CN106714153A - Key distribution, generation and reception method, and related device - Google Patents

Key distribution, generation and reception method, and related device

Info

Publication number: CN106714153A
Application number: CN201510780029.0A
Authority: CN (China)
Prior art keywords: key, network element, business, parameter, administrative center
Legal status: Granted (Google states that the listed legal status is an assumption, not a legal conclusion)
Other languages: Chinese (zh)
Other versions: CN106714153B (en)
Inventors: 甘露, 张博
Current assignee: Huawei Technologies Co Ltd (Google notes that listed assignees may be inaccurate)
Original assignee: Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd
Priority to CN201510780029.0A (granted as CN106714153B)
Priority to PCT/CN2016/080649 (published as WO2017080142A1)
Publication of CN106714153A
Application granted; publication of CN106714153B
Current legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/02 Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
    • H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/041 Key generation or derivation
    • H04W12/043 Key management, e.g. using generic bootstrapping architecture [GBA] using a trusted network node as an anchor
    • H04W12/0431 Key distribution or pre-distribution; Key agreement
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/083 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP]

Abstract

The embodiment of the invention discloses a key distribution, generation and reception method, and a related device. The method of the embodiment of the invention comprises the following steps: acquiring service parameters and a service root key of a first network element by a first key management center, wherein the service parameters are parameters in a first service, and the service root key of the first network element is generated according to a key parameter which is obtained after the authentication of the first network element; generating a service key by the first key management center according to the service root key of the first network element and the service parameters, wherein the service key is used for encrypting and/or performing integrity protection on communication data in the first service between the first network element and a second network element; and transmitting the service key to a second key management center, so as to facilitate the second key management center to encrypt and/or perform integrity protection on the service key and after that transmit the service key to the second network element. The embodiment of the invention can prevent the data from being eavesdropped during the transmission process.

Description

Key distribution, generation and reception method, and related device
Technical field
The present invention relates to the field of mobile communication technology, and in particular to a key distribution, generation and reception method and a related device.
Background technology
In existing mobile communication security architectures, data is protected hop by hop, from one network element to the next; that is, protection is applied in segments, each segment being encrypted separately. In the existing 2G/3G/4G mobile architectures, end-to-end communication data is likewise protected segment by segment. Although segmented encryption is flexible, an intermediate node can obtain the plaintext of the communication data, so eavesdropping attacks on the communication data cannot be resisted, and the security of segmented encryption is therefore poor.
For example, Fig. 1 is a schematic diagram of the protocol stack architecture of 4G LTE in the prior art. In Fig. 1, data sent by a user equipment (UE) to the packet data network (PDN) gateway (PDN GW) passes in turn through the base station (eNodeB) and the serving gateway (serving GW) before reaching the PDN GW. Between the UE and the eNodeB, the security mechanism of the PDCP layer provides encryption; between the eNodeB and the serving GW, and between the serving GW and the PDN GW, the IPsec security protocol is used. Because the base station is deployed outdoors, an attacker who compromises the base station can eavesdrop and obtain the plaintext recovered after PDCP decryption.
Summary of the invention
A first aspect of the embodiments of the present invention provides a key distribution method, including:
a first key management center obtains a service parameter and a service root key of a first network element, where the service parameter is a parameter of a first service and the service root key of the first network element is generated from a key parameter obtained after authentication of the first network element;
the first key management center generates a service key from the service root key of the first network element and the service parameter, where the service key is used to encrypt and/or integrity-protect communication data of the first service between the first network element and a second network element;
the first key management center performs one of the following steps A, B and C:
A: the first key management center obtains a shared key of the second network element, the shared key being used for communication between the first key management center and the second network element;
the first key management center encrypts and/or integrity-protects the service key with the shared key of the second network element to generate a first security protection parameter;
the first key management center sends the first security protection parameter to the second network element;
B: a secure channel is established between the first key management center and the second network element, and the first key management center sends the service key to the second network element over the secure channel;
C: the first key management center sends the service key to a second key management center, so that the second key management center encrypts and/or integrity-protects the service key and then sends it to the second network element.
With reference to the first aspect, in a first possible implementation of the first aspect, obtaining the service root key of the first network element by the first key management center includes:
the first key management center obtains a first parameter by performing AKA authentication with the first network element, the first parameter including at least one of Kasme, an integrity key and an encryption key;
the first key management center computes the output of a first preset key derivation function, the service root key of the first network element including that output, where the input of the first preset key derivation function includes the first parameter.
With reference to the first aspect, in a second possible implementation of the first aspect, obtaining the service root key of the first network element by the first key management center includes:
the first key management center receives the service root key of the first network element sent by the mobility management entity (MME), where the MME computes that service root key from a first parameter obtained by performing AKA authentication with the first network element, the first parameter including at least one of Kasme, an integrity key and an encryption key.
With reference to the first aspect or its first or second possible implementation, in a third possible implementation of the first aspect, generating the service key by the first key management center from the service root key of the first network element and the service parameter includes:
the first key management center computes the output of a second preset key derivation function, the service key including that output, where the input of the second preset key derivation function includes the service root key of the first network element and the service parameter.
With reference to the third possible implementation method of first aspect, in the 4th kind of possible reality of first aspect Apply in mode, methods described also includes:
The first key administrative center obtains the business root key of the second network element;Second preset key Derive the argument of function also business root key including second network element;
The first key administrative center obtains the shared key of the first network element, first network element it is shared Key is used for the first key administrative center and the first network element communicates;
The first key administrative center is using the shared key of first network element to second network element Business root key is encrypted and/or integrity protection, generates the second safeguard protection parameter;
The first key administrative center sends to first network element the second safeguard protection parameter, So that the business root of first network element, second network element according to the second safeguard protection parameter acquiring is close Key, and the business root key is calculated according to the business root key of second network element.
With reference in a first aspect, in the 5th kind of possible implementation method of first aspect, the first key Administrative center is generated using pre-setting method according to the business root key of first network element and the service parameter Business cipher key, also includes before:
The first key administrative center receives first network element, second network element, gateway or clothes The key request that business device sends, the key request is used to initiate the generation of the business cipher key, described close Identity comprising first network element, the identity of second network element and the industry in key request Business parameter at least one.
With reference in a first aspect, in the 6th kind of possible implementation method of first aspect, when described first close When key administrative center performs the step A, the first key administrative center obtains second network element Shared key, including:
The first key administrative center authenticates the ginseng of acquisition first by carrying out AKA with second network element Number, first parameter includes at least one in Kasme, Integrity Key and encryption key;
The first key administrative center calculates the dependent variable that the 3rd preset key derives function, described second The shared key of network element includes that the 3rd preset key derives the dependent variable of function;Wherein, the described 3rd Preset key derives argument of function includes first parameter.
With reference in a first aspect, in the 7th kind of possible implementation method of first aspect, when described first close When key administrative center performs the step A, the first key administrative center obtains second network element Shared key, including:
The first key administrative center receives the shared key of the second network element that MME sends, wherein, institute The shared key for stating the second network element is that the MME is calculated by the first parameter, and first parameter is institute State MME by and the second network element AKA authenticate and obtain, first parameter includes Kasme, complete At least one in property key and encryption key.
A second aspect of the embodiments of the present invention provides a key generation method, including:
a first key management center obtains a service root key of a first network element and a service root key of a second network element;
the first key management center obtains a first shared key and a second shared key, where the first shared key is used for communication between the first key management center and the first network element, and the second shared key is used for communication between the first key management center and the second network element;
the first key management center encrypts and/or integrity-protects the service root key of the second network element with the first shared key to generate a first security protection parameter;
the first key management center encrypts and/or integrity-protects the service root key of the first network element with the second shared key to generate a second security protection parameter;
the first key management center sends the first security protection parameter to the first network element, so that the first network element obtains the service root key of the second network element from the first security protection parameter and generates a service key from the service root key of the first network element and the service root key of the second network element;
the first key management center sends the second security protection parameter to the second network element, so that the second network element obtains the service root key of the first network element from the second security protection parameter and generates the service key from the service root key of the first network element and the service root key of the second network element;
where the service key is used to encrypt and/or integrity-protect communication data of a first service between the first network element and the second network element.
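The two key hierarchies described above, the first aspect (key management center derives the service key and delivers it to the second network element under that element's shared key, step A) and the second aspect (each network element receives the peer's service root key and derives the service key itself), as an added worked example. This is illustration written for this page, not code from the patent or from Huawei. The patent names only a "preset key derivation function" and "encrypt and/or integrity protect", so the example assumes HMAC-SHA256 for every key derivation function and an HMAC-based encrypt-then-MAC for the security protection parameter; the labels, identities and key material are constructed, and a deployment would use a standard AEAD such as AES-GCM in place of the toy cipher.

```python
import hashlib
import hmac
import os

NONCE_LEN = 16   # bytes of random nonce in a security protection parameter
TAG_LEN = 32     # bytes of HMAC-SHA256 tag


def kdf(key: bytes, label: bytes, *inputs: bytes) -> bytes:
    """Assumed preset KDF: HMAC-SHA256 keyed with `key`, with a domain-separation
    label and length-prefixed inputs so that different input lists never collide."""
    mac = hmac.new(key, label, hashlib.sha256)
    for item in inputs:
        mac.update(len(item).to_bytes(2, "big") + item)
    return mac.digest()


def service_root_key(kasme: bytes, ne_id: bytes) -> bytes:
    """First preset KDF: service root key from the AKA-derived first parameter (Kasme)."""
    return kdf(kasme, b"service-root", ne_id)


def shared_key(kasme: bytes, ne_id: bytes) -> bytes:
    """Third preset KDF: key shared between the KMC and one network element."""
    return kdf(kasme, b"kmc-shared", ne_id)


def service_key(root_key: bytes, service_param: bytes, *extra: bytes) -> bytes:
    """Second preset KDF: service key from a root key, the service parameter and,
    optionally, the peer's root key and identity."""
    return kdf(root_key, b"service-key", service_param, *extra)


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter mode over HMAC-SHA256: block i = HMAC(enc_key, nonce || i)
    blocks = (length + 31) // 32
    return b"".join(hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(blocks))[:length]


def protect(key: bytes, payload: bytes) -> bytes:
    """Security protection parameter = nonce || ciphertext || tag (encrypt-then-MAC)."""
    enc_key, mac_key = kdf(key, b"enc"), kdf(key, b"mac")
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ s for p, s in zip(payload, _keystream(enc_key, nonce, len(payload))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unprotect(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; reject any tampering."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("security protection parameter too short")
    enc_key, mac_key = kdf(key, b"enc"), kdf(key, b"mac")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("security protection parameter failed integrity check")
    return bytes(c ^ s for c, s in zip(ct, _keystream(enc_key, nonce, len(ct))))


def tampering_detected(key: bytes, blob: bytes) -> bool:
    """True when unprotect rejects `blob` (wrong key or modified bytes)."""
    try:
        unprotect(key, blob)
    except ValueError:
        return True
    return False


def first_aspect_step_a(kasme1, kasme2, ne1_id, ne2_id, service_param):
    """First aspect, step A: the KMC derives the service key from NE1's service root
    key and sends it to NE2 wrapped under NE2's shared key.
    Returns (key generated at the KMC, key recovered at NE2)."""
    # KMC side; kasme1 and kasme2 are the outputs of its AKA runs with NE1 and NE2
    k_service = service_key(service_root_key(kasme1, ne1_id), service_param)
    first_protection_param = protect(shared_key(kasme2, ne2_id), k_service)
    # NE2 side: it holds its own Kasme, so it rebuilds the shared key and unwraps
    recovered = unprotect(shared_key(kasme2, ne2_id), first_protection_param)
    return k_service, recovered


def second_aspect(kasme1, kasme2, ne1_id, ne2_id, service_param):
    """Second aspect: the KMC gives each NE the peer's service root key, wrapped under
    that NE's shared key, and each NE derives the service key itself. Both sides must
    order the root keys identically: NE1's is the KDF key, NE2's is an input.
    Returns (key derived at NE1, key derived at NE2)."""
    k_root1 = service_root_key(kasme1, ne1_id)
    k_root2 = service_root_key(kasme2, ne2_id)
    to_ne1 = protect(shared_key(kasme1, ne1_id), k_root2)  # first security protection parameter
    to_ne2 = protect(shared_key(kasme2, ne2_id), k_root1)  # second security protection parameter
    # NE1 side
    peer_root = unprotect(shared_key(kasme1, ne1_id), to_ne1)
    key_at_ne1 = service_key(service_root_key(kasme1, ne1_id), service_param, peer_root, ne2_id)
    # NE2 side
    peer_root = unprotect(shared_key(kasme2, ne2_id), to_ne2)
    key_at_ne2 = service_key(peer_root, service_param, service_root_key(kasme2, ne2_id), ne2_id)
    return key_at_ne1, key_at_ne2


if __name__ == "__main__":
    # Constructed sample material: two AKA outputs, two identities, one service parameter
    k1, k2, svc = os.urandom(32), os.urandom(32), b"service=1;session=42"
    print("first aspect :", first_aspect_step_a(k1, k2, b"ne1", b"ne2", svc)[1].hex())
    print("second aspect:", second_aspect(k1, k2, b"ne1", b"ne2", svc)[0].hex())
```

Three points of the design carry over to any real implementation of this scheme: the first, second and third preset key derivation functions must be domain-separated (here by label) so that a service root key, a service key and a KMC shared key derived from the same Kasme can never coincide; the receiver verifies the integrity tag before it decrypts, so a modified or mis-keyed security protection parameter is rejected rather than yielding garbage key material; and in the second aspect both network elements must agree on the order in which the two root keys enter the derivation, or they will derive different service keys.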
A third aspect of the embodiments of the present invention provides a key generation method, including:
a first network element obtains a first parameter by performing AKA authentication, the first parameter including at least one of Kasme, an integrity key and an encryption key;
the first network element obtains a service root key of the first network element from the first parameter;
the first network element obtains a service parameter, the service parameter being a parameter of a first service;
the first network element generates a service key from the service root key of the first network element and the service parameter, where the service key is used to encrypt and/or integrity-protect communication data of the first service between the first network element and a second network element.
With reference to the third aspect, in a first possible implementation of the third aspect, generating the service key by the first network element from its service root key and the service parameter includes:
the first network element computes the output of a preset key derivation function, the service key including that output, where the input of the preset key derivation function includes the service root key of the first network element and the service parameter.
With reference to the first possible implementation of the third aspect, in a second possible implementation of the third aspect, the method further includes:
the first network element obtains an identity of the second network element;
the input of the preset key derivation function further includes the identity of the second network element.
With reference to the third aspect, in a third possible implementation of the third aspect, the method further includes:
the first network element obtains a shared key of the first network element, the shared key being used for communication between a first key management center and the first network element;
the first network element receives a second security protection parameter sent by the first key management center;
the first network element decrypts the second security protection parameter with the shared key of the first network element to obtain a service root key of the second network element;
and generating the service key by the first network element from its service root key and the service parameter includes:
the first network element generates the service key from the service root key of the first network element, the service root key of the second network element and the service parameter.
With reference to the third aspect, in a fourth possible implementation of the third aspect, before the first network element generates the service key from its service root key and the service parameter, the method further includes:
the first network element sends a key request to the first key management center, where the key request is used to initiate generation of the service key and includes at least one of the identity of the first network element, the identity of the second network element and the service parameter.
With reference to the fourth possible implementation of the third aspect, in a fifth possible implementation of the third aspect, before the first network element sends the key request to the first key management center, the method further includes:
the first network element sends a service request to a service server, where the service server performs service management between the first network element and the second network element;
the first network element receives a response message sent by the service server, the response message including at least one of an indicator, the identity of the first network element, the identity of the second network element and the service parameter, where the indicator indicates that authorization of the first service succeeded.
With reference to the fourth possible implementation of the third aspect, in a sixth possible implementation of the third aspect, before the first network element sends the key request to the first key management center, the method further includes:
the first network element receives a service message sent by the service server, a gateway, the MME or the second network element, the service message including at least one of the identity of the first network element and the identity of the second network element.
A fourth aspect of the embodiments of the present invention provides a method for obtaining a key, including:
the MME obtains a third parameter by performing AKA authentication with a first network element, the third parameter including at least one of Kasme, an integrity key, an encryption key, a non-access-stratum integrity key, a non-access-stratum encryption key and a base station key;
the MME computes the output of a first preset key derivation function, the key of the first network element including that output, where the input of the first preset key derivation function includes the third parameter;
the MME sends the key of the first network element to the key management center corresponding to the first network element.
A fifth aspect of the embodiments of the present invention provides a first key management center, including:
a first acquisition module, configured to obtain a service parameter and a service root key of a first network element, where the service parameter is a parameter of a first service and the service root key of the first network element is generated from a key parameter obtained after authentication of the first network element;
a first generation module, configured to generate a service key from the service root key of the first network element and the service parameter, where the service key is used to encrypt and/or integrity-protect communication data of the first service between the first network element and a second network element;
the first key management center further includes either a second acquisition module, a second generation module and a first sending module; or a second sending module, with a secure channel established between the first key management center and the second network element; or a third sending module, where:
the second acquisition module is configured to obtain a shared key of the second network element, the shared key being used for communication between the first key management center and the second network element;
the second generation module is configured to encrypt and/or integrity-protect the service key with the shared key of the second network element to generate a first security protection parameter;
the first sending module is configured to send the first security protection parameter to the second network element;
the second sending module is configured to send the service key to the second network element over the secure channel;
the third sending module is configured to send the service key to a second key management center, so that the second key management center encrypts and/or integrity-protects the service key and then sends it to the second network element.
With reference to the fifth aspect, in a first possible implementation of the fifth aspect, the first acquisition module is specifically configured to:
obtain a first parameter by performing AKA authentication with the first network element, the first parameter including at least one of Kasme, an integrity key and an encryption key;
compute the output of a first preset key derivation function, the service root key of the first network element including that output, where the input of the first preset key derivation function includes the first parameter.
With reference to the fifth aspect, in a second possible implementation of the fifth aspect, the first acquisition module is specifically configured to:
receive the service root key of the first network element sent by the mobility management entity (MME), where the MME computes that service root key from a first parameter obtained by performing AKA authentication with the first network element, the first parameter including at least one of Kasme, an integrity key and an encryption key.
With reference to the fifth aspect or its first or second possible implementation, in a third possible implementation of the fifth aspect, the first generation module is specifically configured to:
compute the output of a second preset key derivation function, the service key including that output, where the input of the second preset key derivation function includes the service root key of the first network element and the service parameter.
With reference to the third possible implementation of the fifth aspect, in a fourth possible implementation of the fifth aspect, the first key management center further includes:
a third acquisition module, configured to obtain a service root key of the second network element, the input of the second preset key derivation function further including the service root key of the second network element;
a fourth acquisition module, configured to obtain a shared key of the first network element, the shared key being used for communication between the first key management center and the first network element;
a third generation module, configured to encrypt and/or integrity-protect the service root key of the second network element with the shared key of the first network element to generate a second security protection parameter;
a fourth sending module, configured to send the second security protection parameter to the first network element, so that the first network element obtains the service root key of the second network element from the second security protection parameter and computes the service key from it.
With reference to the fifth aspect, in a fifth possible implementation of the fifth aspect, the first key management center further includes:
a first receiving module, configured to receive, before the first generation module generates the service key from the service root key of the first network element and the service parameter, a key request sent by the first network element, the second network element, a gateway or a server, where the key request is used to initiate generation of the service key and includes at least one of the identity of the first network element, the identity of the second network element and the service parameter.
With reference to the fifth aspect, in a sixth possible implementation of the fifth aspect, when the first key management center includes the second acquisition module, the second generation module and the first sending module, the second acquisition module is specifically configured to:
obtain a first parameter by performing AKA authentication with the second network element, the first parameter including at least one of Kasme, an integrity key and an encryption key;
compute the output of a third preset key derivation function, the shared key of the second network element including that output, where the input of the third preset key derivation function includes the first parameter.
With reference to the fifth aspect, in a seventh possible implementation of the fifth aspect, when the first key management center includes the second acquisition module, the second generation module and the first sending module, the second acquisition module is specifically configured to:
receive the shared key of the second network element sent by the MME, where the MME computes that shared key from a first parameter obtained by performing AKA authentication with the second network element, the first parameter including at least one of Kasme, an integrity key and an encryption key.
A sixth aspect of the embodiments of the present invention provides a first key management center, including:
a first acquisition module, configured to obtain a service root key of a first network element and a service root key of a second network element;
a second acquisition module, configured to obtain a first shared key and a second shared key, where the first shared key is used for communication between the first key management center and the first network element, and the second shared key is used for communication between the first key management center and the second network element;
a first generation module, configured to encrypt and/or integrity-protect the service root key of the second network element with the first shared key to generate a first security protection parameter;
a second generation module, configured to encrypt and/or integrity-protect the service root key of the first network element with the second shared key to generate a second security protection parameter;
a first sending module, configured to send the first security protection parameter to the first network element, so that the first network element obtains the service root key of the second network element from the first security protection parameter and generates a service key from the service root key of the first network element and the service root key of the second network element;
a second sending module, configured to send the second security protection parameter to the second network element, so that the second network element obtains the service root key of the first network element from the second security protection parameter and generates the service key from the service root key of the first network element and the service root key of the second network element;
where the service key is used to encrypt and/or integrity-protect communication data of a first service between the first network element and the second network element.
A seventh aspect of the embodiments of the present invention provides a first network element, including:
A first acquisition module, for obtaining a first parameter by performing AKA authentication, the first parameter including at least one of Kasme, an integrity key and a cipher key;
A second acquisition module, for obtaining the business root key of the first network element from the first parameter;
A third acquisition module, for obtaining a service parameter, the service parameter being a parameter of the first business;
A first generation module, for generating a business key from the business root key of the first network element and the service parameter, the business key being used to encrypt and/or integrity-protect communication data in the first business between the first network element and a second network element.
With reference to the seventh aspect, in a first possible implementation of the seventh aspect, the first generation module is specifically configured to:
calculate the dependent variable of a preset key derivation function, the business key including the dependent variable of the preset key derivation function; wherein the independent variables of the preset key derivation function include the business root key of the first network element and the service parameter.
With reference to the first possible implementation of the seventh aspect, in a second possible implementation of the seventh aspect, the first network element further includes:
A fourth acquisition module, for obtaining the identity of the second network element;
and the independent variables of the preset key derivation function further include the identity of the second network element.
With reference to the seventh aspect, in a third possible implementation of the seventh aspect, the first network element further includes:
A fifth acquisition module, for obtaining the shared key of the first network element, the shared key of the first network element being used for communication between the first key management center and the first network element;
A first receiving module, for receiving the second security protection parameter sent by the first key management center;
A sixth acquisition module, for decrypting the second security protection parameter using the shared key of the first network element, to obtain the business root key of the second network element;
and the first generation module is specifically configured to generate the business key from the business root key of the first network element, the business root key of the second network element and the service parameter.
With reference to the seventh aspect, in a fourth possible implementation of the seventh aspect, the first network element further includes:
A first sending module, for sending a key request to the first key management center before the first generation module generates the business key from the business root key of the first network element and the service parameter, the key request being used to initiate generation of the business key and including at least one of the identity of the first network element, the identity of the second network element and the service parameter.
With reference to the fourth possible implementation of the seventh aspect, in a fifth possible implementation of the seventh aspect, the first network element further includes:
A second sending module, for sending a service request to a service server before the first sending module sends the key request to the first key management center, wherein the service server is used to perform service management between the first network element and the second network element;
A second receiving module, for receiving a response message sent by the service server, the response message including at least one of an indicator, the identity of the first network element, the identity of the second network element and the service parameter, wherein the indicator is used to indicate that authorization of the first business succeeded.
With reference to the fourth possible implementation of the seventh aspect, in a sixth possible implementation of the seventh aspect, the first network element further includes:
A third receiving module, for receiving, before the first sending module sends the key request to the first key management center, a service message sent by a service server, a gateway, an MME or the second network element, the service message including at least one of the identity of the first network element and the identity of the second network element.
An eighth aspect of the embodiments of the present invention provides a mobility management node, including:
An acquisition module, for obtaining a third parameter by performing AKA authentication with a first network element, the third parameter including at least one of Kasme, an integrity key, a cipher key, a non-access-stratum integrity key, a non-access-stratum cipher key and a base station key;
A computing module, for calculating the dependent variable of a first preset key derivation function, the key of the first network element including the dependent variable of the first preset key derivation function; wherein the independent variables of the first preset key derivation function include the first parameter;
A sending module, for sending the key of the first network element to the key management center corresponding to the first network element.
As can be seen from the technical solutions above, the embodiments of the present invention have the following advantages:
In the present invention, the first key management center obtains the business root key and the service parameter of the first network element, and the preset method by which it generates the business key from the business root key and the service parameter of the first network element is the same as the preset method by which the first network element generates the business key from its own business root key and the service parameter. The first key management center and the first network element can therefore generate the same business key, so the first key management center does not need to send the business key to the first network element, which avoids the business key being leaked while it is delivered to the first network element. In addition, the first key management center encrypts and/or integrity-protects the business key using the shared key of the second network element to generate the first security protection parameter and sends it to the second network element, so that the second network element can restore the first security protection parameter to the business key using its shared key. In this way, when communication data is exchanged between the first network element and the second network element, it can be protected with the business key, preventing the communication data from being eavesdropped on during transmission.
Brief description of the drawings
Fig. 1 is a schematic diagram of the protocol stack architecture of 4G LTE in the prior art;
Fig. 2 is a schematic structural diagram of one embodiment of the communication system provided in an embodiment of the present invention;
Fig. 3 is a schematic flowchart of one embodiment of the key distribution flow of the communication system shown in Fig. 2;
Fig. 4 is a schematic flowchart of another embodiment of the key distribution flow of the communication system shown in Fig. 2;
Fig. 5 is a schematic flowchart of another embodiment of the key distribution flow of the communication system shown in Fig. 2;
Fig. 6 is a schematic flowchart of one embodiment of the key distribution method of the invention;
Fig. 7 is a schematic flowchart of one embodiment of the key generation method of the invention;
Fig. 8 is a schematic flowchart of another embodiment of the key generation method of the invention;
Fig. 9 is a schematic flowchart of one embodiment of the key acquisition method of the invention;
Fig. 10 is a schematic structural diagram of one embodiment of the first key management center of the invention;
Fig. 11 is a schematic structural diagram of another embodiment of the first key management center of the invention;
Fig. 12 is a schematic structural diagram of another embodiment of the first key management center of the invention;
Fig. 13 is a schematic structural diagram of another embodiment of the first key management center of the invention;
Fig. 14 is a schematic structural diagram of one embodiment of the first network element of the invention;
Fig. 15 is a schematic structural diagram of another embodiment of the first network element of the invention;
Fig. 16 is a schematic structural diagram of another embodiment of the first network element of the invention;
Fig. 17 is a schematic structural diagram of another embodiment of the first network element of the invention;
Fig. 18 is a schematic structural diagram of another embodiment of the first network element of the invention;
Fig. 19 is a schematic structural diagram of another embodiment of the first network element of the invention;
Fig. 20 is a schematic structural diagram of one embodiment of the mobility management node of the invention;
Fig. 21 is a schematic structural diagram of one embodiment of the first key management center of the invention;
Fig. 22 is a schematic structural diagram of another embodiment of the first key management center of the invention;
Fig. 23 is a schematic structural diagram of one embodiment of the first network element of the invention;
Fig. 24 is a schematic structural diagram of one embodiment of the mobility management node of the invention.
Specific embodiments
So that those skilled in the art can better understand the solution of the present invention, the technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings of those embodiments. Clearly, the described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the scope of protection of the invention.
The terms "first", "second", "third", "fourth" and so on in the description, the claims and the accompanying drawings serve to distinguish different objects, not to describe a particular order. Furthermore, the terms "comprising" and "having", and any variants of them, are intended to cover a non-exclusive inclusion. For example, a process, method, system, product or device that contains a series of steps or units is not limited to the steps or units listed, but may optionally include steps or units that are not listed, or may optionally include other steps or units inherent to those processes, methods, products or devices.
To facilitate understanding of the embodiments of the invention, the communication system used in describing the embodiments is introduced first. Fig. 2 is a schematic structural diagram of one embodiment of the communication system provided in an embodiment of the present invention. The communication system includes a key management center (English: Key Management System, abbreviated KMS) 1, a network element 1, a KMS 2 and a network element 2.
Network element 1 and network element 2 may each be any of a user terminal (English: User Equipment, abbreviated UE), a base station, a server, a gateway, or any other device that needs to encrypt and/or integrity-protect data when transmitting it; this is not restricted here. KMS 1 and KMS 2 may belong to the same operator or to different operators, or may be devices in the Internet; this is not restricted here.
In the present invention, when network element 1 sends communication data to network element 2, it protects the communication data with the business key, or with a key derived from the business key, and then forwards the data to network element 2. Protecting the communication data here includes encrypting and/or integrity-protecting it with the business key or with the key derived from the business key. Network element 2 restores the received communication data using the business key or the key derived from the business key. Therefore, before network element 1 sends communication data, network element 1 and network element 2 each need to obtain the business key.
In the present invention, network element 1 and KMS1 each obtain the same business root key of network element 1, and each obtain the same service parameter. Network element 1 and KMS1 then each calculate the business key from the business root key of network element 1 and the service parameter using the same preset method. After KMS1 has calculated the business key, it sends the business key to network element 2, so that network element 1 and network element 2 each hold the same business key and can communicate using it.
Referring to Fig. 3, Fig. 3 is a schematic flowchart of one embodiment of the key distribution flow of the communication system shown in Fig. 2. As shown in Fig. 3, the key distribution flow in this embodiment includes:
S31: Network element 1 and KMS1 each obtain the same business root key of network element 1, and each obtain the same service parameter.
In this embodiment, the business root key of network element 1 is used to calculate the business keys of all businesses between network element 1 and other network elements. Specifically, once network element 1 and KMS1 have each obtained the business root key of network element 1, whenever they obtain the business key of a business between network element 1 and another network element, they calculate that business key from the business root key of network element 1 and a parameter of that business.
Specifically, in this embodiment, network element 1 and KMS1 each obtain the same business root key of network element 1, and each obtain the same service parameter. The service parameter is a specific parameter of the first business, and the first business is a business between network element 1 and network element 2.
KMS1 may obtain the service parameter by receiving it from network element 1, network element 2 or the service server; or the service parameter is preset in KMS1 and is obtained by reading it; this is not restricted here. Network element 1 may obtain the service parameter by receiving it from the service server; or the service parameter is preset in network element 1 and is obtained by reading it; this is not restricted here.
In this embodiment, network element 1 is a user terminal. There are various methods by which network element 1 and KMS1 each obtain the same business root key of the first network element; several of them are illustrated below.
Example one: after network element 1 and KMS1 perform AKA authentication, network element 1 and KMS1 each obtain Kasme, an integrity key (English: integrity key, abbreviated IK) and a cipher key (English: cipher key, abbreviated CK). The process by which network element 1 and KMS1 perform AKA authentication is prior art and is not repeated here. For convenience of the description below, "parameter 1" is defined as including at least one of Kasme, IK and CK. After network element 1 and KMS1 have each obtained parameter 1, they calculate the business root key of network element 1 from parameter 1 using the same preset method.
Example two: after network element 1 and a mobility management entity (English: Mobility Management Entity, abbreviated MME) perform AKA authentication, network element 1 and the MME each obtain Kasme, IK and CK. After network element 1 and the MME have each obtained parameter 1, they calculate the business root key of network element 1 from parameter 1 using the same preset method. The MME sends the business root key of network element 1 to KMS1.
Example three: after network element 1 and the MME perform AKA authentication, network element 1 and the MME each obtain Kasme, IK and CK. Network element 1 and the MME each determine the same parameter 3, which includes at least one of Kasme, IK, CK, a non-access-stratum integrity key, a non-access-stratum cipher key and a base station key, where the non-access-stratum integrity key is calculated from Kasme and the NAS integrity protection algorithm, and the non-access-stratum cipher key is calculated from Kasme and the NAS encryption algorithm. Network element 1 and the MME calculate the business root key of network element 1 from parameter 3 using the same preset method. The MME sends the business root key of network element 1 to KMS1.
Example four: after network element 1 and the MME perform AKA authentication, network element 1 and the MME each obtain Kasme, IK and CK. Network element 1 and the MME each determine parameter 3, which includes at least one of Kasme, IK, CK, a non-access-stratum integrity key, a non-access-stratum cipher key and a base station key, where the non-access-stratum integrity key is calculated from Kasme and the NAS integrity protection algorithm, and the non-access-stratum cipher key is calculated from Kasme and the NAS encryption algorithm. The MME sends parameter 3 to KMS1, and network element 1 and KMS1 calculate the business root key of network element 1 from parameter 3 using the same preset method.
Example five: after network element 1 and KMS1/MME perform the AKA authentication protocol, network element 1 and a home subscriber server (English: Home Subscriber Server, abbreviated HSS) each obtain Kasme, IK and CK. A root key of network element 1 is initially preset in network element 1 and in the HSS. For convenience of the description below, "parameter 2" is defined as including at least one of Kasme, IK, CK and the root key of network element 1. After network element 1 and the HSS have each obtained parameter 2, they calculate the business root key of network element 1 from parameter 2 using the same preset method. Further, optionally, network element 1 and the HSS also obtain the service parameter of the first business, and calculate the business root key of network element 1 from parameter 2 and the service parameter of the first business using the same preset method. The HSS may obtain the service parameter of the first business in various ways; for example, KMS1 may send the service parameter to the HSS.
Example six: a digital certificate or the same key Kx is preset in network element 1 and in KMS1. Network element 1 and KMS1 may complete mutual authentication using TLS, IPSec or an authentication method based on a message authentication code, and after authentication each obtain the session key Ky between network element 1 and KMS1. Alternatively, network element 1 and KMS1 directly use the shared key Kx as the session key Ky between them. For convenience of the description below, "parameter 4" is defined as including the session key Ky obtained after authentication between network element 1 and the KMS. After network element 1 and KMS1 have each obtained parameter 4, they calculate the business root key of network element 1 from parameter 4 using the same preset method.
In the six examples above, there are various preset methods for calculating the business root key of network element 1. For example, the dependent variable of a first preset key derivation function may be calculated, where in examples one and two the independent variables of the first preset key derivation function include parameter 1, in example five they include parameter 2, or parameter 2 and the service parameter, in examples three and four they include parameter 3, and in example six they include parameter 4; the business root key of network element 1 includes the dependent variable of the first preset key derivation function.
Optionally, in some possible implementations of this embodiment, the independent variables of the first preset key derivation function further include other relevant parameters, for example at least one of: a time indicating the validity period of the business root key of network element 1, the current system time, a fresh parameter, a random number (nonce, random number), the sequence number XOR the anonymity key (SQN ⊕ AK, where SQN is the abbreviation of sequence number and AK the abbreviation of anonymity key), the RAND (abbreviation of RANDom number) parameter, the SN (the sequence number for calculating the business root key of network element 1), the sequence number for calculating the business root key of network element 1, the ID of network element 1, the ID of KMS1, the ID of Kasme, a network ID, a link ID, an APP ID, a service ID and a session ID; this is not restricted here.
As a concrete example, K1 = KDF(key, at least one of the relevant parameters above), where K1 is the business root key of network element 1 and K1 = KDF() is the first preset key derivation function; in examples one and two, key includes parameter 1; in example five, key includes parameter 2; in examples three and four, key includes parameter 3; and in example six, key includes parameter 4.
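The derivation K1 = KDF(key, relevant parameters) above can be made concrete as follows. This is an added example, not the patent's own code: the patent names no particular KDF or input encoding, so HMAC-SHA256 over length-prefixed inputs is an assumption made here, and the Kasme/IK/CK values, identities, SQN, AK and RAND are constructed sample data rather than real AKA output. It follows example one (key = parameter 1) and shows that network element 1 and KMS1 obtain the same root key from the same inputs, while a fresh RAND from a later authentication run yields an unrelated key.

```python
import hashlib
import hmac

# Added example; not the patent's code. HMAC-SHA256 over length-prefixed
# inputs is an assumed KDF, and every value below is constructed sample data.


def kdf(key: bytes, *params: bytes) -> bytes:
    """First preset key derivation function: K1 = KDF(key, params...).

    Each parameter is length-prefixed so that two different splits of the
    same bytes (e.g. ("ab", "c") and ("a", "bc")) never derive the same key.
    """
    msg = b"".join(len(p).to_bytes(2, "big") + p for p in params)
    return hmac.new(key, msg, hashlib.sha256).digest()


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """SQN XOR AK, one of the relevant parameters listed above."""
    if len(a) != len(b):
        raise ValueError("operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def business_root_key(parameter1: dict, ne_id: bytes, kms_id: bytes,
                      sqn: bytes, ak: bytes, rand: bytes) -> bytes:
    """Business root key of network element 1 for example one (key = parameter 1)."""
    # Parameter 1 is Kasme, IK and CK from AKA, concatenated in a fixed order
    # (the order is an assumption; the patent only lists the members).
    key = parameter1["kasme"] + parameter1["ik"] + parameter1["ck"]
    return kdf(key, ne_id, kms_id, xor_bytes(sqn, ak), rand)


# Constructed AKA output held by both network element 1 and KMS1 after
# authentication; not real key material.
PARAMETER1 = {"kasme": bytes(range(32)), "ik": b"\x11" * 16, "ck": b"\x22" * 16}
NE1_ID = b"imsi-460001234567890"  # constructed identity of network element 1
KMS1_ID = b"kms-1"                 # constructed identity of KMS1
SQN = b"\x00\x00\x00\x00\x00\x2a"  # constructed sequence number
AK = b"\x5a\x5a\x5a\x5a\x5a\x5a"   # constructed anonymity key
RAND = b"\xaa" * 16                # constructed RAND of this AKA run


def both_sides() -> tuple:
    """Network element 1 and KMS1 apply the same preset method to the same inputs."""
    ne1_k1 = business_root_key(PARAMETER1, NE1_ID, KMS1_ID, SQN, AK, RAND)
    kms1_k1 = business_root_key(PARAMETER1, NE1_ID, KMS1_ID, SQN, AK, RAND)
    # A later authentication run supplies a fresh RAND, so the root key rotates.
    next_k1 = business_root_key(PARAMETER1, NE1_ID, KMS1_ID, SQN, AK, b"\xbb" * 16)
    return ne1_k1, kms1_k1, next_k1


if __name__ == "__main__":
    a, b, c = both_sides()
    print("network element 1 and KMS1 agree:", a == b)
    print("fresh RAND rotates the root key:", a != c)
```

Because every relevant parameter is bound into the HMAC input, the two sides only agree if they hold exactly the same parameter 1 and the same identities, SQN ⊕ AK and RAND; any mismatch in those inputs shows up as a different root key rather than as a silent key-reuse.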
S32: Network element 2 and KMS2 each obtain the same shared key 2.
Shared key 2 is used to encrypt and/or integrity-protect communication data between network element 2 and KMS2. In this embodiment, network element 2 is a user terminal. There are various methods by which network element 2 and KMS2 each obtain the same shared key 2; several of them are illustrated below.
Example one: after network element 2 and KMS2 perform AKA authentication, network element 2 and KMS2 each obtain Kasme, IK and CK. The process by which network element 2 and KMS2 perform AKA authentication is prior art and is not repeated here. After network element 2 and KMS2 have each obtained parameter 1, they calculate shared key 2 from parameter 1 using the same preset method.
Example two: after network element 2 and the MME perform AKA authentication, network element 2 and the MME each obtain Kasme, IK and CK. After network element 2 and the MME have each obtained parameter 1, they calculate shared key 2 from parameter 1 using the same preset method. The MME sends shared key 2 to KMS2.
Example three: after network element 2 and the MME perform AKA authentication, network element 2 and the MME each obtain Kasme, IK and CK. Network element 2 and the MME each determine the same parameter 3, which includes at least one of Kasme, IK, CK, a non-access-stratum integrity key, a non-access-stratum cipher key and a base station key, where the non-access-stratum integrity key is calculated from Kasme and the NAS integrity protection algorithm, and the non-access-stratum cipher key is calculated from Kasme and the NAS encryption algorithm. Network element 2 and the MME calculate shared key 2 from parameter 3 using the same preset method. The MME sends shared key 2 to KMS1.
Example four: after network element 2 and the MME perform AKA authentication, network element 2 and the MME each obtain Kasme, IK and CK. Network element 2 and the MME each determine parameter 3, which includes at least one of Kasme, IK, CK, a non-access-stratum integrity key, a non-access-stratum cipher key and a base station key, where the non-access-stratum integrity key is calculated from Kasme and the NAS integrity protection algorithm, and the non-access-stratum cipher key is calculated from Kasme and the NAS encryption algorithm. The MME sends parameter 3 to KMS2, and network element 2 and KMS2 calculate shared key 2 from parameter 3 using the same preset method.
Example five: after network element 2 and KMS2/MME perform AKA authentication, network element 2 and the HSS each obtain Kasme, IK and CK. A root key of network element 2 is initially preset in network element 1 and in the HSS. After network element 2 and the HSS have each obtained parameter 2, they calculate shared key 2 from parameter 2 using the same preset method.
Example six: a digital certificate or the same key Kx is preset in network element 2 and in KMS2. Network element 2 and KMS2 may complete mutual authentication using TLS, IPSec or an authentication method based on a message authentication code, and after authentication each obtain the session key Ky between network element 2 and KMS2. Alternatively, network element 2 and KMS2 directly use the shared key Kx as the session key Ky between them. For convenience of the description below, "parameter 4" is defined as including the session key Ky obtained after authentication between network element 1 and the KMS. After network element 2 and KMS2 have each obtained parameter 4, they calculate shared key 2 from parameter 4 using the same preset method.
In the six examples above, there are various preset methods for calculating shared key 2. For example, the dependent variable of a second preset key derivation function may be calculated, where in examples one and two the independent variables of the second preset key derivation function include parameter 1, in example five they include parameter 2, in examples three and four they include parameter 3, and in example six key includes parameter 4; shared key 2 includes the dependent variable of the second preset key derivation function.
Optionally, in some possible implementations of this embodiment, the independent variables of the second preset key derivation function further include other relevant parameters, for example at least one of: a time indicating the validity period of shared key 2, a fresh parameter, a random number (nonce/random number), the sequence number XOR the anonymity key (SQN ⊕ AK, where SQN is the abbreviation of sequence number and AK the abbreviation of anonymity key), the RAND (abbreviation of RANDom number) parameter, the current system time, the sequence number for calculating shared key 2, the ID of network element 2, the ID of KMS2, the ID of Kasme, a network ID, a link ID, an APP ID, a service ID and a session ID; this is not restricted here.
As a concrete example, K2 = KDF(key, at least one of the relevant parameters above), where K2 is shared key 2 and K2 = KDF() is the second preset key derivation function; in examples one and two, key includes the first parameter; in example five, key includes parameter 2; in examples three and four, key includes parameter 3; and in example six, key includes parameter 4.
After network element 2 and KMS2 have each obtained shared key 2, whenever KMS2 sends data to network element 2 it encrypts and/or integrity-protects the data using shared key 2.
It should be noted that there is no necessary order between step S31 and step S32.
S33: Network element 1 sends a service request to the service server, the service request being used to apply for network element 1 and network element 2 to carry out the first business.
In this embodiment, the service server is used to perform service management between the first network element and the second network element.
In some possible implementations of the invention, network element 2 and the service server are the same network element; this is not restricted here.
In practice, it need not be network element 1 that sends the service request to the service server in step S33; another network element, such as network element 2, a server, a gateway or another control network element, may initiate the service request to the service server; this is not restricted here.
S34: The service server authorizes the first business and, when authorization succeeds, sends a response message to network element 1.
In this embodiment, the response message includes at least one of an indicator, the identity of the first network element, the identity of the second network element and the service parameter of the first business, where the indicator is used to indicate that authorization of the first business succeeded. For example, the indicator may include at least one of a service ID, an app ID, an SN, a session ID, a gateway ID, a server ID, a link ID and a network ID.
In this embodiment, how the service server authorizes the first business is prior art and is not described further here.
S35: Network element 1 sends a key request for the first business to KMS1.
After network element 1 receives the notification, sent by the service server, that authorization of the first business succeeded, it sends a key request to KMS1. The key request is used to initiate generation of the business key that network element 1 and network element 2 will use for data communication in the first business. Here network element 1 is the sending end of the data and network element 2 the receiving end, and the key request includes the identity (English: identity, abbreviated ID) of network element 1.
In practice, network element 1 may already hold the ID of network element 2 and/or the service parameter of the first business, or may receive the ID of network element 2 and/or the service parameter of the first business from the service server or from network element 2. In that case the key request may include at least one of the ID of network element 1, the ID of network element 2 and the service parameter of the first business. Since the purpose of steps S36 to S38 is to deliver the ID of network element 2 to network element 1, steps S36 to S38 may be omitted when network element 1 already holds the ID of network element 2.
Specifically, the identities of network element 1 and network element 2 may each include at least one of: an international mobile subscriber identity (English: International Mobile Subscriber Identity, abbreviated IMSI), a globally unique temporary UE identity (English: Globally Unique Temporary UE Identity, abbreviated GUTI), an IP multimedia private identity (English: IP Multimedia Private Identity, abbreviated IMPI), a temporary mobile subscriber identity (English: Temporary Mobile Subscriber Identity, abbreviated TMSI), a temporary IP multimedia private identity (English: Temporary IP Multimedia Private Identity, abbreviated TMPI), an IP multimedia public identity (English: IP Multimedia Public Identity, abbreviated IMPU), a service ID, a session ID, a network ID, a link ID, an App ID and a gateway ID. When a network element is a server, its ID may also include a server ID.
The service parameter of the first business may take various forms. For example, the service parameter of the first business may include at least one of: a sequence number SN of the business key in the first business, a time associated with the business key, an ID associated with the business, a fresh parameter, and a random number (nonce/random number). The ID associated with the business may include at least one of the ID of network element 1, the ID of network element 2, the ID of KMS1, a service ID, a session ID, a network ID, a link ID, an App ID, a server ID and a PLMN ID. The time associated with the business key may include at least one of the start time, the end time and the validity period of the first business. The IDs of network element 1 and network element 2 may each include at least one of IMSI, IMPI, TMSI, IMPU, App ID, network ID, service ID and GUTI; this is not restricted here.
In practice, network element 1 may send the key request to KMS1 on its own initiative rather than after receiving the notification from the service server that authorization of the first business succeeded; that is, steps S33 and S34 may be omitted.
In practice, in step S35 it need not be network element 1 that sends the key request for the first business to KMS1; another network element, such as network element 2, a server, a gateway or another control network element, may send the key request to KMS1; this is not restricted here. In that case the key request includes at least one of the ID of network element 1, the ID of network element 2 and the service parameter of the first business.
In practice, when the business does not need to be authorized, step S35 may be omitted.
S36, network element 2 sends the key request for the first service to KMS2.
After network element 2 receives the notification of successful authorization of the first service sent by the service server, it sends a key request to KMS2; the key request includes at least one of the ID of network element 1, the ID of network element 2 and the service parameters of the first service. Specifically, the ID of network element 1 and the ID of network element 2 can include at least one of IMSI, GUTI, IMPI, TMSI, TMPI, IMPU, service ID, session ID, network ID, link ID, App ID and gateway ID. When the network element is a server, the ID of the network element can also include a server ID.
S37, KMS2 sends the key request of network element 2 to KMS1.
S38, KMS1 sends the key request of network element 2 to network element 1.
S39, KMS1 and network element 1 each use the same preset method to generate the service key from the service root key of network element 1 and the service parameters of the first service.
In this embodiment, the service key is used to encrypt and/or integrity-protect the communication data of the first service applied for in step S33 between network element 1 and network element 2.
After network element 1 sends the key request to KMS1, network element 1 and KMS1 use the same preset method to generate the service key from the service root key of network element 1 and the service parameters of the first service. In this embodiment there are various preset methods; one of them is described below.
After KMS1 and network element 1 have each obtained the same service root key of network element 1 and the same service parameters of the first service, KMS1 and network element 1 each compute the output (dependent variable) of the second preset key derivation function, and the service key includes that output; the inputs (independent variables) of the second preset key derivation function include the service root key of network element 1 and the service parameters. In this embodiment the service parameters are the service parameters of the first service applied for in step S33, including but not limited to the service parameters described under step S31.
As a concrete example, K = KDF(key, service parameters of the first service), where K is the service key, K = KDF() is the second preset key derivation function, and key includes the service root key of network element 1.
In practical application, network element 1 can also obtain the ID of network element 2 by other means: for example, a service server or application server sends the ID of network element 2 to network element 1, or network element 1 already stores the ID of network element 2, or the parameters used by KMS1 and network element 1 when each computes the service key do not include the ID of network element 2. In those cases steps S36 to S38 can be omitted from the key distribution method of this embodiment.
S310, KMS1 sends the service key to KMS2.
S311, KMS2 encrypts and/or integrity-protects the service key with shared key 2, generating the security protection parameter of network element 2.
When KMS2 encrypts the service key with shared key 2, it uses an encryption algorithm, for example the AES encryption algorithm; when it integrity-protects the service key with shared key 2, it uses an integrity protection algorithm, for example an HMAC algorithm. This is not limited here.
S312, KMS2 sends the security protection parameter of network element 2 to network element 2.
S313, network element 2 obtains the service key from shared key 2 and the security protection parameter of network element 2.
Because the security protection parameter of network element 2 was obtained by encrypting and/or integrity-protecting the service key with shared key 2, network element 2 can recover the service key from the security protection parameter of network element 2 and shared key 2.
In the present invention, after network element 1 and network element 2 have each obtained the service key, the service key can be used in various ways.
For example, network element 1 protects first communication data with the service key, generating second communication data, and sends it to network element 2. Specifically, network element 1 can encrypt and/or integrity-protect the first communication data directly with the service key to generate the second communication data. Alternatively, network element 1 generates a service key K' from the service key K by a preset method, then encrypts and/or integrity-protects the first communication data with the service key K' to generate the second communication data, and sends it to network element 2.
Network element 2 receives the second communication data and recovers the first communication data using the service key. Specifically, if network element 1 generated the second communication data by encrypting and/or integrity-protecting the first communication data directly with the service key, network element 2 recovers the first communication data from the second communication data directly with the service key. If network element 1 generated the second communication data by encrypting and/or integrity-protecting the first communication data with the key derived from the service key K, network element 2 generates the service key K' from the service key K by the same preset method as network element 1, then recovers the first communication data from the second communication data with the service key K'.
Of course, network element 1 and network element 2 can also use the service key in other ways, which is not limited here.
In this embodiment, KMS1 and network element 1 each obtain the same service root key of network element 1 and the same service parameters of the first service, and generate the service key from the service root key of network element 1 and the service parameters with the same preset method, so KMS1 and network element 1 generate the same service key. KMS1 therefore does not need to send the service key to network element 1, which avoids the service key being leaked while in transit to network element 1. In addition, KMS1 and network element 2 each obtain the same shared key of network element 2, so when KMS1 encrypts and/or integrity-protects the service key with the shared key of network element 2 and sends the resulting security protection parameter of network element 2 to network element 2, network element 2 can recover the service key from the security protection parameter of network element 2 with its shared key. Network element 1 and network element 2 can then protect the communication data they exchange with the service key, which prevents the communication data from being eavesdropped in transit.
In the embodiment shown in Fig. 3, network element 2 is a user terminal, and KMS2 must encrypt and/or integrity-protect the service key with shared key 2 before delivering it to network element 2. In practical application, network element 2 can also be a network element that has an established secure channel with KMS2; for example, network element 2 is a server, a gateway or another control network element. In that case KMS2 can send the service key directly to network element 2 over the secure channel, and KMS2 and network element 2 do not need to obtain the same shared key 2.
Therefore, when network element 2 and KMS2 have an established secure channel, steps S32, S311 and S313 of the embodiment shown in Fig. 3 can be omitted, and in step S312 KMS2 sends the service key to network element 2.
In the embodiment shown in Fig. 3, the flow after step S35 is triggered by steps S33 and S34. Optionally, in a first possible implementation of the present invention, network element 1 need not send a service request to the service server in step S33; instead the service server, a gateway, an MME or network element 2 sends a service message to network element 1, where the service message is used to instruct network element 1 and network element 2 to carry out the first service and includes at least one of the ID of the first network element and the ID of the second network element.
In the embodiment shown in Fig. 3, network element 1 and network element 2 correspond to different KMSs. Optionally, in a second possible implementation of the present invention, network element 1 and network element 2 can also correspond to the same KMS. For example, network element 1 and network element 2 are user terminals belonging to the same operator, and both network elements communicate with the same KMS when applying for the service key. In that case KMS1 and KMS2 in the embodiment shown in Fig. 3 are the same key management center, and steps S37 and S310 can be omitted.
In the embodiment shown in Fig. 3, KMS1 computes the service key from the service root key of network element 1. In practical application, KMS1 can also obtain the service root key of network element 2 and compute the service key from the service root key of network element 1, the service root key of network element 2 and the service parameters of the first service. This is described below with reference to Fig. 4.
Refer to Fig. 4, which is a schematic flow chart of another embodiment of the key distribution flow of the communication system shown in Fig. 2.
S41, network element 1 and KMS1 each obtain the same service root key of network element 1 and each obtain the same service parameters.
For details refer to the explanation of step S31 in the embodiment shown in Fig. 3, which is not repeated here.
S42, network element 1 and KMS1 each obtain the same shared key 1.
For details refer to the method by which network element 2 and KMS2 obtain the same shared key 2 in step S32 of the embodiment shown in Fig. 3, which is not repeated here.
S43, network element 2 and KMS2 each obtain the same service root key of network element 2.
For the method by which network element 2 and KMS2 obtain the same service root key of network element 2, refer to the explanation of step S31 in the embodiment shown in Fig. 3, which is not repeated here.
S44, network element 2 and KMS2 each obtain the same shared key 2.
For details refer to the explanation of step S32 in the embodiment shown in Fig. 3, which is not repeated here.
Note that there is no fixed order between steps S41-S42 and steps S43-S44. Step S42 may occur before step S41, and step S43 may occur before step S44.
S45, network element 1 sends a service request to the service server; the service request is used to apply for network element 1 and network element 2 to carry out the first service.
For details refer to the explanation of step S33 in the embodiment shown in Fig. 3, which is not repeated here.
S46, the service server authorizes the first service and, when authorization succeeds, sends a response message to network element 1.
For details refer to the explanation of step S34 in the embodiment shown in Fig. 3, which is not repeated here.
S47, network element 1 sends the key request for the first service to KMS1.
For details refer to the explanation of step S35 in the embodiment shown in Fig. 3, which is not repeated here.
In practical application, network element 1 need not wait for the notification of successful authorization of the first service sent by the service server before sending the key request to KMS1; it can initiate the key request on its own. That is, steps S45 and S46 can be omitted.
S48, network element 2 sends the key request for the first service to KMS2.
For details refer to the explanation of step S36 in the embodiment shown in Fig. 3, which is not repeated here.
In this embodiment, step S48 is optional.
S49, KMS2 sends the service root key of network element 2 to KMS1.
After KMS2 receives the key request for the first service, it sends the service root key of network element 2 to KMS1.
S410, KMS1 encrypts and/or integrity-protects the service root key of network element 2 with shared key 1, generating the security protection parameter of network element 1.
When KMS1 encrypts the service root key of network element 2 with shared key 1, it uses an encryption algorithm, for example the AES encryption algorithm; when it integrity-protects the service root key of network element 2 with shared key 1, it uses an integrity protection algorithm, for example an HMAC algorithm. This is not limited here.
S411, KMS1 sends the security protection parameter of network element 1 to network element 1.
S412, network element 1 obtains the service root key of network element 2 from shared key 1 and the security protection parameter of network element 1.
Because the security protection parameter of network element 1 was obtained by encrypting and/or integrity-protecting the service root key of network element 2 with shared key 1, network element 1 can recover the service root key of network element 2 from the security protection parameter of network element 1 and shared key 1.
S413, KMS2 sends the key request of network element 2 to KMS1.
Step S413 and step S49 can be combined into one step or performed as two separate steps, and the two steps have no fixed order.
S414, KMS1 sends the key request of network element 2 to network element 1.
Step S414 and step S411 can be combined into one step or performed as two separate steps, and the two steps have no fixed order.
S415, KMS1 and network element 1 each use the same preset method to generate the service key from the service root key of network element 1, the service root key of network element 2 and the service parameters of the first service.
After network element 1 sends the key request to KMS1, network element 1 and KMS1 use the same preset method to generate the service key from the service root key of network element 1, the service root key of network element 2 and the service parameters of the first service. In this embodiment there are various preset methods; one of them is described below.
After KMS1 and network element 1 have each obtained the same service root key of network element 1, the same service root key of network element 2 and the same service parameters of the first service, KMS1 and network element 1 each compute the output (dependent variable) of the second preset key derivation function, and the service key includes that output; the inputs (independent variables) of the second preset key derivation function include the service root key of network element 1, the service root key of network element 2 and the service parameters.
In this embodiment, the service parameters are the parameters of the first service applied for in step S45. For example, the service parameters can be at least one of the sequence number in the first service, the expiry time of the service key, the current system time, a fresh parameter (Fresh parameter), a random number (nonce/random number), the sequence number used to compute the service key and the related ID in the service. The related ID in the service can include at least one of the ID of network element 1, the ID of network element 2, the ID of KMS1, a service ID, a session ID, a network ID, a link ID, an App ID, a server ID and a PLMN ID. The IDs of network element 1 and network element 2 can include IMSI, IMPI, TMSI, IMPU, App ID, network ID, service ID, GUTI and so on; this is not limited here.
As a concrete example, K = KDF(key, service parameters of the first service), where K is the service key, K = KDF() is the second preset key derivation function, and key includes the service root key of network element 1 and the service root key of network element 2.
S416, KMS1 sends the service key to KMS2.
S417, KMS2 encrypts and/or integrity-protects the service key with shared key 2, generating the security protection parameter of network element 2.
S418, KMS2 sends the security protection parameter of network element 2 to network element 2.
S419, network element 2 obtains the service key from shared key 2 and the security protection parameter of network element 2.
In the embodiment shown in Fig. 4, network element 2 is a user terminal, and KMS2 must encrypt and/or integrity-protect the service key with shared key 2 before delivering it to network element 2. In practical application, network element 2 can also be a network element that has an established secure channel with KMS2; for example, network element 2 is a server, a gateway or another control network element. In that case KMS2 can send the service key directly to network element 2 over the secure channel. Therefore, when network element 2 and KMS2 have an established secure channel, steps S44, S417 and S419 of the embodiment shown in Fig. 4 can be omitted, and in step S418 KMS2 sends the service key to network element 2.
In the embodiment shown in Fig. 3, network element 1 and KMS1 obtain the same service root key of the first network element through AKA authentication, together with the same service parameters of the first service, and each uses the same preset method to generate the service key from the service root key of the first network element and the service parameters of the first service. In practical application, network element 1 and KMS1 may likewise obtain the same service root key of network element 1 through AKA authentication, and network element 2 may also obtain the same service root key of network element 2 with KMS1 through AKA authentication; KMS1 then sends the service root key of network element 2 to network element 1 and sends the service root key of network element 1 to network element 2. When computing the service key, network element 1 and network element 2 each use the same preset method to generate the service key from the service root key of network element 1 and the service root key of network element 2. This is described below with reference to Fig. 5.
Refer to Fig. 5, which is a schematic flow chart of another embodiment of the key distribution flow of the communication system shown in Fig. 2.
As shown in Fig. 5, the key distribution flow in this embodiment includes:
S51, network element 1 and KMS1 each obtain the same service root key of network element 1 and each obtain the same shared key 1.
For the method by which network element 1 and KMS1 obtain the same service root key of network element 1, refer to the explanation of "network element 1 and KMS1 each obtain the same service root key of network element 1" in step S31 of the embodiment shown in Fig. 3, which is not repeated here.
For the method by which network element 1 and KMS1 obtain the same shared key 1, refer to the explanation of "network element 2 and KMS2 each obtain the same shared key 2" in step S32 of the embodiment shown in Fig. 3, which is not repeated here.
S52, network element 2 and KMS2 each obtain the same service root key of network element 2 and each obtain the same shared key 2.
For details refer to the explanation of step S51, which is not repeated here.
S53, network element 1 sends a service request to the service server; the service request is used to apply for network element 1 and network element 2 to carry out the first service.
S54, the service server authorizes the first service and, when authorization succeeds, sends a response message to network element 1.
For details refer to the explanation of step S34 in the embodiment shown in Fig. 3, which is not repeated here.
S55, network element 1 sends the key request for the first service to KMS1.
For details refer to the explanation of step S35 in the embodiment shown in Fig. 3, which is not repeated here.
S56, network element 2 sends the key request for the first service to KMS2; the key request includes the ID of network element 2.
For details refer to the explanation of step S36 in the embodiment shown in Fig. 3, which is not repeated here.
In this embodiment, step S56 is optional.
S57, KMS1 sends the key request of network element 1 and the service root key of network element 1 to KMS2.
S58, KMS2 sends the key request of network element 2 and the service root key of network element 2 to KMS1.
S59, KMS1 encrypts and/or integrity-protects the service root key of network element 2 with shared key 1, generating security protection parameter 1.
After KMS1 receives the service root key of network element 2 sent by KMS2, it encrypts the service root key of network element 2 with an encryption algorithm, for example the AES encryption algorithm; or integrity-protects the service root key of network element 2 with an integrity protection algorithm, for example an HMAC algorithm; or both encrypts and integrity-protects the service root key of network element 2. This is not limited here.
S510, KMS1 sends security protection parameter 1 and the ID of network element 2 to network element 1.
S511, network element 1 obtains the service root key of network element 2 from shared key 1 and security protection parameter 1.
Because security protection parameter 1 was obtained by encrypting and/or integrity-protecting the service root key of network element 2 with shared key 1, network element 1 can recover the service root key of network element 2 from security protection parameter 1 and shared key 1.
S512, network element 1 generates the service key from the service root key of network element 1 and the service root key of network element 2.
In this embodiment, the service key is used to encrypt and/or integrity-protect the communication data of the first service applied for in step S53 between network element 1 and network element 2.
Network element 1 and network element 2 each hold the same preset method, so that network element 1 and network element 2 can generate the same service key from the service root key of network element 1 and the service root key of network element 2 with that preset method. There are various preset methods; one of them is described below.
After network element 1 obtains the service root key of network element 1 and the service root key of network element 2, it also obtains the service parameters. Network element 1 computes the output (dependent variable) of a preset key derivation function, and the service key includes that output; the inputs (independent variables) of the preset key derivation function include the service root key of network element 1, the service root key of network element 2 and the service parameters, or the inputs include the service parameters and a service root key computed from the service root key of network element 1 and the service root key of network element 2.
In this embodiment, the service parameters are the parameters of the first service applied for in step S53. For example, the service parameters can be at least one of the sequence number in the first service, the expiry time of the service key, the current system time, the sequence number used to compute the service key, a fresh parameter (Fresh parameter), a random number (nonce/random number) and the related ID in the service. The related ID in the service can include at least one of the ID of network element 1, the ID of network element 2, the ID of KMS1, a service ID, a session ID, a network ID, a link ID, an App ID, a server ID and a PLMN ID. The IDs of network element 1 and network element 2 can include IMSI, IMPI, GUTI, TMSI, IMPU, App ID, network ID, service ID and so on; this is not limited here.
As a concrete example, K = KDF(key, service parameters of the first service), where K is the service key, K = KDF() is the second preset key derivation function, and key includes the service root key of network element 1 and the service root key of network element 2, or includes a service root key computed from the service root key of network element 1 and the service root key of network element 2.
In practical application, when the parameters network element 1 uses to compute the service key do not include the ID of network element 2, step S56 can be omitted from the key distribution method of this embodiment; KMS2 then does not need to send the ID of network element 2 to KMS1 in step S58, and KMS1 does not need to send the ID of network element 2 to network element 1 in step S510.
S513, KMS2 encrypts and/or integrity-protects the service root key of network element 1 with shared key 2, generating security protection parameter 2.
After KMS2 receives the service root key of network element 1 sent by KMS1, it encrypts the service root key of network element 1 with an encryption algorithm, for example the AES encryption algorithm; or integrity-protects the service root key of network element 1 with an integrity protection algorithm, for example an HMAC algorithm; or both encrypts and integrity-protects the service root key of network element 1. This is not limited here.
S514, KMS2 sends security protection parameter 2 and the ID of network element 1 to network element 2.
S515, network element 2 obtains the service root key of network element 1 from shared key 2 and security protection parameter 2.
Because security protection parameter 2 was obtained by encrypting and/or integrity-protecting the service root key of network element 1 with shared key 2, network element 2 can recover the service root key of network element 1 from security protection parameter 2 and shared key 2.
S516, network element 2 generates the service key from the service root key of network element 1 and the service root key of network element 2.
The preset method by which network element 2 generates the service key from the service root key of network element 1 and the service root key of network element 2 is the preset method of step S512, which is not repeated here.
In practical application, when the parameters network element 2 uses to compute the service key do not include the ID of network element 1, step S58 can be omitted from the key distribution method of this embodiment; KMS1 then does not need to send the ID of network element 1 to KMS2 in step S58, and KMS2 does not need to send the ID of network element 2 to network element 1 in step S510.
In the embodiment shown in Fig. 5, network element 1 and network element 2 correspond to different KMSs. Optionally, in a possible implementation of the present invention, network element 1 and network element 2 can also correspond to the same KMS. For example, network element 1 and network element 2 are user terminals belonging to the same operator, and both network elements communicate with the same KMS when applying for the service key. In that case KMS1 and KMS2 in the embodiment shown in Fig. 5 are the same key management center, and steps S57 and S58 can be omitted.
In the embodiment shown in Fig. 5, network element 1 and network element 2 both obtain the service root key of network element 1 and the service root key of network element 2, and obtain the service key from the two service root keys by the same preset method. In practical application, network element 2 may also not obtain the two service root keys and compute the service key from them, but instead receive the service key sent by KMS1 or KMS2.
In this embodiment, the KMS encrypts and/or integrity-protects the service root key of network element 1 before sending it to network element 2, and encrypts and/or integrity-protects the service root key of network element 2 before sending it to network element 1; network element 1 and network element 2 then each use the same preset method to compute the service key from the service root key of network element 1 and the service root key of network element 2. Because the service key itself is never sent to a network element by the KMS, it cannot be eavesdropped while being sent to a network element.
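The derivation K = KDF(key, service parameters of the first service) used in the Fig. 3 to Fig. 5 embodiments, the wrapping of a carried key under a shared key into a security protection parameter, and the two-leg root-key exchange of Fig. 5 (steps S59 to S516), as one added Go simulation that is not part of the patent. HMAC-SHA256 as the preset KDF, AES-GCM for the encryption-plus-integrity protection and the length-prefixed parameter encoding are assumptions, since the patent leaves the algorithms open; the function names are hypothetical, and the KDF accepts either one root key (Fig. 3) or both root keys (Fig. 4 and Fig. 5), which generalises the single case each figure shows.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// lenPrefix joins fields with 4-byte length prefixes so distinct field sets never encode alike.
func lenPrefix(fields ...[]byte) []byte {
	var out []byte
	for _, f := range fields {
		var l [4]byte
		binary.BigEndian.PutUint32(l[:], uint32(len(f)))
		out = append(out, l[:]...)
		out = append(out, f...)
	}
	return out
}

// DeriveBusinessKey is the preset K = KDF(key, service parameters). HMAC-SHA256 keyed with the
// root key(s) is an assumption; pass one root key (Fig. 3) or (NE1 root key, NE2 root key) (Fig. 4/5).
func DeriveBusinessKey(params [][]byte, rootKeys ...[]byte) []byte {
	mac := hmac.New(sha256.New, lenPrefix(rootKeys...))
	mac.Write(lenPrefix(params...))
	return mac.Sum(nil)
}

func newGCM(sharedKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(sharedKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Protect builds a "security protection parameter": the carried key encrypted and
// integrity-protected under the NE's shared key. AES-GCM is an assumption (the patent names
// only AES and HMAC as examples); aad binds the parameter to the service context.
func Protect(sharedKey, carriedKey, aad []byte) ([]byte, error) {
	gcm, err := newGCM(sharedKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, carriedKey, aad), nil
}

// Unprotect is the NE side: it recovers the carried key, or fails if the parameter was altered.
func Unprotect(sharedKey, param, aad []byte) ([]byte, error) {
	gcm, err := newGCM(sharedKey)
	if err != nil {
		return nil, err
	}
	if len(param) < gcm.NonceSize() {
		return nil, fmt.Errorf("security protection parameter too short")
	}
	return gcm.Open(nil, param[:gcm.NonceSize()], param[gcm.NonceSize():], aad)
}

// deliverRootKey is one KMS-to-NE leg of Fig. 5 (S59-S511 or S513-S515): the KMS protects the
// peer NE's root key under its own NE's shared key and the NE recovers it. No service key is sent.
func deliverRootKey(sharedKey, peerRootKey, aad []byte) ([]byte, error) {
	param, err := Protect(sharedKey, peerRootKey, aad)
	if err != nil {
		return nil, err
	}
	return Unprotect(sharedKey, param, aad)
}

// Fig5Flow runs both legs, then S512/S516: each NE derives K from (NE1 root key, NE2 root key)
// with the same preset KDF. It returns NE1's K and NE2's K so a caller can check they agree.
func Fig5Flow(rootKey1, rootKey2, sharedKey1, sharedKey2 []byte, params [][]byte) ([]byte, []byte, error) {
	aad := lenPrefix(params...)
	rk2AtNE1, err := deliverRootKey(sharedKey1, rootKey2, aad)
	if err != nil {
		return nil, nil, err
	}
	rk1AtNE2, err := deliverRootKey(sharedKey2, rootKey1, aad)
	if err != nil {
		return nil, nil, err
	}
	return DeriveBusinessKey(params, rootKey1, rk2AtNE1), DeriveBusinessKey(params, rk1AtNE2, rootKey2), nil
}

func main() {
	rk1, rk2 := bytes.Repeat([]byte{1}, 32), bytes.Repeat([]byte{2}, 32) // constructed; real ones come from AKA
	params := [][]byte{[]byte("IMSI-ne1"), []byte("IMSI-ne2"), []byte("svc-1"), []byte{0, 0, 0, 1}, []byte("nonce")}
	k1, k2, err := Fig5Flow(rk1, rk2, bytes.Repeat([]byte{3}, 32), bytes.Repeat([]byte{4}, 32), params)
	fmt.Println("NE1 and NE2 hold the same service key:", err == nil && bytes.Equal(k1, k2))
}
```

Unprotect failing on a modified, wrong-key or undersized parameter is the integrity check the scheme relies on whenever a key transits KMS2 or KMS1 before reaching the network element.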
Above with Fig. 2 to Fig. 5 to three embodiments of communication system of the invention and each communication system In each embodiment of workflow be described.The cryptographic key distribution method in the present invention is entered below Row description.
Refer to Fig. 6, one embodiment of cryptographic key distribution method of the invention, including:
601. A first key management center obtains a service parameter and the business root key of a first network element.
In the present embodiment, the service parameter is a parameter of a first business, and the business root key of the first network element is generated from a key parameter obtained after authentication of the first network element.
The first key management center may be KMS 1 in the embodiment shown in Fig. 3, and the first network element may be network element 1 in the embodiment shown in Fig. 3. Alternatively, the first key management center may be KMS 1 in the embodiment shown in Fig. 3, and the first network element may be network element 1 in the embodiment shown in Fig. 4. This is not limited here.
The way in which the first key management center obtains the service parameter and the business root key of the first network element is described under step S31 of the embodiment shown in Fig. 3 and is not repeated here.
602. The first key management center generates a business key from the business root key of the first network element and the service parameter; the business key is used to encrypt and/or integrity-protect communication data of the first business between the first network element and a second network element.
603. The first key management center obtains the shared key of the second network element; the shared key of the second network element is used for communication between the first key management center and the second network element.
604. The first key management center encrypts and/or integrity-protects the business key using the shared key of the second network element, generating a first security protection parameter.
605. The first key management center sends the first security protection parameter to the second network element.
The present embodiment can be understood with reference to the descriptions of the embodiments shown in Fig. 3 and Fig. 4, and is not elaborated further here.
In the present embodiment, the first key management center obtains the business root key of the first network element and the service parameter, and the preset method by which it generates the business key from the business root key and the service parameter of the first network element is the same preset method by which the first network element generates the business key from its own business root key. The first key management center and the first network element therefore generate the same business key, so the first key management center does not need to send the business key to the first network element, which avoids any leakage of the business key while in transit to the first network element. In addition, the first key management center encrypts and/or integrity-protects the business key with the shared key of the second network element to generate the first security protection parameter and sends it to the second network element, so that the second network element can recover the business key from the first security protection parameter using its shared key. When the first network element and the second network element subsequently exchange communication data, they protect that data with the business key, so the communication data cannot be eavesdropped in transit.
Optionally, in the present embodiment, if a secure channel has been established between the first key management center and the second network element, the first key management center need not encrypt and/or integrity-protect the business key with the shared key of the second network element before forwarding it; it can instead send the business key to the second network element over the secure channel, in which case steps 603 to 605 can be omitted.
In the present embodiment, the first key management center manages the key of the second network element, that is, the first key management center corresponds to the second network element, so the first key management center sends the business key to the second network element. In practical application, the second network element may not correspond to the first key management center but to a second key management center; in that case the first key management center sends the business key to the second key management center, which encrypts and/or integrity-protects the business key and sends it to the second network element, and steps 603 to 605 can likewise be omitted.
In the present embodiment, the first key management center may obtain the business root key of the first network element in several ways.
Optionally, the first key management center obtains a first parameter by performing AKA authentication with the first network element, the first parameter including at least one of Kasme, an integrity key and an encryption key; the first key management center then computes the output of a first preset key derivation function, and the business root key of the first network element includes that output, where the inputs of the first preset key derivation function include the first parameter.
Optionally, the first key management center receives the business root key of the first network element from the mobility management node MME, where the MME computes the business root key of the first network element from a first parameter that the MME obtained by performing AKA authentication with the first network element, the first parameter including at least one of Kasme, an integrity key and an encryption key.
In the present embodiment, the first key management center may generate the business key from the business root key of the first network element and the service parameter in several ways.
Optionally, the first key management center computes the output of a second preset key derivation function, and the business key includes that output, where the inputs of the second preset key derivation function include the business root key of the first network element and the service parameter.
Further, optionally, the first key management center obtains the business root key of the second network element, and the inputs of the second preset key derivation function also include the business root key of the second network element;
the first key management center obtains the shared key of the first network element, which is used for communication between the first key management center and the first network element;
the first key management center encrypts and/or integrity-protects the business root key of the second network element using the shared key of the first network element, generating a second security protection parameter;
the first key management center sends the second security protection parameter to the first network element, so that the first network element obtains the business root key of the second network element from the second security protection parameter and computes the business key from the business root key of the second network element.
Optionally, in the present embodiment, before the first key management center generates the business key from the business root key of the first network element and the service parameter using the preset method, the method further includes:
the first key management center receives a key request sent by the first network element, the second network element, a gateway or a server; the key request is used to initiate generation of the business key and contains at least one of the identity of the first network element, the identity of the second network element and the service parameter.
In the present embodiment, the first key management center may obtain the shared key of the second network element in several ways.
Optionally, the first key management center obtains a first parameter by performing AKA authentication with the second network element, the first parameter including at least one of Kasme, an integrity key and an encryption key;
the first key management center computes the output of a third preset key derivation function, and the shared key of the second network element includes that output, where the inputs of the third preset key derivation function include the first parameter.
Optionally, the first key management center receives the shared key of the second network element from the MME, where the MME computes the shared key of the second network element from a first parameter that the MME obtained by performing AKA authentication with the second network element, the first parameter including at least one of Kasme, an integrity key and an encryption key.
The present embodiment can be understood with reference to the descriptions of the embodiments shown in Fig. 2 to Fig. 4, and is not elaborated further here.
Referring to Fig. 7, Fig. 7 is a schematic flowchart of an embodiment of the key generation method of the present invention. As shown in Fig. 7, the key generation method in the present embodiment includes:
701. A first key management center obtains the business root key of a first network element and the business root key of a second network element.
In the present embodiment, the first key management center may be KMS 1 in the embodiment shown in Fig. 5, the first network element may be network element 1 in the embodiment shown in Fig. 5, and the second network element may be network element 2 in the embodiment shown in Fig. 5; this is not limited here.
702. The first key management center obtains a first shared key and a second shared key; the first shared key is used for communication between the first key management center and the first network element, and the second shared key is used for communication between the first key management center and the second network element.
703. The first key management center encrypts and/or integrity-protects the business root key of the second network element using the first shared key, generating a first security protection parameter.
704. The first key management center encrypts and/or integrity-protects the business root key of the first network element using the second shared key, generating a second security protection parameter.
705. The first key management center sends the first security protection parameter to the first network element, so that the first network element obtains the business root key of the second network element from the first security protection parameter and generates a business key from the business root key of the first network element and the business root key of the second network element.
706. The first key management center sends the second security protection parameter to the second network element, so that the second network element obtains the business root key of the first network element from the second security protection parameter and generates the business key from the business root key of the first network element and the business root key of the second network element.
In the present embodiment, the business key is used to encrypt and/or integrity-protect communication data of a first business between the first network element and the second network element.
The present embodiment can be understood with reference to the description of the embodiment shown in Fig. 5, and is not elaborated further here.
In the present embodiment, the first key management center encrypts and/or integrity-protects the business root key of the first network element and sends it to the second network element, and encrypts and/or integrity-protects the business root key of the second network element and sends it to the first network element, so that the first network element and the second network element each compute the business key from the business root key of the first network element and the business root key of the second network element using the same preset method. Because the business key itself is not sent by the first key management center to either network element, the business key cannot be eavesdropped while in transit to a network element.
Referring to Fig. 8, Fig. 8 is a schematic flowchart of another embodiment of the key generation method of the present invention. As shown in Fig. 8, the key generation method in the present embodiment includes:
801. A first network element obtains a first parameter by performing AKA authentication; the first parameter includes at least one of Kasme, an integrity key and an encryption key.
In the present embodiment, the first network element may be network element 1 in the embodiments shown in Fig. 3, Fig. 4 and Fig. 5; this is not limited here.
802. The first network element obtains the business root key of the first network element from the first parameter.
803. The first network element obtains a service parameter, which is a parameter of a first business.
804. The first network element generates a business key from the business root key of the first network element and the service parameter; the business key is used to encrypt and/or integrity-protect communication data of the first business between the first network element and a second network element.
In the present embodiment, the first network element obtains its own business root key, and the preset method by which it generates the business key from that business root key and the service parameter is the same preset method by which the first key management center generates the business key from the business root key of the first network element. The first key management center and the first network element therefore generate the same business key, so the first network element need not receive a business key from the first key management center, which avoids any leakage of the business key while in transit to the first network element. When the first network element and the second network element subsequently exchange communication data, they protect that data with the business key, so the communication data cannot be eavesdropped in transit.
In the present embodiment, the first network element may generate the business key from the business root key of the first network element and the service parameter in several ways. Optionally, the first network element computes the output of a preset key derivation function, and the business key includes that output, where the inputs of the preset key derivation function include the business root key of the first network element and the service parameter.
Further, optionally, in the present embodiment, the first network element also obtains the identity of the second network element, and the inputs of the preset key derivation function also include the identity of the second network element.
In the present embodiment, optionally, the key reception method further includes:
the first network element obtains the shared key of the first network element, which is used for communication between the first key management center and the first network element;
the first network element receives a second security protection parameter sent by the first key management center;
the first network element decrypts the second security protection parameter using the shared key of the first network element, obtaining the business root key of the second network element;
and the step in which the first network element generates the business key from the business root key of the first network element and the service parameter then consists of:
the first network element generating the business key from the business root key of the first network element, the business root key of the second network element and the service parameter.
In the present embodiment, optionally, before the first network element generates the business key from the business root key of the first network element and the service parameter, the method further includes:
the first network element sends a key request to the first key management center; the key request is used to initiate generation of the business key and includes at least one of the identity of the first network element, the identity of the second network element and the service parameter.
Further, optionally, before the first network element sends the key request to the first key management center, the method further includes:
the first network element sends a service request to a service server, where the service server performs service management between the first network element and the second network element;
the first network element receives a response message sent by the service server, the response message including at least one of an indicator, the identity of the first network element, the identity of the second network element and the service parameter, where the indicator indicates that authorization of the first business succeeded.
Alternatively, before the first network element sends the key request to the first key management center, the method further includes:
the first network element receives a service message sent by the service server, a gateway, the MME or the second network element, the service message including at least one of the identity of the first network element and the identity of the second network element.
Referring to Fig. 9, Fig. 9 is a schematic flowchart of an embodiment of the key acquisition method of the present invention. As shown in Fig. 9, the key acquisition method in the present embodiment includes:
901. The MME obtains a third parameter by performing AKA authentication with a first network element; the third parameter includes at least one of Kasme, an integrity key, an encryption key, a non-access stratum integrity key, a non-access stratum encryption key and a base station key.
902. The MME computes the output of a first preset key derivation function, and the key of the first network element includes that output, where the inputs of the first preset key derivation function include the first parameter.
In the present embodiment, the key of the first network element may be the business root key of the first network element or the shared key of the first network element; this is not limited here.
903. The MME sends the key of the first network element to the key management center corresponding to the first network element.
In the present embodiment, the key management center corresponding to the first network element is the key management center that manages the key of the first network element.
The present embodiment can be understood with reference to the descriptions of the embodiments shown in Fig. 2 to Fig. 5, and is not elaborated further here.
The key distribution method, the key generation method, the key reception method and the key acquisition method of the embodiments of the present invention have been described above. The first key management center, the first network element and the MME of the embodiments of the present invention are described below.
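The four flows above (Fig. 6 steps 601 to 605 with the optional second security protection parameter, Fig. 7 steps 701 to 706, the network-element side of Fig. 8, and the MME-side derivation of Fig. 9) can be exercised end to end with the following added Python example. It is not the patent's code and not a Huawei implementation; every concrete primitive is an assumption, since the description only speaks of a "preset key derivation function" and of "encrypt and/or integrity protect": HMAC-SHA256 stands in for the three preset derivation functions, an encrypt-then-MAC wrap stands in for the protection step that produces a security protection parameter, and the AKA outputs (Kasme, IK, CK) are constructed from a fixed seed so the example runs offline. The function names `kdf`, `protect`, `unprotect`, `aka`, `business_root_key`, `shared_key`, `business_key`, `fig6_flow`, `fig7_flow` and `tamper_detected` are all hypothetical.

```python
import hashlib
import hmac
import os

# Added example, not the patent's own code. HMAC-SHA256 is an assumed stand-in
# for the patent's "preset key derivation functions"; encrypt-then-MAC is an
# assumed stand-in for "encrypt and/or integrity protect".


def kdf(key: bytes, label: bytes, *inputs: bytes) -> bytes:
    """Preset key derivation function (assumed: HMAC-SHA256 with a label).

    Each input is length-prefixed so two different input lists can never
    collapse to the same byte string.
    """
    h = hmac.new(key, label, hashlib.sha256)
    for item in inputs:
        h.update(len(item).to_bytes(2, "big") + item)
    return h.digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream derived with the KDF, long enough to cover `length`."""
    blocks = -(-length // 32)
    return b"".join(kdf(enc_key, b"ks", nonce, i.to_bytes(4, "big")) for i in range(blocks))


def protect(shared_key: bytes, plaintext: bytes) -> bytes:
    """Build a security protection parameter: nonce || ciphertext || tag (encrypt-then-MAC)."""
    enc_key, mac_key = kdf(shared_key, b"enc"), kdf(shared_key, b"mac")
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unprotect(shared_key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a parameter modified in transit is rejected."""
    enc_key, mac_key = kdf(shared_key, b"enc"), kdf(shared_key, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("security protection parameter failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def aka(ne_id: bytes) -> dict:
    """Constructed AKA result (Kasme, IK, CK) for one network element.

    In a real network these come out of the AKA run with the MME; here they are
    derived from a fixed seed so the example is reproducible offline.
    """
    seed = hashlib.sha256(b"constructed-aka-seed:" + ne_id).digest()
    return {name: kdf(seed, name) for name in (b"Kasme", b"IK", b"CK")}


def business_root_key(first_param: dict) -> bytes:
    """First preset KDF (steps 601, 802, 902): business root key from the first parameter."""
    return kdf(first_param[b"Kasme"], b"business-root", first_param[b"IK"], first_param[b"CK"])


def shared_key(first_param: dict) -> bytes:
    """Third preset KDF: the network element's shared key with the key management center."""
    return kdf(first_param[b"Kasme"], b"kmc-shared", first_param[b"IK"], first_param[b"CK"])


def business_key(service_param: bytes, *root_keys: bytes) -> bytes:
    """Second preset KDF: business key from one or more root keys and the service parameter."""
    return kdf(root_keys[0], b"business-key", service_param, *root_keys[1:])


def fig6_flow(service_param: bytes) -> tuple:
    """Fig. 6 / Fig. 8: KMC and NE1 derive the business key independently; NE2 gets it wrapped."""
    p1, p2 = aka(b"NE1"), aka(b"NE2")        # held by the KMC (forwarded by the MME, Fig. 9) and by each NE
    bk_kmc = business_key(service_param, business_root_key(p1))   # 601-602
    spp1 = protect(shared_key(p2), bk_kmc)   # 603-604: first security protection parameter
    bk_ne1 = business_key(service_param, business_root_key(p1))   # 801-804: nothing received
    bk_ne2 = unprotect(shared_key(p2), spp1)  # 605: NE2 recovers the business key
    return bk_kmc, bk_ne1, bk_ne2


def fig7_flow() -> tuple:
    """Fig. 7: each NE receives the other's root key wrapped under its own shared key."""
    p1, p2 = aka(b"NE1"), aka(b"NE2")
    root1, root2 = business_root_key(p1), business_root_key(p2)   # 701
    sk1, sk2 = shared_key(p1), shared_key(p2)                     # 702
    spp1 = protect(sk1, root2)                                    # 703: for NE1
    spp2 = protect(sk2, root1)                                    # 704: for NE2
    bk_ne1 = business_key(b"", business_root_key(p1), unprotect(sk1, spp1))   # 705
    bk_ne2 = business_key(b"", unprotect(sk2, spp2), business_root_key(p2))   # 706
    return bk_ne1, bk_ne2


def tamper_detected() -> bool:
    """A security protection parameter with one bit changed in transit must be rejected."""
    sk2 = shared_key(aka(b"NE2"))
    spp = protect(sk2, business_root_key(aka(b"NE1")))
    flipped = spp[:20] + bytes([spp[20] ^ 0x01]) + spp[21:]
    try:
        unprotect(sk2, flipped)
    except ValueError:
        return True
    return False
```

Two points the code makes that the prose only implies: the business key in `fig6_flow` is never placed on the wire to NE1 at all, and the "and/or integrity protection" choice matters, because without the tag check in `unprotect` a modified parameter would silently yield a wrong root key rather than an error. The same `business_key` inputs must be supplied in the same order on both sides (root key of the first network element first), otherwise the two network elements derive different keys.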
Referring to Fig. 10, Fig. 10 is a schematic structural diagram of an embodiment of the first key management center of the present invention. In the present embodiment, the first key management center 1000 includes:
A first acquisition module 1001, configured to obtain a service parameter and the business root key of a first network element; the service parameter is a parameter of a first business, and the business root key of the first network element is generated from a key parameter obtained after authentication of the first network element.
A first generation module 1002, configured to generate a business key from the business root key of the first network element and the service parameter; the business key is used to encrypt and/or integrity-protect communication data of the first business between the first network element and a second network element.
The first key management center further includes either a second acquisition module 1003, a second generation module 1004 and a first sending module 1005; or a second sending module (not shown), in which case a secure channel is established between the first key management center and the second network element; or a third sending module (not shown). Of these:
The second acquisition module 1003 is configured to obtain the shared key of the second network element, which is used for communication between the first key management center and the second network element.
The second generation module 1004 is configured to encrypt and/or integrity-protect the business key using the shared key of the second network element, generating a first security protection parameter.
The first sending module 1005 is configured to send the first security protection parameter to the second network element.
The second sending module is configured to send the business key to the second network element over the secure channel.
The third sending module is configured to send the business key to a second key management center, so that the second key management center encrypts and/or integrity-protects the business key and sends it to the second network element.
In the present embodiment, the first key management center obtains the business root key of the first network element, and the preset method by which it generates the business key from that business root key is the same preset method by which the first network element generates the business key from the business root key of the first network element. The first key management center and the first network element therefore generate the same business key, so the first key management center need not send the business key to the first network element, which avoids any leakage of the business key while in transit to the first network element. In addition, the first key management center encrypts and/or integrity-protects the business key with the shared key of the second network element to generate the first security protection parameter and sends it to the second network element, so that the second network element can recover the business key from the first security protection parameter using its shared key. When the first network element and the second network element subsequently exchange communication data, they protect that data with the business key, so the communication data cannot be eavesdropped in transit.
In some possible implementations of the present invention, the first acquisition module 1001 is specifically configured to:
obtain a first parameter by performing AKA authentication with the first network element, the first parameter including at least one of Kasme, an integrity key and an encryption key;
compute the output of a first preset key derivation function, the business root key of the first network element including that output, where the inputs of the first preset key derivation function include the first parameter.
In some possible implementations of the present invention, the first acquisition module 1001 is specifically configured to:
receive the business root key of the first network element sent by the mobility management node MME, where the MME computes the business root key of the first network element from a first parameter that the MME obtained by performing AKA authentication with the first network element, the first parameter including at least one of Kasme, an integrity key and an encryption key.
In some possible implementations of the present invention, the first generation module 1002 is specifically configured to:
compute the output of a second preset key derivation function, the business key including that output, where the inputs of the second preset key derivation function include the business root key of the first network element and the service parameter.
As shown in Fig. 11, in some possible implementations of the present invention, the first key management center further includes:
A third acquisition module 1101, configured to obtain the business root key of the second network element; the inputs of the second preset key derivation function also include the business root key of the second network element.
A fourth acquisition module 1102, configured to obtain the shared key of the first network element, which is used for communication between the first key management center and the first network element.
A third generation module 1103, configured to encrypt and/or integrity-protect the business root key of the second network element using the shared key of the first network element, generating a second security protection parameter.
A fourth sending module 1104, configured to send the second security protection parameter to the first network element, so that the first network element obtains the business root key of the second network element from the second security protection parameter and computes the business key from the business root key of the second network element.
As shown in Fig. 12, in some possible implementations of the present invention, the first key management center further includes:
A first receiving module 1201, configured to receive, before the first generation module generates the business key from the business root key of the first network element and the service parameter, a key request sent by the first network element, the second network element, a gateway or a server; the key request is used to initiate generation of the business key and contains at least one of the identity of the first network element, the identity of the second network element and the service parameter of the first business.
In some possible implementations of the present invention, when the first key management center includes the second acquisition module 1003, the second generation module 1004 and the first sending module 1005, the second acquisition module 1003 is specifically configured to:
obtain a first parameter by performing AKA authentication with the second network element, the first parameter including at least one of Kasme, an integrity key and an encryption key;
compute the output of a third preset key derivation function, the shared key of the second network element including that output, where the inputs of the third preset key derivation function include the first parameter.
In some possible implementations of the present invention, when the first key management center includes the second acquisition module 1003, the second generation module 1004 and the first sending module 1005, the second acquisition module 1003 is specifically configured to:
receive the shared key of the second network element sent by the MME, where the MME computes the shared key of the second network element from a first parameter that the MME obtained by performing AKA authentication with the second network element, the first parameter including at least one of Kasme, an integrity key and an encryption key.
Referring to Fig. 13, Fig. 13 is a schematic structural diagram of another embodiment of the first key management center of the present invention. In the present embodiment, the first key management center 1300 includes:
A first acquisition module 1301, configured to obtain the business root key of a first network element and the business root key of a second network element.
A second acquisition module 1302, configured to obtain a first shared key and a second shared key; the first shared key is used for communication between the first key management center and the first network element, and the second shared key is used for communication between the first key management center and the second network element.
A first generation module 1303, configured to encrypt and/or integrity-protect the business root key of the second network element using the first shared key, generating a first security protection parameter.
A second generation module 1304, configured to encrypt and/or integrity-protect the business root key of the first network element using the second shared key, generating a second security protection parameter.
A first sending module 1305, configured to send the first security protection parameter to the first network element, so that the first network element obtains the business root key of the second network element from the first security protection parameter and generates a business key from the business root key of the first network element and the business root key of the second network element.
A second sending module 1306, configured to send the second security protection parameter to the second network element, so that the second network element obtains the business root key of the first network element from the second security protection parameter and generates the business key from the business root key of the first network element and the business root key of the second network element;
where the business key is used to encrypt and/or integrity-protect communication data of a first business between the first network element and the second network element.
In the present embodiment, the first key management center encrypts and/or integrity-protects the business root key of the first network element and sends it to the second network element, and encrypts and/or integrity-protects the business root key of the second network element and sends it to the first network element, so that the first network element and the second network element each compute the business key from the business root key of the first network element and the business root key of the second network element using the same preset method. Because the business key itself is not sent by the first key management center to either network element, the business key cannot be eavesdropped while in transit to a network element.
Figure 14 is referred to, Figure 14 is the structural representation of one embodiment of the first network element of the invention.This In embodiment, the first network element 1400 includes:
First acquisition module 1401, for authenticating the first parameter of acquisition, described first by carrying out AKA Parameter includes at least one in Kasme, Integrity Key and encryption key;
Second acquisition module 1402, for the business root of the first network element according to first parameter acquiring Key;
3rd acquisition module 1403, for obtaining service parameter, the service parameter is first business In parameter;
First generation module 1404, joins for the business root key according to first network element and the business Number generation business cipher key, the business cipher key is used for first between first network element and the second network element Communication data in business is encrypted and/or integrity protection.
In some possible implementation methods of the invention, first generation module 1404 specifically for:
The dependent variable that preset key derives function is calculated, the business cipher key is derived including the preset key The dependent variable of function;Wherein, the preset key derives argument of function includes first network element Business root key and the service parameter.
As shown in Figure 15, in some possible implementations of the invention, the first network element further includes:
a fourth acquisition module 1501, configured to obtain the identity of the second network element;
the inputs of the preset key derivation function further including the identity of the second network element.
As shown in Figure 16, in some possible implementations of the invention, the first network element further includes:
a fifth acquisition module 1601, configured to obtain the shared key of the first network element, the shared key of the first network element being used for communication between the first key management center and the first network element;
a first receiving module 1602, configured to receive a second security protection parameter sent by the first key management center;
a sixth acquisition module 1603, configured to decrypt the second security protection parameter using the shared key of the first network element to obtain the service root key of the second network element;
the first generation module 1404 being specifically configured to generate the service key according to the service root key of the first network element, the service root key of the second network element and the service parameter.
As shown in Figure 17, in some possible implementations of the invention, the first network element further includes:
a first sending module 1701, configured to send a key request to the first key management center before the first generation module generates the service key according to the service root key of the first network element and the service parameter, the key request being used to initiate generation of the service key and including at least one of the identity of the first network element, the identity of the second network element and the service parameter of the first service.
As shown in Figure 18, in some possible implementations of the invention, the first network element further includes:
a second sending module 1801, configured to send a service request to a service server before the first sending module 1701 sends the key request to the first key management center, the service server performing service management between the first network element and the second network element;
a second receiving module 1802, configured to receive a response message sent by the service server, the response message including at least one of an indicator, the identity of the first network element, the identity of the second network element and the service parameter of the first service, the indicator indicating that authorization of the first service succeeded.
As shown in Figure 19, in some possible implementations of the invention, the first network element further includes:
a third receiving module 1901, configured to receive, before the first sending module sends the key request to the first key management center, a service message sent by the service server, a gateway, the MME or the second network element, the service message including at least one of the identity of the first network element and the identity of the second network element.
Referring to Figure 20, Figure 20 is a schematic structural diagram of an embodiment of the mobility management node (MME) of the invention. In this embodiment, the mobility management node 2000 includes:
an acquisition module 2001, configured to obtain a third parameter by performing AKA authentication with the first network element, the third parameter including at least one of Kasme, an integrity key, a cipher key, a non-access-stratum integrity key, a non-access-stratum cipher key and a base station key;
a computing module 2002, configured to compute the output of a first preset key derivation function, the key of the first network element including that output, where the inputs of the first preset key derivation function include the first parameter;
a sending module 2003, configured to send the key of the first network element to the key management center corresponding to the first network element.
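The derivation chain that Figures 14, 15 and 20 describe in words, written out as an added example; this is not code from the patent. The patent fixes neither the concrete key derivation function nor any labels, key sizes or identifiers, so HMAC-SHA256, the labels, the Kasme value, the service parameter "svc-42" and the peer identity "ne-2" are all assumptions of this example (the key and identifiers are constructed). The MME and the first network element each run the first preset key derivation function on the AKA-derived parameter, and the service key is then bound to the service parameter and the peer identity:

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// kdf plays the role of the patent's "preset key derivation function". The
// page does not fix a concrete KDF; HMAC-SHA256 keyed with the parent key,
// over a label plus length-prefixed inputs, is this example's choice.
func kdf(parent []byte, label string, inputs ...[]byte) []byte {
	m := hmac.New(sha256.New, parent)
	m.Write([]byte(label))
	for _, in := range inputs {
		// Length prefix so that ("ab","c") and ("a","bc") do not collide.
		m.Write([]byte{byte(len(in) >> 8), byte(len(in))})
		m.Write(in)
	}
	return m.Sum(nil)
}

// kasme stands in for the "first parameter" that AKA authentication yields
// (Kasme, or the integrity key or cipher key). The value is constructed for
// this example; a real Kasme comes out of EPS AKA and is never hard-coded.
var kasme = mustHex("0f1e2d3c4b5a69788796a5b4c3d2e1f0ffeeddccbbaa99887766554433221100")

func mustHex(s string) []byte {
	b, err := hex.DecodeString(s)
	if err != nil {
		panic(err)
	}
	return b
}

// ServiceRootKey is the "first preset key derivation function": its input
// includes the AKA-derived first parameter. The MME (or the key management
// center) and the first network element each run it locally on their own
// copy of that parameter, so the root key itself never has to be sent.
func ServiceRootKey(firstParam []byte) []byte {
	return kdf(firstParam, "service-root-key")
}

// ServiceKey is the "second preset key derivation function" of Figures 14
// and 15: its inputs include the service root key, the service parameter
// and the identity of the peer network element, so a key for one service
// and one peer is useless for any other.
func ServiceKey(rootKey []byte, serviceParam, peerID string) []byte {
	return kdf(rootKey, "service-key", []byte(serviceParam), []byte(peerID))
}

// KeysMatch compares two derived keys in constant time.
func KeysMatch(a, b []byte) bool { return hmac.Equal(a, b) }

func main() {
	// MME side (Figure 20): derive the first network element's key from the
	// AKA output and hand it to the key management center.
	rootAtMME := ServiceRootKey(kasme)

	// First network element side (Figures 14 and 15): the same derivation
	// from its own AKA output, then the service key for service "svc-42"
	// with peer "ne-2" (both identifiers are constructed).
	rootAtNE1 := ServiceRootKey(kasme)
	keyAtNE1 := ServiceKey(rootAtNE1, "svc-42", "ne-2")

	// The key management center reaches the same service key from the root
	// key it received from the MME.
	keyAtKMC := ServiceKey(rootAtMME, "svc-42", "ne-2")

	fmt.Printf("service root key : %x\n", rootAtNE1)
	fmt.Printf("service key (NE1): %x\n", keyAtNE1)
	fmt.Println("NE1 and KMC agree:", KeysMatch(keyAtNE1, keyAtKMC))
	fmt.Println("other service differs:", !KeysMatch(keyAtNE1, ServiceKey(rootAtNE1, "svc-43", "ne-2")))
}
```

The point to take from it is the binding: the service key changes with the service parameter and with the peer identity, so a key leaked from one service or one peer relationship does not carry over, and the root key is derived on both sides rather than transmitted. What the page does not specify, and this example therefore does not claim, is any freshness input; a deployment that needs a new service key per session would add a nonce or counter to the inputs of the second preset key derivation function.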
The first key management center, the first network element and the MME of the embodiments of the invention have been described above from the perspective of modular functional entities; they are described below from the perspective of hardware processing.
Referring to Figure 21, Figure 21 is a schematic structural diagram of an embodiment of the first key management center of the invention. In this embodiment, the first key management center 2100 includes:
a processor 2101 and a memory 2102 coupled to the processor 2101, where the processor 2101 reads the computer program stored in the memory 2102 to perform the following operations:
obtaining a service parameter and the service root key of the first network element, the service parameter being a parameter of the first service, and the service root key of the first network element being generated according to the key parameter obtained after authentication of the first network element;
generating a service key according to the service root key of the first network element and the service parameter, the service key being used to encrypt and/or integrity-protect the communication data of the first service between the first network element and the second network element;
performing one of the following steps A, B and C:
A. the first key management center obtains the shared key of the second network element, the shared key of the second network element being used for communication between the first key management center and the second network element;
the first key management center encrypts and/or integrity-protects the service key using the shared key of the second network element to generate a first security protection parameter;
the first key management center sends the first security protection parameter to the second network element;
B. a secure channel is established between the first key management center and the second network element, and the first key management center sends the service key to the second network element over the secure channel;
C. the service key is sent to a second key management center, so that the second key management center encrypts and/or integrity-protects the service key and then sends it to the second network element.
In a first possible implementation of the invention, obtaining the service root key of the first network element includes:
the first key management center obtaining a first parameter by performing AKA authentication with the first network element, the first parameter including at least one of Kasme, an integrity key and a cipher key;
the first key management center computing the output of a first preset key derivation function, the service root key of the first network element including that output, where the inputs of the first preset key derivation function include the first parameter.
In some possible implementations of the invention, obtaining the service root key of the first network element includes:
the first key management center receiving the service root key of the first network element sent by the mobility management node (MME), where the service root key of the first network element is computed by the MME from a first parameter that the MME obtained by performing AKA authentication with the first network element, the first parameter including at least one of Kasme, an integrity key and a cipher key.
In some possible implementations of the invention, generating the service key according to the service root key of the first network element and the service parameter includes:
the first key management center computing the output of a second preset key derivation function, the service key including that output, where the inputs of the second preset key derivation function include the service root key of the first network element and the service parameter.
Further, the processor 2101 is also configured to perform the following steps:
obtaining the service root key of the second network element, the inputs of the second preset key derivation function further including the service root key of the second network element;
obtaining the shared key of the first network element, the shared key of the first network element being used for communication between the first key management center and the first network element;
encrypting and/or integrity-protecting the service root key of the second network element using the shared key of the first network element to generate a second security protection parameter;
sending the second security protection parameter to the first network element, so that the first network element obtains the service root key of the second network element from the second security protection parameter and computes the service key according to the service root key of the second network element.
In some possible implementations of the invention, before generating the service key according to the service root key of the first network element and the service parameter by the preset method, the processor 2101 also performs the following step:
receiving a key request sent by the first network element, the second network element, a gateway or a server, the key request being used to initiate generation of the service key and including at least one of the identity of the first network element, the identity of the second network element and the service parameter of the first service.
In some possible implementations of the invention, when the processor 2101 performs step A, obtaining the shared key of the second network element includes:
obtaining a first parameter by performing AKA authentication with the second network element, the first parameter including at least one of Kasme, an integrity key and a cipher key;
computing the output of a third preset key derivation function, the shared key of the second network element including that output, where the inputs of the third preset key derivation function include the first parameter.
In some possible implementations of the invention, when the processor 2101 performs step A, obtaining the shared key of the second network element includes:
receiving the shared key of the second network element sent by the MME, where the shared key of the second network element is computed by the MME from a first parameter that the MME obtained by performing AKA authentication with the second network element, the first parameter including at least one of Kasme, an integrity key and a cipher key.
Referring to Figure 22, Figure 22 is a schematic structural diagram of another embodiment of the first key management center of the invention. In this embodiment, the first key management center 2200 includes:
a processor 2201 and a memory 2202 coupled to the processor 2201, where the processor 2201 reads the computer program stored in the memory 2202 to perform the following operations:
obtaining the service root key of the first network element and the service root key of the second network element;
obtaining a first shared key and a second shared key, the first shared key being used for communication between the first key management center and the first network element, and the second shared key being used for communication between the first key management center and the second network element;
encrypting and/or integrity-protecting the service root key of the second network element using the first shared key to generate a first security protection parameter;
encrypting and/or integrity-protecting the service root key of the first network element using the second shared key to generate a second security protection parameter;
sending the first security protection parameter to the first network element, so that the first network element obtains the service root key of the second network element from the first security protection parameter and generates the service key according to the service root key of the first network element and the service root key of the second network element;
sending the second security protection parameter to the second network element, so that the second network element obtains the service root key of the first network element from the second security protection parameter and generates the service key according to the service root key of the first network element and the service root key of the second network element;
where the service key is used to encrypt and/or integrity-protect the communication data of the first service between the first network element and the second network element.
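The protection of a service root key under a shared key, as used in step A of Figure 21 and for the two security protection parameters of Figure 22, as an added example that is not part of the patent. The page says only "encrypt and/or integrity-protect" and names no cipher; this example chooses AES-256-GCM, which provides both, and binds each parameter to its recipient and service through the GCM associated data. That binding, the HMAC-SHA256 preset method, and all key values and identifiers are assumptions of this example (the keys and identifiers are constructed):

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
)

// Param is the patent's "security protection parameter": a service root key
// encrypted and integrity-protected under the recipient's shared key. The page
// names no cipher; AES-256-GCM is this example's choice and gives both at once.
type Param struct {
	Nonce, Ciphertext []byte // Ciphertext carries the GCM tag
}

func newGCM(sharedKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(sharedKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Protect runs on the key management center. aad binds the parameter to its
// recipient and service (format assumed here) so it cannot be replayed elsewhere.
func Protect(sharedKey, rootKey []byte, aad string) (Param, error) {
	gcm, err := newGCM(sharedKey)
	if err != nil {
		return Param{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Param{}, err
	}
	return Param{nonce, gcm.Seal(nil, nonce, rootKey, []byte(aad))}, nil
}

// Unprotect runs on the receiving network element. A wrong shared key, a
// modified ciphertext or a mismatched aad makes Open fail rather than yield a key.
func Unprotect(sharedKey []byte, p Param, aad string) ([]byte, error) {
	gcm, err := newGCM(sharedKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, p.Nonce, p.Ciphertext, []byte(aad))
}

// ServiceKeyFromRoots is the "same preset method" both sides apply to the two
// root keys and the service parameter (HMAC-SHA256 here; the page leaves it open).
func ServiceKeyFromRoots(rootNE1, rootNE2 []byte, serviceParam string) []byte {
	m := hmac.New(sha256.New, append(append([]byte{}, rootNE1...), rootNE2...))
	m.Write([]byte("service-key:" + serviceParam))
	return m.Sum(nil)
}

// demoKey yields deterministic 32-byte keys for the constructed scenario.
func demoKey(label string) []byte {
	h := sha256.Sum256([]byte("constructed:" + label))
	return h[:]
}

// Constructed keys: in the patent the shared keys come from AKA (third preset
// KDF) or from the MME, and the root keys from the first preset KDF.
var sharedKeyNE1, sharedKeyNE2 = demoKey("shared-ne1"), demoKey("shared-ne2")
var rootNE1, rootNE2 = demoKey("root-ne1"), demoKey("root-ne2")

// KMCDistribute builds the first and second security protection parameters as
// in Figure 22: NE2's root under NE1's shared key, NE1's root under NE2's.
func KMCDistribute(serviceParam string) (p1, p2 Param, err error) {
	if p1, err = Protect(sharedKeyNE1, rootNE2, "to:ne-1|"+serviceParam); err != nil {
		return
	}
	p2, err = Protect(sharedKeyNE2, rootNE1, "to:ne-2|"+serviceParam)
	return
}

// NE1ServiceKey and NE2ServiceKey are the receiving sides: recover the peer's
// root key, then derive the service key from both roots in the fixed order.
func NE1ServiceKey(p1 Param, serviceParam string) ([]byte, error) {
	peer, err := Unprotect(sharedKeyNE1, p1, "to:ne-1|"+serviceParam)
	if err != nil {
		return nil, err
	}
	return ServiceKeyFromRoots(rootNE1, peer, serviceParam), nil
}

func NE2ServiceKey(p2 Param, serviceParam string) ([]byte, error) {
	peer, err := Unprotect(sharedKeyNE2, p2, "to:ne-2|"+serviceParam)
	if err != nil {
		return nil, err
	}
	return ServiceKeyFromRoots(peer, rootNE2, serviceParam), nil
}

func KeysMatch(a, b []byte) bool { return hmac.Equal(a, b) }
```

Calling `KMCDistribute("svc-42")` and then `NE1ServiceKey` and `NE2ServiceKey` on the two parameters yields the same service key on both network elements. Two details carry the security argument of the embodiment. First, the key management center never sends the service key; each side receives the other side's root key, and an eavesdropper who captures a parameter recovers nothing without the corresponding shared key. Second, a parameter must be tied to its recipient: if "and/or" were read as encryption without integrity protection, a network element would accept a modified or replayed root key and derive a service key the key management center never intended, which is why this example always authenticates and why a mismatched recipient, service or ciphertext makes Open fail.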
Referring to Figure 23, Figure 23 is a schematic structural diagram of an embodiment of the first network element of the invention. In this embodiment, the first network element 2300 includes:
a processor 2301 and a memory 2302 coupled to the processor 2301, where the processor 2301 reads the computer program stored in the memory 2302 to perform the following operations:
obtaining a first parameter by performing AKA authentication, the first parameter including at least one of Kasme, an integrity key and a cipher key;
obtaining the service root key of the first network element according to the first parameter;
obtaining a service parameter, the service parameter being a parameter of the first service;
generating a service key according to the service root key of the first network element and the service parameter, the service key being used to encrypt and/or integrity-protect the communication data of the first service between the first network element and the second network element.
In some possible implementations of the invention, generating the service key according to the service root key of the first network element and the service parameter includes:
computing the output of a preset key derivation function, the service key including that output, where the inputs of the preset key derivation function include the service root key of the first network element and the service parameter.
In some possible implementations of the invention, the processor 2301 is also configured to perform the following step:
obtaining the identity of the second network element, the inputs of the preset key derivation function further including the identity of the second network element.
In some possible implementations of the invention, the processor 2301 is also configured to perform the following steps:
obtaining the shared key of the first network element, the shared key of the first network element being used for communication between the first key management center and the first network element;
receiving the second security protection parameter sent by the first key management center;
decrypting the second security protection parameter using the shared key of the first network element to obtain the service root key of the second network element;
in which case generating the service key according to the service root key of the first network element and the service parameter includes:
generating the service key according to the service root key of the first network element, the service root key of the second network element and the service parameter.
In some possible implementations of the invention, before generating the service key according to the service root key of the first network element and the service parameter, the processor 2301 also performs the following step:
sending a key request to the first key management center, the key request being used to initiate generation of the service key and including at least one of the identity of the first network element, the identity of the second network element and the service parameter of the first service.
Further, in some possible implementations of the invention, before sending the key request to the first key management center, the processor 2301 also performs the following steps:
sending a service request to a service server, the service server performing service management between the first network element and the second network element;
receiving a response message sent by the service server, the response message including at least one of an indicator, the identity of the first network element, the identity of the second network element and the service parameter of the first service, the indicator indicating that authorization of the first service succeeded.
Alternatively, in some possible implementations of the invention, before sending the key request to the first key management center, the processor 2301 performs the following step:
receiving a service message sent by the service server, a gateway, the MME or the second network element, the service message including at least one of the identity of the first network element and the identity of the second network element.
Referring to Figure 24, Figure 24 is a schematic structural diagram of an embodiment of the mobility management node (MME) of the invention. In this embodiment, the mobility management node 2400 includes:
a processor 2401 and a memory 2402 coupled to the processor 2401, where the processor 2401 reads the computer program stored in the memory 2402 to perform the following operations:
obtaining a third parameter by performing AKA authentication with the first network element, the third parameter including at least one of Kasme, an integrity key, a cipher key, a non-access-stratum integrity key, a non-access-stratum cipher key and a base station key;
computing the output of a first preset key derivation function, the key of the first network element including that output, where the inputs of the first preset key derivation function include the first parameter;
sending the key of the first network element to the key management center corresponding to the first network element.
Those skilled in the art can clearly understand that, for convenience and brevity of description, the specific working processes of the systems, apparatuses and units described above may refer to the corresponding processes in the foregoing method embodiments and are not repeated here.
In the several embodiments provided in this application, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative: the division into units is only a division by logical function, and another division may be used in an actual implementation, for instance multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Furthermore, the mutual couplings, direct couplings or communication connections shown or discussed may be indirect couplings or communication connections through interfaces, apparatuses or units, and may be electrical, mechanical or of another form.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network elements. Some or all of the units may be selected according to actual needs to achieve the purpose of the embodiment.
In addition, the functional units in the embodiments of the invention may be integrated into one processing unit, or each unit may exist physically on its own, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
If the integrated unit is implemented as a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. On this understanding, the technical solution of the invention in essence, or the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium and including instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to perform all or some of the steps of the methods of the embodiments of the invention. The storage medium includes any medium that can store program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disc.
The embodiments above are merely intended to illustrate the technical solutions of the invention, not to limit them. Although the invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents, without such modifications or replacements causing the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the invention.

Claims (34)

1. A key distribution method, comprising:
obtaining, by a first key management center, a service parameter and a service root key of a first network element, the service parameter being a parameter of a first service, and the service root key of the first network element being generated according to a key parameter obtained after authentication of the first network element;
generating, by the first key management center, a service key according to the service root key of the first network element and the service parameter, the service key being used to encrypt and/or integrity-protect communication data of the first service between the first network element and a second network element; and
performing, by the first key management center, one of the following steps A, B and C:
A. obtaining, by the first key management center, a shared key of the second network element, the shared key of the second network element being used for communication between the first key management center and the second network element;
encrypting and/or integrity-protecting, by the first key management center, the service key using the shared key of the second network element to generate a first security protection parameter; and
sending, by the first key management center, the first security protection parameter to the second network element;
B. establishing a secure channel between the first key management center and the second network element, and sending, by the first key management center, the service key to the second network element over the secure channel;
C. sending the service key to a second key management center, so that the second key management center encrypts and/or integrity-protects the service key and then sends it to the second network element.
2. The key distribution method according to claim 1, wherein obtaining, by the first key management center, the service root key of the first network element comprises:
obtaining, by the first key management center, a first parameter by performing AKA authentication with the first network element, the first parameter comprising at least one of Kasme, an integrity key and a cipher key; and
computing, by the first key management center, the output of a first preset key derivation function, the service root key of the first network element comprising that output, wherein the inputs of the first preset key derivation function comprise the first parameter.
3. The key distribution method according to claim 1, wherein obtaining, by the first key management center, the service root key of the first network element comprises:
receiving, by the first key management center, the service root key of the first network element sent by a mobility management node (MME), wherein the service root key of the first network element is computed by the MME from a first parameter, the first parameter is obtained by the MME by performing AKA authentication with the first network element, and the first parameter comprises at least one of Kasme, an integrity key and a cipher key.
4. The key distribution method according to any one of claims 1 to 3, wherein generating, by the first key management center, the service key according to the service root key of the first network element and the service parameter comprises:
computing, by the first key management center, the output of a second preset key derivation function, the service key comprising that output, wherein the inputs of the second preset key derivation function comprise the service root key of the first network element and the service parameter.
5. The key distribution method according to claim 4, further comprising:
obtaining, by the first key management center, a service root key of the second network element, the inputs of the second preset key derivation function further comprising the service root key of the second network element;
obtaining, by the first key management center, a shared key of the first network element, the shared key of the first network element being used for communication between the first key management center and the first network element;
encrypting and/or integrity-protecting, by the first key management center, the service root key of the second network element using the shared key of the first network element to generate a second security protection parameter; and
sending, by the first key management center, the second security protection parameter to the first network element, so that the first network element obtains the service root key of the second network element from the second security protection parameter and computes the service key according to the service root key of the second network element.
6. The key distribution method according to claim 1, wherein before the first key management center generates the service key according to the service root key of the first network element and the service parameter by a preset method, the method further comprises:
receiving, by the first key management center, a key request sent by the first network element, the second network element, a gateway or a server, the key request being used to initiate generation of the service key and comprising at least one of an identity of the first network element, an identity of the second network element and the service parameter.
7. The key distribution method according to claim 1, wherein when the first key management center performs step A, obtaining, by the first key management center, the shared key of the second network element comprises:
obtaining, by the first key management center, a first parameter by performing AKA authentication with the second network element, the first parameter comprising at least one of Kasme, an integrity key and a cipher key; and
computing, by the first key management center, the output of a third preset key derivation function, the shared key of the second network element comprising that output, wherein the inputs of the third preset key derivation function comprise the first parameter.
8. The key distribution method according to claim 1, wherein when the first key management center performs step A, obtaining, by the first key management center, the shared key of the second network element comprises:
receiving, by the first key management center, the shared key of the second network element sent by an MME, wherein the shared key of the second network element is computed by the MME from a first parameter, the first parameter is obtained by the MME by performing AKA authentication with the second network element, and the first parameter comprises at least one of Kasme, an integrity key and a cipher key.
9. A key generation method, comprising:
obtaining, by a first key management center, a service root key of a first network element and a service root key of a second network element;
obtaining, by the first key management center, a first shared key and a second shared key, the first shared key being used for communication between the first key management center and the first network element, and the second shared key being used for communication between the first key management center and the second network element;
encrypting and/or integrity-protecting, by the first key management center, the service root key of the second network element using the first shared key to generate a first security protection parameter;
encrypting and/or integrity-protecting, by the first key management center, the service root key of the first network element using the second shared key to generate a second security protection parameter;
sending, by the first key management center, the first security protection parameter to the first network element, so that the first network element obtains the service root key of the second network element from the first security protection parameter and generates a service key according to the service root key of the first network element and the service root key of the second network element; and
sending, by the first key management center, the second security protection parameter to the second network element, so that the second network element obtains the service root key of the first network element from the second security protection parameter and generates the service key according to the service root key of the first network element and the service root key of the second network element;
wherein the service key is used to encrypt and/or integrity-protect communication data of a first service between the first network element and the second network element.
10. A key generation method, comprising:
obtaining, by a first network element, a first parameter by performing AKA authentication, the first parameter comprising at least one of Kasme, an integrity key and a cipher key;
obtaining, by the first network element, a service root key of the first network element according to the first parameter;
obtaining, by the first network element, a service parameter, the service parameter being a parameter of a first service; and
generating, by the first network element, a service key according to the service root key of the first network element and the service parameter, the service key being used to encrypt and/or integrity-protect communication data of the first service between the first network element and a second network element.
11. The key receiving method according to claim 10, wherein generating, by the first network element, the service key according to the service root key of the first network element and the service parameter comprises:
computing, by the first network element, the output of a preset key derivation function, the service key comprising that output, wherein the inputs of the preset key derivation function comprise the service root key of the first network element and the service parameter.
12. The key reception method according to claim 11, characterized in that the method further comprises:
the first network element obtaining the identity of the second network element;
the inputs of the preset key derivation function further including the identity of the second network element.
13. The key reception method according to claim 10, characterized in that the key reception method further comprises:
the first network element obtaining a shared key of the first network element, the shared key of the first network element being used for communication between the first key management center and the first network element;
the first network element receiving a second security protection parameter sent by the first key management center;
the first network element decrypting the second security protection parameter with the shared key of the first network element to obtain the business root key of the second network element;
and the first network element generating the business key from the business root key of the first network element and the service parameter comprises:
the first network element generating the business key from the business root key of the first network element, the business root key of the second network element and the service parameter.
14. The key reception method according to claim 10, characterized in that, before the first network element generates the business key from the business root key of the first network element and the service parameter, the method further comprises:
the first network element sending a key request to the first key management center, the key request being used to initiate generation of the business key and including at least one of the identity of the first network element, the identity of the second network element and the service parameter.
15. The key reception method according to claim 14, characterized in that, before the first network element sends the key request to the first key management center, the method further comprises:
the first network element sending a service request to a service server, the service server being used to perform service management between the first network element and the second network element;
the first network element receiving a response message sent by the service server, the response message including at least one of an indicator, the identity of the first network element, the identity of the second network element and the service parameter, wherein the indicator indicates that authorization of the first business succeeded.
16. The key reception method according to claim 14, characterized in that, before the first network element sends the key request to the first key management center, the method further comprises:
the first network element receiving a service message sent by a service server, a gateway, an MME or the second network element, the service message including at least one of the identity of the first network element and the identity of the second network element.
17. A method for obtaining a key, characterized by comprising:
an MME obtaining a third parameter by performing AKA authentication with a first network element, the third parameter including at least one of Kasme, an integrity key, an encryption key, a non-access-stratum integrity key, a non-access-stratum encryption key and a base station key;
the MME computing the output of a first preset key derivation function, the key of the first network element comprising that output; wherein the inputs of the first preset key derivation function include the first parameter;
the MME sending the key of the first network element to the key management center corresponding to the first network element.
18. A first key management center, characterized by comprising:
a first acquisition module, for obtaining a service parameter and the business root key of a first network element, the service parameter being a parameter of the first business and the business root key of the first network element being generated from the key parameter obtained after authentication of the first network element;
a first generation module, for generating a business key from the business root key of the first network element and the service parameter, the business key being used to encrypt and/or integrity-protect the communication data of the first business between the first network element and a second network element;
the first key management center further comprising either a second acquisition module, a second generation module and a first sending module; or a second sending module, with a secure channel established between the first key management center and the second network element; or a third sending module; wherein:
the second acquisition module is used to obtain a shared key of the second network element, the shared key of the second network element being used for communication between the first key management center and the second network element;
the second generation module is used to encrypt and/or integrity-protect the business key with the shared key of the second network element, generating a first security protection parameter;
the first sending module is used to send the first security protection parameter to the second network element;
the second sending module is used to send the business key to the second network element over the secure channel;
the third sending module is used to send the business key to a second key management center, so that the second key management center encrypts and/or integrity-protects the business key and then sends it to the second network element.
19. The first key management center according to claim 18, characterized in that the first acquisition module is specifically used to:
obtain a first parameter by performing AKA authentication with the first network element, the first parameter including at least one of Kasme, an integrity key and an encryption key;
compute the output of a first preset key derivation function, the business root key of the first network element comprising that output; wherein the inputs of the first preset key derivation function include the first parameter.
20. The first key management center according to claim 18, characterized in that the first acquisition module is specifically used to:
receive the business root key of the first network element sent by a mobility management node MME, wherein the business root key of the first network element is computed by the MME from a first parameter, the first parameter is obtained by the MME through AKA authentication with the first network element, and the first parameter includes at least one of Kasme, an integrity key and an encryption key.
21. The first key management center according to any one of claims 18 to 20, characterized in that the first generation module is specifically used to:
compute the output of a second preset key derivation function, the business key comprising that output; wherein the inputs of the second preset key derivation function include the business root key of the first network element and the service parameter.
22. The first key management center according to claim 21, characterized in that the first key management center further comprises:
a third acquisition module, for obtaining the business root key of the second network element, the inputs of the second preset key derivation function further including the business root key of the second network element;
a fourth acquisition module, for obtaining a shared key of the first network element, the shared key of the first network element being used for communication between the first key management center and the first network element;
a third generation module, for encrypting and/or integrity-protecting the business root key of the second network element with the shared key of the first network element, generating a second security protection parameter;
a fourth sending module, for sending the second security protection parameter to the first network element, so that the first network element obtains the business root key of the second network element from the second security protection parameter and computes the business key from the business root key of the second network element.
23. The first key management center according to claim 18, characterized in that the first key management center further comprises:
a first receiving module, for receiving, before the first generation module generates the business key from the business root key of the first network element and the service parameter, a key request sent by the first network element, the second network element, a gateway or a server, the key request being used to initiate generation of the business key and containing at least one of the identity of the first network element, the identity of the second network element and the service parameter.
24. The first key management center according to claim 18, characterized in that, when the first key management center comprises the second acquisition module, the second generation module and the first sending module, the second acquisition module is specifically used to:
obtain a first parameter by performing AKA authentication with the second network element, the first parameter including at least one of Kasme, an integrity key and an encryption key;
compute the output of a third preset key derivation function, the shared key of the second network element comprising that output; wherein the inputs of the third preset key derivation function include the first parameter.
25. The first key management center according to claim 18, characterized in that, when the first key management center comprises the second acquisition module, the second generation module and the first sending module, the second acquisition module is specifically used to:
receive the shared key of the second network element sent by an MME, wherein the shared key of the second network element is computed by the MME from a first parameter, the first parameter is obtained by the MME through AKA authentication with the second network element, and the first parameter includes at least one of Kasme, an integrity key and an encryption key.
26. A first key management center, characterized by comprising:
a first acquisition module, for obtaining the business root key of a first network element and the business root key of a second network element;
a second acquisition module, for obtaining a first shared key and a second shared key, the first shared key being used for communication between the first key management center and the first network element, and the second shared key being used for communication between the first key management center and the second network element;
a first generation module, for encrypting and/or integrity-protecting the business root key of the second network element with the first shared key, generating a first security protection parameter;
a second generation module, for encrypting and/or integrity-protecting the business root key of the first network element with the second shared key, generating a second security protection parameter;
a first sending module, for sending the first security protection parameter to the first network element, so that the first network element obtains the business root key of the second network element from the first security protection parameter and generates the business key from the business root key of the first network element and the business root key of the second network element;
a second sending module, for sending the second security protection parameter to the second network element, so that the second network element obtains the business root key of the first network element from the second security protection parameter and generates the business key from the business root key of the first network element and the business root key of the second network element;
wherein the business key is used to encrypt and/or integrity-protect the communication data of the first business between the first network element and the second network element.
27. A first network element, characterized by comprising:
a first acquisition module, for obtaining a first parameter by performing AKA authentication, the first parameter including at least one of Kasme, an integrity key and an encryption key;
a second acquisition module, for obtaining the business root key of the first network element from the first parameter;
a third acquisition module, for obtaining a service parameter, the service parameter being a parameter of the first business;
a first generation module, for generating a business key from the business root key of the first network element and the service parameter, the business key being used to encrypt and/or integrity-protect the communication data of the first business between the first network element and a second network element.
28. The first network element according to claim 27, characterized in that the first generation module is specifically used to:
compute the output of a preset key derivation function, the business key comprising that output; wherein the inputs of the preset key derivation function include the business root key of the first network element and the service parameter.
29. The first network element according to claim 28, characterized in that the first network element further comprises:
a fourth acquisition module, for obtaining the identity of the second network element;
the inputs of the preset key derivation function further including the identity of the second network element.
30. The first network element according to claim 27, characterized in that the first network element further comprises:
a fifth acquisition module, for obtaining a shared key of the first network element, the shared key of the first network element being used for communication between the first key management center and the first network element;
a first receiving module, for receiving a second security protection parameter sent by the first key management center;
a sixth acquisition module, for decrypting the second security protection parameter with the shared key of the first network element to obtain the business root key of the second network element;
the first generation module being specifically used to generate the business key from the business root key of the first network element, the business root key of the second network element and the service parameter.
31. The first network element according to claim 27, characterized in that the first network element further comprises:
a first sending module, for sending, before the first generation module generates the business key from the business root key of the first network element and the service parameter, a key request to the first key management center, the key request being used to initiate generation of the business key and including at least one of the identity of the first network element, the identity of the second network element and the service parameter.
32. The first network element according to claim 31, characterized in that the first network element further comprises:
a second sending module, for sending, before the first sending module sends the key request to the first key management center, a service request to a service server, the service server being used to perform service management between the first network element and the second network element;
a second receiving module, for receiving a response message sent by the service server, the response message including at least one of an indicator, the identity of the first network element, the identity of the second network element and the service parameter, wherein the indicator indicates that authorization of the first business succeeded.
33. The first network element according to claim 31, characterized in that the first network element further comprises:
a third receiving module, for receiving, before the first sending module sends the key request to the first key management center, a service message sent by a service server, a gateway, an MME or the second network element, the service message including at least one of the identity of the first network element and the identity of the second network element.
34. A mobility management node, characterized by comprising:
an acquisition module, for obtaining a third parameter by performing AKA authentication with a first network element, the third parameter including at least one of Kasme, an integrity key, an encryption key, a non-access-stratum integrity key, a non-access-stratum encryption key and a base station key;
a computing module, for computing the output of a first preset key derivation function, the key of the first network element comprising that output; wherein the inputs of the first preset key derivation function include the first parameter;
a sending module, for sending the key of the first network element to the key management center corresponding to the first network element.
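The key hierarchy the claims describe (a business root key and a KMC shared key derived from the AKA output as in claims 10, 19 and 24, the two root keys exchanged under the peer's shared key as security protection parameters as in claims 13 and 26, and a business key derived from both root keys plus the service parameter) as an added worked example; this is not the patent's own code, and the HMAC-based KDF, the encrypt-then-MAC wrapping, the Kasme values and the service parameter are constructed stand-ins, since the claims fix no concrete primitives.

```python
import hashlib
import hmac
import os


def kdf(key: bytes, *inputs: bytes) -> bytes:
    """Preset key derivation function (constructed): HKDF-style extract-then-
    expand over HMAC-SHA256, 32-byte output. Inputs are length-prefixed so that
    different splits of the same bytes never derive the same key."""
    info = b"".join(len(x).to_bytes(2, "big") + x for x in inputs)
    prk = hmac.new(b"constructed-kdf-salt", key, hashlib.sha256).digest()
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()


def protect(shared_key: bytes, plaintext: bytes) -> bytes:
    """Build a security protection parameter: encrypt-then-MAC of one 32-byte
    key under sub-keys of the shared key. Stand-in for a real AEAD (AES-GCM)."""
    k_enc, k_mac = kdf(shared_key, b"enc"), kdf(shared_key, b"mac")
    nonce = os.urandom(16)
    stream = hmac.new(k_enc, nonce, hashlib.sha256).digest()  # one keystream block
    assert len(plaintext) <= len(stream), "example wraps at most 32 bytes"
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unprotect(shared_key: bytes, param: bytes) -> bytes:
    """Verify the tag first, then decrypt; a modified parameter is refused."""
    k_enc, k_mac = kdf(shared_key, b"enc"), kdf(shared_key, b"mac")
    nonce, ct, tag = param[:16], param[16:-32], param[-32:]
    expected = hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("security protection parameter failed integrity check")
    stream = hmac.new(k_enc, nonce, hashlib.sha256).digest()
    return bytes(c ^ s for c, s in zip(ct, stream))


def root_and_shared_keys(kasme: bytes):
    """Business root key (claims 10/19) and KMC shared key (claim 24), both
    derived from Kasme, so the network element and the KMC compute them alike."""
    return kdf(kasme, b"business-root-key"), kdf(kasme, b"kmc-shared-key")


def business_key(root_1: bytes, root_2: bytes, service_param: bytes) -> bytes:
    """Business key = KDF(root key of NE1, root key of NE2, service parameter)."""
    return kdf(root_1, root_2, service_param)


def key_management_center(kasme_1, kasme_2, service_param):
    """KMC side (claim 26): wrap each root key under the *other* NE's shared key.
    Returns (business key, first parameter for NE1, second parameter for NE2)."""
    root_1, shared_1 = root_and_shared_keys(kasme_1)
    root_2, shared_2 = root_and_shared_keys(kasme_2)
    first_param = protect(shared_1, root_2)   # NE1 learns NE2's root key
    second_param = protect(shared_2, root_1)  # NE2 learns NE1's root key
    return business_key(root_1, root_2, service_param), first_param, second_param


def first_network_element(kasme_1, first_param, service_param):
    root_1, shared_1 = root_and_shared_keys(kasme_1)
    return business_key(root_1, unprotect(shared_1, first_param), service_param)


def second_network_element(kasme_2, second_param, service_param):
    root_2, shared_2 = root_and_shared_keys(kasme_2)
    return business_key(unprotect(shared_2, second_param), root_2, service_param)


def rejects_tampering(kasme_1, first_param, service_param) -> bool:
    """True if NE1 refuses a first parameter with one ciphertext byte flipped."""
    bad = bytearray(first_param)
    bad[20] ^= 0x01  # inside the ciphertext region (bytes 16..47)
    try:
        first_network_element(kasme_1, bytes(bad), service_param)
    except ValueError:
        return True
    return False


# Constructed sample AKA outputs and service parameter (not real key material)
KASME_1 = hashlib.sha256(b"constructed Kasme of first network element").digest()
KASME_2 = hashlib.sha256(b"constructed Kasme of second network element").digest()
SERVICE_PARAM = b"constructed-service-id:session-42"

if __name__ == "__main__":
    k_kmc, p1, p2 = key_management_center(KASME_1, KASME_2, SERVICE_PARAM)
    k1 = first_network_element(KASME_1, p1, SERVICE_PARAM)
    k2 = second_network_element(KASME_2, p2, SERVICE_PARAM)
    print("KMC, NE1 and NE2 agree on the business key:", k_kmc == k1 == k2)
    print("tampered parameter rejected:", rejects_tampering(KASME_1, p1, SERVICE_PARAM))
```

Because the service parameter is a KDF input, two sessions between the same pair of network elements get distinct business keys without any new AKA run.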
CN201510780029.0A 2015-11-13 2015-11-13 Key distribution, generation and reception method and related device Active CN106714153B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201510780029.0A CN106714153B (en) 2015-11-13 2015-11-13 Key distribution, generation and reception method and related device
PCT/CN2016/080649 WO2017080142A1 (en) 2015-11-13 2016-04-29 Key distribution, generation and reception method, and related apparatus

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201510780029.0A CN106714153B (en) 2015-11-13 2015-11-13 Key distribution, generation and reception method and related device

Publications (2)

Publication Number Publication Date
CN106714153A true CN106714153A (en) 2017-05-24
CN106714153B CN106714153B (en) 2022-06-10

Family

ID=58695661

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510780029.0A Active CN106714153B (en) 2015-11-13 2015-11-13 Key distribution, generation and reception method and related device

Country Status (2)

Country Link
CN (1) CN106714153B (en)
WO (1) WO2017080142A1 (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103067168A (en) * 2011-10-21 2013-04-24 华为技术有限公司 Method and system of global system for mobile communication (GSM) safety and related equipment
US20140298027A1 (en) * 2013-04-02 2014-10-02 Mastercard International Incorporated Integrated contactless mpos implementation
CN104618103A (en) * 2013-11-04 2015-05-13 华为技术有限公司 Key agreement processing method and device
CN104683304A (en) * 2013-11-29 2015-06-03 中国移动通信集团公司 Processing method, equipment and system of secure communication service
CN104683098A (en) * 2013-11-29 2015-06-03 中国移动通信集团公司 Implementation method, equipment and system of secure communication service
CN104935426A (en) * 2014-03-21 2015-09-23 华为技术有限公司 Key negotiation method, user equipment and short-range communication control network element

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102056159B (en) * 2009-11-03 2014-04-02 华为技术有限公司 Method and device for acquiring safe key of relay system
CN102625300B (en) * 2011-01-28 2015-07-08 华为技术有限公司 Generation method and device for key

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109309566A (en) * 2017-07-28 2019-02-05 中国移动通信有限公司研究院 A kind of authentication method, device, system, equipment and storage medium
CN110417708A (en) * 2018-04-26 2019-11-05 上海华为技术有限公司 A kind of information transferring method and relevant device
CN110417708B (en) * 2018-04-26 2021-04-20 上海华为技术有限公司 Information transmission method and related equipment
CN110830991A (en) * 2018-08-10 2020-02-21 华为技术有限公司 Secure session method and device
US11778459B2 (en) 2018-08-10 2023-10-03 Huawei Technologies Co., Ltd. Secure session method and apparatus

Also Published As

Publication number Publication date
WO2017080142A1 (en) 2017-05-18
CN106714153B (en) 2022-06-10

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant