CN107104932A - Key updating method, apparatus and system - Google Patents

Key updating method, apparatus and system Download PDF

Info

Publication number
CN107104932A
CN107104932A CN201610101539.5A CN201610101539A CN107104932A CN 107104932 A CN107104932 A CN 107104932A CN 201610101539 A CN201610101539 A CN 201610101539A CN 107104932 A CN107104932 A CN 107104932A
Authority
CN
China
Prior art keywords
server
random number
iot
iot equipment
session key
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
CN201610101539.5A
Other languages
Chinese (zh)
Inventor
余万涛
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
ZTE Corp
Original Assignee
ZTE Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by ZTE Corp filed Critical ZTE Corp
Priority to CN201610101539.5A priority Critical patent/CN107104932A/en
Priority to PCT/CN2016/083676 priority patent/WO2017143685A1/en
Publication of CN107104932A publication Critical patent/CN107104932A/en
Withdrawn legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/041Key generation or derivation
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0891Revocation or update of secret information, e.g. encryption key update or rekeying
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40Network security protocols
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04Key management, e.g. using generic bootstrapping architecture [GBA]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/043Key management, e.g. using generic bootstrapping architecture [GBA] using a trusted network node as an anchor
    • H04W12/0433Key management protocols

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention provides a kind of key updating method, apparatus and system.Wherein, this method includes:Server receives the subscriber identity information of Internet of Things IOT equipment, and judges to receive the time point of the subscriber identity information whether in effective time, wherein, the effective time is the duration that server is set after each IOT equipment completes access authentication;In the case where the judgment result is yes, the server sends the specify information of the session key for generating the IOT equipment to the IOT equipment.By the present invention, solve in correlation technique, the problem of Internet of Things IoT equipment is both needed to be authenticated caused network resources waste when each access network sends data, and then reached the effect for saving Internet resources, further increase the efficiency of key updating.

Description

Key updating method, device and system
Technical Field
The present invention relates to the field of communications, and in particular, to a method, an apparatus, and a system for updating a secret key.
Background
Currently, in the Enhanced Data Rate for GSM Evolution (EGPRS) technology, Authentication and key Agreement are completed in an Authentication and Key Agreement (AKA) process. For Internet of Things (IoT), the Internet of Things does not need to continuously transmit data, and therefore, the Internet of Things does not need to be online all the time, and only needs to access the network when transmitting data. Each time the network is accessed, the IoT device needs to be authenticated and key negotiated to ensure the security of communication. Authentication and key agreement is done in one AKA procedure.
However, in a Cellular Internet of Things (CIoT) system, the number of IoT devices is huge, and the IoT devices may continuously but intermittently transmit data. The system needs to authenticate and key negotiate the IoT device each time the access network sends data. This makes the CIoT system have to expend a lot of system resources handling the AKA procedure of the IoT device.
Aiming at the problem of network resource waste caused by authentication of IoT equipment which is accessed to a network every time when the IoT equipment sends data in the related technology, an effective solution is not provided yet.
Disclosure of Invention
The invention provides a method, a device and a system for updating a key, which are used for at least solving the problem of network resource waste caused by the fact that an IoT (Internet of things) device needs to be authenticated each time when the IoT device is accessed to a network to send data in the related technology.
According to an aspect of the present invention, there is provided a key update method including: the method comprises the steps that a server receives user identity information of IOT equipment and judges whether a time point of receiving the user identity information is within an effective duration, wherein the effective duration is the duration set by the server after the IOT equipment completes access authentication every time; and if the judgment result is yes, the server sends the specified information for generating the session key of the IOT equipment to the IOT equipment.
Optionally, if the determination result is negative, the server terminates the timing operation of the effective duration, and triggers an operation of performing access authentication on the IOT device and a retiming operation of the effective duration.
Optionally, the valid duration is determined by: the server sets the time length which is the same as the effective time length for all IOT equipment under a CIoT system of the cellular Internet of things by taking the time point of the IOT equipment access authentication as the starting point of the timing of the effective time length; or, the server sets respective effective durations of all the IOT devices by using time points at which all the IOT devices in the cellular internet of things CIoT system complete access authentication as timing starting points of the effective durations.
Optionally, the specifying information includes: a random number for generating the IOT device session key.
Optionally, the receiving, by the server, the user identity information of the internet of things IOT device includes: the server receives user identity information forwarded by IOT equipment through a network side node; the server transmitting, to the IOT device, designation information for generating a session key of the IOT device includes: and the server sends the specified information for generating the session key of the IOT equipment to the IOT equipment through the network side node.
Optionally, before the server sends the specifying information for generating the session key of the IOT device to the IOT device, the method further includes: the server receives a user private key sent by the IOT equipment; and the server generates a session key by using the random number and the user secret key and sends the session key to a network side node.
Optionally, the server includes any one of: home location register HLR, home subscriber server HSS.
According to another aspect of the present invention, there is provided a key update method including: the IOT equipment sends user identity information to a server; the IOT equipment judges whether specified information which is sent by the server and used for generating a session key is received, wherein the specified information is sent to the IOT equipment when the time point that the server receives the user identity information is judged to be within a preset effective duration, and the effective duration is the duration set by the server after the IOT equipment completes access authentication every time; and if the judgment result is yes, the IOT equipment generates the session key according to the specified information.
Optionally, in a case that the determination result is negative, the IOT device re-initiates an access authentication operation.
Optionally, the specifying information includes: a random number for generating the IOT device session key.
Optionally, the generating, by the IOT device, the session key according to the specific information includes: the IOT equipment receives the random number forwarded by the server through a network side node; the IOT device generates the session key using a user secret key and the random number.
Optionally, the generating, by the IOT device, the session key according to the specific information includes: the IOT equipment receives a random number forwarded by the server through a network side node and a random number encrypted by the network side node; the IOT equipment generates a session key by using a user private key and the random number, and decrypts the encrypted random number according to the session key to obtain a decrypted random number; the IOT equipment judges whether the decrypted random number is the same as the random number forwarded by the server through the network side node; if the judgment result is yes, the IOT equipment sends data to be sent to the network side node; and under the condition that the judgment result is negative, the IOT equipment sends a request message to the server, wherein the request message is used for requesting the server to resend the random number.
According to still another aspect of the present invention, there is provided a key update apparatus applied to a server, including: the system comprises a first processing module, a second processing module and a third processing module, wherein the first processing module is used for receiving user identity information of IOT equipment and judging whether a time point of receiving the user identity information is within an effective duration, and the effective duration is a duration set by a server after the IOT equipment completes access authentication each time; a first sending module, configured to send, to the IOT device, specification information for generating a session key of the IOT device if the determination result is yes.
Optionally, the apparatus further comprises: and the second processing module is used for terminating the timing operation of the effective duration, triggering the operation of performing access authentication on the IOT equipment and triggering the re-timing operation of the effective duration under the condition that the judgment result is negative.
Optionally, the first processing module is further configured to determine the validity duration by: setting the time length which is the same as the effective time length for all IOT equipment under a CIoT system of the cellular Internet of things by taking the time point of the IOT equipment access authentication as the starting point of the timing of the effective time length; or, the time point when all the IOT devices in the cellular internet of things CIoT system finish access authentication respectively is used as the starting point of the effective duration, and the respective effective durations of all the IOT devices are set respectively.
Optionally, the specifying information includes: a random number for generating the IOT device session key.
Optionally, the first processing module includes a first processing unit, and the processing unit is configured to receive user identity information of an internet of things IOT device and includes: the server receives user identity information forwarded by IOT equipment through a network side node; the first sending module includes a first sending unit, and the sending unit is configured to send, to the IOT device through the network-side node, specifying information used for generating a session key of the IOT device.
Optionally, the apparatus further comprises: a receiving module, configured to receive a user private key sent by the IOT device before the server sends, to the IOT device, designation information used to generate a session key of the IOT device; and the third processing module is used for generating a session key by using the random number and the user secret key and sending the session key to a network side node.
Optionally, the server includes any one of: home location register HLR, home subscriber server HSS.
According to another aspect of the present invention, there is provided a key updating apparatus applied to an IOT device in the internet of things, including: the second sending module is used for sending the user identity information to the server; the system comprises a judging module and a processing module, wherein the judging module is used for judging whether specified information which is sent by the server and used for generating a session key is received, the specified information is sent to the IOT equipment when the time point that the server receives the user identity information is judged to be within a preset effective time length, and the effective time length is the time length set by the server after the IOT equipment completes access authentication every time; and the acquisition module generates the session key according to the specified information under the condition that the judgment result is yes.
Optionally, the apparatus further comprises: and the fourth processing module is used for restarting the access authentication operation under the condition that the judgment result is negative.
Optionally, the specifying information includes: a random number for generating the IOT device session key.
Optionally, the obtaining module includes: a first receiving unit, configured to receive the random number forwarded by the server through a network side node; an obtaining unit configured to generate the session key using a user secret key and the random number.
Optionally, the obtaining module includes: a second receiving unit, configured to receive the random number forwarded by the server through a network side node and the random number encrypted by the network side node; the second processing unit is used for generating a session key by using a user private key and the random number, and decrypting the encrypted random number according to the session key to obtain a decrypted random number; the judging unit is used for judging whether the decrypted random number is the same as the random number forwarded by the server through the network side node; a second sending unit, configured to send, to the network side node, data to be sent if the determination result is yes; and a third sending unit, configured to send a request message to the server if the determination result is negative, where the request message is used to request the server to resend the random number.
According to still another aspect of the present invention, there is provided a key update system including: the IOT equipment is used for sending user identity information to a network side node; the network side node is used for sending the user identity information to a server and sending the specified information for generating the session key of the IOT equipment to the IOT equipment; the server is used for judging whether the time point of receiving the user identity information is within the effective duration or not after receiving the user identity information; and if so, sending the specified information to the network side node.
According to the invention, the server is adopted to receive the user identity information of the IOT equipment and judge whether the time point of receiving the user identity information is within the effective duration, wherein the effective duration is the duration set by the server after the IOT equipment completes access authentication each time; if the determination result is yes, the server transmits specification information for generating a session key of the IOT device to the IOT device. That is, in the present invention, after the IOT device completes access authentication each time, the server sets the effective duration of the access authentication of the IOT device, and in the effective duration, if the user identity information sent by the IOT device is received, only the session key needs to be generated, and the operation of the access authentication of the IOT device does not need to be executed. According to the invention, the problem of network resource waste caused by authentication of the IoT equipment of the Internet of things when the IoT equipment is accessed to the network to send data each time in the related technology is solved, so that the effect of saving network resources is achieved, and the efficiency of updating the secret key is further improved.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the invention and together with the description serve to explain the invention without limiting the invention. In the drawings:
FIG. 1 is a flow diagram of a method for key update according to an embodiment of the present invention;
fig. 2 is a flowchart of an IoT device authentication method according to an embodiment of the present invention;
fig. 3 is a flowchart of an IoT device re-authentication method according to an embodiment of the present invention;
FIG. 4 is a flow chart of a method of rekeying (one) according to an embodiment of the present invention;
FIG. 5 is a block diagram of a key update apparatus according to an embodiment of the present invention;
FIG. 6 is a block diagram of a key update apparatus according to an embodiment of the present invention;
FIG. 7 is a block diagram of a key update apparatus according to an embodiment of the present invention;
fig. 8 is a block diagram (iii) of a key updating apparatus according to an embodiment of the present invention;
fig. 9 is a block diagram of an IOT device authentication management apparatus according to an embodiment of the present invention;
fig. 10 is a block diagram of a session key checking apparatus of an IOT device according to an embodiment of the present invention;
FIG. 11 is a flowchart of a rekeying method according to an embodiment of the present invention (two);
FIG. 12 is a flowchart of a rekeying method according to an embodiment of the present invention (III);
fig. 13 is a block diagram (iv) of a key updating apparatus according to an embodiment of the present invention;
fig. 14 is a block diagram (v) of a key updating apparatus according to an embodiment of the present invention;
fig. 15 is a block diagram (six) of a key updating apparatus according to an embodiment of the present invention;
fig. 16 is a block diagram of a key update system according to an embodiment of the present invention.
Detailed Description
The invention will be described in detail hereinafter with reference to the accompanying drawings in conjunction with embodiments. It should be noted that the embodiments and features of the embodiments in the present application may be combined with each other without conflict.
It should be noted that the terms "first," "second," and the like in the description and claims of the present invention and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order.
In this embodiment, a key updating method is provided, and fig. 1 is a flowchart of a key updating method according to an embodiment of the present invention, as shown in fig. 1, the flowchart includes the following steps:
step S102, a server receives user identity information of IOT equipment and judges whether a time point of receiving the user identity information is within an effective time length, wherein the effective time length is a time length set by the server after the IOT equipment completes access authentication each time;
in step S104, if the determination result is yes, the server transmits the designation information for generating the session key of the IOT device to the IOT device.
Optionally, in this embodiment, application scenarios of the key update method include, but are not limited to: the Cellular Internet of Things (CIoT) system is provided with a large number of Internet of Things (IoT) devices. In the application scene, a server is adopted to receive user identity information of IOT equipment and judge whether the time point of receiving the user identity information is within an effective duration, wherein the effective duration is the duration set by the server after the IOT equipment completes access authentication each time; if the determination result is yes, the server transmits specification information for generating a session key of the IOT device to the IOT device. That is, in the present invention, after the IOT device completes access authentication each time, the server sets the effective duration of the access authentication of the IOT device, and in the effective duration, if the user identity information sent by the IOT device is received, only the session key needs to be generated, and the operation of the access authentication of the IOT device does not need to be executed. According to the invention, the problem of network resource waste caused by authentication of the IoT equipment of the Internet of things when the IoT equipment is accessed to the network to send data each time in the related technology is solved, so that the effect of saving network resources is achieved, and the efficiency of updating the secret key is further improved.
The present embodiment will be described below by way of example with reference to specific examples.
The present embodiment provides a key updating method, which is applied to a cellular networking CIoT communication system including an IoT device, where the Server is described by taking a Home location register/Home Subscriber Server (HLR/HSS for short) as an example, the IoT device may include a SIM/USIM card, and may include the following:
after the IoT device access authentication is completed, the HLR/HSS determines when to re-authenticate the IoT device, e.g., the HLR/HSS defines the validity duration of each authentication. The HLR/HSS may define a uniform authentication validity duration for all IoT devices, or may define separate authentication validity durations for different IoT devices. After each IoT access authentication is completed, the HLR/HSS starts the authentication timing of the IoT equipment. And when the authentication timing exceeds the authentication valid duration, the HLR/HSS terminates the authentication timing of the IoT equipment. All unauthenticated timed IoT devices subsequently need to be authenticated. For example, the HLR/HSS defines the authentication validity duration of the IoT device. The HLR/HSS can set a counter for the IoT equipment, when the counter reaches the effective authentication duration, the HLR/HSS clears the counter and cancels the counting for the IoT equipment. Upon subsequent receipt of the user identity information sent by the IoT device, the HLR/HSS will initiate the authentication process.
Or, after receiving the user identity information sent by the IoT device, the HLR/HSS may forcibly start the authentication process for the IoT device;
after the access authentication of the IoT equipment is completed, the HLR/HSS performs authentication timing for the IoT equipment.
When the IoT equipment needs to send data, the user identity information of the IoT equipment is sent to a network side node, such as SGSN;
a network side node, such as SGSN, receives the user identity information sent by the IoT equipment and forwards the information to HLR/HSS;
and after receiving the user identity information sent by the IoT equipment, the HLR/HSS checks whether the authentication duration of the IoT equipment reaches the authentication valid duration or not according to the defined authentication valid duration. If the authentication validity duration is reached or exceeded, the HLR/HSS initiates an authentication procedure for the IoT device. If the authentication validity duration is not reached, the HLR/HSS generates a new random number for the IoT equipment, generates a new session key by using the new random number and an IoT equipment user secret key, and then sends the new session key and the new random number to a network side node, such as a serving GPRS Support node (SGSN for short);
after receiving the new session key and the new random number, the SGSN sends the new random number to the IoT equipment;
optionally, to ensure security, the SGSN may encrypt a new random number with a new session, and then send the new random number and the encrypted new random number together to the IoT device;
after the IoT equipment receives the new random number, a session key is generated according to the user secret key stored on the SIM/USIM and the received new random number;
optionally, after receiving the new random number and the encrypted new random number, the IoT device generates a session key according to the user secret key stored on the SIM/USIM and the received new random number, decrypts the encrypted new random number with the session key, and checks whether the decrypted new random number is the same as the received new random number. If not, the IoT equipment requests the network side node, such as SGSN, to send again; if the IoT device is the same with the network side node, such as the SGSN, the secure communication is carried out between the IoT device and the network side node.
In an optional embodiment, when it is determined that the time point of receiving the user identity information is not within the valid duration, the method includes the following steps:
in step S11, the server terminates the timing operation of the effective duration, and triggers the access authentication operation on the IOT device and triggers the re-timing operation of the effective duration.
Through the optional implementation manner, when the time point of receiving the user identity information is judged not to be within the effective time length, the server terminates the timing operation of the effective time length and triggers the operation of performing access authentication on the IOT device, so that the secure communication between the IOT device and the network side node is realized, and the problem of communication security reduction caused by the fact that the access authentication operation is not performed even if the time point of the user identity information sent by the IOT device is not within the effective time length is solved.
The present embodiment will be described below by way of example with reference to specific examples.
In this embodiment, an IoT device authentication method is provided, in which the valid duration is implemented by a timer counter, and the server takes HLR/HSS as an example for description. As shown in fig. 2, the method specifically includes the following steps:
step S201, the IoT equipment accesses the network and completes AKA authentication;
step S202, HLR/HSS starts a timing counter for the IoT equipment;
step S203, when the counter reaches the effective authentication time of the IoT equipment set by the HLR/HSS, the HLR/HSS clears the counter and cancels the counting aiming at the IoT equipment.
In the embodiment, an IoT device re-authentication method is also provided. The server takes HLR/HSS as an example for explanation, as shown in fig. 3, the method mainly includes the following steps:
step S301, when the IoT device needs to send data, the user identity information of the IoT device is sent to a network side node SGSN;
step S302, after receiving user identity information sent by IoT equipment, a network side node SGSN forwards the user identity information of the IoT equipment to HLR/HSS;
step S303, after receiving the IoT device user identity information, the HLR/HSS checks whether there is a timing counter of the IoT device, and if not, the HLR/HSS determines that re-authentication is required for the IoT device.
Step S304, AKA authentication process is performed between HLR/HSS and IoT.
Step S305, after the authentication between HLR/HSS and IoT is finished, HLR/HSS starts a new timing counter for the IoT equipment.
In an alternative embodiment, the validity period is determined by:
step S21, the server sets the same time length as the effective time length for all IOT equipment in the CIoT system of the cellular Internet of things by taking the time point of the IOT equipment access authentication as the timing starting point of the effective time length; or,
step S22, the server sets respective effective durations of all IOT devices with the time point at which all IOT devices in the cellular internet of things CIoT system complete access authentication as the starting point of the timing of the effective duration.
Through the optional implementation mode, the effective duration is preset for all IOT equipment under the CIoT system of the cellular Internet of things through the preset rule, and the dynamic setting of the effective duration is realized.
In an optional embodiment, the specifying information includes: a random number used to generate the IOT device session key.
It should be noted that, in this optional embodiment, the random number is used to further generate a security key according to the random number after the IOT device receives the random number.
In an optional embodiment, the receiving, by the server, the user identity information of the IOT device in the internet of things includes the following steps:
step S31, the server receives user identity information forwarded by IOT equipment through a network side node;
the server transmitting the specification information for generating the session key of the IOT device to the IOT device includes the steps of:
in step S32, the server transmits the specification information for generating the session key of the IOT device to the IOT device via the network-side node.
In the optional embodiment, the network side node is used as an intermediate node for receiving the user identity information and sending the designated information, so that the problem of network resource waste caused by authentication of the internet of things IoT device when the internet of things IoT device is accessed to the network to send data each time in the related art is solved, the effect of saving network resources is achieved, and the efficiency of updating the key is further improved.
In an optional embodiment, before the server sends the specification information for generating the session key of the IOT device to the IOT device, the method further includes the following steps:
step S41, the server receives the user private key sent by the IOT device;
in step S42, the server generates a session key using the random number and the user secret key, and transmits the session key to the network-side node.
Optionally, in this optional embodiment, the user private key may be stored on the SIM/USIM.
In this optional embodiment, the server generates a session key by using the user private key and the random number sent by the IOT device, and sends the session key to the network side node, thereby further achieving the effect of secure communication between the IOT device and the network side node.
The present embodiment will be described below by way of example with reference to specific examples.
In this embodiment, an IoT device key updating method is provided, in which a server takes HLR/HSS as an example for description, as shown in fig. 4, the method mainly includes the following steps:
step S401, when the IoT device needs to send data, the user identity information of the IoT device is sent to a network side node SGSN;
step S402, after receiving user identity information sent by IoT equipment, network side node SGSN forwards the user identity information of the IoT equipment to HLR/HSS;
step S403, after receiving the IoT device user identity information, the HLR/HSS checks whether there is a timing counter of the IoT device, and if so, the HLR/HSS generates a new random number for the IoT device and generates a new session key using the new random number and the IoT device user secret key.
Step S404, HLR/HSS sends new session key and new random number to network side node, such as SGSN;
in step S405, after receiving the new session key and the new random number, the SGSN sends the new random number to the IoT device.
Step S406, after receiving the new random number, the IoT device generates a session key according to the user secret key stored on the SIM/USIM and the received new random number.
In step S407, an IoT device and a network side node, such as an SGSN, perform secure communication.
In an alternative embodiment, the server may comprise any one of: home location register HLR, home subscriber server HSS.
Through the above description of the embodiments, those skilled in the art can clearly understand that the method according to the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but the former is a better implementation mode in many cases. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which is stored in a storage medium (e.g., ROM/RAM, magnetic disk, optical disk) and includes instructions for enabling a terminal device (e.g., a mobile phone, a computer, a server, or a network device) to execute the method according to the embodiments of the present invention.
In this embodiment, a key updating apparatus is further provided, and the apparatus is used to implement the foregoing embodiments and preferred embodiments, and the description of the apparatus is omitted for brevity. As used below, the term "module" may be a combination of software and/or hardware that implements a predetermined function. Although the means described in the embodiments below are preferably implemented in software, an implementation in hardware, or a combination of software and hardware is also possible and contemplated.
Fig. 5 is a block diagram of a key update apparatus according to an embodiment of the present invention, as shown in fig. 5, the apparatus including:
1) the first processing module 52 is configured to receive user identity information of an IOT device in the internet of things, and determine whether a time point at which the user identity information is received is within an effective duration, where the effective duration is a duration set by the server after the IOT device completes access authentication each time;
2) and a first sending module 54, configured to send, if the determination result is yes, the specifying information for generating the session key of the IOT device to the IOT device.
Optionally, in this embodiment, application scenarios of the key update method include, but are not limited to: the Cellular Internet of Things (CIoT) system is provided with a large number of Internet of Things (IoT) devices. In the application scene, a server is adopted to receive user identity information of IOT equipment and judge whether the time point of receiving the user identity information is within an effective duration, wherein the effective duration is the duration set by the server after the IOT equipment completes access authentication each time; if the determination result is yes, the server transmits specification information for generating a session key of the IOT device to the IOT device. That is, in the present invention, after the IOT device completes access authentication each time, the server sets the effective duration of the access authentication of the IOT device, and in the effective duration, if the user identity information sent by the IOT device is received, only the session key needs to be generated, and the operation of the access authentication of the IOT device does not need to be executed. According to the invention, the problem of network resource waste caused by authentication of the IoT equipment of the Internet of things when the IoT equipment is accessed to the network to send data each time in the related technology is solved, so that the effect of saving network resources is achieved, and the efficiency of updating the secret key is further improved.
The present embodiment will be described below by way of example with reference to specific examples.
The embodiment provides a key updating method, which is applied to a cellular networking CIoT communication system including an IoT device, where a server is described by taking HLR/HSS as an example, the IoT device may include a SIM/USIM card, and the method may include the following steps:
after the IoT device access authentication is completed, the HLR/HSS determines when to re-authenticate the IoT device, e.g., the HLR/HSS defines the validity duration of each authentication. The HLR/HSS may define a uniform authentication validity duration for all IoT devices, or may define separate authentication validity durations for different IoT devices. After each IoT access authentication is completed, the HLR/HSS starts the authentication timing of the IoT equipment. And when the authentication timing exceeds the authentication valid duration, the HLR/HSS terminates the authentication timing of the IoT equipment. All unauthenticated timed IoT devices subsequently need to be authenticated. For example, the HLR/HSS defines the authentication validity duration of the IoT device. The HLR/HSS can set a counter for the IoT equipment, when the counter reaches the effective authentication duration, the HLR/HSS clears the counter and cancels the counting for the IoT equipment. Upon subsequent receipt of the user identity information sent by the IoT device, the HLR/HSS will initiate the authentication process.
Or, after receiving the user identity information sent by the IoT device, the HLR/HSS may forcibly start the authentication process for the IoT device;
after the access authentication of the IoT equipment is completed, the HLR/HSS performs authentication timing for the IoT equipment.
When the IoT equipment needs to send data, the user identity information of the IoT equipment is sent to a network side node, such as SGSN;
a network side node, such as SGSN, receives the user identity information sent by the IoT equipment and forwards the information to HLR/HSS;
and after receiving the user identity information sent by the IoT equipment, the HLR/HSS checks whether the authentication duration of the IoT equipment reaches the authentication valid duration or not according to the defined authentication valid duration. If the authentication validity duration is reached or exceeded, the HLR/HSS initiates an authentication procedure for the IoT device. If the authentication validity duration is not reached, the HLR/HSS generates a new random number aiming at the IoT equipment, generates a new session key by using the new random number and an IoT equipment user secret key, and then sends the new session key and the new random number to a network side node, such as SGSN;
after receiving the new session key and the new random number, the SGSN sends the new random number to the IoT equipment;
optionally, to ensure security, the SGSN may encrypt a new random number with a new session, and then send the new random number and the encrypted new random number together to the IoT device;
after the IoT equipment receives the new random number, a session key is generated according to the user secret key stored on the SIM/USIM and the received new random number;
