID) of the user equipment and the Locator are the three identifiers (IDs) defined by the UIP network protocol. The User ID is assigned by the operator and never changes; a Device ID is assigned by the device manufacturer or the operator, for example an International Mobile Equipment Identity (IMEI), and one User ID may be associated with multiple Device IDs; a Locator is usually an IP address, assigned by the operator or specified by the user equipment, and one Device ID may be associated with multiple Locators. The user identifier, the device identifier and the locator of the user equipment may be saved in the source router during the initialization process in which the UE establishes data communication with the source router. For example, fig. 3 is a schematic diagram of the ID model of the UIP network, and as shown in fig. 3, for a scenario in which one user has multiple devices, the IDs of the UIP network are divided into one User identifier (User ID), multiple Device identifiers (Device IDs) and multiple Locators.
The sending module 2002: configured to send an access request message to a location server when the receiving module 2001 receives the handover request message, where the access request message includes the user identifier of the user equipment, the device identifier of the user equipment and an identifier of the destination router.
Wherein the identifier of the destination router is stored in the destination router for identifying the destination router.
The location server is a home location server and/or a visited location server of the user equipment. The home location server of the user equipment is the location server in the home domain, and the visited location server is the location server in a visited domain. The home domain is the UIP domain designated for the user when the user subscribes with an operator, and it is unique and unchanged throughout the communication of the user equipment; a visited domain is a domain in which the UE is in a roaming state, and the roaming state means that the UIP domain where the UE is currently located is not its home domain. For example, as shown in fig. 2, assuming that the home domain of the UE is UIP domain-1, the location server SLS-1 is the home location server; when the UE moves to the coverage area of router 3 within UIP domain-2, i.e. leaves the home domain, the UE is in a roaming state, UIP domain-2 is a visited domain, and the location server SLS-2 is a visited location server.
The receiving module 2001 is further configured to receive an access response message sent by the location server, where the access response message includes a device-dependent key, and the device-dependent key is derived by the location server according to a random value, a root key, and one or more of the following parameters: a device identifier of the user equipment, an identifier of the domain in which the location server is located, and an identifier of the destination router.
Wherein the random value is generated by the location server for authenticating the user equipment and generating a device dependent key;
The root key is a key shared by the UE and the home location server of the UE in the UIP network and is stored in both the UE and the home location server. The root key corresponds to the User identifier (User ID) of the UE, each UE has a unique root key, and the home location server looks up the root key according to the User identifier in order to derive the device-dependent key. The root key K may be preset by the operator, which is not limited in the embodiment of the present invention.
The identifier of the domain where the location server is located is the identifier of the domain where the home location server is located, is stored in the home location server of the UE and is used for identifying the home domain of the UE; in an embodiment of the present invention, the identifier of the domain where the location server is located may be sent to the destination router by a home location server of the user equipment, and may also be obtained by the destination router through another configuration manner, which is not limited in this embodiment of the present invention.
The device-dependent key (Kdev) may be derived by the home location server of the UE from the random value (nonce), the root key and one or more of the following parameters: the Device identifier (Device ID) of the user equipment, the Domain ID of the domain where the location server is located, and the DR ID of the destination router, so that, in a scenario where one user has multiple devices, different devices obtain different device-dependent keys Kdev.
In one embodiment of the present invention, the device-dependent key Kdev may be derived by the home location server from the random value, the root key and the Device identifier (Device ID) of the user equipment using a Key Derivation Function (KDF), for example, Kdev = KDF (K, Device ID, nonce);
alternatively, the home location server derives Kdev using a Key Derivation Function (KDF) from the random value nonce, the root key K, the Device identifier (Device ID) of the user equipment, the identifier of the domain where the location server is located (Domain ID) and the identifier of the destination router (DR ID), for example, Kdev = KDF (K, Device ID, nonce, Domain ID, DR ID).
A generating module 2003, configured to derive a session key according to the device-dependent key when the receiving module 2001 receives the access response message.
Further, the sending module 2002 is specifically configured to send the access request message to the home location server and/or the visited location server of the UE according to the domain in which the UE is currently located.
In the embodiment of the present invention, as can be seen from the mobility of the UE in the UIP network and the UIP domains shown in fig. 2, the mobility of the UE may be any one of the following situations: the UE is currently located in the home domain, inter-domain movement from a visited domain to the home domain, inter-domain movement from the home domain to a visited domain, and inter-domain movement from one visited domain to another visited domain.
Illustratively, when the domain where the UE is currently located is the home domain, the sending module 2002 sends the access request message to the home location server.
Illustratively, when the domain where the UE is currently located is a visited domain, the sending module 2002 sends the access request message to the visited location server, so that the visited location server forwards the access request message to the home location server.
Further, the generating module 2003 is specifically configured to derive a temporary key according to the device-related key in the access response message; and deriving a session key according to the temporary key. For example, fig. 4 is a schematic structural diagram of a key hierarchy of the UIP network according to the embodiment of the present invention, and as shown in fig. 4, a key of the UIP network includes a root key K, a device-dependent key Kdev, a temporary key Kdev', and a session key Ksession; the device-related key Kdev is derived from the root key K, the temporary key Kdev 'is derived from the device-related key Kdev, and the session key Ksession is derived from the temporary key Kdev', so that session keys are derived step by step, and confidentiality and integrity protection are provided for data transmission between the destination router and the user equipment.
Illustratively, the device-dependent key is derived by the location server from the random value, the root key and the device identifier of the user equipment; for example, the device-dependent key Kdev = KDF (K, Device ID, nonce);
the generating module 2003 is specifically configured to derive the session key in one of the following four ways (1) to (4), which are described below:
(1) deriving a temporary key from the device-dependent key and the counter value, e.g., Kdev' = KDF (Kdev, counter); where the counter value is generated by a counter maintained jointly by the router and the user equipment in the UIP network;
deriving a session key from the temporary key, the identifier of the domain where the location server is located and the identifier of the destination router, e.g., Ksession = KDF (Kdev', Domain ID, DR ID).
(2) deriving a temporary key from the device-dependent key, the counter value, the identifier of the domain where the location server is located and the identifier of the destination router, e.g., Kdev' = KDF (Kdev, counter, Domain ID, DR ID);
deriving a session key from the temporary key, e.g., Ksession = KDF (Kdev').
(3) deriving a temporary key from the device-dependent key, the identifier of the domain where the location server is located and the identifier of the destination router, e.g., Kdev' = KDF (Kdev, Domain ID, DR ID);
deriving a session key from the temporary key and the counter value, e.g., Ksession = KDF (Kdev', counter).
(4) deriving a temporary key from the device-dependent key, e.g., Kdev' = KDF (Kdev);
deriving a session key from the temporary key, the counter value, the identifier of the domain where the location server is located and the identifier of the destination router, e.g., Ksession = KDF (Kdev', counter, Domain ID, DR ID).
Illustratively, the device-dependent key is derived by the location server from the random value, the root key, the device identifier of the user equipment, the identifier of the domain where the location server is located and the identifier of the destination router; for example, the device-dependent key Kdev = KDF (K, Device ID, nonce, Domain ID, DR ID);
the generating module 2003 is specifically configured to derive the session key in one of the following two ways (1) to (2), which are described below:
(1) deriving a temporary key from the device-dependent key and the counter value, e.g., Kdev' = KDF (Kdev, counter);
deriving a session key from the temporary key, e.g., Ksession = KDF (Kdev').
(2) deriving a temporary key from the device-dependent key, e.g., Kdev' = KDF (Kdev);
deriving a session key from the temporary key and the counter value, e.g., Ksession = KDF (Kdev', counter).
Further, the receiving module 2001 is further configured to receive an authentication request message sent by the location server; wherein the authentication request message contains the random value and an identifier of a domain in which the location server is located;
the sending module 2002 is further configured to, when the receiving module 2001 receives an authentication request message, send the authentication request message to the user equipment, where the authentication request message includes the random value, an identifier of a domain where the location server is located, and an identifier of the destination router, so that the user equipment returns an authentication response message and generates a device-dependent key and a session key.
As can be seen from the above, an embodiment of the present invention provides a destination router 200, which receives a handover request message sent by a source router, where the handover request message includes a user identifier of a user equipment, and an equipment identifier of the user equipment; sending an access request message to a location server, wherein the access request includes a user identifier of the user equipment, a device identifier of the user equipment and an identifier of the destination router; receiving an access response message sent by the location server, wherein the access response message contains a device-related key, and the device-related key is derived by the location server according to the random value, a root key and one or more of the following parameters: a device identifier of the user equipment, an identifier of a domain in which the location server is located, an identifier of the destination router; and deriving a session key according to the equipment-related key in the access response message. Thus, the session key is derived step by step, and confidentiality and integrity are provided for data transmission between the user equipment and the router in the UIP network; the defects that the existing UIP network cannot provide confidentiality and integrity for data transmission between the user equipment and the router are overcome.
Example seventeen
Fig. 21 is a location server 210 according to an embodiment of the present invention, as shown in fig. 21, including:
a receiving module 2101 is configured to receive an access request message sent by a destination router, where the access request message includes a user identifier of a user equipment, a device identifier of the user equipment, and an identifier of the destination router.
A sending module 2102, configured to send an authentication request message to the destination router when the receiving module 2101 receives the access request message, where the authentication request message includes a random value and an identifier of the domain where the location server is located; the random value is generated by the location server for authenticating the user equipment and for generating a device-dependent key.
The receiving module 2101 is further configured to receive an authentication response message sent by the destination router.
a generating module 2103, configured to derive the device-related key according to a root key, the random value, and one or more of the following parameters when the receiving module receives the authentication response message sent by the destination router: a device identifier of the user equipment, an identifier of a domain in which the location server is located, and an identifier of the destination router.
The sending module 2102 is further configured to send an access response message to the destination router when the generating module generates the device-related key, where the access response message includes the device-related key.
Further, the generating module 2103 is specifically configured to derive the device-related key in the following two manners (1) - (2), which are described below:
(1) deriving the device-dependent key from the root key, the random value and the device identifier of the user equipment, e.g., the device-dependent key Kdev = KDF (K, Device ID, nonce);
(2) deriving the device-dependent key from the root key, the random value, the device identifier of the user equipment, the identifier of the domain where the location server is located and the identifier of the destination router, e.g., the device-dependent key Kdev = KDF (K, Device ID, nonce, Domain ID, DR ID).
As can be seen from the above, the embodiment of the present invention provides a location server 210, which receives an access request message sent by a destination router, where the access request message includes a user identifier of a user equipment, a device identifier of the user equipment and an identifier of the destination router; sends an authentication request message to the destination router, where the authentication request message includes a random value and an identifier of the domain where the location server is located; receives an authentication response message sent by the destination router; derives a device-dependent key according to a root key, the random value and one or more of the following parameters: the device identifier of the user equipment, the identifier of the domain where the location server is located and the identifier of the destination router; and sends an access response message containing the device-dependent key to the destination router, so that the destination router derives a temporary key according to the device-dependent key and a session key according to the temporary key. Thus, the session key is derived step by step, and confidentiality and integrity are provided for data transmission between the user equipment and the router in the UIP network; the defect that no session key exists in the communication process of the existing UIP network, so that confidentiality and integrity cannot be provided for data transmission between the user equipment and the router, is overcome.
Example eighteen
Fig. 22 is a user equipment 220 according to an embodiment of the present invention, as shown in fig. 22, including:
The receiving module 2201: configured to receive an authentication request message sent by a destination router, where the authentication request message contains a random value, an identifier of the domain where the location server is located and an identifier of the destination router.
A generation module 2202: configured to derive, when the receiving module 2201 receives the authentication request message, a device-dependent key according to a root key, the random value and one or more of the following parameters: the device identifier of the user equipment, the identifier of the domain in which the location server is located and the identifier of the destination router; and to derive a session key from the device-dependent key.
Further, the generating module 2202 is specifically configured to derive a temporary key according to the device-related key, and derive a session key according to the temporary key.
Illustratively, the generating module 2202 derives the session key in one of the following six ways (1) to (6), which are described below:
(1) deriving a device-dependent key from the random value, the root key and the device identifier, e.g., Kdev = KDF (K, Device ID, nonce);
deriving a temporary key from the device-dependent key and the counter value, e.g., Kdev' = KDF (Kdev, counter);
deriving a session key from the temporary key, the identifier of the domain where the location server is located and the identifier of the destination router, e.g., Ksession = KDF (Kdev', Domain ID, DR ID);
(2) deriving a device-dependent key from the random value, the root key and the device identifier, e.g., Kdev = KDF (K, Device ID, nonce);
deriving a temporary key from the device-dependent key, the counter value, the identifier of the domain where the location server is located and the identifier of the destination router, e.g., Kdev' = KDF (Kdev, counter, Domain ID, DR ID);
deriving a session key from the temporary key, e.g., Ksession = KDF (Kdev');
(3) deriving a device-dependent key from the random value, the root key and the device identifier, e.g., Kdev = KDF (K, Device ID, nonce);
deriving a temporary key from the device-dependent key, the identifier of the domain where the location server is located and the identifier of the destination router, e.g., Kdev' = KDF (Kdev, Domain ID, DR ID);
deriving a session key from the temporary key and the counter value, e.g., Ksession = KDF (Kdev', counter);
(4) deriving a device-dependent key from the random value, the root key and the device identifier, e.g., Kdev = KDF (K, Device ID, nonce);
deriving a temporary key from the device-dependent key, e.g., Kdev' = KDF (Kdev);
deriving a session key from the temporary key, the counter value, the identifier of the domain where the location server is located and the identifier of the destination router, e.g., Ksession = KDF (Kdev', counter, Domain ID, DR ID);
(5) deriving a device-dependent key from the random value, the root key, the device identifier of the user equipment, the identifier of the domain where the location server is located and the identifier of the destination router, e.g., Kdev = KDF (K, Device ID, nonce, Domain ID, DR ID);
deriving a temporary key from the device-dependent key and the counter value, e.g., Kdev' = KDF (Kdev, counter);
deriving a session key from the temporary key, e.g., Ksession = KDF (Kdev');
(6) deriving a device-dependent key from the random value, the root key, the device identifier of the user equipment, the identifier of the domain where the location server is located and the identifier of the destination router, e.g., Kdev = KDF (K, Device ID, nonce, Domain ID, DR ID);
deriving a temporary key from the device-dependent key, e.g., Kdev' = KDF (Kdev);
deriving a session key from the temporary key and the counter value, e.g., Ksession = KDF (Kdev', counter).
As can be seen from the above, the embodiment of the present invention provides a user equipment 220, which receives an authentication request message sent by a destination router, where the authentication request message includes the random value, an identifier of a domain where the location server is located, and an identifier of the destination router; deriving a device dependent key from the root key, the random value and one or more of the following parameters: the device identifier of the user equipment, the identifier of the domain in which the location server is located and the identifier of the destination router, a session key being derived from the device-dependent key. Thus, the session key is derived step by step, and confidentiality and integrity are provided for data transmission between the user equipment and the router in the UIP network; the defects that the existing UIP network cannot provide confidentiality and integrity for data transmission between the user equipment and the router are overcome.
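The key hierarchy K, Kdev, Kdev', Ksession and the handover exchange among destination router, home location server and user equipment of Examples sixteen to eighteen, as an added Python illustration that is not part of the patent and not Huawei's code. It covers the destination router's four and two methods, the location server's two manners and the user equipment's six ways above (ways (1) to (6) of the user equipment, which the router's methods mirror). The patent does not fix the KDF, so HMAC-SHA256 over length-prefixed parameters is assumed; the identifier strings, the 16-byte nonce, the dict-shaped messages, the counter starting at 0 on both sides, the UE being in its home domain (so no visited location server relays the messages), and the omission of any check of the authentication response (whose contents the patent does not specify) are likewise assumptions of this illustration.

```python
import hashlib
import hmac
import secrets

VARIANTS = (1, 2, 3, 4, 5, 6)   # the six derivation ways (1) to (6) listed for the UE

# Inputs of Kdev' and of Ksession for each way: c = counter, d = Domain ID, r = DR ID.
# Ways 1-4 use Kdev = KDF(K, Device ID, nonce); ways 5-6 also bind Domain ID and DR ID.
PATHS = {1: ("c", "dr"), 2: ("cdr", ""), 3: ("dr", "c"),
         4: ("", "cdr"), 5: ("c", ""), 6: ("", "c")}

def _enc(p) -> bytes:
    """One KDF parameter: bytes as-is, str as UTF-8, the integer counter as 4 big-endian bytes."""
    return p if isinstance(p, bytes) else p.encode() if isinstance(p, str) else int(p).to_bytes(4, "big")

def kdf(key: bytes, *params) -> bytes:
    """KDF assumed as HMAC-SHA256 over length-prefixed parameters (the patent leaves the KDF open).
    The prefix keeps KDF(k, "ab", "c") distinct from KDF(k, "a", "bc"); plain concatenation would not."""
    msg = b"".join(len(e).to_bytes(2, "big") + e for e in map(_enc, params))
    return hmac.new(key, msg, hashlib.sha256).digest()

def derive_kdev(K, device_id, nonce, domain_id, dr_id, variant):
    """Device-dependent key Kdev, computed by the home location server and by the UE."""
    if variant <= 4:
        return kdf(K, device_id, nonce)
    return kdf(K, device_id, nonce, domain_id, dr_id)

def derive_session_key(kdev, domain_id, dr_id, counter, variant):
    """Temporary key Kdev' and then session key Ksession, computed by the DR and by the UE."""
    vals = {"c": counter, "d": domain_id, "r": dr_id}
    tmp_params, sess_params = PATHS[variant]
    kdev_tmp = kdf(kdev, *(vals[x] for x in tmp_params))
    return kdf(kdev_tmp, *(vals[x] for x in sess_params))

class HomeSLS:
    """Home location server: holds root keys, issues the nonce, derives and returns Kdev."""
    def __init__(self, domain_id, nonce_source):
        self.domain_id, self.nonce_source = domain_id, nonce_source
        self.root_keys = {}   # User ID -> root key K, preset by the operator
        self.pending = {}     # User ID -> (nonce, Device ID, DR ID) awaiting the UE's response
        self.locations = {}   # User ID -> DR ID of the router currently serving the UE

    def access_request(self, user_id, device_id, dr_id):
        nonce = self.nonce_source()
        self.pending[user_id] = (nonce, device_id, dr_id)
        return {"nonce": nonce, "domain_id": self.domain_id}   # authentication request

    def authentication_response(self, user_id, variant):
        # How the SLS checks the UE's response is not specified by the patent and is omitted here.
        nonce, device_id, dr_id = self.pending.pop(user_id)
        K = self.root_keys[user_id]                              # root key looked up by User ID
        return {"kdev": derive_kdev(K, device_id, nonce, self.domain_id, dr_id, variant)}  # access response

    def update_request(self, user_id, dr_id):
        self.locations[user_id] = dr_id                          # mapping UE -> current DR ID

class UE:
    def __init__(self, user_id, device_id, K):
        self.user_id, self.device_id, self.K = user_id, device_id, K
        self.counter, self.ksession = 0, None   # counter kept in step with the serving router

    def authentication_request(self, msg, variant):
        kdev = derive_kdev(self.K, self.device_id, msg["nonce"], msg["domain_id"], msg["dr_id"], variant)
        self.ksession = derive_session_key(kdev, msg["domain_id"], msg["dr_id"], self.counter, variant)
        return {"user_id": self.user_id, "device_id": self.device_id}   # authentication response

class DestinationRouter:
    def __init__(self, dr_id, sls):
        self.dr_id, self.sls, self.bindings = dr_id, sls, {}   # bindings: User ID -> Locator

    def handover(self, handover_request, ue, variant):
        """Flow of Examples sixteen to eighteen for one UE; returns the router's Ksession."""
        user_id, device_id = handover_request["user_id"], handover_request["device_id"]
        auth_req = self.sls.access_request(user_id, device_id, self.dr_id)
        auth_req["dr_id"] = self.dr_id                           # the DR adds its own identifier
        ue.authentication_request(auth_req, variant)            # UE derives Kdev, Kdev', Ksession
        access_resp = self.sls.authentication_response(user_id, variant)
        ksession = derive_session_key(access_resp["kdev"], auth_req["domain_id"], self.dr_id, 0, variant)
        self.sls.update_request(user_id, self.dr_id)
        self.bindings[user_id] = handover_request.get("locator")   # User ID -> Locator
        return ksession

def run_handover(variant, device_id="IMEI-000001", dr_id="DR-1", nonce=None):
    """Constructed scenario; returns (Ksession at the UE, Ksession at the DR)."""
    K = hashlib.sha256(b"constructed root key of user-1").digest()   # operator-preset root key K
    nonce_src = (lambda: nonce) if nonce is not None else (lambda: secrets.token_bytes(16))
    sls = HomeSLS("UIP-domain-1", nonce_src)
    sls.root_keys["user-1"] = K
    ue, dr = UE("user-1", device_id, K), DestinationRouter(dr_id, sls)
    dr_key = dr.handover({"user_id": "user-1", "device_id": device_id, "locator": "10.0.0.7"}, ue, variant)
    return ue.ksession, dr_key

if __name__ == "__main__":
    for way in VARIANTS:
        ue_key, dr_key = run_handover(way)
        print("way", way, "UE and DR agree:", ue_key == dr_key, ue_key.hex()[:16])
```

Running the file shows the UE and the destination router arriving at the same Ksession for each of the six ways. Two properties of the hierarchy are visible in the code: two devices under the same User ID obtain different Kdev because the Device ID enters the first derivation, and a Ksession is tied to one router because the DR ID enters either Kdev or Kdev' or Ksession in every way, so a session key obtained at one router does not match another router. The length-prefixed parameter encoding is the one choice here that an implementer must make deliberately; concatenating identifiers of variable length without delimiting them lets distinct parameter lists map to the same key.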
Example nineteen
Referring to fig. 23, another destination router 230 provided by the embodiment of the present invention, as shown in fig. 23, includes: a processor 2301, a memory 2302, a communication unit 2303, and at least one communication bus 2304 for connecting these components and enabling communication among them;
the processor 2301 may be a Central Processing Unit (CPU);
the memory 2302 may be a volatile memory, such as a random-access memory (RAM); or a non-volatile memory, such as a read-only memory (ROM), a flash memory, a hard disk drive (HDD) or a solid-state drive (SSD); or a combination of the above types of memories, and provides instructions and data to the processor 2301;
the communication unit 2303 is configured to receive a handover request message sent by a source router, where the handover request message includes a user identifier of a user equipment and an equipment identifier of the user equipment.
The source router and the destination router are relative concepts, determined by the handover of the User Equipment (UE): the source router is the router that performs data communication with the UE before the handover, and the destination router is the router that performs data communication with the UE after the handover, where the handover is the movement of the UE from the coverage area of one router to the coverage area of another router. In the embodiment of the invention, the source router and the destination router can be in the same UIP domain or in different UIP domains; when they are in the same UIP domain the UE is moving within the domain, and when they are in different UIP domains the UE is moving between domains. For example, fig. 2 is a schematic diagram of mobility management of user equipment in the UIP network, and as shown in fig. 2, a UE connected to the UIP network may have the following two mobility situations: movement between routers within a domain, such as movement of the UE from the coverage area of router 2 to the coverage area of router 1, where router 2 is the source router and router 1 is the destination router; and movement between routers of different domains, such as movement of the UE from the coverage area of router 2 to the coverage area of router 3, where router 2 is the source router and router 3 is the destination router.
In one embodiment of the present invention, when the UE moves from the coverage area of the source router to the coverage area of the destination router 230, the communication unit 2303 receives a handover request message sent by the source router, where the handover request message includes the user identifier and the device identifier of the user equipment, or includes the user identifier, the device identifier and the locator of the user equipment.
The User identifier (User ID) of the user equipment, the Device identifier (Device ID) of the user equipment and the Locator are the three identifiers (IDs) defined by the UIP network protocol. The User ID is assigned by the operator and never changes; a Device ID is assigned by the device manufacturer or the operator, for example an International Mobile Equipment Identity (IMEI), and one User ID may be associated with multiple Device IDs; a Locator is usually an IP address, assigned by the operator or specified by the user equipment, and one Device ID may be associated with multiple Locators. The user identifier, the device identifier and the locator of the user equipment may be saved in the source router during the initialization process in which the UE establishes data communication with the source router. For example, fig. 3 is a schematic diagram of the ID model of the UIP network, and as shown in fig. 3, for a scenario in which one user has multiple devices, the IDs of the UIP network are divided into one User identifier (User ID), multiple Device identifiers (Device IDs) and multiple Locators.
The communication unit 2303 is further configured to send an access request message to a location server when receiving a handover request message, where the access request message includes a user identifier of the user equipment, a device identifier of the user equipment, and an identifier of the destination router.
Wherein the identifier of the destination router is stored in the destination router for identifying the destination router.
The location server is a home location server and/or a visited location server of the user equipment. The home location server of the user equipment is the location server in the home domain, and the visited location server is the location server in a visited domain. The home domain is the UIP domain designated for the user when the user subscribes with an operator, and it is unique and unchanged throughout the communication of the user equipment; a visited domain is a domain in which the UE is in a roaming state, and the roaming state means that the UIP domain where the UE is currently located is not its home domain. For example, as shown in fig. 2, assuming that the home domain of the UE is UIP domain-1, the location server SLS-1 is the home location server; when the UE moves to the coverage area of router 3 within UIP domain-2, i.e. leaves the home domain, the UE is in a roaming state, UIP domain-2 is a visited domain, and the location server SLS-2 is a visited location server.
The communication unit 2303 is further configured to receive an access response message sent by the location server, where the access response message includes a device-dependent key, and the device-dependent key is derived by the location server according to a random value, a root key, and one or more of the following parameters: a device identifier of the user equipment, an identifier of the domain in which the location server is located, and an identifier of the destination router.
Wherein the random value is generated by the location server for authenticating the user equipment and generating a device dependent key;
The root key is a key shared by the UE and the home location server of the UE in the UIP network and is stored in both the UE and the home location server. The root key corresponds to the User identifier (User ID) of the UE, each UE has a unique root key, and the home location server looks up the root key according to the User identifier in order to derive the device-dependent key. The root key K may be preset by the operator, which is not limited in the embodiment of the present invention.
The identifier of the domain where the location server is located is the identifier of the domain where the home location server is located, is stored in the home location server of the UE and is used for identifying the home domain of the UE; in an embodiment of the present invention, the identifier of the domain where the location server is located may be sent to the destination router by a home location server of the user equipment, and may also be obtained by the destination router through another configuration manner, which is not limited in this embodiment of the present invention.
The device dependent key (Kdev) may be derived by the home server of the UE from a random value (nonce), a root key and one or more of the following parameters: the Device identifier (Device ID) of the user equipment, the Domain ID of the Domain where the location server is located, and the DR ID of the destination router are implemented in a scenario where one user has multiple devices, and different devices have different Device-dependent keys Kdev.
In one embodiment of the present invention, the Device dependent Key Kdev may be derived by the home location server from a random value, a root Key and the Device identifier (Device ID) of the user equipment using a Key Derivation Function (KDF), for example, Kdev = KDF (K, Device ID, nonce);
alternatively, the Device dependent Key Kdev may be derived by the home location server using a Key Derivation Function (KDF) from the random value nonce, the root Key K, the Device identifier (Device ID) of the user equipment, the identifier of the Domain where the location server is located (Domain ID), and the identifier of the destination router (DR ID), for example, Kdev = KDF (K, Device ID, nonce, Domain ID, DR ID).
A processor 2301, configured to derive a session key according to the device-related key when the communication unit 2303 receives the access response message.
Further, the processor 2301 is specifically configured to derive a temporary key according to the device-related key in the access response message; and deriving a session key according to the temporary key.
Illustratively, the device-dependent key is derived by the location server from a random value, a root key, and a device identifier of the user device; for example, the Device-related key Kdev = KDF (K, Device ID, nonce);
the processor 2301 is specifically configured to derive the session key through the following four methods (1) to (4), which are described below:
(1) deriving a temporary key, e.g., Kdev' = KDF (Kdev, counter), from the device-dependent key and the count value; where the count value is generated by a counter maintained by the router and the user equipment in the UIP network;
a session key, for example, Ksession = KDF (Kdev', Domain ID, DR ID), is derived from the temporary key, the identifier of the Domain where the location server is located, and the identifier of the destination router.
(2) Deriving a temporary key, e.g., Kdev' = KDF (Kdev, counter, Domain ID, DR ID), from the device-dependent key, the count value, the identifier of the Domain where the location server is located, and the identifier of the destination router;
a session key is derived from the temporary key, e.g., Ksession = KDF (Kdev').
(3) Deriving a temporary key, e.g., Kdev' = KDF (Kdev, Domain ID, DR ID), from the device dependent key, the identifier of the Domain where the location server is located, and the identifier of the destination router;
deriving a session key, e.g., Ksession = KDF (Kdev', counter), from the temporary key and the count value;
(4) deriving a temporary key from the device-dependent key, e.g., Kdev' = KDF (Kdev);
a session key, for example, Ksession = KDF (Kdev', counter, Domain ID, DR ID), is derived from the temporary key, the count value, the identifier of the Domain where the location server is located, and the identifier of the destination router.
Illustratively, the device-dependent key is derived by the location server from a random value, a root key, a device identifier of the user device, an identifier of a domain in which the location server is located, and an identifier of the destination router; for example, the Device-related key Kdev = KDF (K, Device ID, nonce, Domain ID, DR ID);
the processor 2301 is specifically configured to derive the session key by the following two methods (1) to (2), which are described below:
(1) deriving a temporary key, e.g., Kdev' = KDF (Kdev, counter), from the device-dependent key and the count value;
deriving a session key from the temporary key, e.g., Ksession = KDF (Kdev');
(2) deriving a temporary key from the device-dependent key, e.g., Kdev' = KDF (Kdev);
a session key, e.g., Ksession = KDF (Kdev', counter), is derived from the temporary key and the count value.
Further, the communication unit 2303 is further configured to receive an authentication request message sent by the location server; wherein the authentication request message contains the random value and an identifier of a domain in which the location server is located;
the communication unit 2303 is further configured to, when the communication unit 2303 receives an authentication request message, send the authentication request message to the user equipment, where the authentication request message includes the random value, an identifier of a domain where the location server is located, and an identifier of the destination router, so that the user equipment returns an authentication response message and generates a device-related key and a session key.
As can be seen from the above, another destination router 230 according to an embodiment of the present invention receives a handover request message sent by a source router, where the handover request message includes a user identifier of a user equipment, and an equipment identifier of the user equipment; sending an access request message to a location server, wherein the access request includes a user identifier of the user equipment, a device identifier of the user equipment and an identifier of the destination router; receiving an access response message sent by the location server, wherein the access response message contains a device-related key, and the device-related key is derived by the location server according to the random value, a root key and one or more of the following parameters: a device identifier of the user equipment, an identifier of a domain in which the location server is located, an identifier of the destination router; and deriving a session key according to the equipment-related key in the access response message. Thus, the session key is derived step by step, and confidentiality and integrity are provided for data transmission between the user equipment and the router in the UIP network; the defects that the existing UIP network cannot provide confidentiality and integrity for data transmission between the user equipment and the router are overcome.
Example twenty
Fig. 24 shows another location server 240 according to an embodiment of the present invention; as shown in fig. 24, the apparatus includes: a processor 2401, a memory 2402, a communication unit 2403, and at least one communication bus 2404 for implementing connection and intercommunication among these devices;
processor 2401 may be a Central Processing Unit (CPU);
the memory 2402 may be a volatile memory, such as a random-access memory (RAM); or a non-volatile memory, such as a read-only memory (ROM), a flash memory, a hard disk (HDD) or a solid-state drive (SSD); or a combination of the above types of memories, and provides instructions and data to the processor 1001;
the communication unit 2403 is configured to receive an access request message sent by a destination router, where the access request message includes a user identifier of a user equipment, a device identifier of the user equipment, and an identifier of the destination router.
The communication unit 2403 is further configured to send an authentication request message to the destination router when receiving an access request message, where the authentication request message includes a random value and an identifier of a domain where the location server is located; the random value is generated by the location server for authenticating the user equipment and generating an equipment dependent key.
The communication unit 2403 is further configured to receive an authentication response message sent by the destination router.
The processor 2401 is configured to derive the device-related key according to a root key, the random value, and one or more of the following parameters when the communication unit 2403 receives the authentication response message: a device identifier of the user equipment, an identifier of a domain in which the location server is located, and an identifier of the destination router.
The communication unit 2403 is further configured to send an access response message to the destination router when the processor 2401 generates a device-related key, where the access response message includes the device-related key.
Further, the processor 2401 is specifically configured to derive the device-related key in the following two manners (1) to (2), which are described below:
(1) the device dependent key is derived from a root key, the random value and a device identifier of the user device, e.g. device dependent key Kdev = KDF (K, Device ID, nonce).
(2) The Device dependent key is derived from a root key, the random value, a Device identifier of the user Device, an identifier of the Domain where the location server is located and an identifier of the destination router, e.g. Device dependent key Kdev = KDF (K, Device ID, nonce, Domain ID, DR ID).
As can be seen from the above, another location server 240 is provided in the embodiments of the present invention, and receives an access request sent by a destination router, where the access request includes a user identifier of a user equipment, a device identifier of the user equipment, and an identifier of the destination router, and sends an authentication request to the destination router, where the authentication request includes a random value and an identifier of a domain where the location server is located, and the random value is generated by the location server and is used to authenticate the user equipment and generate a device-related key; receiving an authentication response message sent by the destination router, and deriving the device-related key according to a root key, the random value and one or more of the following parameters: a device identifier of the user equipment, an identifier of a domain in which the location server is located, and an identifier of the destination router. Thus, the session key is derived step by step, and confidentiality and integrity are provided for data transmission between the user equipment and the router in the UIP network; the defects that the existing UIP network cannot provide confidentiality and integrity for data transmission between the user equipment and the router are overcome.
Example twenty one
Fig. 25 shows another user equipment 250 according to an embodiment of the present invention; as shown in fig. 25, the user equipment includes: a processor 2501, a memory 2502, a communication unit 2503, and at least one communication bus 2504 for implementing connection and intercommunication among these devices;
the processor 2501 may be a Central Processing Unit (CPU);
the memory 2502 may be a volatile memory, such as a random-access memory (RAM); or a non-volatile memory, such as a read-only memory (ROM), a flash memory, a hard disk (HDD), or a solid-state drive (SSD); or a combination of the above types of memories, and provides instructions and data to the processor 1001;
the communication unit 2503 is configured to receive an authentication request message sent by a destination router, where the authentication request message includes the random value, an identifier of a domain where the location server is located, and an identifier of the destination router.
The processor 2501 is configured to, when the communication unit 2503 receives the authentication request message, derive a device-related key according to a root key, the random value, and one or more of the following parameters: the device identifier of the user equipment, the identifier of the domain in which the location server is located and the identifier of the destination router; and to derive a session key from the device-dependent key.
Further, the processor 2501 is specifically configured to derive a temporary key according to the device-related key, and to derive a session key according to the temporary key.
Illustratively, the processor 2501 derives the session key by the following six ways (1) to (6), which are described below:
(1) deriving a device dependent key from the random value, the root key and the device identifier, e.g., Kdev = KDF (K, Device ID, nonce);
deriving a temporary key, e.g., Kdev' = KDF (Kdev, counter), from the device-dependent key and the count value;
deriving a session key, for example, Ksession = KDF (Kdev', Domain ID, DR ID), from the temporary key, the identifier of the Domain where the location server is located, and the identifier of the destination router;
(2) deriving a device dependent key from the random value, the root key, and the device identifier, e.g., Kdev = KDF (K, Device ID, nonce);
deriving a temporary key, e.g., Kdev' = KDF (Kdev, counter, Domain ID, DR ID), from the device-dependent key, the count value, the identifier of the Domain where the location server is located, and the identifier of the destination router;
deriving a session key from the temporary key, e.g., Ksession = KDF (Kdev');
(3) deriving a device dependent key from the random value, the root key, and the device identifier, e.g., Kdev = KDF (K, Device ID, nonce);
deriving a temporary key, e.g., Kdev' = KDF (Kdev, Domain ID, DR ID), from the device dependent key, the identifier of the Domain where the location server is located, and the identifier of the destination router;
deriving a session key, e.g., Ksession = KDF (Kdev', counter), from the temporary key and the count value;
(4) deriving a device dependent key from the random value, the root key, and the device identifier, e.g., Kdev = KDF (K, Device ID, nonce);
deriving a temporary key from the device-dependent key, e.g., Kdev' = KDF (Kdev);
deriving a session key, for example, Ksession = KDF (Kdev', counter, Domain ID, DR ID), from the temporary key, the count value, the identifier of the Domain where the location server is located, and the identifier of the destination router;
(5) deriving a Device dependent key, e.g., Kdev = KDF (K, Device ID, nonce, Domain ID, DR ID), from the random value, the root key, the Device identifier of the user equipment, the identifier of the Domain where the location server is located, and the identifier of the destination router;
deriving a temporary key, e.g., Kdev' = KDF (Kdev, counter), from the device-dependent key and the count value;
deriving a session key from the temporary key, e.g., Ksession = KDF (Kdev');
(6) deriving a Device dependent key, e.g., Kdev = KDF (K, Device ID, nonce, Domain ID, DR ID), from the random value, the root key, the Device identifier of the user equipment, the identifier of the Domain where the location server is located, and the identifier of the destination router;
deriving a temporary key from the device-dependent key, e.g., Kdev' = KDF (Kdev);
deriving a session key, e.g., Ksession = KDF (Kdev', counter), from the temporary key and the count value.
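As an added example (not the patent's own code), the whole key hierarchy of Examples nineteen to twenty-one worked in Python: the location server's two manners for Kdev, the destination router's and the user equipment's ways (1) to (6) for Kdev' and Ksession, and a simulated handover in which the UE and the destination router arrive at the same session key. The patent does not specify the KDF, the nonce length or the counter encoding; HMAC-SHA256 over length-prefixed parameters, a 16-byte nonce and a 4-byte big-endian counter are assumptions here, and every identifier and key value is a constructed sample.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple


def KDF(key: bytes, *params: bytes) -> bytes:
    """Assumed KDF (the patent does not fix one): HMAC-SHA256 over the
    length-prefixed parameters, so (b"ab", b"c") and (b"a", b"bc") differ."""
    msg = b"".join(len(p).to_bytes(2, "big") + p for p in params)
    return hmac.new(key, msg, hashlib.sha256).digest()


def derive_kdev(K: bytes, device_id: bytes, nonce: bytes,
                domain_id: Optional[bytes] = None,
                dr_id: Optional[bytes] = None) -> bytes:
    """Device-dependent key Kdev, manner (1) or (2) of the location server.
    Computed by the home location server and, independently, by the UE."""
    if domain_id is None and dr_id is None:
        return KDF(K, device_id, nonce)                      # manner (1)
    if domain_id is None or dr_id is None:
        raise ValueError("manner (2) needs both Domain ID and DR ID")
    return KDF(K, device_id, nonce, domain_id, dr_id)       # manner (2)


def derive_session_key(kdev: bytes, counter: int, domain_id: bytes,
                       dr_id: bytes, way: int) -> bytes:
    """Ksession via the temporary key Kdev', following the UE's ways (1)-(6).
    Ways (1)-(4) go with manner (1) for Kdev; ways (5)-(6) go with manner (2),
    where Domain ID and DR ID are already bound into Kdev."""
    ctr = counter.to_bytes(4, "big")  # count value from the router/UE counter
    if way == 1:
        return KDF(KDF(kdev, ctr), domain_id, dr_id)
    if way == 2:
        return KDF(KDF(kdev, ctr, domain_id, dr_id))
    if way == 3:
        return KDF(KDF(kdev, domain_id, dr_id), ctr)
    if way == 4:
        return KDF(KDF(kdev), ctr, domain_id, dr_id)
    if way == 5:
        return KDF(KDF(kdev, ctr))
    if way == 6:
        return KDF(KDF(kdev), ctr)
    raise ValueError("way must be 1..6")


def allowed_ways(manner: int) -> Tuple[int, ...]:
    """Session-key ways that pair with each Kdev manner (as in the text)."""
    return (1, 2, 3, 4) if manner == 1 else (5, 6)


class LocationServer:
    """Home location server: holds the per-user root keys K (preset by the
    operator) and derives Kdev for the destination router."""

    def __init__(self, domain_id: bytes, root_keys: dict):
        self.domain_id = domain_id
        self.root_keys = root_keys            # User ID -> root key K

    def access_request(self, user_id: bytes, device_id: bytes, dr_id: bytes,
                       manner: int, nonce: Optional[bytes] = None):
        """Handle the destination router's access request. Returns the fields
        of the authentication request (nonce, Domain ID) and of the access
        response (Kdev). nonce is injectable only for deterministic tests."""
        nonce = nonce if nonce is not None else os.urandom(16)
        K = self.root_keys[user_id]           # root key looked up by User ID
        if manner == 1:
            kdev = derive_kdev(K, device_id, nonce)
        else:
            kdev = derive_kdev(K, device_id, nonce, self.domain_id, dr_id)
        return nonce, self.domain_id, kdev


def simulate_handover(ls: LocationServer, user_id: bytes, device_id: bytes,
                      K_ue: bytes, dr_id: bytes, counter: int, manner: int,
                      way: int, nonce: Optional[bytes] = None):
    """One handover: the destination router obtains Kdev from the location
    server, the UE derives Kdev from its own copy of K, and both sides derive
    Ksession. Returns (keys_agree, Ksession as seen by the router)."""
    if way not in allowed_ways(manner):
        raise ValueError(f"way {way} is not defined for manner {manner}")
    nonce, domain_id, kdev_router = ls.access_request(
        user_id, device_id, dr_id, manner, nonce)
    # UE side: the authentication request carries nonce, Domain ID and DR ID
    extra = (domain_id, dr_id) if manner == 2 else ()
    kdev_ue = derive_kdev(K_ue, device_id, nonce, *extra)
    ks_router = derive_session_key(kdev_router, counter, domain_id, dr_id, way)
    ks_ue = derive_session_key(kdev_ue, counter, domain_id, dr_id, way)
    return kdev_router == kdev_ue and ks_router == ks_ue, ks_router


# Constructed sample values (not from the patent).
ROOT_KEYS = {b"user-1": bytes(range(32))}
LS = LocationServer(b"domain-A", ROOT_KEYS)
NONCE = b"\x11" * 16

if __name__ == "__main__":
    for manner in (1, 2):
        for way in allowed_ways(manner):
            ok, ks = simulate_handover(LS, b"user-1", b"phone",
                                       ROOT_KEYS[b"user-1"], b"DR-7",
                                       1, manner, way, NONCE)
            print(f"manner {manner} way {way}: agree={ok} "
                  f"Ksession={ks.hex()[:16]}...")
```

The binding of the counter and of Domain ID / DR ID into Ksession is what keeps a session key from being reused across sessions or across routers; a UE holding a different root key than the location server never converges on the same Kdev, which is how the location server's nonce challenge authenticates it.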
As can be seen from the above, another user equipment 250 is provided in the embodiment of the present invention, and receives an authentication request message sent by a destination router, where the authentication request message includes the random value, an identifier of a domain where the location server is located, and an identifier of the destination router; derives a device dependent key from the root key, the random value and one or more of the following parameters: the device identifier of the user equipment, the identifier of the domain where the location server is located and the identifier of the destination router; derives a temporary key from the device-dependent key; and derives a session key from the temporary key. Thus, the session key is derived step by step, and confidentiality and integrity are provided for data transmission between the user equipment and the router in the UIP network; the defects that the existing UIP network cannot provide confidentiality and integrity for data transmission between the user equipment and the router are overcome.
Example twenty two
Fig. 26 shows a key generation system 26 according to an embodiment of the present invention; as shown in fig. 26, it includes: a user equipment 261, a source router 262, a destination router 263, and a location server 264.
The source router 262 and the destination router 263 have the same functions, and the functions of the user equipment 261, the destination router 263 and the location server 264 are as described in the foregoing description of the user equipment 250, the destination router 230 and the location server 240, and are not described herein again.
As can be seen from the above, in the key generation system 26 provided in the embodiment of the present invention, a destination router receives a handover request message sent by a source router, where the handover request message includes a user identifier of a user equipment and an equipment identifier of the user equipment; the destination router sends an access request message to a location server, wherein the access request includes a user identifier of the user equipment, a device identifier of the user equipment and an identifier of the destination router; the destination router receives an access response message sent by the location server, wherein the access response message contains an equipment-related key, and the equipment-related key is derived by the location server according to a random value, a root key and one or more of the following parameters: a device identifier of the user equipment, a domain identification of a domain in which the location server is located, and an identifier of the destination router; and the destination router derives a session key according to the equipment-related key in the access response message. Thus, the session key is derived step by step, and confidentiality and integrity are provided for data transmission between the user equipment and the router in the UIP network; the defects that the existing UIP network cannot provide confidentiality and integrity for data transmission between the user equipment and the router are overcome.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described units and systems may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. For example, the above-described device embodiments are merely illustrative, and for example, the division of the units is only one logical functional division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may be physically included alone, or two or more units may be integrated into one unit. The integrated unit can be realized in a form of hardware, or in a form of hardware plus a software functional unit.
The integrated unit implemented in the form of a software functional unit may be stored in a computer readable storage medium. The software functional unit is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute some steps of the methods according to the embodiments of the present invention. And the aforementioned storage medium includes: various media capable of storing program codes, such as a usb disk, a removable hard disk, a Read-only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
Those skilled in the art will appreciate that all or part of the steps in the methods of the above embodiments may be implemented by a program to instruct associated hardware (e.g., a processor), the program may be stored in a computer readable storage medium, and the storage medium may include: read-only memory, random access memory, magnetic or optical disk, and the like.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (19)

1. A method of key generation, comprising:
a destination router receives a handover request message sent by a source router, wherein the handover request message contains a user identifier of user equipment and a device identifier of the user equipment;
the destination router sends an access request message to a location server, wherein the access request message contains a user identifier of the user equipment, a device identifier of the user equipment and an identifier of the destination router;
the destination router receives an access response message sent by the location server, wherein the access response message contains an equipment-related key, and the equipment-related key is derived by the location server according to a random value, a root key and one or more of the following parameters: a device identifier of the user equipment, an identifier of a domain in which the location server is located, an identifier of the destination router; the random value is generated by the location server for authenticating the user equipment and generating a device dependent key; the root key is obtained by the location server according to the user identifier;
and the destination router derives a session key according to the equipment-related key in the access response message.
2. The method of claim 1, wherein the destination router derives a session key from the device-dependent key in the access response message, comprising:
the destination router derives a temporary key according to the device-related key in the access response message;
and the destination router derives a session key according to the temporary key.
3. A method according to claim 1 or 2, wherein the device dependent key is derived by the location server from a random value, a root key and a device identifier of the user device;
the step of the destination router deriving the session key according to the device-related key in the access response message includes:
the destination router derives a temporary key according to the device-related key and the count value; wherein the count value is obtained by the destination router;
deriving a session key according to the temporary key, the identifier of the domain where the location server is located and the identifier of the destination router;
or,
the destination router derives a temporary key according to the device-related key, the counting value, the identifier of the domain where the location server is located and the identifier of the destination router;
deriving a session key according to the temporary key;
or,
the destination router derives a temporary key according to the device-related key, the identifier of the domain where the location server is located and the identifier of the destination router;
deriving a session key according to the temporary key and the count value;
or,
the destination router derives a temporary key according to the device-related key;
and deriving a session key according to the temporary key, the counting value, the identifier of the domain where the location server is located and the identifier of the destination router.
4. The method according to claim 1 or 2, wherein the device-dependent key is derived by the location server from a random value, a root key, a device identifier of the user equipment, an identifier of a domain in which the location server is located, and an identifier of the destination router;
the step of the destination router deriving the session key according to the device-related key in the access response message includes:
the destination router derives a temporary key according to the device-related key and the count value;
deriving a session key according to the temporary key;
or,
the destination router derives a temporary key according to the device-related key;
and deriving a session key according to the temporary key and the counting value.
5. The method according to any one of claims 1-4, further comprising:
the destination router receives an authentication request message sent by the location server; wherein the authentication request message contains the random value and an identifier of a domain in which the location server is located;
and the destination router sends an authentication request message to the user equipment, wherein the authentication request message comprises the random value, the identifier of the domain where the location server is located and the identifier of the destination router, so that the user equipment returns an authentication response message and generates a device-related key and a session key.
6. A method of key generation, comprising:
a location server receives an access request message sent by a destination router, wherein the access request message comprises a user identifier of user equipment, a device identifier of the user equipment and an identifier of the destination router;
the location server sends an authentication request message to the destination router, wherein the authentication request message contains a random value and an identifier of a domain where the location server is located; the random value is generated by the location server for authenticating the user equipment and generating a device dependent key;
the location server receives the authentication response message sent by the destination router, and derives the device-related key according to the root key, the random value and one or more of the following parameters: a device identifier of the user equipment, an identifier of a domain in which the location server is located, and an identifier of the destination router; the root key is obtained by the location server according to the user identifier;
and the location server sends an access response message to the destination router, wherein the access response message contains the equipment-related key.
7. The method according to claim 6, wherein the location server derives the device-dependent key from a root key, the random value and one or more of the following parameters: the device identifier of the user equipment, the identifier of the domain where the location server is located, and the identifier of the destination router include:
the location server deriving the device-dependent key from a root key, the random value and a device identifier of the user equipment;
or,
the location server derives the device-dependent key from a root key, the random value, a device identifier of the user equipment, an identifier of a domain in which the location server is located, and an identifier of the destination router.
8. A method of key generation, comprising:
the user equipment receives an authentication request message sent by a destination router, wherein the authentication request message contains the random value, an identifier of a domain where the location server is located and the identifier of the destination router;
the user equipment derives the equipment-related key according to the root key, the random value and one or more of the following parameters: the device identifier of the user equipment, the identifier of the domain in which the location server is located and the identifier of the destination router, a session key being derived from the device-dependent key.
9. The method according to claim 8, wherein the user equipment derives the device dependent key from a root key, the random value and one or more of the following parameters: the device identifier of the user equipment, the identifier of the domain in which the location server is located, and the identifier of the destination router, and derives a session key from the device-dependent key, comprising:
the user equipment derives an equipment-related key according to a root key, the random value and an equipment identifier of the user equipment;
the user equipment derives a temporary key according to the equipment-related key and the counting value;
the user equipment derives a session key according to the temporary key, the identifier of the domain where the location server is located and the identifier of the destination router;
or,
the user equipment derives an equipment-related key according to a root key, the random value and an equipment identifier of the user equipment;
the user equipment derives a temporary key according to the equipment-related key, the counting value, the identifier of the domain where the location server is located and the identifier of the destination router;
the user equipment derives a session key according to the temporary key;
or,
the user equipment derives an equipment-related key according to a root key, the random value and an equipment identifier of the user equipment;
the user equipment derives a temporary key according to the equipment-related key, the identifier of the domain where the location server is located and the identifier of the destination router;
the user equipment derives a session key according to the temporary key and the counting value;
or,
the user equipment derives an equipment-related key according to a root key, the random value and an equipment identifier of the user equipment;
the user equipment derives a temporary key according to the equipment-related key;
the user equipment derives a session key according to the temporary key, the counting value, the identifier of the domain where the location server is located and the identifier of the destination router;
or,
the user equipment derives an equipment-related key according to a root key, the random value, an equipment identifier of the user equipment, an identifier of a domain where the location server is located and an identifier of the destination router;
the user equipment derives a temporary key according to the equipment-related key and the counting value;
the user equipment derives a session key according to the temporary key;
or,
the user equipment derives an equipment-related key according to a root key, the random value, an equipment identifier of the user equipment, an identifier of a domain where the location server is located and an identifier of the destination router;
the user equipment derives a temporary key according to the equipment-related key;
and the user equipment derives a session key according to the temporary key and the counting value.
10. A destination router, comprising:
a receiving module, configured to receive a handover request message sent by a source router, where the handover request message includes a user identifier of a user equipment and a device identifier of the user equipment;
a sending module, configured to send an access request message to a location server when the receiving module receives a handover request message, where the access request message includes a user identifier of the user equipment, a device identifier of the user equipment, and an identifier of the destination router;
the receiving module is further configured to receive an access response message sent by the location server, where the access response message includes an equipment-related key, and the equipment-related key is derived by the location server according to a random value, a root key, and one or more of the following parameters: a device identifier of the user equipment, an identifier of a domain in which the location server is located, and an identifier of the destination router; the random value is generated by the location server for authenticating the user equipment and generating the equipment-related key; the root key is obtained by the location server according to the user identifier;
a generating module, configured to derive a session key according to the equipment-related key when the receiving module receives the access response message.
11. The destination router of claim 10, wherein the generating module is specifically configured to:
deriving a temporary key from the device-dependent key;
and deriving a session key according to the temporary key.
12. The destination router according to claim 10 or 11, wherein the device-dependent key is derived by the location server from a random value, a root key and a device identifier of the user equipment;
correspondingly, the generating module is specifically configured to:
deriving a temporary key according to the device-related key and the count value; wherein the count value is obtained by the destination router;
deriving a session key according to the temporary key, the identifier of the domain where the location server is located and the identifier of the destination router;
or,
deriving a temporary key according to the device-related key, a counting value, an identifier of a domain where the location server is located and an identifier of the destination router;
deriving a session key according to the temporary key;
or,
deriving a temporary key according to the device-dependent key, the identifier of the domain where the location server is located and the identifier of the destination router;
deriving a session key according to the temporary key and the count value;
or,
deriving a temporary key from the device-dependent key;
and deriving a session key according to the temporary key, the counting value, the identifier of the domain where the location server is located and the identifier of the destination router.
13. The destination router according to claim 10 or 11, wherein the device-dependent key is derived by the location server from a random value, a root key, a device identifier of the user equipment, an identifier of a domain in which the location server is located, and an identifier of the destination router,
correspondingly, the generating module is specifically configured to:
deriving a temporary key according to the device-related key and the count value;
deriving a session key according to the temporary key;
or,
deriving a temporary key from the device-dependent key;
and deriving a session key according to the temporary key and the counting value.
14. The destination router according to any of claims 10-13,
the receiving module is further configured to receive an authentication request message sent by the location server, where the authentication request message contains the random value and an identifier of a domain in which the location server is located;
the sending module is further configured to send the authentication request message to the user equipment when the receiving module receives it, where the authentication request message sent to the user equipment comprises the random value, the identifier of the domain where the location server is located and the identifier of the destination router, so that the user equipment returns an authentication response message and generates an equipment-related key and a session key.
15. A location server, comprising:
a receiving module, configured to receive an access request message sent by a destination router, where the access request message includes a user identifier of a user equipment, a device identifier of the user equipment, and an identifier of the destination router;
a sending module, configured to send an authentication request message to the destination router when the receiving module receives an access request message, where the authentication request message includes a random value and an identifier of a domain where the location server is located; the random value is generated by the location server for authenticating the user equipment and generating a device-related key;
the receiving module is further configured to receive an authentication response message sent by the destination router;
a generating module, configured to derive the device-related key according to a root key, the random value, and one or more of the following parameters when the receiving module receives the authentication response message: a device identifier of the user equipment, an identifier of a domain in which the location server is located, and an identifier of the destination router; the root key is obtained by the location server according to the user identifier;
the sending module is further configured to send an access response message to the destination router when the generating module generates the device-related key, where the access response message includes the device-related key.
16. The location server of claim 15,
the generation module is specifically configured to:
deriving the device-related key from a root key, the random value and a device identifier of the user equipment;
or,
deriving the device-related key from a root key, the random value, a device identifier of the user equipment, an identifier of a domain in which the location server is located and an identifier of the destination router.
17. A user equipment, comprising:
a receiving module, configured to receive an authentication request message sent by a destination router, where the authentication request message contains a random value, an identifier of a domain where a location server is located and an identifier of the destination router;
a generating module, configured to derive a device-related key according to a root key, the random value and one or more of the following parameters when the receiving module receives the authentication request message: a device identifier of the user equipment, the identifier of the domain in which the location server is located and the identifier of the destination router; and to derive a session key from the device-related key.
18. The user equipment of claim 17,
the generation module is specifically configured to:
deriving a device-related key from a root key, the random value and a device identifier of the user equipment;
deriving a temporary key according to the device-related key and the count value;
deriving a session key according to the temporary key, the identifier of the domain where the location server is located and the identifier of the destination router;
or,
deriving a device-related key from a root key, the random value and a device identifier of the user equipment;
deriving a temporary key according to the device-related key, a counting value, an identifier of a domain where the location server is located and an identifier of the destination router;
deriving a session key according to the temporary key;
or,
deriving a device-related key from a root key, the random value and a device identifier of the user equipment;
deriving a temporary key according to the device-related key, the identifier of the domain where the location server is located and the identifier of the destination router;
deriving a session key according to the temporary key and the count value;
or,
deriving a device-related key from a root key, the random value and a device identifier of the user equipment;
deriving a temporary key from the device-related key;
deriving a session key according to the temporary key, the counting value, the identifier of the domain where the location server is located and the identifier of the destination router;
or,
deriving a device-related key from a root key, the random value, a device identifier of the user equipment, an identifier of a domain in which the location server is located and an identifier of the destination router;
deriving a temporary key according to the device-related key and the count value;
deriving a session key according to the temporary key;
or,
deriving a device-related key from a root key, the random value, a device identifier of the user equipment, an identifier of a domain in which the location server is located and an identifier of the destination router;
deriving a temporary key from the device-related key;
and deriving a session key according to the temporary key and the counting value.
19. A key generation system, comprising: a source router, a destination router according to any of claims 10-14, a location server according to any of claims 15-16 and a user equipment according to any of claims 17-18.
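The key hierarchy the claims describe (root key, then device-related key, then temporary key, then session key), run end to end for one handover as an added example that is not code from the patent or from Huawei. The KDF (HMAC-SHA256 over labelled, length-prefixed inputs), the choice of the first alternative of claim 12 for the session key, and the sample identifiers are assumptions of this example; the claims fix none of them.

```python
import hmac
import hashlib
import os

def kdf(key: bytes, label: bytes, *params: bytes) -> bytes:
    """Derive 32 bytes with HMAC-SHA256 (this example's KDF choice; the
    claims fix none). Length-prefixing each parameter keeps (b"ab", b"c")
    and (b"a", b"bc") from yielding the same HMAC input."""
    msg = label
    for p in params:
        msg += len(p).to_bytes(2, "big") + p
    return hmac.new(key, msg, hashlib.sha256).digest()

def derive_device_key(root_key, rand, device_id, domain_id=b"", router_id=b""):
    # Claim 16: bound to the device identifier only (leave domain_id and
    # router_id empty) or additionally to the location server's domain
    # identifier and the destination router identifier.
    return kdf(root_key, b"device-key", rand, device_id, domain_id, router_id)

def derive_session_key(device_key, count, domain_id, router_id):
    # Claim 12, first alternative: temporary key from (device key, count),
    # session key from (temporary key, domain id, router id).
    temp_key = kdf(device_key, b"temp-key", count.to_bytes(4, "big"))
    return kdf(temp_key, b"session-key", domain_id, router_id)

def handover(root_key, user_id, device_id, domain_id, router_id, rand, count):
    """Walk one handover through claims 10, 15 and 17 and return the session
    keys held by the destination router and by the user equipment."""
    # Destination router -> location server: access request.
    access_request = {"user": user_id, "device": device_id, "router": router_id}
    # Location server: root key looked up by user identifier (here passed in),
    # random value generated; authentication request {rand, domain id} goes
    # to the router, which forwards {rand, domain id, router id} to the UE.
    auth_request = {"rand": rand, "domain": domain_id, "router": access_request["router"]}
    # UE: derives its own device-related key from the forwarded parameters.
    ue_device_key = derive_device_key(root_key, auth_request["rand"], device_id,
                                      auth_request["domain"], auth_request["router"])
    # Location server: after the authentication response, derives the same
    # device-related key and returns it to the router in the access response.
    ls_device_key = derive_device_key(root_key, rand, access_request["device"],
                                      domain_id, access_request["router"])
    # Router and UE each derive the session key; the root key never leaves
    # the location server and the UE, and the router only ever holds the
    # device-related key bound to this domain and router identifier.
    router_session = derive_session_key(ls_device_key, count, domain_id, router_id)
    ue_session = derive_session_key(ue_device_key, count, domain_id, router_id)
    return router_session, ue_session

if __name__ == "__main__":
    # Constructed sample identifiers; the random value would come from the
    # location server in a real exchange.
    rk, r = b"\x01" * 32, os.urandom(16)
    a, b = handover(rk, b"user-1", b"dev-1", b"domain-a", b"router-a", r, 1)
    print("router and UE agree:", a == b, a.hex())
```

Because the device-related key is bound to the domain and router identifiers, a handover to a different destination router yields a different session key even with the same root key, random value and count.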
CN201410057184.5A 2014-02-19 2014-02-19 A kind of method, equipment and system that key generates Active CN104852891B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201410057184.5A CN104852891B (en) 2014-02-19 2014-02-19 A kind of method, equipment and system that key generates
PCT/CN2014/080987 WO2015123953A1 (en) 2014-02-19 2014-06-27 Key generation method, device and system

Publications (2)

Publication Number Publication Date
CN104852891A true CN104852891A (en) 2015-08-19
CN104852891B CN104852891B (en) 2018-07-20

Family

ID=53852251

Country Status (2)

Country Link
CN (1) CN104852891B (en)
WO (1) WO2015123953A1 (en)

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104917605A (en) * 2014-03-14 2015-09-16 华为技术有限公司 Key negotiation method and device during terminal device switching
CN105426772A (en) * 2015-10-29 2016-03-23 厦门雅迅网络股份有限公司 Method for securely storing root key required by encryption and authentication in FLASH
CN107950001A (en) * 2015-09-29 2018-04-20 华为技术有限公司 Send the server and method of geographical encryption message
CN108418679A (en) * 2017-02-10 2018-08-17 阿里巴巴集团控股有限公司 The method, apparatus and electronic equipment of key are handled under a kind of multiple data centers
CN111008390A (en) * 2019-12-13 2020-04-14 江苏芯盛智能科技有限公司 Root key generation protection method and device, solid state disk and storage medium
CN111093193A (en) * 2019-12-31 2020-05-01 中科芯集成电路有限公司 MAC layer communication security mechanism suitable for Lora network
CN111460455A (en) * 2020-03-20 2020-07-28 北京智芯微电子科技有限公司 Key negotiation method, safety guiding method and system for self-encryption solid state disk
CN113766497A (en) * 2020-06-01 2021-12-07 中国电信股份有限公司 Key distribution method, device, computer readable storage medium and base station

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101499959A (en) * 2008-01-31 2009-08-05 华为技术有限公司 Method, apparatus and system for configuring cipher key
CN101552983A (en) * 2008-04-01 2009-10-07 华为技术有限公司 Key generating method, key generating device, mobile management entity and user equipment
CN102036220A (en) * 2009-09-25 2011-04-27 华为技术有限公司 Mobile management method and device
WO2013060224A1 (en) * 2011-10-26 2013-05-02 中兴通讯股份有限公司 Secure connection method, system and network element
WO2014006295A1 (en) * 2012-07-02 2014-01-09 Orange Implementing a security association during the attachment of an a terminal to an access network

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1268093C (en) * 2002-03-08 2006-08-02 华为技术有限公司 Distribution method of wireless local area network encrypted keys
US8774411B2 (en) * 2009-05-29 2014-07-08 Alcatel Lucent Session key generation and distribution with multiple security associations per protocol instance
CN102833747B (en) * 2012-09-17 2015-02-25 北京交通大学 Method for distributing secret keys realizing authentication for access in separation mechanism mobility management system


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
EXSB Decision made by sipo to initiate substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant