CN105592073B - Key updating method, key server and group membership's equipment - Google Patents
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/06—Network architectures or network communication protocols for network security for supporting key management in a packet data network
- H04L63/062—Network architectures or network communication protocols for network security for supporting key management in a packet data network for key distribution, e.g. centrally by trusted party
- H04L63/064—Hierarchical key distribution, e.g. by multi-tier trusted parties
- H04L12/00—Data switching networks
- H04L12/28—Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
- H04L12/46—Interconnection of networks
- H04L12/4641—Virtual LANs, VLANs, e.g. virtual private networks [VPN]
Abstract
The invention discloses a key updating method. In the method, a key server (KS) determines at least one proxy group member (proxy GM) and, for each proxy GM, the second-level GMs that correspond to it; for each proxy GM, the KS informs that proxy GM of the address information of its corresponding second-level GMs; and when a key update is performed, the KS sends a key push message to the proxy GMs, so that each proxy GM forwards the key push message to each of its corresponding second-level GMs.
Description
Technical field
The present invention relates to the field of communication technology, and in particular to a key updating method, a key server and a group member device.
Background
GD VPN (Group Domain Virtual Private Network) is a solution that implements centralized management of keys and security policies. A traditional IPsec VPN (Internet Protocol Security Virtual Private Network) is a point-to-point tunnel connection, whereas GD VPN is a point-to-multipoint, non-tunnel connection. The typical application of GD VPN is the protection of multicast traffic, such as the secure transmission of audio and video broadcasts and of multicast files.
GD VPN provides a new, group-based IPsec security model. A group is a set of security policies; all members belonging to the same group share the same security policies and keys. As shown in Figure 1, a GD VPN consists of a KS (Key Server) and GMs (Group Members). The KS manages different security policies and keys by dividing them into different groups; a GM obtains security policies and keys from the KS by joining the corresponding group, and is responsible for encrypting and decrypting data traffic.
In GD VPN networking, a GM needs to register with the KS. The registration process consists of two successive negotiation phases:
1. Phase-one IKE (Internet Key Exchange) negotiation: the GM negotiates with the KS and the two sides authenticate each other; after authentication succeeds, an IKE SA (Security Association) is generated to protect the phase-two GDOI (Group Domain of Interpretation) negotiation.
2. Phase-two GDOI negotiation: the negotiation process is defined by the GDOI protocol; it is the process by which the GM "pulls" policy from the KS.
Specifically, the above registration process includes the following steps:
(1) The GM and the KS perform the phase-one IKE negotiation;
(2) The GM sends the identifier (ID) of the group it belongs to to the KS;
(3) According to the group ID provided by the GM, the KS sends the security policy of the corresponding group to the GM (the traffic flows to be protected, the encryption algorithm, the authentication algorithm, the encapsulation mode, and so on);
(4) The GM verifies the received security policy and, if the policy is acceptable (for example, the security protocol and encryption algorithm are supported), sends a confirmation message to the KS;
(5) After the KS receives the GM's confirmation message, it sends key information to the GM, including the key encryption key (Key Encryption Key, KEK) and the traffic encryption key (Traffic Encryption Key, TEK).
Through the above process, the GM "pulls" the SA policy and keys held on the KS to itself. Once a GM has obtained the security policy and keys, data can be encrypted and decrypted between GMs.
After registration is complete, the KS periodically pushes new keys to the GMs, the period being the lifetime of the KEK and TEK. Pushing a new key is done with a Group Key-Push message, which the KS sends to the GMs. A GM does not answer a Group Key-Push message with a Group Key-Push ACK (Acknowledgement) message; instead, the KS repeats the Group Key-Push message several times at a certain interval and then considers the push of the new key complete.
However, this approach does not ensure that the Group Key-Push message carrying the new key is actually received by the GM; it can only guarantee reception under normal conditions. That is, the KS cannot know whether a GM has correctly received the Group Key-Push message.
To address this, the prior art introduces a Group Key-Push ACK message so as to ensure that the GM does receive the Group Key-Push message: after a GM successfully receives the Group Key-Push message sent by the KS, it replies to the KS with a Group Key-Push ACK message. If, after sending the Group Key-Push message, the KS does not receive the GM's Group Key-Push ACK message within a certain time, it retransmits the Group Key-Push message; if no Group Key-Push ACK message is received after several retransmissions, the GM is considered offline and the push of the new key to that GM has failed. This approach has a drawback: in a large-scale deployment where the number of GMs reaches several thousand or more, the registration of GMs with the KS is relatively spread out in time, whereas the pushing of new keys by the KS to the GMs is relatively concentrated. The KS is required to send Group Key-Push messages to several thousand or more GMs at the same time and to receive the Group Key-Push ACK messages replied by those GMs, which overburdens the KS, so that the push of the new key fails for some GMs.
Summary of the invention
In view of this, the invention proposes a key updating method, a key server and a group member device that effectively reduce the burden on the KS during key updates.
The technical solution proposed by the invention is as follows.
A key updating method, comprising:
a key server KS determines at least one proxy group member (proxy GM) and the second-level GMs corresponding to each proxy GM;
for each proxy GM, the KS informs that proxy GM of the address information of its determined corresponding second-level GMs;
when a key update is performed, the KS sends a key push message to the proxy GMs, so that each proxy GM forwards the key push message to each of its corresponding second-level GMs.
A key updating method, comprising:
a proxy group member (proxy GM) receives a key push message sent by a key server KS;
the proxy GM receives a second-level GM notification message sent by the KS, the second-level GM notification message carrying the address information of the second-level GMs corresponding to the proxy GM, and determines its corresponding second-level GMs according to the second-level GM notification message; alternatively, the key push message carries the address information of the second-level GMs corresponding to the proxy GM, and the proxy GM determines its corresponding second-level GMs according to the key push message;
the proxy GM forwards the key push message to its corresponding second-level GMs.
A key server device, comprising:
a processing module, for determining at least one proxy group member (proxy GM) and the second-level GMs corresponding to each proxy GM;
a sending module, for informing each proxy GM of the address information of its determined corresponding second-level GMs, and, when a key update is performed, for sending a key push message to the proxy GMs so that each proxy GM forwards the key push message to each of its corresponding second-level GMs.
A group member device, which, when it is a proxy GM, comprises:
a receiving module, for receiving a key push message sent by a key server KS; and further for receiving a second-level GM notification message sent by the KS, the second-level GM notification message carrying the address information of the second-level GMs corresponding to the proxy GM, and determining the corresponding second-level GMs according to the second-level GM notification message; alternatively, the key push message carries the address information of the second-level GMs corresponding to the proxy GM, and the corresponding second-level GMs are determined according to the key push message;
a sending module, for forwarding the key push message to the corresponding second-level GMs.
In summary, the invention proposes a key updating method in which the KS determines the proxy GMs and the second-level GMs corresponding to each proxy GM, informs each proxy GM of the address information of its corresponding second-level GMs, and, when a key update is performed, sends a key push message to the proxy GMs so that each proxy GM forwards the key push message to each of its corresponding second-level GMs. In this method the KS only needs to send the key push message to the proxy GMs, and the proxy GMs forward it to their corresponding second-level GMs, which greatly reduces the burden on the KS when performing a key update.
Detailed description of the invention
Fig. 1 is a schematic diagram of the GD VPN networking structure;
Fig. 2 is the flow chart of the technical solution of the invention;
Fig. 3 is the networking structure diagram of the method in the embodiment of the invention;
Fig. 4 is the structure diagram of the KS device in the embodiment of the invention;
Fig. 5 is the structure diagram of the GM device in the embodiment of the invention.
Specific embodiment
The technical solution of the invention proposes a key updating method in which the KS divides the GMs into proxy domains and sends the key push message only to the proxy GM of each proxy domain; the proxy GM then forwards the received key push message to the second-level GMs in its proxy domain. In this way the burden on the KS during a key update can be substantially reduced.
The invention proposes a key updating method; the technical solution of the embodiment of the invention is as follows.
Fig. 2 is the flow chart of the technical solution of the invention. As shown in Fig. 2, the method is applied to the KS and comprises the following steps:
Step 201: The KS determines at least one proxy group member (proxy GM) and the second-level GMs corresponding to each proxy GM.
In this step, the KS divides the GMs into proxy domains; in each proxy domain marked off, one GM is selected and determined to be the proxy GM, and the other GMs in that proxy domain are determined to be the second-level GMs corresponding to the proxy GM of that domain.
When the KS divides proxy domains, the preferred embodiment of the invention is that no two proxy domains intersect, i.e. each GM belongs to exactly one proxy domain. Furthermore, all GMs in this embodiment belong to the same group.
Specifically, the KS may divide proxy domains by at least the following three methods:
(1) Proxy domains are divided according to address range or network segment: GMs belonging to the same address range or the same network segment are divided into the same proxy domain. For example, if the GM address ranges are 1.1.1.1-1.1.1.10, 1.1.1.11-1.1.1.20, 1.1.1.21-1.1.1.30 and 1.2.3.0/24, the KS divides 1.1.1.1-1.1.1.10 into proxy domain 1, 1.1.1.11-1.1.1.20 into proxy domain 2, 1.1.1.21-1.1.1.30 into proxy domain 3 and 1.2.3.0/24 into proxy domain 4.
(2) The KS divides proxy domains according to a preset number of addresses, so that the number of GMs in each proxy domain does not exceed the preset number of addresses. For example, if the KS presets that each proxy domain contains 256 addresses, all GMs in the network are divided into several proxy domains, each containing no more than 256 addresses.
(3) The KS presets the number of proxy domains and divides all GMs into at least one proxy domain, the number of proxy domains created not exceeding the preset number.
The above are three preferred embodiments of the proxy domain division method; other feasible proxy domain division methods also exist.
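As an added illustration of the three division methods above (this is example code, not code from the patent), the following Python script partitions a constructed list of GM addresses by address range or network segment, by a maximum number of addresses per domain, and by a preset number of domains, then picks the proxy GM of each domain and checks the preferred property that every GM lands in exactly one domain. The GM address list is constructed; the segments reuse the ranges given in method (1); choosing the lowest address of a domain as its proxy GM is an assumption, since the patent only says that one GM per domain is selected.

```python
import ipaddress

# Constructed sample input: 30 GMs in 1.1.1.0/24 and 5 GMs in 1.2.3.0/24 (assumption, not from the patent).
GMS = [f"1.1.1.{i}" for i in range(1, 31)] + [f"1.2.3.{i}" for i in range(1, 6)]

# Address ranges / network segments taken from division method (1) of the description.
SEGMENTS = ["1.1.1.1-1.1.1.10", "1.1.1.11-1.1.1.20", "1.1.1.21-1.1.1.30", "1.2.3.0/24"]


def in_segment(addr, segment):
    """True if addr lies in segment, written either as 'lo-hi' or as CIDR notation."""
    ip = ipaddress.ip_address(addr)
    if "-" in segment:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in segment.split("-", 1))
        return lo <= ip <= hi
    return ip in ipaddress.ip_network(segment, strict=False)


def divide_by_segment(gms, segments):
    """Method (1): one proxy domain per address range or network segment.
    Each GM goes into the first segment that contains it, so domains never overlap."""
    domains = [[] for _ in segments]
    for gm in gms:
        for idx, seg in enumerate(segments):
            if in_segment(gm, seg):
                domains[idx].append(gm)
                break
        else:
            raise ValueError(f"GM {gm} matches no configured segment")
    return [d for d in domains if d]


def divide_by_max_size(gms, max_size):
    """Method (2): consecutive domains of at most max_size GMs (the patent's example uses 256)."""
    return [gms[i:i + max_size] for i in range(0, len(gms), max_size)]


def divide_by_domain_count(gms, max_domains):
    """Method (3): at most max_domains domains, filled as evenly as possible."""
    per_domain = -(-len(gms) // max_domains)  # ceiling division
    return divide_by_max_size(gms, per_domain)


def assign_proxies(domains):
    """Map each domain's proxy GM to its second-level GMs.
    Taking the first (lowest) address as proxy is an assumption; the patent only says one GM is selected."""
    return {domain[0]: domain[1:] for domain in domains}


def is_partition(domains, gms):
    """Check the preferred property: every GM is in exactly one proxy domain."""
    seen = [gm for domain in domains for gm in domain]
    return len(seen) == len(set(seen)) and set(seen) == set(gms)


if __name__ == "__main__":
    for name, domains in [("by segment", divide_by_segment(GMS, SEGMENTS)),
                          ("max 10 per domain", divide_by_max_size(GMS, 10)),
                          ("at most 3 domains", divide_by_domain_count(GMS, 3))]:
        print(name, [len(d) for d in domains], "partition:", is_partition(domains, GMS))
    for proxy, second_level in assign_proxies(divide_by_segment(GMS, SEGMENTS)).items():
        print("proxy", proxy, "->", len(second_level), "second-level GMs")
```

Method (3) reuses method (2) with a computed domain size: since the size is the ceiling of GMs per domain, the number of domains produced can never exceed the preset count.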
Step 202: For each proxy GM, the KS informs that proxy GM of the address information of its determined corresponding second-level GMs; when a key update is performed, the KS sends a key push message to the proxy GMs, so that each proxy GM forwards the key push message to each of its corresponding second-level GMs.
In this step, the KS may inform a proxy GM of the address information of its corresponding second-level GMs in either of two ways:
Way one: for each proxy GM, the KS sends a second-level GM notification message to that proxy GM, the message carrying the address information of the second-level GMs corresponding to that proxy GM, so that the proxy GM learns its corresponding second-level GMs from the second-level GM notification message.
Way two: if the KS does not use a second-level GM notification message to inform the proxy GM of the address information of its corresponding second-level GMs, the KS carries the address information of the second-level GMs corresponding to the proxy GM in the key push message it sends to that proxy GM, and the proxy GM learns the address information of its corresponding second-level GMs from the key push message. In this way the KS does not need to send an additional second-level GM notification message, which reduces the number of messages the KS sends.
Further, after a proxy GM receives the key push message sent by the KS, it responds to the KS with a key push confirmation message informing the KS that it has correctly received the key push message. If the KS does not receive the key push confirmation message responded by a proxy GM within a preset time, it retransmits the key push message to the proxy GM that did not respond; if the key push confirmation message is still not received when the number of retransmissions reaches the upper limit, that proxy GM is determined to be a failed proxy GM, a new proxy GM is determined from the proxy domain to which the failed proxy GM belongs, the newly determined proxy GM is informed of the address information of its corresponding second-level GMs, and the key push message is sent to the newly determined proxy GM.
Further, after a second-level GM receives the key push message forwarded by its proxy GM, it sends a key push confirmation message to the corresponding proxy GM. When the proxy GM receives the key push confirmation message responded by a second-level GM, that second-level GM has successfully received the key push message. If the proxy GM does not receive a key push confirmation message from some second-level GM, it considers that the second-level GM did not successfully receive the key push message, records the address information of that second-level GM, and carries the addresses of all second-level GMs in its proxy domain that did not correctly receive the key push message in a key push result message sent to the KS, so that the KS can further process the second-level GMs that did not successfully receive the key push message.
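The following Python simulation is an added example, not code from the patent, of the behaviour described in Step 202 using way two (the second-level addresses travel inside the key push message): the KS pushes only to proxy GMs, retransmits to a proxy that does not confirm up to an upper limit of 4 retransmissions (the value the patent's own embodiment assumes), re-elects a proxy from the same domain when that limit is reached, and collects the key push result messages in which each proxy reports the second-level GMs that did not confirm. Everything beyond that is an assumption: the 18-GM topology, the `drop_first` loss model (a count of pushes lost before a GM receives one), messages represented as dicts, the new proxy being the next GM of the domain, and the failed proxy simply being reported to the KS for further handling.

```python
MAX_RETRANSMISSIONS = 4   # upper limit used in the patent's embodiment


class GroupMember:
    """A GM that can play either the proxy role or the second-level role.
    drop_first is a constructed fault model: the number of pushes lost before
    this GM receives one (0 = always reachable, a large value = effectively offline)."""

    def __init__(self, addr, drop_first=0):
        self.addr = addr
        self.drop_first = drop_first
        self.key = None

    def _lost(self):
        if self.drop_first > 0:
            self.drop_first -= 1
            return True
        return False

    def receive_as_second_level(self, push):
        """Second-level GM: install the key and confirm to the proxy (None = nothing arrived)."""
        if self._lost():
            return None
        self.key = push["key"]
        return {"ack": self.addr}

    def receive_as_proxy(self, push, network):
        """Proxy GM: install the key, forward it to the second-level GMs listed in the push,
        and return the confirmation for the KS together with the key push result
        (second-level GMs that did not confirm). None means the push never arrived."""
        if self._lost():
            return None
        self.key = push["key"]
        not_confirmed = [addr for addr in push["second_level"]
                         if network[addr].receive_as_second_level(push) is None]
        return {"ack": self.addr, "result": not_confirmed}


class KeyServer:
    def __init__(self, network, domains, max_retx=MAX_RETRANSMISSIONS):
        self.network = network    # addr -> GroupMember
        self.domains = domains    # list of proxy domains, each an ordered list of addrs
        self.max_retx = max_retx

    def _send_with_retransmit(self, proxy, push):
        retx = 0   # retransmission counter starts at 0, as in the patent's example
        while True:
            resp = self.network[proxy].receive_as_proxy(push, self.network)
            if resp is not None or retx >= self.max_retx:
                return resp, retx
            retx += 1

    def push_key(self, key):
        """One key update round: push to each domain's proxy, re-electing on failure."""
        report = {"acked_proxies": [], "failed_proxies": [],
                  "missing_second_level": [], "retransmissions": {}}
        for domain in self.domains:
            candidates = list(domain)
            while candidates:
                proxy, second_level = candidates[0], candidates[1:]
                push = {"key": key, "second_level": second_level}   # way two: addresses in the push
                resp, retx = self._send_with_retransmit(proxy, push)
                report["retransmissions"][proxy] = retx
                if resp is None:
                    # limit reached without confirmation: failed proxy, re-elect within the domain
                    report["failed_proxies"].append(proxy)
                    candidates = second_level
                    continue
                report["acked_proxies"].append(proxy)
                report["missing_second_level"].extend(resp["result"])
                break
        return report


def build_demo_network():
    """Constructed topology: 18 GMs in three proxy domains of six (assumption)."""
    network = {f"GM{i}": GroupMember(f"GM{i}") for i in range(1, 19)}
    network["GM4"].drop_first = 99    # second-level GM that never confirms
    network["GM7"].drop_first = 1     # proxy whose first push is lost; the retransmission succeeds
    network["GM13"].drop_first = 99   # proxy that is offline, so the KS re-elects in domain 3
    domains = [[f"GM{i}" for i in range(1, 7)],
               [f"GM{i}" for i in range(7, 13)],
               [f"GM{i}" for i in range(13, 19)]]
    return network, domains


def run_demo(key="TEK-v2"):
    network, domains = build_demo_network()
    report = KeyServer(network, domains).push_key(key)
    holders = sorted(addr for addr, gm in network.items() if gm.key == key)
    return report, holders


if __name__ == "__main__":
    report, holders = run_demo()
    print(report)
    print(len(holders), "GMs hold the new key")
```

Running it shows the three cases of the embodiment at small scale: GM1 confirms at once but reports GM4 in its key push result message, GM7 needs one retransmission, and GM13 is declared a failed proxy after four retransmissions, after which GM14 is pushed to with GM15 to GM18 as its second-level GMs. The report is what lets the KS know, per GM, whether the new key arrived, which the background section identifies as the gap in the repeat-only push.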
The above key updating method is described in detail below with reference to a specific embodiment.
Fig. 3 is the networking structure diagram of this embodiment. As shown in Fig. 3, the group member devices in the GD VPN network are GM1 to GM60, and GM1 to GM60 belong to the same group and share the same security policy and keys. It is assumed that GM1 to GM60 have completed registration with the KS; this embodiment illustrates the technical solution of the invention by taking the KS pushing a new key to each GM as an example.
First, the KS divides proxy domains and determines the proxy GMs and the second-level GMs corresponding to each proxy GM.
Assume that GM1 to GM20 are divided into proxy domain 1, GM21 to GM40 into proxy domain 2 and GM41 to GM60 into proxy domain 3. GM1 is determined to be the proxy GM of proxy domain 1, and GM2 to GM20 are the second-level GMs corresponding to GM1; GM21 is determined to be the proxy GM of proxy domain 2, and GM22 to GM40 are the second-level GMs corresponding to GM21; GM41 is determined to be the proxy GM of proxy domain 3, and GM42 to GM60 are the second-level GMs corresponding to GM41.
After the proxy GMs and their corresponding second-level GMs have been determined, the KS can perform key updates periodically. When performing a key update, for each proxy GM the KS sends a key push message to that proxy GM and carries in the key push message the address information of the second-level GMs corresponding to that proxy GM. Specifically, the key push message the KS sends to GM1 carries the address information of GM2 to GM20, the key push message sent to GM21 carries the address information of GM22 to GM40, and the key push message sent to GM41 carries the address information of GM42 to GM60.
The solution of the invention is illustrated below for each proxy GM separately.
For GM1, assume that GM1 successfully receives the key push message. According to the address information of GM2 to GM20 carried in the key push message, GM1 forwards the received key push message to GM2 to GM20 and sends a key push confirmation message to the KS; the step in which GM1 forwards the key push message to GM2 to GM20 and the step in which GM1 sends the key push confirmation message to the KS may be performed in either order.
After GM2 to GM20 receive the key push message forwarded by GM1, each sends a key push confirmation message to GM1 informing GM1 that it has correctly received the key push message. If within the preset time GM1 does not receive the key push confirmation message responded by one or more of its corresponding second-level GMs, it records the address information of the corresponding second-level GMs that did not respond with a key push confirmation message, carries the recorded address information in a key push result message and sends it to the KS, informing the KS of the second-level GMs in proxy domain 1 that did not successfully receive the key push message, so that the KS can further process the second-level GMs that did not receive the new key.
For GM21, assume that GM21 does not successfully receive the key push message sent by the KS, i.e. the KS does not receive a key push confirmation message from GM21 within the preset time. The KS judges that the number of times the key push message has been retransmitted to GM21 (the retransmission count starts at 0) is less than the preset maximum (assume the preset maximum is 4), so it retransmits the key push message to GM21 and increments the retransmission count by 1. Assume that GM21 receives the key push message retransmitted by the KS for the first time; then, according to the address information of GM22 to GM40 carried in the key push message, GM21 forwards the key push message to GM22 to GM40 respectively and sends a key push confirmation message to the KS informing the KS that it has correctly received the key push message; the step in which GM21 forwards the key push message to GM22 to GM40 and the step in which GM21 sends the key push confirmation message to the KS may be performed in either order.
After GM22 to GM40 receive the key push message forwarded by GM21, each sends a key push confirmation message to GM21 informing GM21 that it has correctly received the key push message. If within the preset time GM21 does not receive the key push confirmation message responded by one or more of its corresponding second-level GMs, it records the address information of the corresponding second-level GMs that did not respond with a key push confirmation message, carries the recorded address information in a key push result message and sends it to the KS, informing the KS of the second-level GMs in proxy domain 2 that did not successfully receive the key push message, so that the KS can further process the second-level GMs that did not receive the new key.
For GM41, assume that GM41 does not successfully receive the key push message sent by the KS, i.e. the KS does not receive a key push confirmation message from GM41 within the preset time. The KS then judges whether the number of times the key push message has been retransmitted to GM41 (the retransmission count starts at 0) is less than the preset maximum (assume the preset maximum is 4); if so, it retransmits the key push message to GM41 and increments the retransmission count by 1. Assume that when the retransmission count reaches the preset maximum the KS still has not received a key push confirmation message from GM41; the KS then determines that GM41 is a failed proxy GM and determines a new proxy GM from the proxy domain to which GM41 belongs (proxy domain 3), i.e. it selects one GM from GM42 to GM60 as the new proxy GM. Assume that GM42 is determined to be the new proxy GM; the KS then sends the key push message to GM42, the key push message carrying the address information of GM43 to GM60. Assume that GM42 successfully receives the key push message; then, according to the address information of GM43 to GM60 carried in the key push message, GM42 forwards the key push message to GM43 to GM60 respectively and sends a key push confirmation message to the KS informing the KS that it has successfully received the key push message; the step in which GM42 forwards the key push message to GM43 to GM60 and the step in which GM42 sends the key push confirmation message to the KS may be performed in either order.
After GM43 to GM60 receive the key push message forwarded by GM42, each sends a key push confirmation message to GM42 informing GM42 that it has correctly received the key push message. If within the preset time GM42 does not receive the key push confirmation message responded by one or more of its corresponding second-level GMs, it records the address information of the corresponding second-level GMs that did not respond with a key push confirmation message, carries the recorded address information in a key push result message and sends it to the KS, informing the KS of the second-level GMs in proxy domain 3 that did not successfully receive the key push message, so that the KS can further process the second-level GMs that did not receive the new key.
In this embodiment, the KS divides the GMs into several proxy domains, each GM belonging to exactly one proxy domain; in each proxy domain one GM is selected as the proxy GM, and the GMs in that proxy domain not selected as the proxy GM are the second-level GMs corresponding to the proxy GM. When performing a key update, the KS sends the key push message only to the proxy GMs. If a proxy GM successfully receives the key push message, it forwards the key push message to its corresponding second-level GMs and sends a key push confirmation message to the KS; if the KS does not receive the key push confirmation message responded by a proxy GM within the preset time, it retransmits the key push message to the proxy GM that did not respond, and if the number of retransmissions reaches the preset maximum, that proxy GM is considered a failed proxy GM, a new proxy GM is determined from the other second-level GMs in the failed proxy GM's proxy domain, and the key push message is sent to the newly determined proxy GM. Meanwhile, a second-level GM also responds to its proxy GM with a key push confirmation message after successfully receiving the key push message, so that the proxy GM can count the second-level GMs that did not successfully receive the key push message and report them to the KS. This method lets the KS know clearly whether each GM has received the new key, and greatly reduces the burden on the KS.
For the above method, invention additionally discloses a kind of KS equipment, Fig. 4 is the structure chart of the equipment, as shown in figure 4, should
Equipment includes:
Processing module 410, for determining that at least one is acted on behalf of group membership GM and each acts on behalf of the corresponding second level GM of GM.
This determined is acted on behalf of the corresponding second level GM address information of GM for acting on behalf of GM for each by sending module 420
Inform that this acts on behalf of GM.
When carrying out key updating, key PUSH message is sent to GM is acted on behalf of, so that acting on behalf of GM for the key PUSH message
It is transmitted to itself corresponding each second level GM.
Processing module 410 further include:
Agent Domain divides submodule 411, for GM to be carried out Agent Domain division.
It acts on behalf of GM and determines submodule 412, for selecting a GM to be determined as acting on behalf of GM in each Agent Domain marked off,
Other GM in the Agent Domain are determined as acting on behalf of the corresponding second level GM of GM in the Agent Domain.
Agent Domain divides submodule 411 and is further used for:
Agent Domain is divided according to address field or network segment, the GM for belonging to same address field or same network segment is divided into the same generation
Manage domain;
Alternatively, dividing Agent Domain according to preset address number, the GM number that each Agent Domain includes is no more than describedly
Location number;
Alternatively, all GM are divided at least one Agent Domain, the Agent Domain number of division is no more than preset Agent Domain
Number.
The equipment further include:
Receiving module 430 pushes confirmation message for the Receiving Agent GM key sent, and the key pushes confirmation message
It is to act on behalf of after GM receives the key PUSH message that the sending module is sent to be sent to the KS;
Sending module 420 is also used to, if receiving module 430 is not received by within a preset time acts on behalf of the close of GM response
Key pushes confirmation message, retransmits key PUSH message to key push confirmation message is not responded and acts on behalf of GM;
If number of retransmissions reaches upper limit value does not receive the key push confirmation message yet, acts on behalf of GM and determine submodule
411 are also used to, and determine that the GM that acts on behalf of for not responding key push confirmation message acts on behalf of GM for failure, act on behalf of GM institute from the failure
It is redefined in the Agent Domain of category and acts on behalf of GM.
Sending module 420 is further used for, and the corresponding second level GM address information informing of GM of acting on behalf of redefined out is somebody's turn to do
GM is acted on behalf of, and sends key PUSH message and acts on behalf of GM to what is redefined out.
GM is acted on behalf of for each, this determined is acted on behalf of the corresponding second level GM address information of GM, and to inform that this acts on behalf of GM specific
Include:
GM is acted on behalf of for each, sending module 420 sends second level GM notification message and acts on behalf of GM to this, and the second level GM is logical
Know that message carries the address information for acting on behalf of the corresponding second level GM of GM.
GM is acted on behalf of for each, this determined is acted on behalf of into the corresponding second level GM address information of GM and informs that this acts on behalf of GM;Into
When row key updating, key PUSH message is sent to GM is acted on behalf of, the key PUSH message is transmitted to itself so that acting on behalf of GM
Corresponding each second level GM is specifically included:
When carrying out key updating, GM is acted on behalf of for each, sending module 420 sends key PUSH message and gives the agency
GM is sent to the key PUSH message for acting on behalf of GM and carries the address information for acting on behalf of the corresponding second level GM of GM, so that the agency
GM knows itself corresponding second level GM, and the key PUSH message is transmitted to itself corresponding second level GM.
For the above method, the invention further discloses a GM device that serves as a proxy GM. Fig. 5 shows the structure of the device; as shown in Fig. 5, the device includes:
Receiving module 501, for receiving the key push message sent by the key server KS;
and also for receiving a second-level GM notification message sent by the KS, which carries the address information of the second-level GMs corresponding to the proxy GM, and determining the proxy GM's own corresponding second-level GMs according to that notification message; or, where the key push message carries the address information of the second-level GMs corresponding to the proxy GM, determining its own corresponding second-level GMs according to the key push message;
Sending module 502, for forwarding the key push message to its own corresponding second-level GMs.
Receiving module 501 is also used to:
receive the key push confirmation messages responded by its own corresponding second-level GMs, each key push confirmation message being sent to the receiving module by a second-level GM corresponding to the proxy GM after that second-level GM receives the key push message.
The device further includes:
Processing module 503, for determining the second-level GMs that did not respond with a key push confirmation message;
Sending module 502 is further used to send a key push result message to the KS, the key push result message carrying the address information of the determined second-level GMs that did not respond with a key push confirmation message.
The foregoing describes only preferred embodiments of the present invention and is not intended to limit it; any modification, equivalent substitution, improvement and the like made within the spirit and principle of the present invention shall fall within the scope of the present invention.
Claims (18)
1. A key update method, characterized in that the method comprises:
a key server KS determining at least one proxy group member GM and the second-level GMs corresponding to each proxy GM;
for each proxy GM, informing that proxy GM of the determined address information of its corresponding second-level GMs;
when a key update is performed, the KS sending a key push message to the proxy GM so that the proxy GM forwards the key push message to each of its corresponding second-level GMs.
2. The method according to claim 1, characterized in that the key server KS determining at least one proxy GM and the second-level GMs corresponding to each proxy GM specifically comprises:
the KS dividing the GMs into proxy domains;
selecting one GM in each divided proxy domain and determining it as the proxy GM, and determining the other GMs in that proxy domain as the second-level GMs corresponding to the proxy GM of that proxy domain.
3. The method according to claim 2, characterized in that the KS dividing the GMs into proxy domains comprises:
the KS dividing proxy domains according to address field or network segment, GMs belonging to the same address field or the same network segment being placed in the same proxy domain;
or, the KS dividing proxy domains according to a preset address number, the number of GMs contained in each proxy domain not exceeding that address number;
or, dividing all GMs into at least one proxy domain, the number of proxy domains divided not exceeding a preset number of proxy domains.
4. The method according to claim 2, characterized in that the method further comprises:
if the KS does not receive a key push confirmation message responded by a proxy GM within a preset time, retransmitting the key push message to the proxy GM that did not respond with a key push confirmation message, the key push confirmation message being sent to the KS by the proxy GM after it receives the key push message;
if the number of retransmissions reaches an upper limit and the key push confirmation message has still not been received, determining that the proxy GM that did not respond with a key push confirmation message is a failed proxy GM, re-determining a proxy GM in the proxy domain to which the failed proxy GM belongs, informing the newly determined proxy GM of the address information of its corresponding second-level GMs, and sending the key push message to the newly determined proxy GM.
5. The method according to claim 1, characterized in that, for each proxy GM, informing that proxy GM of the determined address information of its corresponding second-level GMs specifically comprises:
for each proxy GM, the KS sending a second-level GM notification message to that proxy GM, the second-level GM notification message carrying the address information of the second-level GMs corresponding to that proxy GM.
6. The method according to claim 1, characterized in that, for each proxy GM, informing that proxy GM of the determined address information of its corresponding second-level GMs and, when a key update is performed, the KS sending a key push message to the proxy GM so that the proxy GM forwards the key push message to each of its corresponding second-level GMs, specifically comprises:
when a key update is performed, for each proxy GM, the KS sending a key push message to that proxy GM, the key push message sent to that proxy GM carrying the address information of the second-level GMs corresponding to that proxy GM, so that the proxy GM learns its corresponding second-level GMs and forwards the key push message to them.
7. A key update method, characterized in that the method comprises:
a proxy group member GM receiving a key push message sent by a key server KS;
the proxy GM receiving a second-level GM notification message sent by the KS, the second-level GM notification message carrying the address information of the second-level GMs corresponding to the proxy GM, and determining its own corresponding second-level GMs according to the second-level GM notification message; or, the key push message carrying the address information of the second-level GMs corresponding to the proxy GM, and the proxy GM determining its own corresponding second-level GMs according to the key push message;
forwarding the key push message to its own corresponding second-level GMs.
8. The method according to claim 7, characterized in that the method further comprises:
the proxy GM receiving the key push confirmation messages responded by its own corresponding second-level GMs, each key push confirmation message being sent to the KS by a second-level GM corresponding to the proxy GM after that second-level GM receives the key push message.
9. The method according to claim 8, characterized in that the method further comprises:
the proxy GM determining the second-level GMs that did not respond with a key push confirmation message;
sending a key push result message to the KS, the key push result message carrying the address information of the determined second-level GMs that did not respond with a key push confirmation message.
10. A key server KS device, characterized in that the device comprises:
a processing module, for determining at least one proxy group member GM and the second-level GMs corresponding to each proxy GM;
a sending module, for informing each proxy GM of the determined address information of its corresponding second-level GMs, and, when a key update is performed, sending a key push message to the proxy GM so that the proxy GM forwards the key push message to each of its corresponding second-level GMs.
11. The device according to claim 10, characterized in that the processing module further comprises:
a proxy domain dividing submodule, for dividing the GMs into proxy domains;
a proxy GM determining submodule, for selecting one GM in each divided proxy domain and determining it as the proxy GM, the other GMs in that proxy domain being determined as the second-level GMs corresponding to the proxy GM of that proxy domain.
12. The device according to claim 11, characterized in that the proxy domain dividing submodule is further used to:
divide proxy domains according to address field or network segment, GMs belonging to the same address field or the same network segment being placed in the same proxy domain;
or, divide proxy domains according to a preset address number, the number of GMs contained in each proxy domain not exceeding that address number;
or, divide all GMs into at least one proxy domain, the number of proxy domains divided not exceeding a preset number of proxy domains.
13. The device according to claim 11, characterized in that the device further comprises:
a receiving module, for receiving a key push confirmation message sent by a proxy GM, the key push confirmation message being sent to the KS by the proxy GM after it receives the key push message sent by the sending module;
the sending module is also used to retransmit the key push message to the proxy GM that did not respond with a key push confirmation message if the receiving module does not receive the key push confirmation message responded by that proxy GM within a preset time;
if the number of retransmissions reaches an upper limit and the key push confirmation message has still not been received, the proxy GM determining submodule is also used to determine that the proxy GM that did not respond with a key push confirmation message is a failed proxy GM and to re-determine a proxy GM in the proxy domain to which the failed proxy GM belongs;
the sending module is further used to inform the newly determined proxy GM of the address information of its corresponding second-level GMs, and to send the key push message to the newly determined proxy GM.
14. The device according to claim 10, characterized in that informing each proxy GM of the determined address information of its corresponding second-level GMs specifically comprises:
for each proxy GM, the sending module sending a second-level GM notification message to that proxy GM, the second-level GM notification message carrying the address information of the second-level GMs corresponding to that proxy GM.
15. The device according to claim 10, characterized in that informing each proxy GM of the determined address information of its corresponding second-level GMs and, when a key update is performed, sending a key push message to the proxy GM so that the proxy GM forwards the key push message to each of its corresponding second-level GMs, specifically comprises:
when a key update is performed, for each proxy GM, the sending module sending a key push message to that proxy GM, the key push message sent to that proxy GM carrying the address information of the second-level GMs corresponding to that proxy GM, so that the proxy GM learns its corresponding second-level GMs and forwards the key push message to them.
16. A group member GM device, characterized in that, when the device acts as a proxy GM, the device comprises:
a receiving module, for receiving a key push message sent by a key server KS;
the receiving module also being used to receive a second-level GM notification message sent by the KS, the second-level GM notification message carrying the address information of the second-level GMs corresponding to the proxy GM, and to determine its own corresponding second-level GMs according to the second-level GM notification message; or, the key push message carrying the address information of the second-level GMs corresponding to the proxy GM, and the receiving module determining its own corresponding second-level GMs according to the key push message;
a sending module, for forwarding the key push message to its own corresponding second-level GMs.
17. The device according to claim 16, characterized in that the receiving module is also used to:
receive the key push confirmation messages responded by its own corresponding second-level GMs, each key push confirmation message being sent to the receiving module by a second-level GM corresponding to the proxy GM after that second-level GM receives the key push message.
18. The device according to claim 16, characterized in that the device further comprises:
a processing module, for determining the second-level GMs that did not respond with a key push confirmation message;
the sending module being further used to send a key push result message to the KS, the key push result message carrying the address information of the determined second-level GMs that did not respond with a key push confirmation message.
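The following simulation, added here and not part of the patent or any vendor's product, walks through the exchange the claims describe: the KS divides GMs into proxy domains by network segment (claims 2 and 3), pushes a key to each proxy GM, retransmits up to a limit and re-elects a proxy in the domain when it stays silent (claim 4), and each proxy GM forwards the push and reports the second-level GMs that never confirmed (claims 7 to 9). The /24 segment rule, the retry limit and all addresses are constructed assumptions.

```python
"""Added simulation of the hierarchical key-push protocol in the claims above:
KS -> proxy GM -> second-level GMs, with retransmission, proxy failover and the
proxy's key push result report. Illustrative code written for this page, not the
patent's implementation; the /24 rule, retry limit and addresses are assumed."""
from collections import defaultdict
import ipaddress

RETRY_LIMIT = 3  # upper limit on retransmissions to one proxy GM (assumed value)


class GM:
    """A group member; `second_level` is non-empty only while it acts as proxy."""

    def __init__(self, addr, up=True):
        self.addr, self.up = addr, up
        self.keys, self.second_level = [], []

    def receive_push(self, key):
        """Return True (the key push confirmation) if this GM is reachable."""
        if not self.up:
            return False
        self.keys.append(key)
        return True

    def forward_push(self, key, members):
        """Claims 7-9: accept the push, relay it to each second-level GM and
        return the addresses that sent no confirmation (the key push result).
        None means this proxy GM itself never confirmed."""
        if not self.receive_push(key):
            return None
        return [a for a in self.second_level if not members[a].receive_push(key)]


class KeyServer:
    """Claims 1-6: split GMs into proxy domains by network segment, elect one
    proxy GM per domain, notify it of its second-level GMs, then push keys."""

    def __init__(self, members):
        self.members = {m.addr: m for m in members}
        self.domains = defaultdict(list)
        for addr in self.members:
            self.domains[ipaddress.ip_interface(f"{addr}/24").network].append(addr)
        self.proxies = {seg: self._elect(seg) for seg in self.domains}
        self.retransmissions = 0

    def _elect(self, seg, failed=None):
        """Pick the first GM of the domain other than a proxy declared failed and
        give it its second-level addresses (the second-level GM notification)."""
        proxy = next(a for a in self.domains[seg] if a != failed)
        self.members[proxy].second_level = [a for a in self.domains[seg] if a != proxy]
        if failed is not None:
            self.members[failed].second_level = []  # demoted from the proxy role
        return proxy

    def rekey(self, key):
        """One key update. Returns {segment: second-level addresses that never
        confirmed}, i.e. what each proxy GM reports in its key push result."""
        report = {}
        for seg in self.domains:
            for attempt in range(RETRY_LIMIT + 1):  # initial send plus retries
                result = self.members[self.proxies[seg]].forward_push(key, self.members)
                if result is not None:  # key push confirmation received
                    break
                if attempt < RETRY_LIMIT:
                    self.retransmissions += 1  # claim 4: retransmit the push
            else:  # retries exhausted: proxy GM has failed, re-elect in its domain
                old = self.proxies[seg]
                self.proxies[seg] = self._elect(seg, failed=old)
                result = self.members[self.proxies[seg]].forward_push(key, self.members)
            report[str(seg)] = result  # None here means the new proxy failed too
        return report
```

A failed proxy stays in its domain as a second-level GM, so after failover it shows up in the new proxy's key push result rather than silently disappearing from the group.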
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510807942.5A CN105592073B (en) | 2015-11-20 | 2015-11-20 | Key updating method, key server and group membership's equipment |
Publications (2)
Publication Number | Publication Date |
---|---|
CN105592073A CN105592073A (en) | 2016-05-18 |
CN105592073B true CN105592073B (en) | 2019-01-08 |
Family
ID=55931288
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201510807942.5A Active CN105592073B (en) | 2015-11-20 | 2015-11-20 | Key updating method, key server and group membership's equipment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105592073B (en) |
Families Citing this family (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106878010A (en) * | 2017-02-22 | 2017-06-20 | 美的智慧家居科技有限公司 | Encryption and decryption method and device based on security chip key pair |
CN107171786A (en) * | 2017-05-19 | 2017-09-15 | 成都极玩网络技术有限公司 | Network agent account control method |
CN109274494B (en) * | 2018-11-27 | 2022-06-21 | 新华三技术有限公司 | Method and device for maintaining secret key |
CN110351249A (en) * | 2019-06-18 | 2019-10-18 | 五邑大学 | A kind of industry internet multimedia flow security system, equipment and storage medium |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101645833A (en) * | 2009-09-02 | 2010-02-10 | 北京科技大学 | Multicast routing method based on sparse splitting network |
CN103532952A (en) * | 2013-10-15 | 2014-01-22 | 杭州华三通信技术有限公司 | Method and equipment for informing key data |
CN104270350A (en) * | 2014-09-19 | 2015-01-07 | 杭州华三通信技术有限公司 | Key information transmission method and equipment |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8160255B2 (en) * | 2006-04-24 | 2012-04-17 | Cisco Technology, Inc. | System and method for encrypted group network communication with point-to-point privacy |
US8447039B2 (en) * | 2007-09-26 | 2013-05-21 | Cisco Technology, Inc. | Active-active hierarchical key servers |
Non-Patent Citations (2)
Title |
---|
"GET VPN technology and applications"; 尹淑玲; Computer Security (《计算机安全》); 2014-01-15 (No. 1); pp. 51-53 |
"Design and implementation of a group-encrypted transport virtual private network"; 王文龙; China Master's Theses Full-text Database, Information Science and Technology series (《中国优秀硕士学位论文全文数据库(信息科技辑)》); 2014-06-15 (No. 6); I138-244 |
Also Published As
Publication number | Publication date |
---|---|
CN105592073A (en) | 2016-05-18 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| CB02 | Change of applicant information | Address after: No. 466 Changhe Road, Binjiang District, Zhejiang, China, 310052; Applicant after: Xinhua three Technology Co., Ltd. Address before: No. 466 Changhe Road, Binjiang District, Zhejiang, China, 310052; Applicant before: Huasan Communication Technology Co., Ltd. |
| GR01 | Patent grant | |