optionally, after receiving the new random number and the encrypted new random number, the IoT device generates a session key according to the user secret key stored on the SIM/USIM and the received new random number, decrypts the encrypted new random number with the session key, and checks whether the decrypted new random number is the same as the received new random number. If not, the IoT equipment requests the network side node, such as SGSN, to send again; if the IoT device is the same with the network side node, such as the SGSN, the secure communication is carried out between the IoT device and the network side node.
Fig. 6 is a block diagram (a) of a key updating apparatus according to an embodiment of the present invention, and as shown in fig. 6, the apparatus includes, in addition to all modules shown in fig. 5:
1) the second processing module 62 is configured to terminate the timing operation of the valid duration, trigger an operation of performing access authentication on the IOT device, and trigger a re-timing operation of the valid duration if the determination result is negative.
Through the optional implementation manner, when the time point of receiving the user identity information is judged not to be within the effective time length, the server terminates the timing operation of the effective time length and triggers the operation of performing access authentication on the IOT device, so that the secure communication between the IOT device and the network side node is realized, and the problem of communication security reduction caused by the fact that the access authentication operation is not performed even if the time point of the user identity information sent by the IOT device is not within the effective time length is solved.
In an alternative embodiment, the first processing module is further configured to determine the validity period by: setting the time length which is the same as the effective time length for all IOT equipment under the CIoT system of the cellular Internet of things by taking the time point of the IOT equipment access authentication as the starting point of the timing of the effective time length; or, the time point when all the IOT devices in the cellular internet of things CIoT system finish access authentication respectively is used as the starting point of the effective duration, and the respective effective durations of all the IOT devices are set respectively.
Through the optional implementation mode, the effective duration is preset for all IOT equipment under the CIoT system of the cellular Internet of things through the preset rule, and the dynamic setting of the effective duration is realized.
In an alternative embodiment, the specifying information includes: a random number used to generate the IOT device session key.
It should be noted that, in this optional embodiment, the random number is used to further generate a security key according to the random number after the IOT device receives the random number.
In an alternative implementation manner, fig. 7 is a block diagram (ii) of a key updating apparatus according to an embodiment of the present invention, and as shown in fig. 7, the first processing module 52 includes:
1) the first processing unit 72 is configured to receive user identity information of an internet of things IOT device, and includes: the server receives user identity information forwarded by IOT equipment through a network side node;
the first transmission module 54 includes:
2) a first sending unit 74, configured to send, to the IOT device through the network-side node, the specifying information for generating the session key of the IOT device.
In the optional embodiment, the network side node is used as an intermediate node for receiving the user identity information and sending the designated information, so that the problem of network resource waste caused by authentication of the internet of things IoT device when the internet of things IoT device is accessed to the network to send data each time in the related art is solved, the effect of saving network resources is achieved, and the efficiency of updating the key is further improved.
In an alternative implementation manner, fig. 8 is a block diagram (three) of a key updating apparatus according to an embodiment of the present invention, and as shown in fig. 8, the apparatus includes, in addition to all modules shown in fig. 5:
1) a receiving module 82, configured to receive a user private key sent by the IOT device before the server sends, to the IOT device, the specifying information used to generate the session key of the IOT device;
2) and a third processing module 84, configured to generate a session key using the random number and the user secret key, and send the session key to the network-side node.
Optionally, in this optional embodiment, the user private key may be stored on the SIM/USIM.
In this optional embodiment, the server generates a session key by using the user private key and the random number sent by the IOT device, and sends the session key to the network side node, thereby further achieving the effect of secure communication between the IOT device and the network side node.
In an optional embodiment, the server includes any one of the following: home location register HLR, home subscriber server HSS.
Optionally, in this embodiment, there is further provided an IOT device authentication management apparatus, as shown in fig. 9, including:
1) an authentication timing module 92, configured to perform authentication timing for the IoT device after the AKA procedure is finished;
2) the management module 94, the management of the authentication timing module by the user HLR/HSS, checks if the timing counter for one IoT device timing module reaches the authentication validity duration. When the effective authentication duration is reached, the counter is cleared and the timing for the IoT device is cancelled.
3) A checking module 96, configured to check whether the IoT device needs to perform authentication or update a session key according to the IoT device user identity information;
in another alternative embodiment, there is provided a session key checking apparatus, as shown in fig. 10, including:
1) a session key check management module 1002, configured to update the IoT device session key, and check whether renegotiation is required for updating the session key.
Fig. 11 is a flowchart (two) of a key updating method according to an embodiment of the present invention, and as shown in fig. 11, the flowchart includes the following steps:
step S1102, the IOT equipment sends user identity information to a server;
step S1104, the IOT device determines whether to receive designation information sent by the server for generating a session key, where the designation information is information sent to the IOT device when it is determined that a time point at which the server receives the user identity information is within a preset effective duration, and the effective duration is a duration set by the server after the IOT device completes access authentication each time;
in step S1106, if the determination result is yes, the IOT device generates the session key according to the specific information.
Optionally, in this embodiment, application scenarios of the key update method include, but are not limited to: the Cellular Internet of Things (CIoT) system is provided with a large number of Internet of Things (IoT) devices. In the application scene, the IOT equipment sends user identity information to a server; the IOT equipment judges whether specified information which is sent by the server and used for generating a session key is received, wherein the specified information is sent to the IOT equipment when the time point that the server receives the user identity information is judged to be within a preset effective duration, and the effective duration is the duration set by the server after the IOT equipment completes access authentication each time; if the determination result is yes, the IOT device generates the session key according to the specifying information. That is to say, after the IOT device sends the user identity information to the server, if the specified information sent by the server for generating the session key is received within the authentication validity duration of the IOT device, the session key is directly generated according to the specified information without performing access authentication, so that the problem of network resource waste caused by authentication required by the IOT device in the internet of things each time when the IOT device accesses the network to send data in the related art is solved, thereby achieving the effect of saving network resources and further improving the efficiency of key update.
In an optional embodiment, the determining, by the IOT device, that the specific information for generating the session key sent by the server is not received includes the following steps:
in step S51, the IOT device re-initiates the access authentication operation.
Optionally, in this optional embodiment, specifically, when the IOT device determines that the specified information for generating the session key sent by the server is not received, the access authentication operation is re-initiated, so as to avoid a problem of network resource waste caused by authentication required each time the network is accessed to send data in the related art, thereby achieving an effect of saving network resources and further improving the efficiency of updating the key.
In an optional embodiment, the specifying information includes: a random number used to generate the IOT device session key.
It should be noted that, in this optional embodiment, the random number is used to further generate a security key according to the random number after the IOT device receives the random number.
In an optional embodiment, the IOT device generating the session key according to the specific information includes the following steps:
step S61, the IOT device receives the random number forwarded by the server through the network-side node;
in step S62, the IOT device generates the session key using the user private key and the random number.
Optionally, in this optional embodiment, the user private key may be stored on the SIM/USIM.
In this optional embodiment, the IOT device receives the random number sent by the server, and generates the session key according to the user private key and the random number, thereby further implementing secure communication.
In an optional embodiment, the IOT device generating the session key according to the specific information may further include the steps of:
step S71, the IOT device receives the random number forwarded by the server through the network side node and the random number encrypted by the network side node;
step S72, the IOT device uses the user private key and the random number to generate a session key, and decrypts the encrypted random number according to the session key to obtain a decrypted random number;
step S73, the IOT device judges whether the decrypted random number is the same as the random number forwarded by the server through the network side node;
step S74, if the determination result is yes, the IOT device sends data to be sent to the network side node;
in step S75, if the determination result is negative, the IOT device sends a request message to the server, where the request message is used to request the server to resend the random number.
In this optional embodiment, the IOT device compares the random number sent by the receiving server with the decrypted random number, and executes a corresponding operation according to a comparison result, so that the problem of network resource waste caused by authentication of the IOT device in the internet of things when the IOT device is accessed to a network to send data each time is solved, and the effect of saving network resources is achieved. And the safe communication of the IOT equipment is further ensured.
The present embodiment will be described below by way of example with reference to specific examples.
In this optional embodiment, an IoT device key updating method is provided, in which the server takes HLR/HSS as an example. As shown in fig. 12, the method mainly includes the following steps:
step S1201, when the IoT equipment needs to send data, the user identity information of the IoT equipment is sent to a network side node SGSN;
step S1202, after receiving user identity information sent by an IoT device, a network side node SGSN forwards the user identity information of the IoT device to an HLR/HSS;
step S1203, after receiving the IoT device user identity information, the HLR/HSS checks whether there is a counter of the IoT device, and if so, the HLR/HSS generates a new random number for the IoT device and generates a new session key using the new random number and the IoT device user secret key.
Step S1204, HLR/HSS sends new conversation cipher key and new random number to the network side node, such as SGSN;
step S1205, the SGSN encrypts the new random number by using the new session, and then sends the new random number and the encrypted new random number to the IoT equipment;
step S1206, after receiving the new random number and the encrypted new random number, the IoT device generates a session key according to the user secret key stored on the SIM/USIM and the received new random number, decrypts the encrypted new random number with the session key, and checks whether the decrypted new random number is the same as the received new random number. If the IoT device is the same as the network side node, step 407 is executed, and if the IoT device is different from the network side node, e.g., SGSN, the IoT device requests retransmission;
step S1207, secure communication is performed between the IoT device and a network side node, such as an SGSN.
Through the above description of the embodiments, those skilled in the art can clearly understand that the method according to the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but the former is a better implementation mode in many cases. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which is stored in a storage medium (e.g., ROM/RAM, magnetic disk, optical disk) and includes instructions for enabling a terminal device (e.g., a mobile phone, a computer, a server, or a network device) to execute the method according to the embodiments of the present invention.
In this embodiment, a key updating apparatus is further provided, and the apparatus is used to implement the foregoing embodiments and preferred embodiments, and the description of the apparatus is omitted for brevity. As used below, the term "module" may be a combination of software and/or hardware that implements a predetermined function. Although the means described in the embodiments below are preferably implemented in software, an implementation in hardware, or a combination of software and hardware is also possible and contemplated.
Fig. 13 is a block diagram (iv) of a key updating apparatus according to an embodiment of the present invention, as shown in fig. 13, the apparatus including:
1) a second sending module 1302, configured to send user identity information to a server;
2) a determining module 1304, configured to determine whether specified information sent by the server for generating a session key is received, where the specified information is information sent to the IOT device when it is determined that a time point at which the server receives the user identity information is within a preset effective duration, and the effective duration is a duration set by the server after the IOT device completes access authentication each time;
3) if the determination result is yes, the obtaining module 1306 generates the session key based on the specifying information.
Optionally, in this embodiment, application scenarios of the key update method include, but are not limited to: the Cellular Internet of Things (CIoT) system is provided with a large number of Internet of Things (IoT) devices. In the application scene, the IOT equipment sends user identity information to a server; the IOT equipment judges whether specified information which is sent by the server and used for generating a session key is received, wherein the specified information is sent to the IOT equipment when the time point that the server receives the user identity information is judged to be within a preset effective duration, and the effective duration is the duration set by the server after the IOT equipment completes access authentication each time; if the determination result is yes, the IOT device generates the session key according to the specifying information. That is to say, after the IOT device sends the user identity information to the server, if the specified information sent by the server for generating the session key is received within the authentication validity duration of the IOT device, the session key is directly generated according to the specified information without performing access authentication, so that the problem of network resource waste caused by authentication required by the IOT device in the internet of things each time when the IOT device accesses the network to send data in the related art is solved, thereby achieving the effect of saving network resources and further improving the efficiency of key update.
In an alternative implementation manner, fig. 14 is a block diagram (v) of a key updating apparatus according to an embodiment of the present invention, and as shown in fig. 14, the apparatus includes, in addition to all modules shown in fig. 13:
1) the fourth processing module 1402 is configured to, if the determination result is negative, re-initiate an access authentication operation.
Optionally, in this optional embodiment, specifically, when the IOT device determines that the specified information for generating the session key sent by the server is not received, the access authentication operation is re-initiated, so as to avoid a problem of network resource waste caused by authentication required each time the network is accessed to send data in the related art, thereby achieving an effect of saving network resources and further improving the efficiency of updating the key.
In an alternative embodiment, the specifying information includes: a random number used to generate the IOT device session key.
It should be noted that, in this optional embodiment, the random number is used to further generate a security key according to the random number after the IOT device receives the random number.
In an alternative implementation manner, fig. 15 is a block diagram (vi) of a key updating apparatus according to an embodiment of the present invention, and as shown in fig. 15, the obtaining module 1306 includes:
1) a first receiving unit 1502, configured to receive the random number forwarded by the server through a network-side node;
2) an obtaining unit 1504 is used to generate the session key using the user secret key and the random number.
In an optional embodiment, the unit included in the obtaining module 106 may also be replaced equivalently by 1) a second receiving unit, configured to receive the random number forwarded by the server through the network-side node and the random number encrypted by the network-side node; 2) the second processing unit is used for generating a session key by using the user private key and the random number, and decrypting the encrypted random number according to the session key to obtain a decrypted random number; 3) a judging unit, configured to judge whether the decrypted random number is the same as the random number forwarded by the server through the network-side node; 4) a second sending unit, configured to send, to the network side node, data to be sent if the determination result is yes; 5) and a third sending unit, configured to send a request message to the server if the determination result is negative, where the request message is used to request the server to resend the random number.
In this embodiment, a key updating system is further provided, as shown in fig. 16, which mainly includes:
1) the internet of things IOT device 1602, configured to send user identity information to a network side node;
2) a network side node 1604, configured to send the user identity information to a server, and send specification information used for generating a session key of the IOT device to the IOT device;
3) a server 1606, configured to determine, after receiving the user identity information, whether a time point at which the user identity information is received is within an effective duration; if yes, the specified information is sent to the network side node.
Alternatively, server 1606 may include: home location register HLR, home subscriber server HSS.
It should be noted that, the above modules may be implemented by software or hardware, and for the latter, the following may be implemented, but not limited to: the modules are all positioned in the same processor; alternatively, the modules are respectively located in a plurality of processors.
The embodiment of the invention also provides a storage medium. Alternatively, in the present embodiment, the storage medium may be configured to store program codes for performing the following steps:
s1, the server receives the user identity information of the IOT equipment and judges whether the time point of receiving the user identity information is within the effective duration, wherein the effective duration is the duration set by the server after the IOT equipment completes access authentication each time;
if the determination result is yes, the server transmits the designation information for generating the session key of the IOT device to the IOT device S2.
Optionally, the storage medium is further arranged to store program code for performing the steps of:
s3, the IOT equipment sends user identity information to the server;
s4, the IOT device judges whether the appointed information sent by the server for generating the session key is received, wherein the appointed information is the information sent to the IOT device when the time point that the server receives the user identity information is judged to be within the preset effective time length, and the effective time length is the time length set by the server after the IOT device completes the access authentication each time;
if yes, the IOT device generates the session key based on the specifying information S5.
Optionally, in this embodiment, the storage medium may include, but is not limited to: a U-disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic or optical disk, and other various media capable of storing program codes.
Alternatively, in the present embodiment, the processor executes the above steps S1, S2 according to program codes already stored in the storage medium.
Alternatively, in the present embodiment, the processor performs the above steps S3, S4, and S5 according to program codes already stored in the storage medium.
Optionally, the specific examples in this embodiment may refer to the examples described in the above embodiments and optional implementation manners, and this embodiment is not described herein again.
It will be apparent to those skilled in the art that the modules or steps of the present invention described above may be implemented by a general purpose computing device, they may be centralized on a single computing device or distributed across a network of multiple computing devices, and alternatively, they may be implemented by program code executable by a computing device, such that they may be stored in a storage device and executed by a computing device, and in some cases, the steps shown or described may be performed in an order different than that described herein, or they may be separately fabricated into individual integrated circuit modules, or multiple ones of them may be fabricated into a single integrated circuit module. Thus, the present invention is not limited to any specific combination of hardware and software.
The above description is only a preferred embodiment of the present invention and is not intended to limit the present invention, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (25)

1. A method for updating a key, comprising:
the method comprises the steps that a server receives user identity information of IOT equipment and judges whether a time point of receiving the user identity information is within an effective duration, wherein the effective duration is the duration set by the server after the IOT equipment completes access authentication every time;
and if the judgment result is yes, the server sends the specified information for generating the session key of the IOT equipment to the IOT equipment.
2. The method of claim 1, further comprising:
and under the condition that the judgment result is negative, the server terminates the timing operation of the effective duration, triggers the operation of performing access authentication on the IOT equipment and triggers the re-timing operation of the effective duration.
3. The method of claim 1, wherein the validity period is determined by:
the server sets the time length which is the same as the effective time length for all IOT equipment under a CIoT system of the cellular Internet of things by taking the time point of the IOT equipment access authentication as the starting point of the timing of the effective time length; or,
and the server takes the time point when all the IOT equipment in the cellular Internet of things CIoT system respectively finish access authentication as the timing starting point of the effective duration, and respectively sets the respective effective duration of all the IOT equipment.
4. The method according to claim 1, wherein the specifying information includes: a random number for generating the IOT device session key.
5. The method of claim 1,
the server receiving user identity information of the IOT equipment comprises the following steps: the server receives user identity information forwarded by IOT equipment through a network side node;
the server transmitting, to the IOT device, designation information for generating a session key of the IOT device includes: and the server sends the specified information for generating the session key of the IOT equipment to the IOT equipment through the network side node.
6. The method of claim 4, further comprising, before the server sending to the IOT device specifying information for generating the session key for the IOT device:
the server receives a user private key sent by the IOT equipment;
and the server generates a session key by using the random number and the user secret key and sends the session key to a network side node.
7. The method according to any one of claims 1 to 6, wherein the server comprises any one of: home location register HLR, home subscriber server HSS.
8. A method for updating a key, comprising:
the IOT equipment sends user identity information to a server;
the IOT equipment judges whether specified information which is sent by the server and used for generating a session key is received, wherein the specified information is sent to the IOT equipment when the time point that the server receives the user identity information is judged to be within a preset effective duration, and the effective duration is the duration set by the server after the IOT equipment completes access authentication every time;
and if the judgment result is yes, the IOT equipment generates the session key according to the specified information.
9. The method of claim 8, further comprising:
and under the condition that the judgment result is negative, the IOT equipment re-initiates the access authentication operation.
10. The method according to claim 8, wherein the specifying information includes: a random number for generating the IOT device session key.
11. The method of claim 10, wherein generating, by the IOT device, the session key based on the specification information comprises:
the IOT equipment receives the random number forwarded by the server through a network side node;
the IOT device generates the session key using a user secret key and the random number.
12. The method of claim 8, wherein generating, by the IOT device, the session key based on the specification information comprises:
the IOT equipment receives a random number forwarded by the server through a network side node and a random number encrypted by the network side node;
the IOT equipment generates a session key by using a user private key and the random number, and decrypts the encrypted random number according to the session key to obtain a decrypted random number;
the IOT equipment judges whether the decrypted random number is the same as the random number forwarded by the server through the network side node;
if the judgment result is yes, the IOT equipment sends data to be sent to the network side node;
and under the condition that the judgment result is negative, the IOT equipment sends a request message to the server, wherein the request message is used for requesting the server to resend the random number.
13. A key update apparatus applied to a server, comprising:
the system comprises a first processing module, a second processing module and a third processing module, wherein the first processing module is used for receiving user identity information of IOT equipment and judging whether a time point of receiving the user identity information is within an effective duration, and the effective duration is a duration set by a server after the IOT equipment completes access authentication each time;
a first sending module, configured to send, to the IOT device, specification information for generating a session key of the IOT device if the determination result is yes.
14. The apparatus of claim 13, further comprising:
and the second processing module is used for terminating the timing operation of the effective duration, triggering the operation of performing access authentication on the IOT equipment and triggering the re-timing operation of the effective duration under the condition that the judgment result is negative.
15. The apparatus of claim 13, wherein the first processing module is further configured to determine the validity period by:
setting the time length which is the same as the effective time length for all IOT equipment under a CIoT system of the cellular Internet of things by taking the time point of the IOT equipment access authentication as the starting point of the timing of the effective time length; or,
and respectively setting the respective effective durations of all the IOT devices by taking the time points of all the IOT devices in the CIoT system of the cellular Internet of things, which finish the access authentication, as the timing starting points of the effective durations.
16. The apparatus of claim 13, wherein the specific information comprises: a random number for generating the IOT device session key.
17. The apparatus of claim 13,
the first processing module comprises a first processing unit, and the processing unit is configured to receive user identity information of an internet of things IOT device and comprises: the server receives user identity information forwarded by IOT equipment through a network side node;
the first sending module includes a first sending unit, and the sending unit is configured to send, to the IOT device through the network-side node, specifying information used for generating a session key of the IOT device.
18. The apparatus of claim 16, further comprising:
a receiving module, configured to receive a user private key sent by the IOT device before the server sends, to the IOT device, designation information used to generate a session key of the IOT device;
and the third processing module is used for generating a session key by using the random number and the user secret key and sending the session key to a network side node.
19. The apparatus according to any one of claims 13 to 18, wherein the server comprises any one of: home location register HLR, home subscriber server HSS.
20. A secret key updating device is applied to IOT equipment and is characterized by comprising:
the second sending module is used for sending the user identity information to the server;
the system comprises a judging module and a processing module, wherein the judging module is used for judging whether specified information which is sent by the server and used for generating a session key is received, the specified information is sent to the IOT equipment when the time point that the server receives the user identity information is judged to be within a preset effective time length, and the effective time length is the time length set by the server after the IOT equipment completes access authentication every time;
and the acquisition module generates the session key according to the specified information under the condition that the judgment result is yes.
21. The apparatus of claim 20, further comprising:
and the fourth processing module is used for restarting the access authentication operation under the condition that the judgment result is negative.
22. The apparatus of claim 20, wherein the specific information comprises: a random number for generating the IOT device session key.
23. The apparatus of claim 22, wherein the obtaining module comprises:
a first receiving unit, configured to receive the random number forwarded by the server through a network side node;
an obtaining unit configured to generate the session key using a user secret key and the random number.
24. The apparatus of claim 20, wherein the obtaining module comprises:
a second receiving unit, configured to receive the random number forwarded by the server through a network side node and the random number encrypted by the network side node;
the second processing unit is used for generating a session key by using a user private key and the random number, and decrypting the encrypted random number according to the session key to obtain a decrypted random number;
the judging unit is used for judging whether the decrypted random number is the same as the random number forwarded by the server through the network side node;
a second sending unit, configured to send, to the network side node, data to be sent if the determination result is yes;
and a third sending unit, configured to send a request message to the server if the determination result is negative, where the request message is used to request the server to resend the random number.
25. A key renewal system, comprising:
the IOT equipment is used for sending user identity information to a network side node;
the network side node is used for sending the user identity information to a server and sending the specified information for generating the session key of the IOT equipment to the IOT equipment;
the server is used for judging whether the time point of receiving the user identity information is within the effective duration or not after receiving the user identity information; and if so, sending the specified information to the network side node.
CN201610101539.5A 2016-02-23 2016-02-23 Key updating method, apparatus and system Withdrawn CN107104932A (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201610101539.5A CN107104932A (en) 2016-02-23 2016-02-23 Key updating method, apparatus and system
PCT/CN2016/083676 WO2017143685A1 (en) 2016-02-23 2016-05-27 Key updating method, device, and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610101539.5A CN107104932A (en) 2016-02-23 2016-02-23 Key updating method, apparatus and system

Publications (1)

Publication Number Publication Date
CN107104932A true CN107104932A (en) 2017-08-29

Family

ID=59658460

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610101539.5A Withdrawn CN107104932A (en) 2016-02-23 2016-02-23 Key updating method, apparatus and system

Country Status (2)

Country Link
CN (1) CN107104932A (en)
WO (1) WO2017143685A1 (en)

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108449756A (en) * 2018-06-29 2018-08-24 北京邮电大学 A kind of system of network cryptographic key updating, method and device
CN110519052A (en) * 2019-08-23 2019-11-29 青岛海尔科技有限公司 Data interactive method and device based on Internet of Things operating system
WO2020009129A1 (en) * 2018-07-03 2020-01-09 株式会社ソラコム Device and method for mediating configuration of authentication information
CN111988143A (en) * 2020-08-28 2020-11-24 百度时代网络技术(北京)有限公司 Key updating method, device, equipment and storage medium
CN112671532A (en) * 2020-12-07 2021-04-16 华帝股份有限公司 Method for generating communication key and related equipment
CN112784250A (en) * 2021-01-27 2021-05-11 深圳融安网络科技有限公司 Identity authentication method, client, server and storage medium
CN112953923A (en) * 2021-02-03 2021-06-11 广州技象科技有限公司 Safe network access method and device based on secret key updating
CN115767522A (en) * 2023-01-09 2023-03-07 中国电子科技集团公司第三十研究所 Internet of things application security enhancement system and method based on communication security integrated design
WO2023124958A1 (en) * 2021-12-31 2023-07-06 中兴通讯股份有限公司 Key update method, server, client and storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102420799A (en) * 2010-09-27 2012-04-18 中国移动通信集团公司 User authentication method, device and system
CN102547680A (en) * 2010-12-17 2012-07-04 北京创毅视讯科技有限公司 System of internet of things and safety management method for system of internet of things
CN103117983A (en) * 2011-11-16 2013-05-22 中国移动通信集团公司 Data service request response method and data service protocol stack
CN103532713A (en) * 2012-07-04 2014-01-22 中国移动通信集团公司 Sensor authentication and sharing key generating method, sensor authentication and sharing key generating system and sensor

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR101493212B1 (en) * 2012-10-31 2015-02-23 삼성에스디에스 주식회사 Method and system for id-based encryption and decryption
CN103686717B (en) * 2013-12-23 2016-09-07 江苏物联网研究发展中心 A kind of key management method of Internet of Things sensor-based system
CN104853354A (en) * 2015-05-18 2015-08-19 深圳门萨通信科技有限公司 Bluetooth authentication method and system thereof
CN105117657B (en) * 2015-07-22 2018-04-20 南京邮电大学 A kind of design method and system of the open mandate access based on intelligence s ervice

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102420799A (en) * 2010-09-27 2012-04-18 中国移动通信集团公司 User authentication method, device and system
CN102547680A (en) * 2010-12-17 2012-07-04 北京创毅视讯科技有限公司 System of internet of things and safety management method for system of internet of things
CN103117983A (en) * 2011-11-16 2013-05-22 中国移动通信集团公司 Data service request response method and data service protocol stack
CN103532713A (en) * 2012-07-04 2014-01-22 中国移动通信集团公司 Sensor authentication and sharing key generating method, sensor authentication and sharing key generating system and sensor

Cited By (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108449756B (en) * 2018-06-29 2020-06-05 北京邮电大学 System, method and device for updating network key
CN108449756A (en) * 2018-06-29 2018-08-24 北京邮电大学 A kind of system of network cryptographic key updating, method and device
US11552938B2 (en) 2018-07-03 2023-01-10 Soracom, Inc. Device and method for mediating configuration of authentication information
JP7185978B2 (en) 2018-07-03 2022-12-08 株式会社ソラコム Apparatus and method for mediating setting of authentication information
WO2020009129A1 (en) * 2018-07-03 2020-01-09 株式会社ソラコム Device and method for mediating configuration of authentication information
CN112640360B (en) * 2018-07-03 2024-04-26 株式会社宙连 Device and method for mediating setting of authentication information
CN112640360A (en) * 2018-07-03 2021-04-09 株式会社宙连 Device and method for intermediating setting of authentication information
US11943213B2 (en) 2018-07-03 2024-03-26 Soracom, Inc. Device and method for mediating configuration of authentication information
JP2020010099A (en) * 2018-07-03 2020-01-16 株式会社ソラコム Device and method for mediating setting of authentication information
CN110519052A (en) * 2019-08-23 2019-11-29 青岛海尔科技有限公司 Data interactive method and device based on Internet of Things operating system
CN110519052B (en) * 2019-08-23 2022-07-05 青岛海尔科技有限公司 Data interaction method and device based on Internet of things operating system
CN111988143B (en) * 2020-08-28 2024-03-01 百度时代网络技术(北京)有限公司 Key updating method, device, equipment and storage medium
CN111988143A (en) * 2020-08-28 2020-11-24 百度时代网络技术(北京)有限公司 Key updating method, device, equipment and storage medium
CN112671532A (en) * 2020-12-07 2021-04-16 华帝股份有限公司 Method for generating communication key and related equipment
CN112784250A (en) * 2021-01-27 2021-05-11 深圳融安网络科技有限公司 Identity authentication method, client, server and storage medium
CN112784250B (en) * 2021-01-27 2024-04-23 深圳融安网络科技有限公司 Identity authentication method, client, server and storage medium
CN112953923A (en) * 2021-02-03 2021-06-11 广州技象科技有限公司 Safe network access method and device based on secret key updating
WO2023124958A1 (en) * 2021-12-31 2023-07-06 中兴通讯股份有限公司 Key update method, server, client and storage medium
CN115767522A (en) * 2023-01-09 2023-03-07 中国电子科技集团公司第三十研究所 Internet of things application security enhancement system and method based on communication security integrated design

Also Published As

Publication number Publication date
WO2017143685A1 (en) 2017-08-31

Similar Documents

Publication Publication Date Title
CN107104932A (en) Key updating method, apparatus and system
KR102149587B1 (en) Identity authentication method and device
CN108293223B (en) Data transmission method, user equipment and network side equipment
US20200162913A1 (en) Terminal authenticating method, apparatus, and system
EP3340690B1 (en) Access method, device and system for user equipment (ue)
CN108616354B (en) Key negotiation method and device in mobile communication
EP3041164A1 (en) Member profile transfer method, member profile transfer system, and user device
AU2020200523B2 (en) Methods and arrangements for authenticating a communication device
KR102233860B1 (en) Actions related to user equipment using secret identifiers
EP2549785A1 (en) Method and apparatus for authenticating communication devices
CA3057401A1 (en) Enhanced registration procedure in a mobile system supporting network slicing
US20180034635A1 (en) GPRS System Key Enhancement Method, SGSN Device, UE, HLR/HSS, and GPRS System
CN109314693B (en) Method and apparatus for authenticating a key requestor
CN109922474A (en) Trigger the method and relevant device of network authentication
CN105721412A (en) Method and device for authenticating identity between multiple systems
CN111552935A (en) Block chain data authorization access method and device
CN111065101A (en) 5G communication information encryption and decryption method and device based on block chain and storage medium
CN111641498A (en) Key determination method and device
CN109756451B (en) Information interaction method and device
CN104796887A (en) Method and device for safely exchanging information
US20160044487A1 (en) Network access method and apparatus, and network system
US20220116774A1 (en) Methods and systems for authentication and establishment of secure connection for edge computing services
CN108243416B (en) User equipment authentication method, mobile management entity and user equipment
WO2020258988A1 (en) Access request transmission and processing methods, and device
CN110087338B (en) Method and equipment for authenticating narrowband Internet of things

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication

Application publication date: 20170829

WW01 Invention patent application withdrawn after publication