CN109845185A - A kind of data transmission method, terminal, node device and system - Google Patents

A kind of data transmission method, terminal, node device and system Download PDF

Info

Publication number
CN109845185A
CN109845185A CN201680090122.1A CN201680090122A CN109845185A CN 109845185 A CN109845185 A CN 109845185A CN 201680090122 A CN201680090122 A CN 201680090122A CN 109845185 A CN109845185 A CN 109845185A
Authority
CN
China
Prior art keywords
terminal
digital signature
public key
key
management system
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201680090122.1A
Other languages
Chinese (zh)
Other versions
CN109845185B (en
Inventor
熊晓春
黄正安
付建军
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd filed Critical Huawei Technologies Co Ltd
Publication of CN109845185A publication Critical patent/CN109845185A/en
Application granted granted Critical
Publication of CN109845185B publication Critical patent/CN109845185B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The embodiment of the invention discloses a kind of data transmission method, terminal, node device and systems, wherein, the described method includes: first terminal receives the broadcast safe information that second terminal is sent, broadcast safe information includes broadcast message, the second digital signature, the first digital signature, the first public key and system banner, first digital signature is that key management system is calculated the first public key based on the second private key, and the second digital signature is that second terminal is calculated broadcast message based on the first private key;The second public key is obtained based on system banner, and the first digital signature is verified based on the second public key, when verifying successfully, identification second terminal is effective terminal;The second digital signature is verified based on the first public key, when verifying successfully, broadcast message is handled.Using the embodiment of the present invention, expense and transmitted data amount can be reduced on the legitimacy foundation in the source that ensures to broadcast the message.

Description

A kind of data transmission method, terminal, node device and system Technical field
The present invention relates to field of communication technology more particularly to a kind of data transmission method, terminal, node device and systems.
Background technique
LTE-V aims between vehicle and vehicle (Vehicle-to-Vehicle, V2V), (Vehicle-to-Pedestrian between vehicle and people, V2P (Vehicle-to-Everything) or even between vehicle and all things on earth, V2X Continued communication), to exchange current vehicle, surrounding vehicles, pedestrian or the status information of environment, to achieve the purpose that reduce traffic accident, more effectively ensure traffic trip safety, alleviate traffic congestion, reduce energy consumption and improve out line efficiency.But so far, 3GPP not yet clearly proposes how to improve the solution of the data transmission security based on LTE-V.
Electric and electronic engineering Shi Xuehui (Institute of Electrical and Electronics Engineers, IEEE the safety of V2V broadcast message) is improved using the method based on digital certificate, i.e. in every broadcast message of vehicle other than the digital signature for carrying the message, the digital certificate for also needing carrying sender guarantees the legitimacy in broadcast message source by digital certificate and digital signature.But vehicle requires to carry digital certificate in transmission data every time, transmitted data amount is larger.In addition, the demand for security anti-tracking in conjunction with car networking, the digital certificate needs of vehicle are periodically updated, i.e., Certificate Authority (Certificate Authority, CA) needs periodically to each vehicle issuing digital certificate, and expense is larger.
Summary of the invention
The embodiment of the invention provides a kind of data transmission method, terminal, node device and systems, can reduce expense and transmitted data amount on the legitimacy foundation in the source that ensures to broadcast the message.
First aspect present invention provides a kind of data transmission method, first terminal receives after the broadcast safe information of second terminal transmission, the second public key of key management system can be obtained based on system banner, and the first digital signature is verified based on the second public key, when verifying successfully, identification second terminal is effective terminal, and then first terminal can verify the second digital signature based on the first public key, when verifying successfully Broadcast message is handled.
Wherein, broadcast safe information may include the second digital signature, the first digital signature of second terminal, the first public key of second terminal and the system banner of key management system of broadcast message, broadcast message.First digital signature is that key management system is calculated the first public key based on the second private key of key management system.Second digital signature is that second terminal is calculated broadcast message based on the first private key of second terminal.
In the above-mentioned technical solutions, first terminal verifies the first digital signature based on the second public key of key management system, can identify to the identity of second terminal, avoids false identities, usurps identity or expired identity transmission broadcast message;After first terminal is to the success of the first digital signature verification, the second digital signature can be verified based on the first public key, it can be ensured that the legitimacy in the source that broadcasts the message.In addition, CA needs periodically to each vehicle issuing digital certificate in relatively traditional data transmission method, every of vehicle, which broadcasts the message, need to carry the digital certificate of sender, first terminal can identify the validity and legitimacy of the temporary identity of second terminal by way of verifying to the first digital signature in the technical program, expense can be reduced, transmitted data amount can also be reduced.
Optionally, the first digital signature is that key management system is calculated by effective initial time of the preset signature algorithm to the second private key, the first public key and the first private key.
Optionally, broadcast safe information further includes the generation time of effective initial time and the second digital signature, then before the second public key of the first terminal based on system banner acquisition key management system, it can be based on preset time parameter and effective initial time, determine the valid interval of the first private key, when being located in valid interval the generation time, first terminal determines that the first private key is effective private key;When being located at outside valid interval the generation time, first terminal determines that the first private key is invalid private key.
Optionally, first terminal is based on preset time parameter and effective initial time, before the valid interval for determining the first private key, the receiving time of available broadcast safe information, when difference between when 330 receiving between the generation time is less than preset time threshold, it triggers first terminal and is based on preset time parameter and effective initial time, determine the valid interval of the first private key;When difference between when 330 receiving between the generation time is more than or equal to preset time threshold, first terminal can determine that the broadcast safe information received is playback information, and then delete the broadcast safe information.
Optionally, first terminal verifies the first digital signature based on the second public key, is specifically as follows: first terminal is by preset verification algorithm to the second public key, the first public key, effective initial time and the first number Word signature is handled, and the check results of the first digital signature are obtained, and when the check results of the first digital signature are equal to 1, first terminal is determined to the success of the first digital signature verification;When the check results of the first digital signature are equal to 0, first terminal can determine that second terminal is inactive terminals, and then delete the broadcast safe information received.
Optionally, first terminal is obtained based on system banner before the second public key of key management system, it can be sent to first node equipment and trust acquisition of credentials request, so that first node equipment is sent to key management system for credential request information is trusted, and key management system is received by the feedback information of the first terminal of first node device forwards, the feedback information of first terminal includes updated second public key of system banner and key management system.
Optionally, first terminal receives after feedback information of the key management system by the first terminal of first node device forwards, the corresponding relationship of system banner and updated second public key can be generated, and storage system identifies and its corresponding updated second public key, when original second public key corresponding there are system banner in the local data base of first terminal, first terminal deletes original second public key after by preset duration.
Optionally, first terminal obtains the second public key of key management system based on system banner, and the first digital signature is verified based on the second public key, be specifically as follows: first terminal obtains corresponding updated second public key of system banner and original second public key, and the first digital signature is verified based on updated second public key, obtain the first check results of the first digital signature, the first digital signature is verified based on original second public key, obtains the second check results of the first digital signature.
Optionally, first terminal is when verifying successfully, and identification second terminal is effective terminal, is specifically as follows: when the first check results be equal to 1 or second check results be equal to 1 when, first terminal determines that second terminal is effective terminal.
Optionally, first terminal obtains the second public key of key management system based on system banner, it is specifically as follows: when there is no when the second public key for the local data base of first terminal, first terminal downloads the second public key according to preset credible address from specified node device, wherein storing the second public key of all key management systems in specified node device.
Optionally, first terminal is based on the first public key and verifies to the second digital signature, when verifying successfully, broadcast message is handled, be specifically as follows: first terminal is handled the first public key, the second digital signature and broadcast safe information by preset verification algorithm, the check results to be broadcast the message, when the check results of broadcast message are equal to 1, first terminal determines that broadcast message broadcasts the message to be effective, and to broadcast Message is handled;When the check results of broadcast message are equal to 0, first terminal determines that broadcast message is active broadcast message, and deletes the broadcast safe information.
Second aspect of the present invention provides a kind of data transmission method, second terminal receives after the feedback information for the second terminal that key management system is sent, the second digital signature that broadcast message is calculated can be carried out to broadcast message based on the first private key, and sends broadcast safe information to first terminal.
Wherein, feedback information includes the first digital signature for trusting voucher and second terminal of second terminal.Trusting voucher includes the first private key and the first public key.First digital signature is that key management system is calculated the first public key based on the second private key of key management system.Broadcast safe information includes the system banner of broadcast message, the second digital signature, the first digital signature, the first public key and key management system.
Optionally, second terminal receives the feedback information for the second terminal that key management system is sent, be specifically as follows: second terminal is sent to first node equipment trusts acquisition of credentials request, so that first node equipment, which will trust credential request information, is sent to key management system, second terminal can also receive the feedback information that key management system passes through first node device forwards.
Optionally, second terminal is sent to first node equipment trusts acquisition of credentials request, so that first node equipment is sent to key management system for credential request information is trusted, be specifically as follows: second terminal is sent to first node equipment trusts acquisition of credentials request, so that first node equipment sends authentication request to second node equipment, when the local data base of second node equipment includes the broadcast service authorization message to second terminal, broadcast service authorization message is sent to first node equipment by second node equipment, first node equipment is sent to key management system for credential request information is trusted.
Optionally, second terminal is sent to first node equipment trusts acquisition of credentials request, so that first node equipment is sent to key management system for credential request information is trusted, be specifically as follows: second terminal is sent to first node equipment trusts acquisition of credentials request, so that first node equipment sends authentication request to second node equipment, when the local data base of second node equipment includes the broadcast service authorization message to second terminal, broadcast service authorization message is sent to first node equipment by second node equipment, and broadcast service authorization message is sent to the base station of second terminal place cell by second node equipment, first node equipment is sent to key management system for credential request information is trusted.
Optionally, before second terminal to broadcast message carries out that the second digital signature of broadcast message is calculated, running time-frequency resource acquisition request can be sent to base station, so as to whether deposit in the local data base of base station detection base station In the broadcast service authorization message of second terminal, when there are when the broadcast service authorization message of second terminal in the local data base of base station, running time-frequency resource is distributed to second terminal in base station, and then second terminal can be used the running time-frequency resource that base station is distributed and broadcast safe information is sent to first terminal.
Optionally, second terminal be calculated before the second digital signature of broadcast message to broadcast message, running time-frequency resource acquisition request can be sent to the base station of cell where second terminal, so that base station sends the authorization message acquisition request to second terminal to second node equipment, when base station receive the transmission of second node equipment to the broadcast service authorization message of second terminal when, running time-frequency resource is distributed to second terminal in base station, and then broadcast safe information is sent to first terminal by the running time-frequency resource that second terminal is distributed using base station.
Optionally, second terminal sends running time-frequency resource acquisition request to the base station of cell where second terminal, so that base station sends the authorization message acquisition request to second terminal to second node equipment, be specifically as follows: second terminal sends running time-frequency resource acquisition request to the base station of cell where second terminal, so as to whether there is the broadcast service authorization message of second terminal in the local data base of base station detection base station, when, there are when the broadcast service authorization message of second terminal, running time-frequency resource is distributed to second terminal in base station in the local data base of base station;When the broadcast service authorization message of second terminal is not present in the local data base of base station, base station sends the authorization message acquisition request to second terminal to second node equipment.
Optionally, the effective initial time for trusting voucher can be carried by trusting credential request information, then the first digital signature is that key management system is calculated by the second private key, the first public key and effective initial time of the preset signature algorithm to key management system.
Optionally, feedback information can also include updated second public key of system banner and key management system, after the feedback information for the second terminal that then second terminal reception key management system is sent, the corresponding relationship of system banner and updated second public key can be generated, and store the system banner and its corresponding updated second public key, when original second public key corresponding there are system banner in the local data base of second terminal, second terminal can delete original second public key after by preset duration.
Optionally, second terminal carries out the second digital signature that broadcast message is calculated to broadcast message, be specifically as follows: second terminal is calculated by generation time of the preset signature algorithm to the first private key, broadcast message, the first public key, the effective initial time for trusting voucher, the first digital signature, system banner and the second digital signature, obtains the second digital signature information.
Third aspect present invention provides a kind of data transmission method, and first node equipment receives second terminal hair After the trust acquisition of credentials request sent, it can request to send the feedback information trusted credential request information, and receive the second terminal of key management system transmission to key management system according to acquisition of credentials is trusted, feedback information is sent to second terminal.
Wherein, feedback information may include the first digital signature for trusting voucher and second terminal of second terminal, trusting voucher may include the first private key and the first public key, and the first digital signature is that key management system is calculated the first public key based on the second private key of key management system.
Optionally, first node equipment requests to send before trusting credential request information to key management system according to acquisition of credentials is trusted, authentication request can be sent to second node equipment, so as to whether include the broadcast service authorization message to second terminal in the local data base of second node equipment detection second node equipment, when the local data base of second node equipment includes the broadcast service authorization message to second terminal, broadcast service authorization message to second terminal is sent to first node equipment by second node equipment, first node equipment receives the broadcast service authorization message to second terminal that second node equipment is sent.
Optionally, first node equipment requests to send trust credential request information to key management system according to acquisition of credentials is trusted, be specifically as follows: first node equipment generates the effective initial time for trusting voucher, and it is sent to key management system by credential request information is trusted, trust credential request information and carries effective initial time.
Optionally, first digital signature is that key management system is calculated by the second private key, the first public key and effective initial time of the preset signature algorithm to key management system, and feedback information may include the second public key for trusting voucher, the first digital signature, effective initial time and key management system.
Optionally, after first node equipment receives the feedback information that key management system is sent, the terminal iidentification of second terminal and the corresponding relationship of feedback information can be generated, and store terminal iidentification and its corresponding feedback information.
Fourth aspect present invention provides a kind of computer storage medium, and the computer storage medium is stored with program, and described program includes the steps that all or part of in the data transmission method of first aspect of the embodiment of the present invention offer when executing.
Fifth aspect present invention provides a kind of computer storage medium, and the computer storage medium is stored with program, and described program includes the steps that all or part of in the data transmission method of second aspect of the embodiment of the present invention offer when executing.
Sixth aspect present invention provides a kind of computer storage medium, and the computer storage medium is stored with program, and described program includes the steps that all or part of in the data transmission method of the third aspect of the embodiment of the present invention offer when executing.
Seventh aspect present invention provides a kind of terminal, and the terminal includes:
Broadcast safe information receiving module, for receiving the broadcast safe information of second terminal transmission, broadcast safe information includes the second digital signature, the first digital signature of second terminal, the first public key of second terminal and the system banner of key management system of broadcast message, broadcast message, first digital signature is that key management system is calculated the first public key based on the second private key of key management system, and the second digital signature is that second terminal is calculated broadcast message based on the first private key of second terminal.
Correction verification module verifies the first digital signature for being obtained the second public key of key management system based on system banner, and based on the second public key, and when verifying successfully, identification second terminal is effective terminal.
Correction verification module is also used to verify the second digital signature based on the first public key, when verifying successfully, be handled broadcast message.
Optionally, the first digital signature is that key management system is calculated by effective initial time of the preset signature algorithm to the second private key, the first public key and the first private key.
Optionally, broadcast safe information further includes the generation time of effective initial time and the second digital signature, then terminal can also include:
Determining module, before the second public key for obtaining key management system based on system banner for correction verification module, it is based on preset time parameter and effective initial time, determines the valid interval of the first private key, when being located in valid interval the generation time, determine that the first private key is effective private key.
Optionally, terminal can also include:
Receiving time obtains module, for determining module based on preset time parameter and effective initial time, before the valid interval for determining the first private key, obtains the receiving time of broadcast safe information.
Determining module is based on preset time parameter and effective initial time, determines the valid interval of the first private key when the difference between being also used to when 330 receiving between the generation time is less than preset time threshold.
Optionally, correction verification module verifies the first digital signature based on the second public key, is specifically used for:
The second public key, the first public key, effective initial time and the first number are signed by preset verification algorithm Name is handled, and the check results of the first digital signature are obtained;When the check results of the first digital signature are equal to 1, determine to the success of the first digital signature verification.
Optionally, terminal can also include:
Request sending module sends to first node equipment before second public key of the correction verification module based on system banner acquisition key management system and trusts acquisition of credentials request, so that first node equipment is sent to key management system for credential request information is trusted.
Feedback information receiving module, for receiving key management system by the feedback information of the first terminal of first node device forwards, the feedback information of first terminal includes updated second public key of system banner and key management system.
Optionally, terminal can also include:
Memory module, after the feedback information for receiving the first terminal that key management system passes through first node device forwards for feedback information receiving module, generate the corresponding relationship of system banner and updated second public key, and storage system mark and its corresponding updated second public key.
Removing module, for deleting original second public key after by preset duration when original second public key corresponding there are system banner in the local data base of terminal.
Optionally, correction verification module obtains the second public key of key management system based on system banner, and is verified based on the second public key to the first digital signature, is specifically used for:
Obtain corresponding updated second public key of system banner and original second public key.
The first digital signature is verified based on updated second public key, obtains the first check results of the first digital signature.
The first digital signature is verified based on original second public key, obtains the second check results of the first digital signature.
Optionally, for correction verification module when verifying successfully, identification second terminal is effective terminal, is specifically used for:
When the first check results be equal to 1 or second check results be equal to 1 when, determine second terminal be effective terminal.
Eighth aspect present invention provides a kind of terminal, and the terminal includes processor, input unit, output device and memory, and processor, input unit and output device can be used for implementing some or all of with reference to first aspect step.
Ninth aspect present invention provides a kind of terminal, and the terminal includes processor, input unit, output device and memory, and processor, input unit and output device can be used for implementing combining some or all of second aspect step.
Tenth aspect present invention provides a kind of node device, and the node device may include:
Request receiving module, for receiving the trust acquisition of credentials request of second terminal transmission.
Solicited message sending module trusts credential request information for requesting to send to key management system according to trust acquisition of credentials.
Feedback information receiving module, for receiving the feedback information of the second terminal of key management system transmission, feedback information includes the first digital signature for trusting voucher and second terminal of second terminal, trusting voucher includes the first private key and the first public key, and the first digital signature is that key management system is calculated the first public key based on the second private key of key management system.
Feedback information sending module, for feedback information to be sent to second terminal.
Optionally, node device can also include:
Request sending module, it requests to send before trusting credential request information to key management system according to acquisition of credentials is trusted for solicited message sending module, authentication request is sent to second node equipment, so as to whether include the broadcast service authorization message to second terminal in the local data base of second node equipment detection second node equipment, when in the local data base of second node equipment comprising the broadcast service authorization message to second terminal, the broadcast service authorization message to second terminal is sent to node device by second node equipment.
Authorization message receiving module, for receiving the broadcast service authorization message to second terminal of second node equipment transmission.
Optionally, solicited message sending module is specifically used for:
Generate the effective initial time for trusting voucher.
Credential request information will be trusted and be sent to key management system, credential request information is trusted and carry effective initial time.
Optionally, the first digital signature is that key management system is calculated by the second private key, the first public key and effective initial time of the preset signature algorithm to key management system.Feedback information includes the second public key for trusting voucher, the first digital signature, effective initial time and key management system.
Optionally, node device can also include:
Memory module generates the terminal iidentification of second terminal and the corresponding relationship of feedback information, and store terminal iidentification and its corresponding feedback information after receiving the feedback information that key management system is sent for feedback information receiving module.
Tenth one side of the invention provides a kind of node device, and the node device includes processor, input unit, output device and memory, and processor, input unit and output device can be used for implementing combining some or all of third aspect step.
The twelfth aspect of the present invention provides a kind of data transmission system, including node device described in terminal and the tenth one side described in terminal described in eighth aspect, the 9th aspect.
Detailed description of the invention
In order to more clearly explain the embodiment of the invention or the technical proposal in the existing technology, the drawings to be used in the embodiments are briefly described below, apparently, drawings in the following description are only some embodiments of the invention, for those of ordinary skill in the art, without creative efforts, it is also possible to obtain other drawings based on these drawings.
Fig. 1 is a kind of configuration diagram of the data transmission system provided in the embodiment of the present invention;
Fig. 2 is a kind of flow diagram of the data transmission method provided in the embodiment of the present invention;
Fig. 3 is a kind of flow diagram of the data transmission method provided in another embodiment of the present invention;
Fig. 4 is a kind of structural schematic diagram of the terminal provided in the embodiment of the present invention;
Fig. 5 is a kind of structural schematic diagram of the terminal provided in another embodiment of the present invention;
Fig. 6 is a kind of structural schematic diagram of the terminal provided in another embodiment of the present invention;
Fig. 7 is a kind of structural schematic diagram of the terminal provided in another embodiment of the present invention;
Fig. 8 is a kind of structural schematic diagram of the node device provided in the embodiment of the present invention;
Fig. 9 is a kind of structural schematic diagram of the node device provided in another embodiment of the present invention;
Figure 10 is a kind of structural schematic diagram of the data transmission system provided in the embodiment of the present invention.
Specific embodiment
Following will be combined with the drawings in the embodiments of the present invention, and technical scheme in the embodiment of the invention is clearly and completely described, it is clear that described embodiments are only a part of the embodiments of the present invention, instead of all the embodiments.Based on the embodiments of the present invention, every other embodiment obtained by those of ordinary skill in the art without making creative efforts, shall fall within the protection scope of the present invention.
In traditional data transmission method, in every broadcast message of vehicle other than the digital signature for carrying the message, the digital certificate for carrying sender is also needed, transmitted data amount is larger, and CA needs periodically to each vehicle issuing digital certificate, and expense is larger.
The embodiment of the invention provides a kind of data transmission methods, first terminal receives the broadcast safe information that second terminal is sent, the system banner for the key management system for including according to broadcast safe information obtains the second public key of key management system, it is verified based on first digital signature of second public key to second terminal, when verifying successfully, identification second terminal is effective terminal, and the first public key based on second terminal verifies the second digital signature of broadcast message, when verifying successfully, broadcast message is handled, expense and transmitted data amount can be reduced on the legitimacy foundation in the source that ensures to broadcast the message.Wherein, broadcast safe information includes the system banner of broadcast message, the second digital signature, the first digital signature, the first public key and key management system, first digital signature is that key management system is calculated the first public key based on the second private key of key management system, and the second digital signature is that second terminal is calculated broadcast message based on the first private key of second terminal.
Based on the above principles, the embodiment of the invention provides a kind of configuration diagrams of data transmission system, the system architecture can be deployed in the cellular network or future 5G network of 3GPP, the cellular network of 3GPP may include LTE-V, device-to-device (device to device, D2D) or one-to-many communication (one-to-all communication) system, the following 5G network may include evolved from vehicle to all things on earth eV2X system.Referring to Figure 1, the framework of the data transmission system at least may include: first terminal 101, second terminal 102 and key management system (Key Management System, KMS) 103.
In specific implementation, second terminal 102 can receive the feedback information of the second terminal 102 of KMS103 transmission, wherein feedback information may include the first digital signature for trusting voucher and second terminal 102 of second terminal 102, trusting voucher may include the first private key and the first public key, and the first digital signature is that KMS103 is calculated the first public key based on the second private key of KMS103;When second terminal 102 needs to send broadcast message to first terminal 101, calculation processing can be carried out to the broadcast message and be somebody's turn to do Second digital signature of broadcast message, wherein the second digital signature is that second terminal 102 is calculated broadcast message based on the first private key, broadcast safe information can be generated in second terminal 102, wherein broadcast safe information may include the system banner of broadcast message, the second digital signature of broadcast message, the first digital signature, the first public key and KMS103, and then broadcast safe information is sent to first terminal 101 by second terminal 102;First terminal 101 receives after the broadcast safe information of the transmission of second terminal 102, the second public key of KMS103 can be obtained based on system banner, and the first digital signature is verified based on the second public key, when verifying successfully, first terminal 101 can identify that second terminal 102 is effective terminal;First terminal 101 is also based on the first public key and verifies to the second digital signature, and when verifying successfully, first terminal 101 can be handled the broadcast message.
Optionally, the framework of the data transmission system can also include first node equipment 104.Second terminal 102 receives before the feedback information for the second terminal 102 that KMS103 is sent, second terminal 102 can be sent to first node equipment 104 trusts acquisition of credentials request, first node equipment 104 requests to send trust credential request information to KMS103 according to acquisition of credentials is trusted, KMS103 can generate trust voucher according to credential request information is trusted, trust the first public key and its first private key that voucher may include second terminal 102, KMS103 can carry out the first public key the first digital signature is calculated based on the second private key of KMS103, and voucher and the first digital signature will be trusted and be sent to first node equipment 104, and then first node equipment 104 can will trust voucher and the first digital signature is sent to second terminal 102.
Optionally, the framework of the data transmission system can also include second node equipment 105.First node equipment 104 requests to send before trusting credential request information to KMS103 according to the trust acquisition of credentials that second terminal 102 is sent, authentication request can be sent to second node equipment 105, when the local data base of second node equipment 105 includes the broadcast service authorization message to second terminal 102, broadcast service authorization message to second terminal 102 can be sent to first node equipment 104 by second node equipment 105, and then first node equipment 104 is sent to KMS103 for credential request information is trusted.
Optionally, the framework of the data transmission system can also include home subscriber server (Home Subscriber Server, HSS) 107.After first node equipment 104 is sent to second node equipment 105 to the authentication request of second terminal 102, when the local data base of second node equipment 105 does not include the broadcast service authorization message to second terminal 102, second node equipment 105 can send the authentication request information to second terminal 102 to HSS107, when second terminal 102 opens V2X business, the broadcast service authorization message to second terminal 102 can be generated in HSS107, and will take to the broadcast of second terminal 102 Business authorization message is transmitted to first node equipment 104 by second node equipment 105.
Optionally, the framework of the data transmission system can also include the base station 106 of 102 place cell of second terminal.Second terminal 102 generates after broadcast message, running time-frequency resource acquisition request can be sent to base station 106, detect the broadcast service authorization message that whether there is second terminal 102 in the local data base of base station 106 in base station 106, when, there are when the broadcast service authorization message of second terminal 102, base station 106 can distribute running time-frequency resource to second terminal 102 in the local data base of base station 106;When the broadcast service authorization message of second terminal 102 is not present in the local data base of base station 106, base station 106 can send the authentication request to second terminal 102 to second node equipment 105, when the local data base of second node equipment 105 includes the broadcast service authorization message to second terminal 102, broadcast service authorization message to second terminal 102 can be sent to base station 106 by second node equipment 105, then base station 106 can distribute running time-frequency resource to second terminal 102, and then broadcast safe information is sent to first terminal 101 by the running time-frequency resource that second terminal 102 is distributed using base station 106.
Wherein, first terminal 101 and second terminal 102 are properly termed as user equipment (UE, User Equipment), mobile station, access terminal, subscriber unit, subscriber station, movement station, remote station, remote terminal, mobile device, terminal, wireless telecom equipment, user agent or user apparatus etc., it specifically can be the website (ST in WLAN, Station), cellular phone, wireless phone, session initiation protocol (SIP, Session Initiation Protocol) phone, wireless local loop (WLL, Wireless Local Loop) it stands, personal digital assistant (PDA, Personal Digital Assistant), have The handheld device of wireless communication function, calculate equipment, the other processing equipments for being connected to radio modem, mobile unit, wearable device, the mobile station in future 5G network and the terminal device in the PLMN network of the following evolution etc. in any one.It should be noted that first terminal 101 can be used for receiving data in the embodiment of the present invention, optionally, first terminal 101 can be used for sending data to other terminals, and the quantity of first terminal 101 can be at least one;Second terminal 102 can be used for sending data in the embodiment of the present invention, and optionally, second terminal 102 can be used for receiving the data of other terminals transmission, and the quantity of second terminal 102 can be at least one, not limited by the embodiment of the present invention specifically.
Wherein, KMS103 is specifically as follows V2X KMS, mentions in 3GPP TR 33.885V0.3.0.Its function is the interim public private key pair for generating user, and is digitally signed to temporary public key, is proved with providing the legitimacy of the temporary public key.It should be noted that the data transmission system in the embodiment of the present invention may include at least one KMS103.
Wherein, first node equipment 104 is specifically as follows interim ID management function (Temporary ID Management Function), mentions in 3GPP TR 33.885V0.4.0.Its function is as follows:
1. as the intermediate node between terminal and KMS103, it can avoid carrying out direct communication between terminal and KMS103 to expose the link position of KMS103, and then reveal the sensitive information stored in KMS103, such as the second public key and the second private key of KMS103, the interim public private key pair that KMS103 is generated, and to the first digital signature etc. that temporary public key is calculated, the safety of feedback information can be improved.
2. the interim public private key pair and terminal iidentification of terminal are associated and stored in the local database, to audit to sender.
3. keeping the independence of KMS103 function, that is KMS103 only carries out direct communication between first node equipment 104, KMS103 is only used for generating the interim public private key pair of user, and is digitally signed to temporary public key, it is not necessary that the interim public private key pair of terminal to be associated with and store with terminal iidentification.
Wherein, second node equipment 105 is specifically as follows from vehicle to all things on earth control function unit (V2X Control Function), it is mentioned in 3GPP TR 23.785v1.1.0, V2X Control function is one and provides the logic unit of network-related functions required by V2X, which provides the V2X service authorization information of terminal.
Wherein, base station 106 can be wideband code division multiple access (WCDMA, Wideband Code Division Multiple Access) in base station (NB, NodeB) or the evolved base station (eNB, Evolutional Node B) in LTE system.
Wherein, user profile is stored in the local data base of HSS107, executes the authentication and authorization of user.The accessible information of HSS includes: user's identification;User security information, i.e., for authentication and the Network access control information of authorization etc..
Before introducing specific embodiments of the present invention, some simple declarations are carried out to concepts such as the digital signature that may relate in the present invention first.Digital signature refers to only being generated and a number of segment word string that others can not forge by sender, this number of segment word string is also the valid certificates that data validity is sent to sender simultaneously, and digital signature can provide integrality, authentication and non-repudiation protection.Digital signature is made of three algorithms: key schedule Gen, signature algorithm Sign, verification algorithm Verf.Key schedule Gen is used to generate the public private key pair (PK, SK) of digital signature, is denoted as (PK, SK) ← Gen.Signature algorithm Sign generates signature Sig, is denoted as Sig ← Sign (SK, msg) by input signature private key SK and message m sg.Verification algorithm Verf exports a bit value by input verification public key PK, message m sg and signature Sig σ is denoted as σ ← Verf (PK, msg, Sig).For (PK, SK) ← Gen, if illegal user does not get SK, message & signature can not be generated to (msg, Sig), so that Verf (PK, msg, Sig)=1.
Before introducing specific embodiments of the present invention, some simple declarations are carried out to data such as the feedback informations or broadcast safe information that may relate in the present invention first.
Msg: broadcast message, i.e. second terminal 102 need the message content broadcasted in application layer, such as speed or current location etc..Optionally, the data length of broadcast message can be less than 300 bytes.
SKA: the first private key of second terminal 102, for generating the second digital signature.(PKA, SKA) is the interim public private key pair generated by KMS103, and depending on the renewal frequency of interim public private key pair is by the anti-tracking demand parameter in carrier policy and standard, i.e. KMS103 generates different interim public private key pairs based on preset renewal frequency.
PKA: the first public key of second terminal 102, while being also the temporary identity of second terminal 102, for verifying the second digital signature.
Time: effective initial time of interim public private key pair.Depending on the validity period duration of interim public private key pair is by the anti-tracking demand parameter in carrier policy and standard, illustratively, a length of time parameter Duration when validity period as defined in operator (such as, 5 minutes), then the valid interval of the interim public private key pair is [Time, Time+Duration].
It should be noted that, do not have clearly to provide the valid interval of verifying PKA in the embodiment of the present invention, broadcast message is carried out the second digital signature is calculated because second terminal 102 is based on the first private key, and broadcast safe information is sent to first terminal 101, whether the generation time detection broadcast message that first terminal 101 is primarily based on broadcast safe information is effective, it generates time, that is, timestamp (timestamp), then whether expired based on effective initial time detection SKA again, since the timestamp of configuration is smaller, such as 100ms, then detect the detection time of SKA and comparing using the time for SKA, most much later 100ms, this time span can be ignored on key validity period, which guarantee the detection times of verifying SKA will not be than SKA's It is too long using evening time, then it is whether expired without further detection PKA after whether the detection of first terminal 101 SKA is expired, when first terminal 101 determines that SKA is effective, it can also determine that PKA is effective;When first terminal 101 determines that SKA is expired, it can also determine that PKA is expired.
Duration: time parameter, for indicating the validity period duration of the first public key, which provides (or uniformly being provided by 3GPP standard) by operator.
First digital signature, the first digital signature are KMS103 using the second private key KSAK, the first public key PKA and effective initial time Time of KMS103 as input, call signature algorithm Sign digital signature generated.The effect of first digital signature is: first terminal 101 being allowed to be able to verify that the validity and legitimacy of the temporary identity PKA of second terminal 102.
KMSID: KMSIDIt is the identity of KMS103.One KMS103 only has a unique KMSIDAnd unique a pair of of digital signature keys are to (KPAK, KSAK), KMSIDIt is kept fixed constant, (KPAK, KSAK) can be kept fixed constant, and optionally, (KPAK, KSAK) can be periodically updated.First terminal 101 is according to KMSIDIt determines the second public key KPAK of corresponding K MS103, and verifies the first digital signature based on KPAK.
The second private key of KSKA:KMS103, for generating the first digital signature.
The second public key of KPKA:KMS103, for verifying the first digital signature.
Timestamp: the timestamp of broadcast message.Under normal circumstances, which is generation time when second terminal 102 generates the second digital signature.First terminal 101 receives after broadcast safe information, detection time stabs timestamp first, timestamp is subtracted with the receiving time for receiving broadcast safe information, if resulting value is greater than preset time threshold, then judge that the broadcast safe information is to reset information, refusal handles the broadcast safe information;Otherwise, whether the first public key of detection is expired.Preset time threshold can be preset duration, such as 200ms or 1s etc..
Sig: the second digital signature, the second digital signature be second terminal 102 with the first private key SKA and (msg, PKA, Time,KMSID, timestamp) and as input, call signature algorithm Sign digital signature generated.The effect of second digital signature is: allow first terminal 101 be able to verify that (msg, PKA, Time,KMSID, timestamp) source legitimacy.It should be noted that if it is msg that second terminal 102, which needs the broadcast message that sends, broadcast safe information can for (msg, PKA, Time,KMSID, timestamp, Sig).
Based on the configuration diagram of data transmission system shown in FIG. 1, Fig. 2 is referred to, Fig. 2 is a kind of flow diagram of the data transmission method provided in the embodiment of the present invention, and the data transmission method in the embodiment of the present invention as shown in the figure may include:
S201, second terminal send authentication request to second node equipment, and authentication request carries the terminal iidentification of second terminal.
In specific implementation, second terminal (such as UEA) executes EPS-AKA agreement, and negotiate network attached storage (Network Attached Storage, NAS) layer key and application server (Application Server, AS) after layer key, authentication request can be sent to second node equipment (such as V2X Control Function), authentication request carries the terminal iidentification (such as IDA) of UEA.
Optionally, first terminal (such as UEB) executes EPS-AKA agreement, and after negotiating NAS layers of key and AS layers of key, authentication request can be sent to V2X Control Function, authentication request carries the terminal iidentification (such as IDB) of UEB.Wherein, terminal iidentification can be used for the unique identification terminal, such as terminal iidentification may include Internet protocol address (the Internet Protocol Address of terminal,) or mobile device international identity code (International Mobile Equipment Identity, IMEI) etc. IP.It should be noted that terminal executes EPS-AKA agreement, and the specific steps visible 3GPP 33.401 and 3GPP 33.102 for negotiating NAS layers of key and AS layers of key, details are not described herein.
Optionally, UEA is sent to V2X Control Function before authentication request, client identification module (Subscriber Identity Module can be configured, SIM) relevant information, and between first node equipment (such as Temporary ID Management Function) secure communication required argument.In addition, UEA can establish { (a KMSID, KPAK) } list, it is initially empty table, system banner (such as the KMS of the key management system (KMS) for storing Temporary ID Management Function transmissionID) and its corresponding second public key (such as KPAK).Furthermore it is also possible to configure credible address to UEA, credible address can be the access path of the KPAK of any KMS of acquisition, and illustratively, the current KPAK of the KMS can be sent to specified node device by each KMS, then node device is specified to store the KMS of each KMSIDAnd its corresponding KPAK, when UEA needs to obtain the KPAK of specified KMS, UEA can access specified node device based on preset credible address, and the corresponding KPAK of KMSID of specified KMS is downloaded from specified node device.In addition, UEA can also configure required security parameter, such as anti-replay demand parameter (i.e. preset time threshold), the validity period duration (i.e. time parameter Duration) of the first public key.
Optionally, UEB to V2X Control Function send authentication request before, SIM card relevant information can be configured, and between Temporary ID Management Function secure communication required argument.In addition, UEB can establish { (a KMSID, KPAK) } list, it is initially empty table, system banner (such as the KMS of the key management system (KMS) for storing Temporary ID Management Function transmissionID) and its corresponding second public key (such as KPAK).Furthermore it is also possible to give UEB Credible address is configured, credible address can be the access path of the KPAK of any KMS of acquisition.Furthermore it is also possible to configure required security parameter, such as anti-replay demand parameter (i.e. preset time threshold), the validity period duration (i.e. time parameter Duration) of the first public key to UEB.
It optionally, can be to the relevant parameter of base station (such as eNB) configuration processing running time-frequency resource acquisition request.It optionally, may include the shortest time interval of user's request running time-frequency resource to the eNB parameter configured.Shortest time, interval was by operator depending on migration efficiency and standard requirement.
It optionally, can be to the relevant parameter communicated between the approval authority of contract signature information and HSS and V2X Control Function of home subscriber server (such as HSS) configuration LTE-V user.Specifically, HSS can store the terminal iidentification for having opened the terminal of V2X business.
Optionally, relevant information can be configured to V2X Control Function, including the relevant parameter that it is communicated between terminal, HSS Temporary ID Management Function, and has opened the broadcast service authorization message of the terminal of V2X business.
Optionally, relevant information, the relevant parameter communicated between terminal, V2X Control Function or KMS including it can be configured to Temporary ID Management Function.The local data base of Temporary ID Management Function can store terminal iidentification and its corresponding feedback information.
Optionally, relevant information, the KMS including its relevant parameter and KMS that communicate between Temporary ID Management Function can be configured to KMSIDWith key information (KPAK, KSAK).
S202, when the local data base of second node equipment includes the broadcast service authorization message of second terminal, the base station of cell where the terminal iidentification of second terminal and its broadcast service authorization message are sent to second terminal by second node equipment.
In specific implementation, V2X Control Function is received after the authentication request of UEA transmission, the broadcast service authorization message of UEA can be searched in the local data base of V2X Control Function according to the terminal iidentification of UEA, when the local data base of V2X Control Function includes the broadcast service authorization message of UEA, the base station (such as eNB) of cell where the terminal iidentification of UEA and its broadcast service authorization message can be sent to UEA by V2X Control Function;When the local data base of V2X Control Function does not include the broadcast service authorization message of UEA, V2X Control Function can send authentication request to HSS, the terminal iidentification of authentication request carrying UEA, HSS can detect the V2X service fulfillment situation of UEA according to authentication request, when UEA has opened V2X business, HSS be can be generated The broadcast service authorization message of UEA, and the broadcast service authorization message is sent to V2X Control Function, V2X Control Function and can store the broadcast service authorization message of UEA, and the broadcast service authorization message of UEA is sent to eNB;When UEA does not open V2X business, UEA is not opened the case where V2X business and is sent to V2X Control Function by HSS, the V2X service fulfillment situation of V2X Control Function storage UEA, UEA is not opened the case where V2X business and is sent to eNB by V2X Control Function, and eNB determines that UEA does not obtain broadcast service authorization.
Optionally, V2X Control Function is received after the authentication request of UEB transmission, the broadcast service authorization message of UEB can be searched in the local data base of V2X Control Function according to the terminal iidentification of UEB, when the local data base of V2X Control Function includes the broadcast service authorization message of UEB, the base station (such as eNB) of cell where the terminal iidentification of UEB and its broadcast service authorization message can be sent to UEB by V2X Control Function;When the local data base of V2X Control Function does not include the broadcast service authorization message of UEB, V2X Control Function can send authentication request to HSS, the terminal iidentification of authentication request carrying UEB, HSS can detect the V2X service fulfillment situation of UEB according to authentication request, when UEB has opened V2X business, the broadcast service authorization message of UEB can be generated in HSS, and the broadcast service authorization message is sent to V2X Control Function, V2X Control Function can store the broadcast service authorization message of UEB, and the broadcast service authorization message of UEB is sent to eNB;When UEB does not open V2X business, UEB is not opened the case where V2X business and is sent to V2X Control Function by HSS, the V2X service fulfillment situation of V2X Control Function storage UEB, UEB is not opened the case where V2X business and is sent to eNB by V2X Control Function, and eNB determines that UEB does not obtain broadcast service authorization.
Optionally, when UEA is moved to other cells, V2X Control Function can determine that UEA is presently in the base station of cell, and the broadcast service authorization message of UEA is sent to the base station for determining and obtaining.
Optionally, when UEB is moved to other cells, V2X Control Function can determine that UEB is presently in the base station of cell, and the broadcast service authorization message of UEB is sent to the base station for determining and obtaining.
S203, second terminal is sent to first node equipment trusts acquisition of credentials request, trusts the terminal iidentification that acquisition of credentials request carries second terminal.
Specifically, UEA can be sent by exit passageway to Temporary ID Management Function at interval of preset duration trusts acquisition of credentials request, the terminal iidentification that acquisition of credentials request carries UEA is trusted.
Optionally, UEB, which can be sent by exit passageway to Temporary ID Management Function, trusts acquisition of credentials request, and the terminal iidentification of UEB can be carried by trusting acquisition of credentials request.Specifically, UEB can be sent by exit passageway to Temporary ID Management Function at interval of preset duration trusts acquisition of credentials request, the terminal iidentification that acquisition of credentials request carries UEB is trusted.Illustratively, preset duration can be less than or equal to the renewal frequency of interim public private key pair, and the embodiment of the present invention is specifically not construed as limiting.
S204, first node equipment send authentication request to second node equipment, and authentication request carries the terminal iidentification of second terminal.
Specifically, Temporary ID Management Function is received after the trust acquisition of credentials request of UEA transmission, authentication request can be sent to V2X Control Function, to determine whether UEA has broadcast permission, authentication request can carry the terminal iidentification of UEA.
Optionally, Temporary ID Management Function is received after the trust acquisition of credentials request of UEB transmission, authentication request can be sent to V2X Control Function, to determine whether UEB has broadcast permission, authentication request can carry the terminal iidentification of UEB.
S205, when the local data base of second node equipment includes the broadcast service authorization message of second terminal, the terminal iidentification of second terminal and its broadcast service authorization message are sent to first node equipment by second node equipment.
Specifically, V2X Control Function is received after the authentication request of Temporary ID Management Function transmission, the terminal iidentification for the UEA that can be carried according to authentication request, the broadcast service authorization message there are UEA is searched whether in the local data base of V2X Control Function, when the local data base of V2X Control Function includes the broadcast service authorization message of UEA, the terminal iidentification of UEA and its broadcast service authorization message are sent to Temporary ID Management Function by V2X Control Function.Optionally, when the local data base of V2X Control Function does not include the broadcast service authorization message of UEA, V2X Control Function can send authentication request to HSS, the terminal iidentification of authentication request carrying UEA, the V2X service fulfillment situation of the available UEA of HSS, when UEA has opened V2X business, the broadcast service authorization message to UEA can be generated in HSS, and the broadcast service authorization message of UEA is sent to V2X Control Function, V2X Control Function can store UEA terminal iidentification and its corresponding broadcast service authorization message, and the broadcast service authorization message of UEA is sent to Tem Porary ID Management Function.Optionally, when When UEA does not open V2X business, HSS, which can be generated, is used to indicate the instruction information that UEA does not open V2X business, and the instruction information is sent to V2X Control Function, V2X Control Function, the instruction information is sent to Temporary ID Management Function.It is obtained in the embodiment of the present invention and needs to detect whether terminal has broadcast permission before trusting voucher, have broadcast right in terminal to prescribe a time limit, the feedback information that will acquire is sent to the terminal, broadcast message is sent to another terminal so that the terminal is based on the feedback information, it can avoid without broadcast permission, usurp broadcast permission or send broadcast message using the user of expired permission, the legitimacy in broadcast message source can be improved.
Optionally, V2X Control Function is received after the authentication request of Temporary ID Management Function transmission, the terminal iidentification for the UEB that can be carried according to authentication request, the broadcast service authorization message there are UEB is searched whether in the local data base of V2X Control Function, when the local data base of V2X Control Function includes the broadcast service authorization message of UEB, the terminal iidentification of UEB and its broadcast service authorization message are sent to Temporary ID Management Function by V2X Control Function.
S206, first node equipment request to send trust credential request information to key management system according to acquisition of credentials is trusted.
Specifically, Temporary ID Management Function is received after the broadcast service authorization message of the UEA of V2X Control Function transmission, it can determine that UEA has broadcast permission, and then request to send to KMS according to the trust acquisition of credentials that UEA is sent and trust credential request information.Optionally, Temporary ID Management Function can choose a highest KMS of idle degrees according to service conditions (such as idle degrees of each KMS), will trust credential request information and be sent to the KMS for choosing and obtaining.Optionally, the trust credential request information that Temporary ID Management Function is sent to KMS can carry the effective initial time Time for trusting voucher, which can not carry the terminal iidentification of UEA.
Optionally, Temporary ID Management Function receives when being used to indicate UEA and not opening the instruction information of V2X business of V2X Control Function transmission, the refuse information trusting acquisition of credentials and requesting that refusal processing UEA is sent can be sent to UEA, refuse information can carry refusal processing reason, illustratively, refusal processing reason can be " UEA does not open V2X business, does not have broadcast permission ".
Optionally, Temporary ID Management Function receives V2X Control Function After the broadcast service authorization message of the UEB of transmission, it can determine that UEB has broadcast permission, and then request to send to KMS according to the trust acquisition of credentials that UEB is sent and trust credential request information.
S207, key management system generate trust voucher according to credential request information is trusted, trust the first public key and its first private key that voucher includes second terminal.
Specifically, the trust acquisition of credentials that Temporary ID Management Function is sent according to UEA is requested after trusting credential request information to KMS transmission, KMS can call preset key generating algorithm Gen to generate trust voucher, trust the first public key PKA and its first private key SKA that voucher may include UEA.Wherein, trusting voucher can periodically update, and renewal frequency is by depending on by the anti-tracking demand parameter in carrier policy and standard.It should be noted that Temporary ID Management Function is sent to KMS when trusting credential request information, carried terminal is not identified, then KMS is not aware that the specific terminal for receiving and trusting voucher.Trust voucher timing in the embodiment of the present invention to update, then third party can not identify that the first public key for identifying the identity of which terminal, can prevent user to be tracked.
Optionally, the trust acquisition of credentials that Temporary ID Management Function is sent according to UEB is requested after trusting credential request information to KMS transmission, KMS can call preset key generating algorithm Gen to generate the trust voucher of UEB, and trusting voucher may include the first public key of UEB and the first private key of UEB.
S208, key management system calculate the first public key based on the second private key of key management system, obtain the first digital signature.
Specifically, second private key KSAK and its second public key KPAK of any KMS configured with the unique system banner KMSID and KMS, after KMS generates the trust voucher of UEA, can carry out PKA the first digital signature is calculated based on KSAK.Optionally, the effective initial time for trusting voucher can be carried by trusting credential request information, wherein trust effective initial time i.e. effective initial time of the first public key of voucher or effective initial time of the first private key, KMS can call preset signature algorithm Sig, it is signed with KSAK to PKA and Time, obtains the first digital signatureI.e. (KSAK, (PKA, Time)).
Optionally, after the trust voucher of KMS generation UEB, the first digital signature that UEB is calculated can be carried out based on the first public key of the KSAK to UEB.Further alternative, the trust acquisition of credentials that Temporary ID Management Function is sent according to UEB requests the trust credential request information sent to KMS that can carry the effective initial time for trusting voucher of UEB, wherein trusting having for voucher Imitate effective initial time of effective initial time of the first public key of initial time, that is, UEB or the first private key of UEB, KMS can call preset signature algorithm, it is signed with effective initial time of the KSAK to the first public key of UEB and the trust voucher of UEB, obtains the first digital signature of UEB.
Feedback information is sent to first node equipment by S209, key management system, and feedback information includes trusting voucher, the first digital signature, the system banner of key management system and the second public key.
Specifically, KMS is generated after the first digital signature of UEA, the feedback information of UEA can be generated, and the feedback information of UEA is sent to Temporary ID Management Function, wherein feedback information may include the first digital signature of the trust voucher and UEA of UEA.Optionally, when the first digital signature is that KMS based on the second private key is calculated PKA and Time, then feedback information may include: PKA, SKA, Time,And KPAK.For example, Temporary ID Management Function can by exit passageway will (PKA, SKA, Time,KMSID, KPAK) it is sent to UEA.
Optionally, Temporary ID Management Function receives the trust acquisition of credentials request of UEA transmission, it requests to send to KMS according to the trust acquisition of credentials and trusts credential request information, and receive KMS transmission feedback information after, feedback information can be associated with the terminal iidentification of UEA, such as the terminal iidentification and PKA of UEA can be generated in Temporary ID Management Function, Time, the corresponding relationship of KMSID and KPAK, and store the terminal iidentification and its corresponding PKA of UEA, Time, KMSID and KPAK, it will (IDA, PKA, Time, KMSID, KPAK it) deposits In the local data base for storing up Temporary ID Management Function.When reaching audit validity period, Temporary ID Management Function can delete (IDA, PKA, Time, KMSID, KPAK) in local data base.In the embodiment of the present invention when malicious user occur and sending false broadcast message using the legal identity of oneself, (the IDA that can be stored according to Temporary ID Management Function, PKA, Time, KMSID, KPAK transmitting terminal) is found, can be used for realizing broadcast message audit.
Optionally, KMS is generated after the first digital signature of UEB, the feedback information of UEB can be generated, and the feedback information of UEB is sent to Temporary ID Management Function, wherein feedback information may include the first digital signature of the trust voucher and UEB of UEB.Optionally, when the first digital signature is that KMS is calculated based on effective initial time of second private key to the first public key of UEB and the trust voucher of UEB, then the feedback information of UEB may include: trust voucher, the UEB of UEB Trust voucher effective initial time, the first digital signature of UEB and KPAK.
Optionally, Temporary ID Management Function receives the trust acquisition of credentials request of UEB transmission, it requests to send to KMS according to the trust acquisition of credentials and trusts credential request information, and receive KMS transmission feedback information after, the feedback information of UEB can be associated with the terminal iidentification of UEB, such as the terminal iidentification of UEB and the first public key of UEB can be generated in Temporary ID Management Function, effective initial time of the trust voucher of UEB, the corresponding relationship of KMSID and KPAK, and store the terminal iidentification of UEB and its first public key of corresponding UEB, effective initial time of the trust voucher of UEB, KMSI D and KPAK.When reaching audit validity period, Temporary ID Management Function can delete effective initial time, KMSID and the KPAK for trusting voucher of the terminal iidentification of the UEB in local data base and its first public key of corresponding UEB, UEB.
Feedback information is sent to second terminal by S210, first node equipment.
Specifically, the feedback information of UEA can be sent to UEA by Temporary ID Management Function after the feedback information of UEA is sent to Temporary ID Management Function by KMS.
Optionally, UEA is received after the feedback information of the UEA of Temporary ID Management Function transmission, KMSID and KPAK in available feedback information, the corresponding relationship of the KMSID and KPAK are generated, and stores the KMSID and its corresponding KPAK in the local data base of UEA.Optionally, KMS preconfigured KPAK and KSAK can be periodically updated, the corresponding KPAK of the KMSID KPAK corresponding with the KMSID being currently received that then the UEA last time receives may not be identical, based on this, UEA is stored in the local data base of UEA after the KMSID and its corresponding updated KPAK, it can detecte in the local data base of UEA with the presence or absence of the corresponding original KPAK of the KMSID, as original KPAK corresponding there are the KMSID in the local data base of UEA, UEA can delete original KPAK after by preset duration.Wherein, preset duration can be preconfigured period, such as 1s or 2s etc..
Optionally, when the feedback information of UEA is sent to UEA by Temporary ID Management Function, feedback information can also carry the KPAK of the KMSID and each KMS of other neighbouring KMS, UEA is received after the KMSID and KPAK of other KMS, the corresponding relationship of the KMSID and KPAK can be generated, and store the KMSID and its corresponding KPAK in the local data base of UEA.Optionally, UEA stored in the local data base of UEA the KMSID and its it is corresponding more It after KPAK after new, can detecte with the presence or absence of the corresponding original KPAK of the KMSID in the local data base of UEA, as original KPAK corresponding there are the KMSID in the local data base of UEA, UEA can delete original KPAK after by preset duration.In the embodiment of the present invention, the KPAK that Temporary ID Management Function is sent is the corresponding updated KPAK of KMS, then UEA can be updated the KPAK of each KMS, to ensure the accuracy of KPAK.
Optionally, after the feedback information of UEB is sent to Temporary ID Management Function by KMS, the feedback information of UEB can be sent to UEB by Temporary ID Management Function.
Optionally, when the feedback information of UEB is sent to UEB by Temporary ID Management Function, feedback information can also carry the KPAK of the KMSID and each KMS of other neighbouring KMS, UEB is received after the KMSID and KPAK of other KMS, the corresponding relationship of the KMSID and KPAK can be generated, and store the KMSID and its corresponding KPAK in the local data base of UEB.Optionally, UEB is stored in the local data base of UEB after the KMSID and its corresponding updated KPAK, it can detecte in the local data base of UEB with the presence or absence of the corresponding original KPAK of the KMSID, as original KPAK corresponding there are the KMSID in the local data base of UEB, UEB can delete original KPAK after by preset duration.In the embodiment of the present invention, the KPAK that Temporary ID Management Function is sent is the corresponding updated KPAK of KMS, then UEB can be updated the KPAK of each KMS, to ensure the accuracy of KPAK.
Optionally, UEB is received after the feedback information of the UEB of Temporary ID Management Function transmission, KMSID and KPAK in available feedback information, the corresponding relationship of the KMSID and KPAK are generated, and stores the KMSID and its corresponding KPAK in the local data base of UEB.Optionally, KMS preconfigured KPAK and KSAK can be periodically updated, the corresponding KPAK of the KMSID KPAK corresponding with the KMSID being currently received that then the UEB last time receives may not be identical, based on this, UEB is stored in the local data base of UEB after the KMSID and its corresponding updated KPAK, it can detecte in the local data base of UEB with the presence or absence of the corresponding original KPAK of the KMSID, as original KPAK corresponding there are the KMSID in the local data base of UEB, UEB can delete original KPAK after by preset duration.
S211, second terminal send running time-frequency resource acquisition request to base station, and the running time-frequency resource acquisition request carries the terminal iidentification of second terminal.
Specifically, UEA needs to send to UEB when broadcasting the message, running time-frequency resource acquisition request can be sent to the base station eNB of cell where UEA, the running time-frequency resource acquisition request carries the terminal iidentification of UEA.
S212, when the local data base of base station includes the broadcast service authorization message of second terminal, running time-frequency resource is distributed to second terminal in base station.
Specifically, eNB is received after the running time-frequency resource acquisition request of UEA transmission, the broadcast service authorization message there are UEA can be searched whether in the local data base of eNB, when the local data base of eNB includes the broadcast service authorization message of UEA, eNB can distribute running time-frequency resource to UEA;When the local data base of eNB does not include the broadcast service authorization message of UEA, eNB can send the refuse information of refusal distribution running time-frequency resource to UEA, the refuse information can carry refusal assignment cause, illustratively, refusing assignment cause can be " UEA does not have broadcast service permission, can not distribute running time-frequency resource to UEA ".Before transmitting terminal is using running time-frequency resource transmission broadcast message in the embodiment of the present invention, base station needs to detect whether transmitting terminal has broadcast permission, running time-frequency resource is distributed to the transmitting terminal in limited time when transmitting terminal has broadcast right, it can prevent radio resource from being abused by malicious user, cause other legitimate users can not normal use radio resource transmission broadcast message.
S213, second terminal are based on the first private key and calculate broadcast message, obtain the second digital signature.
Specifically, broadcast message msg can be generated in UEA, and calculates based on SKA msg after eNB distributes running time-frequency resource to UEA, the second digital signature is obtained.Optionally, when UEA starts based on SKA and calculates msg, the generation time timestamp of the second digital signature can be generated, such as it is 10:00 on October 25th, 2016 that UEA, which starts the system time calculated msg, then UEA can determine that the generation time of the second digital signature is 10:00 on October 25th, 2016.
Optionally, UEA can call preset signature algorithm sig, using SKA to (msg, PKA, Time,KMSID, KPAK, timestamp) signed to obtain the second digital signature sig, i.e. Sig ← Sign (SKA, (msg, PKA, Time,KMSID, timestamp)).
Broadcast safe information is sent to first terminal by S214, the running time-frequency resource that second terminal is distributed using base station, and broadcast safe information includes broadcast message, the second digital signature, the first digital signature, the first public key and system banner.
Specifically, UEA generate the second digital signature after, broadcast safe information can be generated, wherein broadcast safe information can for (msg, PKA, Time,KMSID, timestamp, sig), broadcast safe information is sent to UEB by the running time-frequency resource that eNB distribution can be used in UEA.
S215, first terminal obtains corresponding second public key of system banner, and is verified based on the second public key to the first digital signature, and when verifying successfully, identification second terminal is effective terminal.
Specifically, after UEB receives broadcast safe information, corresponding KPAK can be obtained based on KMSID, and call preset verification algorithm Verf, with KPAK, PKA, Time andAs input, export a bit value σ, i.e. σ ← Verf (KPAK, (PKA, Time,), as σ=1, UEB can identify that UEA is effective terminal;As σ=1, UEB can identify that UEA is inactive terminals.The embodiment of the present invention verifies the first digital signature, to detect whether transmitting terminal is that false identities perhaps usurp the avoidable third party of identity using false identities or usurp identity transmission broadcast message, improves the legitimacy in broadcast message source.
Optionally, UEB is received after broadcast safe information, the receiving time of available broadcast safe information, and the generation time timestamp of the second digital signature is obtained in broadcast safe information, difference between when 330 receiving between timestamp is less than preset time threshold, and when being greater than 0, it is to reset message that UEB, which can determine the broadcast safe information not,;Difference between when 330 receiving between timestamp is more than or equal to preset time threshold, and when being less than or equal to 0, UEB can determine that the broadcast safe information is to reset message, and then delete the broadcast safe information.Look into whether value is less than preset time threshold between the receiving time of detection broadcast safe information of the embodiment of the present invention and the generation time of the second digital signature, it can identify whether the broadcast safe information is repeated to send by third party, it causes information chaotic, broadcast message repeat attack can be prevented.
Optionally, it is after resetting message that UEB, which determines the broadcast safe information not, it can be based on preset time parameter Duration and Time, determine the valid interval for trusting voucher, the valid interval for trusting voucher is [Time, Time+Duration], when timestamp is located in the valid interval, UEB can determine that the trust voucher is effectively to trust voucher;When timestamp is located at outside the valid interval, UEB can determine that the trust voucher is expired, and then delete the broadcast safe information.Whether the detectable trust voucher of the embodiment of the present invention is expired, and third party is avoided to send broadcast message using expired identity, improves the legitimacy in the source that broadcasts the message.
Optionally, UEB can search corresponding KPAK according to the KMSID in broadcast safe information in the local data base of UEB, as KPAK corresponding there are KMSID in the local data base of UEB, UEB can be verified the first digital signature based on the corresponding KPAK of KMSID;When the corresponding KPAK of KMSID is not present in the local data base of UEB, UEB can be according to preset credible address from finger Determine to download KPAK in node device, wherein storing the second public key of all KMS in specified node device.
Optionally, when there are when the KMSID corresponding updated KPAK and original KPAK in the local data base of UEB, UEB can verify the first digital signature based on updated KPAK, obtain the first check results of the first digital signature, and the first digital signature is verified based on original KPAK, obtain the second check results of the first digital signature, when the first check results be equal to 1 or second check results be equal to 1 when, UEB can determine UEA be effective terminal.
S216, first terminal are based on the first public key and verify to the second digital signature, when verifying successfully, handle broadcast message.
Specifically, UEB identification UEA be effective terminal after, preset verification algorithm Verf can be called, with PKA, (msg, PKA, Time,KMSID, timestamp) and sig be input, export a bit value σ ', i.e. σ ' ← Verf (PKA, (msg, PKA, Time,KMSID, timestamp), sig), as σ '=0, msg can be submitted to application layer and handled by UEB;As σ '=1, UEB can identify that the msg is invalid, and then delete the broadcast safe information.
The embodiment of the present invention is by means of 3GPP-AKA authentication mechanism; and asymmetric cryptosystem is introduced to protect the safety of broadcast message; it not only can solve the safety problem of vehicle broadcast; and directly rely on cellular network; substantially reduce the lower deployment cost of infrastructure; it also can be reduced transport overhead and amount of storage simultaneously, reduce management complexity.
In data transmission method shown in Fig. 2, second terminal is sent to first node equipment trusts acquisition of credentials request, first node equipment is got by second node equipment after the broadcast service authorization message of second terminal, it requests to send trust credential request information to key management system according to acquisition of credentials is trusted, key management system calculates the first public key in the trust voucher of generation based on the second private key of key management system, obtain the first digital signature, and second terminal will be sent to comprising the feedback information for trusting voucher and the first digital signature, broadcast safe information is sent to first terminal by the running time-frequency resource that second terminal is distributed using base station, first terminal is based on the second public key and verifies to the first digital signature, when verifying successfully, identification second terminal is effective terminal, first terminal is based on the first public key to second Digital signature is verified, and when verifying successfully, is handled broadcast message, can reduce expense and transmitted data amount on the legitimacy foundation in the source that ensures to broadcast the message.
Fig. 3 is referred to, Fig. 3 is a kind of process of the data transmission method provided in another embodiment of the present invention Schematic diagram, the data transmission method in the embodiment of the present invention as shown in the figure may include:
S301, second terminal is sent to first node equipment trusts acquisition of credentials request, trusts the terminal iidentification that acquisition of credentials request carries second terminal.
Optionally, UEA is sent to Temporary ID Management Function before trusting acquisition of credentials request, UEA executes EPS-AKA agreement, and after negotiating NAS layers of key and AS layers of key, authentication request can be sent to V2X Control Function, authentication request carries the terminal iidentification of UEA, and when the local data base of V2X Control Function includes the broadcast service authorization message of UEA, V2X Control Function can provide related service parameters to UEA.
Optionally, UEB is sent to Temporary ID Management Function before trusting acquisition of credentials request, UEB executes EPS-AKA agreement, and after negotiating NAS layers of key and AS layers of key, authentication request can be sent to V2X Control Function, authentication request carries the terminal iidentification of UEB, and when the local data base of V2X Control Function includes the broadcast service authorization message of UEB, V2X Control Function can provide related service parameters to UEB.
S302, first node equipment send authentication request to second node equipment, and authentication request carries the terminal iidentification of second terminal.
S303, when the local data base of second node equipment includes the broadcast service authorization message of second terminal, the terminal iidentification of second terminal and its broadcast service authorization message are sent to first node equipment by second node equipment.
S304, first node equipment request to send trust credential request information to key management system according to acquisition of credentials is trusted.
S305, key management system generate trust voucher according to credential request information is trusted, trust the first public key and its first private key that voucher includes second terminal.
S306, key management system calculate the first public key based on the second private key of key management system, obtain the first digital signature.
Feedback information is sent to first node equipment by S307, key management system, and feedback information includes trusting voucher, the first digital signature, the system banner of key management system and the second public key.
Feedback information is sent to second terminal by S308, first node equipment.
S309, second terminal send running time-frequency resource acquisition request to the base station of cell where second terminal, and the running time-frequency resource acquisition request carries the terminal iidentification of second terminal.
S310, when the local data base of base station includes the broadcast service authorization message of second terminal, running time-frequency resource is distributed to second terminal in base station.
Base station receives after the running time-frequency resource acquisition request of UEA transmission, local data base in base station checks the broadcast service authorization message of UE A, when the local data base of base station includes the broadcast service authorization message of second terminal, base station can distribute running time-frequency resource to second terminal;When the local data base of base station does not include the broadcast service authorization message of second terminal, base station can further execute step S311.
S311, when the local data base of base station does not include the broadcast service authorization message of second terminal, base station sends authentication request to second node equipment, and authentication request carries the terminal iidentification of second terminal.
Specifically, if the local data base of base station not yet stores the broadcast service authorization message of UEB, the authentication request of UEB is just initiated to V2X Control Function in base station, when base station receives the broadcast service authorization message of the UEB of V2X Control Function transmission, base station can be stored the broadcast service authorization message of UEB into the local data base of base station.
S312, base station receive the broadcast service authorization message for the second terminal that second node equipment is sent.
Running time-frequency resource is distributed to second terminal in S313, base station.
S314, second terminal are based on the first private key and calculate broadcast message, obtain the second digital signature.
Broadcast safe information is sent to first terminal by S315, the running time-frequency resource that second terminal is distributed using base station, and broadcast safe information includes broadcast message, the second digital signature, the first digital signature, the first public key and system banner.
S316, first terminal obtains corresponding second public key of system banner, and is verified based on the second public key to the first digital signature, and when verifying successfully, identification second terminal is effective terminal.
S317, first terminal are based on the first public key and verify to the second digital signature, when verifying successfully, handle broadcast message.
In data transmission method shown in Fig. 3, second terminal will be sent to second terminal comprising the feedback information for trusting voucher and the first digital signature, second terminal sends running time-frequency resource acquisition request to base station, when the local data base of base station does not include the broadcast service authorization message of second terminal, base station sends authentication request to second node equipment, when base station receives the broadcast service authorization message of the second terminal of second node equipment transmission, running time-frequency resource is distributed to second terminal in base station, broadcast safe information is sent to first terminal by the running time-frequency resource that second terminal is distributed using base station, first terminal is based on the second public key and verifies to the first digital signature, when verifying successfully, identification second terminal is effective terminal, first terminal is based on the first public key to the second number Signature is verified, and when verifying successfully, is handled broadcast message, can reduce expense and transmitted data amount on the legitimacy foundation in the source that ensures to broadcast the message.
The embodiment of the invention also provides a kind of computer storage mediums, wherein the computer storage medium can be stored with program, which includes step some or all of in embodiment of the method shown in above-mentioned any one of Fig. 2 Fig. 3 when executing.
Refer to Fig. 4, Fig. 4 is a kind of structural schematic diagram of the terminal provided in the embodiment of the present invention, the terminal can be used for implementing in conjunction with step some or all of in Fig. 2 or embodiment of the method shown in Fig. 3, the terminal at least may include broadcast safe information receiving module 401 and correction verification module 402, in which:
Broadcast safe information receiving module 401, for receiving the broadcast safe information of second terminal transmission, the broadcast safe information includes broadcast message, second digital signature of the broadcast message, first digital signature of the second terminal, first public key of the second terminal and the system banner of key management system, first digital signature is that the key management system is calculated first public key based on the second private key of the key management system, second digital signature is that the second terminal is calculated the broadcast message based on the first private key of the second terminal.
Correction verification module 402 verifies first digital signature for being obtained the second public key of the key management system based on the system banner, and based on second public key, when verifying successfully, identifies that the second terminal is effective terminal.
The correction verification module 402 is also used to verify second digital signature based on first public key, when verifying successfully, be handled the broadcast message.
Optionally, first digital signature is that the key management system is calculated by effective initial time of the preset signature algorithm to second private key, first public key and first private key.
Optionally, the broadcast safe information further includes the generation time of effective initial time and second digital signature.
Further, the terminal in the embodiment of the present invention can also include:
Determining module 403 before the second public key for being obtained the key management system based on the system banner for the correction verification module 402, is based on preset time parameter and effective initial time, determines the valid interval of first private key.
The determining module 403 is also used to when being located in the valid interval generation time, determines that first private key is effective private key.
Optionally, the terminal in the embodiment of the present invention can also include:
Receiving time obtains module 404, for the determining module 403 based on preset time parameter and effective initial time, before the valid interval for determining first private key, obtains the receiving time of the broadcast safe information.
The determining module 403 is also used to be based on the preset time parameter and effective initial time when the difference between the receiving time and the generation time is less than preset time threshold, determine the valid interval of first private key.
Optionally, the correction verification module 402 verifies first digital signature based on second public key, is specifically used for:
Second public key, first public key, effective initial time and first digital signature are handled by preset verification algorithm, obtain the check results of first digital signature.
When the check results of first digital signature are equal to 1, determine to first digital signature verification success.
Optionally, the terminal in the embodiment of the present invention can also include:
Request sending module 405, before the second public key for obtaining the key management system based on the system banner for the correction verification module 402, it is sent to first node equipment and trusts acquisition of credentials request, so that the first node equipment is sent to the key management system for credential request information is trusted.
Feedback information receiving module 406, for receiving the key management system by the feedback information of the first terminal of the first node device forwards, the feedback information of the first terminal includes updated second public key of the system banner and the key management system.
Optionally, the terminal in the embodiment of the present invention can also include:
Memory module 407, after receiving feedback information of the key management system by the first terminal of the first node device forwards for the feedback information receiving module 405, the corresponding relationship of the system banner and updated second public key is generated, and stores the system banner and its corresponding updated second public key.
Removing module 408, for deleting original second public key after by preset duration when original second public key corresponding there are the system banner in the local data base of the terminal.
Optionally, the correction verification module 402 obtains the second public key of the key management system based on the system banner, and is verified based on second public key to first digital signature, is specifically used for:
Obtain corresponding updated second public key of the system banner and original second public key.
First digital signature is verified based on updated second public key, obtains the first check results of first digital signature.
First digital signature is verified based on original second public key, obtains the second check results of first digital signature.
Optionally, the correction verification module 402 identifies that the second terminal is effective terminal, is specifically used for when verifying successfully:
When first check results are equal to 1 or second check results are equal to 1, determine that the second terminal is effective terminal.
Optionally, the correction verification module 402 obtains the second public key of the key management system based on the system banner, is specifically used for:
When second public key is not present in the local data base of the terminal, second public key is downloaded from specified node device according to preset credible address, the second public key of all key management systems is stored in the specified node device.
Optionally, the correction verification module 402 verifies second digital signature based on first public key, when verifying successfully, handles the broadcast message, is specifically used for:
First public key, second digital signature and the broadcast safe information are handled by preset verification algorithm, obtain the check results of the broadcast message.
When the check results of the broadcast message are equal to 1, determine the broadcast message for effectively broadcast message.
The broadcast message is handled.
In terminal shown in Fig. 4, broadcast safe information receiving module 401 receives the broadcast safe information that second terminal is sent, correction verification module 402 obtains the second public key of key management system based on system banner, and the first digital signature is verified based on the second public key, when verifying successfully, identification second terminal is effective terminal, and then correction verification module 402 is based on the first public key and verifies to the second digital signature, when verifying successfully, broadcast message is handled, expense and transmitted data amount can be reduced on the legitimacy foundation in the source that ensures to broadcast the message.
Refer to Fig. 5, Fig. 5 be another embodiment of the present invention provides a kind of terminal structural schematic diagram, the method that terminal provided in an embodiment of the present invention can be used for implementing above-mentioned Fig. 2 or various embodiments of the present invention shown in Fig. 3 are realized, for ease of description, only parts related to embodiments of the present invention are shown, it is disclosed by specific technical details, referring to figure 2. or various embodiments of the present invention shown in Fig. 3.
As shown in figure 5, the terminal includes: at least one processor 501, such as CPU, at least one input unit 503, at least one output device 504, memory 505, at least one communication bus 502.Wherein, communication bus 502 is for realizing the connection communication between these components.Wherein, input unit 503 optionally may include standard wireline interface and wireless interface (such as WI-FI interface), for receiving the broadcast safe information of second terminal transmission.Wherein, output device 504 optionally may include standard wireline interface and wireless interface, for carrying out data interaction between second terminal.Wherein, memory 505 may include high speed RAM memory, it is also possible to further include non-labile memory (non-volatile memory), for example, at least a magnetic disk storage.Batch processing code is stored in memory 505, and processor 501 calls the program code stored in memory 505, for performing the following operations:
Input unit 503 receives the broadcast safe information that second terminal is sent, the broadcast safe information includes broadcast message, second digital signature of the broadcast message, first digital signature of the second terminal, first public key of the second terminal and the system banner of key management system, first digital signature is that the key management system is calculated first public key based on the second private key of the key management system, second digital signature is that the second terminal is calculated the broadcast message based on the first private key of the second terminal.
Processor 501 obtains the second public key of the key management system based on the system banner, and is verified based on second public key to first digital signature, when verifying successfully, identifies that the second terminal is effective terminal.
Processor 501 is based on first public key and verifies to second digital signature, when verifying successfully, handles the broadcast message.
Optionally, the first digital signature is that the key management system is calculated by effective initial time of the preset signature algorithm to second private key, first public key and first private key.
Optionally, the broadcast safe information further includes the generation time of effective initial time and second digital signature, then before the second public key that processor 501 obtains the key management system based on the system banner, following operation can also be performed:
Processor 501 is based on preset time parameter and effective initial time, determines the valid interval of first private key.
When being located in the valid interval generation time, processor 501 determines that first private key is effective private key.
Optionally, before the valid interval for determining first private key, following operation can also be performed based on preset time parameter and effective initial time in processor 501:
Processor 501 obtains the receiving time of the broadcast safe information.
When the receiving time and the difference generated between the time are less than preset time threshold, processor 501 is based on the preset time parameter and effective initial time, determines the valid interval of first private key.
Optionally, processor 501 verifies first digital signature based on second public key, is specifically as follows:
Processor 501 is handled second public key, first public key, effective initial time and first digital signature by preset verification algorithm, obtains the check results of first digital signature.
When the check results of first digital signature are equal to 1, processor 501 is determined to first digital signature verification success.
Optionally, before the second public key that processor 501 obtains the key management system based on the system banner, following operation can also be performed:
Output device 504 is sent to first node equipment trusts acquisition of credentials request, so that the first node equipment is sent to the key management system for credential request information is trusted.
Input unit 503 receives the key management system by the feedback information of the first terminal of the first node device forwards, and the feedback information of the first terminal includes updated second public key of the system banner and the key management system.
Optionally, after input unit 503 receives feedback information of the key management system by the first terminal of the first node device forwards, following operation can also be performed:
Processor 501 generates the corresponding relationship of the system banner and updated second public key, and stores the system banner and its corresponding updated second public key.
When original second public key corresponding there are the system banner in the local data base of the first terminal, processor 501 deletes original second public key after by preset duration.
Optionally, processor 501 obtains the second public key of the key management system based on the system banner, and is verified based on second public key to first digital signature, is specifically as follows:
Processor 501 obtains corresponding updated second public key of the system banner and original second public key.
Processor 501 is based on updated second public key and verifies to first digital signature, obtains the first check results of first digital signature.
Processor 501 is based on original second public key and verifies to first digital signature, obtains the second check results of first digital signature.
Optionally, processor 501 identifies that the second terminal is effective terminal, is specifically as follows when verifying successfully:
When first check results are equal to 1 or second check results are equal to 1, processor 501 determines that the second terminal is effective terminal.
Optionally, processor 501 obtains the second public key of the key management system based on the system banner, is specifically as follows:
When second public key is not present in the local data base of the first terminal, output device 504 downloads second public key according to preset credible address from specified node device, and the second public key of all key management systems is stored in the specified node device.
Optionally, processor 501 verifies second digital signature based on first public key, when verifying successfully, handles the broadcast message, is specifically as follows:
Processor 501 is handled first public key, second digital signature and the broadcast safe information by preset verification algorithm, obtains the check results of the broadcast message.
When the check results of the broadcast message are equal to 1, processor 501 determines the broadcast message for effectively broadcast message.
Processor 501 handles the broadcast message.
Specifically, the terminal introduced in the embodiment of the present invention can to implement the present invention combine Fig. 2 Fig. 3 introduction embodiment of the method in some or all of process.
Refer to Fig. 6, Fig. 6 is a kind of structural schematic diagram of the terminal provided in another embodiment of the present invention, the terminal can be used for implementing in conjunction with step some or all of in Fig. 2 or embodiment of the method shown in Fig. 3, and the terminal at least may include feedback information receiving module 601, computing module 602 and broadcast safe information hair Send module 603, in which:
Feedback information receiving module 601, for receiving the feedback information of the terminal of key management system transmission, the feedback information includes the first digital signature for trusting voucher and the terminal of the terminal, the trust voucher includes the first private key and the first public key, and first digital signature is that the key management system is calculated first public key based on the second private key of the key management system.
Computing module 602, for carrying out the second digital signature that the broadcast message is calculated to broadcast message based on first private key.
Broadcast safe information sending module 603, for sending broadcast safe information to first terminal, the broadcast safe information includes the system banner of the broadcast message, second digital signature, first digital signature, first public key and the key management system.
Optionally, the feedback information receiving module 601, is specifically used for:
It is sent to first node equipment and trusts acquisition of credentials request, so that the first node equipment is sent to the key management system for credential request information is trusted.
It receives the key management system and passes through the feedback information of the first node device forwards.
Optionally, the feedback information receiving module 601 is sent to first node equipment trusts acquisition of credentials request, so that the first node equipment is sent to the key management system for credential request information is trusted, is specifically used for:
The trust acquisition of credentials request is sent to the first node equipment, so that the first node equipment sends authentication request to second node equipment, when the local data base of the second node equipment includes the broadcast service authorization message to the terminal, the broadcast service authorization message is sent to the first node equipment by the second node equipment, and the trust credential request information is sent to the key management system by the first node equipment.
Optionally, the feedback information receiving module 601 is sent to first node equipment trusts acquisition of credentials request, so that the first node equipment is sent to the key management system for credential request information is trusted, is specifically used for:
The trust acquisition of credentials request is sent to the first node equipment, so that the first node equipment sends authentication request to second node equipment, when the local data base of the second node equipment includes the broadcast service authorization message to the terminal, the broadcast service authorization message is sent to the first node equipment by the second node equipment, and the broadcast service authorization message is sent to institute by the second node equipment The trust credential request information is sent to the key management system by the base station of cell, the first node equipment where stating terminal.
Optionally, the terminal in the embodiment of the present invention can also include:
Request sending module 604, the broadcast message be calculated before the second digital signature of the broadcast message for the computing module 602, running time-frequency resource acquisition request is sent to the base station, so that the broadcast service authorization message that whether there is the terminal in the local data base of the base station is detected in the base station, when there is the broadcast service authorization message for stating terminal in the local data base of the base station, the base station is to the terminal distribution running time-frequency resource.
The broadcast safe information is sent to the first terminal specifically for the running time-frequency resource distributed using the base station by the broadcast safe information sending module 603.
Optionally, the terminal in the embodiment of the present invention can also include:
Request sending module 604, the broadcast message be calculated before the second digital signature of the broadcast message for the computing module 602, running time-frequency resource acquisition request is sent to the base station of cell where the terminal, so that the base station sends the authorization message acquisition request to the terminal to second node equipment, when the base station receive that the second node equipment sends to the broadcast service authorization message of the terminal when, the base station is to the terminal distribution running time-frequency resource.
The broadcast safe information is sent to the first terminal specifically for the running time-frequency resource distributed using the base station by the broadcast safe information sending module 603.
Optionally, the base station of cell where the request sending module 604 to the terminal sends running time-frequency resource acquisition request, so that the base station sends the authorization message acquisition request to the terminal to second node equipment, is specifically used for:
Running time-frequency resource acquisition request is sent to the base station of cell where the terminal, so that the broadcast service authorization message that whether there is the terminal in the local data base of the base station is detected in the base station, when there are when the broadcast service authorization message of the terminal, the base station is to the terminal distribution running time-frequency resource in the local data base of the base station;When the broadcast service authorization message of the terminal is not present in the local data base of the base station, the base station sends the authorization message acquisition request to the terminal to second node equipment.
Optionally, the effective initial time trusted credential request information and carry the trust voucher, first digital signature is that the key management system is calculated by the second private key, first public key and effective initial time of the preset signature algorithm to the key management system.
Optionally, the feedback information further includes updated second public key of the system banner and the key management system.
Further, the terminal in the embodiment of the present invention can also include:
Memory module 605, after the feedback information for receiving the terminal that the key management system is sent for the feedback information receiving module 601, the corresponding relationship of the system banner and updated second public key is generated, and stores the system banner and its corresponding updated second public key.
Removing module 606, for deleting original second public key after by preset duration when original second public key corresponding there are the system banner in the local data base of the terminal.
Optionally, the computing module 602, specifically for calculating by generation time of the preset signature algorithm to first private key, the broadcast message, first public key, the effective initial time for trusting voucher, first digital signature, the system banner and second digital signature, second digital signature information is obtained.
In terminal shown in Fig. 6, feedback information receiving module 601 receives the feedback information for the terminal that key management system is sent, computing module 602 carries out the second digital signature that broadcast message is calculated based on the first private key to broadcast message, broadcast safe information sending module 603 sends broadcast safe information to first terminal, can reduce expense and transmitted data amount on the legitimacy foundation in the source that ensures to broadcast the message.
Refer to Fig. 7, Fig. 7 be another embodiment of the present invention provides a kind of terminal structural schematic diagram, the method that terminal provided in an embodiment of the present invention can be used for implementing above-mentioned Fig. 2 or various embodiments of the present invention shown in Fig. 3 are realized, for ease of description, only parts related to embodiments of the present invention are shown, it is disclosed by specific technical details, referring to figure 2. or various embodiments of the present invention shown in Fig. 3.
As shown in fig. 7, the terminal includes: at least one processor 701, such as CPU, at least one input unit 703, at least one output device 704, memory 705, at least one communication bus 702.Wherein, communication bus 702 is for realizing the connection communication between these components.Wherein, input unit 703 optionally may include standard wireline interface and wireless interface, the feedback information of the terminal for receiving key management system transmission.Wherein, output device 504 optionally may include standard wireline interface and wireless interface, for sending broadcast safe information to first terminal.Wherein, memory 705 may include high speed RAM memory, it is also possible to and it further include non-labile memory, a for example, at least magnetic disk storage.Memory 705 optionally may include at least one storage device for being located remotely from aforementioned processor 701.It is deposited in memory 705 Batch processing code is stored up, and processor 701 calls the program code stored in memory 705, for performing the following operations:
Input unit 703 receives the feedback information for the second terminal that key management system is sent, the feedback information includes the first digital signature for trusting voucher and the second terminal of the second terminal, the trust voucher includes the first private key and the first public key, and first digital signature is that the key management system is calculated first public key based on the second private key of the key management system.
Processor 701 carries out the second digital signature that the broadcast message is calculated based on first private key to broadcast message.
Output device 704 sends broadcast safe information to first terminal, and the broadcast safe information includes the system banner of the broadcast message, second digital signature, first digital signature, first public key and the key management system.
Optionally, input unit 703 receives the feedback information for the second terminal that key management system is sent, and is specifically as follows:
Output device 704 is sent to first node equipment trusts acquisition of credentials request, so that the first node equipment is sent to the key management system for credential request information is trusted.
Input unit 703 receives the key management system and passes through the feedback information of the first node device forwards.
Optionally, output device 704 is sent to first node equipment trusts acquisition of credentials request, so that the first node equipment is sent to the key management system for credential request information is trusted, is specifically as follows:
Output device 704 sends the trust acquisition of credentials request to the first node equipment, so that the first node equipment sends authentication request to second node equipment, when the local data base of the second node equipment includes the broadcast service authorization message to the second terminal, the broadcast service authorization message is sent to the first node equipment by the second node equipment, and the trust credential request information is sent to the key management system by the first node equipment.
Optionally, output device 704 is sent to first node equipment trusts acquisition of credentials request, so that the first node equipment is sent to the key management system for credential request information is trusted, is specifically as follows:
Output device 704 sends the trust acquisition of credentials request to the first node equipment, so that the first node equipment sends authentication request to second node equipment, when the local data base of the second node equipment includes to the broadcast service authorization message of the second terminal, the second node equipment is by the broadcast Service authorization information is sent to the first node equipment, and the broadcast service authorization message is sent to the base station of second terminal place cell by the second node equipment, the trust credential request information is sent to the key management system by the first node equipment.
Optionally, 701 pairs of processor broadcast messages be calculated before the second digital signature of the broadcast message, and following operation can also be performed:
Output device 704 sends running time-frequency resource acquisition request to the base station, so that the broadcast service authorization message that whether there is the second terminal in the local data base of the base station is detected in the base station, when, there are when the broadcast service authorization message of the second terminal, running time-frequency resource is distributed to the second terminal in the base station in the local data base of the base station.
Output device 704 sends broadcast safe information to first terminal, is specifically as follows:
The broadcast safe information is sent to the first terminal by the running time-frequency resource that output device 704 is distributed using the base station.
Optionally, 701 pairs of processor broadcast messages be calculated before the second digital signature of the broadcast message, and following operation can also be performed:
The base station of cell sends running time-frequency resource acquisition request where output device 704 to the second terminal, so that the base station sends the authorization message acquisition request to the second terminal to second node equipment, when the base station receive that the second node equipment sends to the broadcast service authorization message of the second terminal when, running time-frequency resource is distributed to the second terminal in the base station.
Output device 704 sends broadcast safe information to first terminal, is specifically as follows:
The broadcast safe information is sent to the first terminal by the running time-frequency resource that output device 704 is distributed using the base station.
Optionally, the base station of cell where output device 704 to the second terminal sends running time-frequency resource acquisition request, so that the base station sends the authorization message acquisition request to the second terminal to second node equipment, is specifically as follows:
The base station of cell sends running time-frequency resource acquisition request where output device 704 to the second terminal, so that the broadcast service authorization message that whether there is the second terminal in the local data base of the base station is detected in the base station, when, there are when the broadcast service authorization message of the second terminal, running time-frequency resource is distributed to the second terminal in the base station in the local data base of the base station;When the broadcast service authorization message of the second terminal is not present in the local data base of the base station, the base station is sent to second node equipment to described The authorization message acquisition request of second terminal.
Optionally, the effective initial time trusted credential request information and carry the trust voucher, first digital signature is that the key management system is calculated by the second private key, first public key and effective initial time of the preset signature algorithm to the key management system.
Optionally, the feedback information further includes updated second public key of the system banner and the key management system, then after the feedback information for the second terminal that the reception of input unit 703 key management system is sent, following operation can also be performed:
Processor 701 generates the corresponding relationship of the system banner and updated second public key, and stores the system banner and its corresponding updated second public key.
When original second public key corresponding there are the system banner in the local data base of the second terminal, processor 701 deletes original second public key after by preset duration.
Optionally, 701 pairs of processor broadcast messages carry out the second digital signature that the broadcast message is calculated, and are specifically as follows:
Processor 701 is calculated by generation time of the preset signature algorithm to first private key, the broadcast message, first public key, the effective initial time for trusting voucher, first digital signature, the system banner and second digital signature, obtains second digital signature information.
Specifically, the terminal introduced in the embodiment of the present invention can to implement the present invention combine Fig. 2 Fig. 3 introduction embodiment of the method in some or all of process.
Refer to Fig. 8, Fig. 8 is a kind of structural schematic diagram of the node device provided in the embodiment of the present invention, the node device can be used for implementing in conjunction with step some or all of in Fig. 2 or embodiment of the method shown in Fig. 3, the node device at least may include request receiving module 801, solicited message sending module 802, feedback information receiving module 803 and Feedback information sending module 804, in which:
Request receiving module 801, for receiving the trust acquisition of credentials request of second terminal transmission.
Solicited message sending module 802 trusts credential request information for requesting to send to key management system according to the trust acquisition of credentials.
Feedback information receiving module 803, for receiving the feedback information for the second terminal that the key management system is sent, the feedback information includes the first digital signature for trusting voucher and the second terminal of the second terminal, the trust voucher includes the first private key and the first public key, and first digital signature is The key management system is calculated first public key based on the second private key of the key management system.
Feedback information sending module 804, for the feedback information to be sent to the second terminal.
Optionally, the node device in the embodiment of the present invention can also include:
Request sending module 805, it requests to send before trusting credential request information to the key management system according to the trust acquisition of credentials for the solicited message sending module 802, authentication request is sent to second node equipment, so that whether the second node equipment detects in the local data base of the second node equipment comprising the broadcast service authorization message to the second terminal, when in the local data base of the second node equipment comprising the broadcast service authorization message to the second terminal, broadcast service authorization message to the second terminal is sent to the node device by the second node equipment.
Authorization message receiving module 806, the broadcast service authorization message to the second terminal sent for receiving the second node equipment.
Optionally, the solicited message sending module 802, is specifically used for:
Generate the effective initial time for trusting voucher.
The trust credential request information is sent to the key management system, the trust credential request information carries effective initial time.
Optionally, first digital signature is that the key management system is calculated by the second private key, first public key and effective initial time of the preset signature algorithm to the key management system, and the feedback information includes the second public key of the trust voucher, first digital signature, effective initial time and the key management system.
Optionally, the node device in the embodiment of the present invention can also include:
Memory module 807, after the feedback information for receiving the key management system transmission for the feedback information receiving module 803, the terminal iidentification of the second terminal and the corresponding relationship of the feedback information are generated, and stores the terminal iidentification and its corresponding feedback information.
In node device shown in Fig. 8, request receiving module 801 receives the trust acquisition of credentials request that second terminal is sent, solicited message sending module 802 requests to send trust credential request information to key management system according to acquisition of credentials is trusted, feedback information receiving module 803 receives the feedback information for the second terminal that key management system is sent, feedback information is sent to second terminal by Feedback information sending module 804, can reduce expense and transmitted data amount on the legitimacy foundation in the source that ensures to broadcast the message.
Refer to Fig. 9, Fig. 9 be another embodiment of the present invention provides a kind of node device structural schematic diagram, the method that node device provided in an embodiment of the present invention can be used for implementing above-mentioned Fig. 2 or various embodiments of the present invention shown in Fig. 3 are realized, for ease of description, only parts related to embodiments of the present invention are shown, it is disclosed by specific technical details, referring to figure 2. or various embodiments of the present invention shown in Fig. 3.
As shown in figure 9, the node device includes: at least one processor 901, such as CPU, at least one input unit 903, at least one output device 904, memory 905, at least one communication bus 902.Wherein, communication bus 902 is for realizing the connection communication between these components.Wherein, input unit 903 optionally may include standard wireline interface and wireless interface, for receiving the trust acquisition of credentials request of second terminal transmission.Wherein, output device 904 optionally may include standard wireline interface and wireless interface, trust credential request information for requesting to send to key management system according to trust acquisition of credentials.Wherein, memory 905 may include high speed RAM memory, it is also possible to and it further include non-labile memory, a for example, at least magnetic disk storage.Memory 905 optionally may include at least one storage device for being located remotely from aforementioned processor 901.Batch processing code is stored in memory 905, and processor 901 calls the program code stored in memory 905, for performing the following operations:
Input unit 903 receives the trust acquisition of credentials request that second terminal is sent.
Output device 904 requests to send to key management system according to the trust acquisition of credentials trusts credential request information.
Input unit 903 receives the feedback information for the second terminal that the key management system is sent, the feedback information includes the first digital signature for trusting voucher and the second terminal of the second terminal, the trust voucher includes the first private key and the first public key, and first digital signature is that the key management system is calculated first public key based on the second private key of the key management system.
The feedback information is sent to the second terminal by output device 904.
Optionally, output device 904 requests to send before trusting credential request information to key management system according to the trust acquisition of credentials, and following operation can also be performed:
Output device 904 sends authentication request to second node equipment, so that whether the second node equipment detects in the local data base of the second node equipment comprising the broadcast service authorization message to the second terminal, when the local data base of the second node equipment includes the broadcast service authorization message to the second terminal, the broadcast service authorization message to the second terminal is sent to described by the second node equipment First node equipment.
Input unit 903 receives the broadcast service authorization message to the second terminal that the second node equipment is sent.
Optionally, output device 904 requests to send to key management system according to the trust acquisition of credentials trusts credential request information, is specifically as follows:
Processor 901 generates the effective initial time for trusting voucher.
The trust credential request information is sent to the key management system by output device 904, and the trust credential request information carries effective initial time.
Optionally, first digital signature is that the key management system is calculated by the second private key, first public key and effective initial time of the preset signature algorithm to the key management system, and the feedback information includes the second public key of the trust voucher, first digital signature, effective initial time and the key management system.
Optionally, after input unit 903 receives the feedback information that the key management system is sent, following operation can also be performed:
Processor 901 generates the terminal iidentification of the second terminal and the corresponding relationship of the feedback information, and stores the terminal iidentification and its corresponding feedback information.
Specifically, the node device introduced in the embodiment of the present invention can to implement the present invention combine Fig. 2 Fig. 3 introduction embodiment of the method in some or all of process.
Referring to Figure 10, Figure 10 is a kind of structural schematic diagram of the data transmission system provided in the embodiment of the present invention, data transmission system in the embodiment of the present invention as shown in the figure at least may include first terminal 1001, second terminal 1002 and key management system 1003, in which:
Second terminal 1002 is sent to key management system 1003 trusts acquisition of credentials request.
Key management system 1003 requests the feedback information that second terminal 1002 is sent to second terminal 1002 according to acquisition of credentials is trusted, the feedback information includes the first digital signature for trusting voucher and the second terminal 1002 of the second terminal 1002, the trust voucher includes the first private key and the first public key, and first digital signature is that first public key is calculated in the second private key of the key management system 1003 based on the key management system 1003.
Second terminal 1002 is based on first private key and carries out that the broadcast message is calculated to broadcast message The second digital signature, and broadcast safe information is sent to first terminal 1001, the broadcast safe information includes the system banner of the broadcast message, second digital signature, first digital signature, first public key and the key management system 1003.
First terminal 1001 obtains the second public key of the key management system 1003 based on the system banner, and is verified based on second public key to first digital signature, when verifying successfully, identifies that the second terminal 1002 is effective terminal.
The first terminal 1001 is based on first public key and verifies to second digital signature, when verifying successfully, handles the broadcast message.
In data transmission system shown in Fig. 10, second terminal 1002 receives the feedback information for the second terminal 1002 that key management system 1003 is sent, second terminal 1002 carries out the second digital signature that broadcast message is calculated based on the first private key to broadcast message, and broadcast safe information is sent to first terminal 1001, first terminal 1001 obtains the second public key of key management system 1003 based on system banner, and the first digital signature is verified based on the second public key, when verifying successfully, identification second terminal 1002 is effective terminal, and then first terminal 1001 is based on the first public key and verifies to the second digital signature, when verifying successfully, broadcast message is handled, expense and transmitted data amount can be reduced on the legitimacy foundation in the source that ensures to broadcast the message.
In the description of this specification, the description of reference term " one embodiment ", " some embodiments ", " example ", " specific example " or " some examples " etc. means that particular features, structures, materials, or characteristics described in conjunction with this embodiment or example are included at least one embodiment or example of the invention.In the present specification, schematic expression of the above terms are not required to be directed to identical embodiment or example.Moreover, particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more of the embodiments or examples.In addition, without conflicting with each other, the feature of different embodiments or examples described in this specification and different embodiments or examples can be combined by those skilled in the art.
In addition, term " first ", " second " are used for descriptive purposes only and cannot be understood as indicating or suggesting relative importance or implicitly indicate the quantity of indicated technical characteristic." first " is defined as a result, the feature of " second " can explicitly or implicitly include at least one of the features.In the description of the present invention, the meaning of " plurality " is at least two, such as two, three etc., unless otherwise specifically defined.
Any process described otherwise above or method description are construed as in flow chart or herein, indicate to include the steps that one or more codes for realizing specific logical function or the executable instruction of process Module, segment or part, and the range of the preferred embodiment of the present invention includes other realization, sequence shown or discussed can not wherein be pressed, including according to related function by it is basic simultaneously in the way of or in the opposite order, function is executed, this should understand by the embodiment of the present invention person of ordinary skill in the field.
Expression or logic and/or step described otherwise above herein in flow charts, such as, it is considered the program listing of the executable instruction for realizing logic function, it may be embodied in any computer-readable medium, for instruction execution system, device or equipment (such as computer based system, including the system of processor or other can be from instruction execution system, device or equipment instruction fetch and the system executed instruction) use, or used in conjunction with these instruction execution systems, device or equipment.For the purpose of this specification, " computer-readable medium " can be it is any may include, store, communicate, propagate, or transport program is for instruction execution system, device or equipment or the device used in conjunction with these instruction execution systems, device or equipment.The more specific example (non-exhaustive list) of computer-readable medium include the following: there is the electrical connection section (electronic device) of one or more wirings, portable computer diskette box (magnetic device), random access memory (RAM), read-only memory (ROM), erasable edit read-only storage (EPROM or flash memory), fiber device and portable optic disk read-only storage (CDROM).In addition, computer-readable medium can even is that the paper that can print described program on it or other suitable media, because can be for example by carrying out optical scanner to paper or other media, then it edited, interpreted or is handled when necessary with other suitable methods electronically to obtain described program, is then stored in computer storage.
It should be appreciated that each section of the invention can be realized with hardware, software, firmware or their combination.In the above-described embodiment, multiple steps or method can be executed in memory and by suitable instruction execution system with storage software or firmware is realized.Such as, if realized with hardware, in another embodiment, it may be implemented using any one or a combination of the following techniques well known in the art: there is the discrete logic for realizing the logic gates of logic function to data-signal, specific integrated circuit with suitable combinational logic gate circuit, programmable gate array (PGA), field programmable gate array (FPGA) etc..
Those skilled in the art are understood that realize that all or part of the steps that above-described embodiment method carries is that relevant hardware can be instructed to complete by program, the program can store in a kind of computer readable storage medium, the program when being executed, includes the steps that one of embodiment of the method or its group It closes.
In addition, each functional unit in each embodiment of the present invention can integrate in a processing module, it is also possible to each unit and physically exists alone, can also be integrated in two or more units in a module.Above-mentioned integrated module both can take the form of hardware realization, can also be realized in the form of software function module.If the integrated module is realized and when sold or used as an independent product in the form of software function module, also can store in a computer readable storage medium.
Storage medium mentioned above can be read-only memory, disk or CD etc..Although the embodiments of the present invention has been shown and described above, it can be understood that, above-described embodiment is exemplary, and is not considered as limiting the invention, and those skilled in the art can make changes, modifications, alterations, and variations to the above described embodiments within the scope of the invention.

Claims (28)

  1. A kind of data transmission method, which is characterized in that the described method includes:
    First terminal receives the broadcast safe information that second terminal is sent, the broadcast safe information includes broadcast message, second digital signature of the broadcast message, first digital signature of the second terminal, first public key of the second terminal and the system banner of key management system, first digital signature is that the key management system is calculated first public key based on the second private key of the key management system, second digital signature is that the second terminal is calculated the broadcast message based on the first private key of the second terminal;
    The first terminal obtains the second public key of the key management system based on the system banner, and is verified based on second public key to first digital signature, when verifying successfully, identifies that the second terminal is effective terminal;
    The first terminal is based on first public key and verifies to second digital signature, when verifying successfully, handles the broadcast message.
  2. The method as described in claim 1, which is characterized in that first digital signature is that the key management system is calculated by effective initial time of the preset signature algorithm to second private key, first public key and first private key.
  3. Method according to claim 2, which is characterized in that the broadcast safe information further includes the generation time of effective initial time and second digital signature;
    The first terminal is obtained based on the system banner before the second public key of the key management system, further includes:
    The first terminal is based on preset time parameter and effective initial time, determines the valid interval of first private key;
    When being located in the valid interval generation time, the first terminal determines that first private key is effective private key.
  4. Method as claimed in claim 3, which is characterized in that the first terminal is based on preset time parameter and effective initial time, before the valid interval for determining first private key, further includes:
    The first terminal obtains the receiving time of the broadcast safe information;
    When the receiving time and the difference generated between the time are less than preset time threshold, trigger the first terminal and be based on the preset time parameter and effective initial time, determine the valid interval of first private key.
  5. Such as the described in any item methods of claim 2~4, which is characterized in that the first terminal is based on second public key and verifies to first digital signature, comprising:
    The first terminal is handled second public key, first public key, effective initial time and first digital signature by preset verification algorithm, obtains the check results of first digital signature;
    When the check results of first digital signature are equal to 1, the first terminal is determined to first digital signature verification success.
  6. The method as described in claim 1, which is characterized in that the first terminal is obtained based on the system banner before the second public key of the key management system, further includes:
    The first terminal is sent to first node equipment trusts acquisition of credentials request, so that the first node equipment is sent to the key management system for credential request information is trusted;
    The first terminal receives the key management system by the feedback information of the first terminal of the first node device forwards, and the feedback information of the first terminal includes updated second public key of the system banner and the key management system.
  7. Method as claimed in claim 6, which is characterized in that the first terminal receives after feedback information of the key management system by the first terminal of the first node device forwards, further includes:
    The first terminal generates the corresponding relationship of the system banner and updated second public key, and stores the system banner and its corresponding updated second public key;
    When original second public key corresponding there are the system banner in the local data base of the first terminal, the first terminal deletes original second public key after by preset duration.
  8. The method of claim 7, which is characterized in that the first terminal obtains the second public key of the key management system based on the system banner, and is verified based on second public key to first digital signature, comprising:
    The first terminal obtains corresponding updated second public key of system banner and original second public key;
    The first terminal is based on updated second public key and verifies to first digital signature, obtains the first check results of first digital signature;
    The first terminal is based on original second public key and verifies to first digital signature, obtains the second check results of first digital signature.
  9. Method according to claim 8, which is characterized in that it is described when verifying successfully, identify that the second terminal is effective terminal, comprising:
    When first check results are equal to 1 or second check results are equal to 1, the first terminal determines that the second terminal is effective terminal.
  10. A kind of data transmission method, which is characterized in that the described method includes:
    First node equipment receives the trust acquisition of credentials request that second terminal is sent;
    The first node equipment requests to send to key management system according to the trust acquisition of credentials trusts credential request information;
    The first node equipment receives the feedback information for the second terminal that the key management system is sent, the feedback information includes the first digital signature for trusting voucher and the second terminal of the second terminal, the trust voucher includes the first private key and the first public key, and first digital signature is that the key management system is calculated first public key based on the second private key of the key management system;
    The feedback information is sent to the second terminal by the first node equipment.
  11. Method as claimed in claim 10, which is characterized in that the first node equipment requests to send before trusting credential request information to key management system according to the trust acquisition of credentials, further includes:
    The first node equipment sends authentication request to second node equipment, so that the second node equipment It whether detects in the local data base of the second node equipment comprising the broadcast service authorization message to the second terminal, when the local data base of the second node equipment includes the broadcast service authorization message to the second terminal, the broadcast service authorization message to the second terminal is sent to the first node equipment by the second node equipment;
    The first node equipment receives the broadcast service authorization message to the second terminal that the second node equipment is sent.
  12. Method as claimed in claim 10, which is characterized in that the first node equipment requests to send to key management system according to the trust acquisition of credentials trusts credential request information, comprising:
    The first node equipment generates the effective initial time for trusting voucher;
    The trust credential request information is sent to the key management system by the first node equipment, and the trust credential request information carries effective initial time.
  13. Method as claimed in claim 12, it is characterized in that, first digital signature is that the key management system is calculated by the second private key, first public key and effective initial time of the preset signature algorithm to the key management system;
    The feedback information includes the second public key of the trust voucher, first digital signature, effective initial time and the key management system.
  14. Method as claimed in claim 10, which is characterized in that the first node equipment receives after the feedback information that the key management system is sent, further includes:
    The first node equipment generates the terminal iidentification of the second terminal and the corresponding relationship of the feedback information, and stores the terminal iidentification and its corresponding feedback information.
  15. A kind of terminal, which is characterized in that the terminal includes:
    Broadcast safe information receiving module, for receiving the broadcast safe information of second terminal transmission, the broadcast safe information includes broadcast message, the second digital signature of the broadcast message, the first digital signature of the second terminal, the first public key of the second terminal and the system banner of key management system, first digital signature be the key management system based on the second private key of the key management system to described What one public key was calculated, second digital signature is that the second terminal is calculated the broadcast message based on the first private key of the second terminal;
    Correction verification module verifies first digital signature for being obtained the second public key of the key management system based on the system banner, and based on second public key, when verifying successfully, identifies that the second terminal is effective terminal;
    The correction verification module is also used to verify second digital signature based on first public key, when verifying successfully, be handled the broadcast message.
  16. Terminal as claimed in claim 15, which is characterized in that first digital signature is that the key management system is calculated by effective initial time of the preset signature algorithm to second private key, first public key and first private key.
  17. Terminal as claimed in claim 16, which is characterized in that the broadcast safe information further includes the generation time of effective initial time and second digital signature;
    The terminal further include:
    Determining module before the second public key for being obtained the key management system based on the system banner for the correction verification module, is based on preset time parameter and effective initial time, determines the valid interval of first private key;
    The determining module is also used to when being located in the valid interval generation time, determines that first private key is effective private key.
  18. Terminal as claimed in claim 17, which is characterized in that the terminal further include:
    Receiving time obtains module, for the determining module based on preset time parameter and effective initial time, before the valid interval for determining first private key, obtains the receiving time of the broadcast safe information;
    The determining module is also used to be based on the preset time parameter and effective initial time when the difference between the receiving time and the generation time is less than preset time threshold, determine the valid interval of first private key.
  19. Such as the described in any item terminals of claim 16~18, which is characterized in that the correction verification module base First digital signature is verified in second public key, is specifically used for:
    Second public key, first public key, effective initial time and first digital signature are handled by preset verification algorithm, obtain the check results of first digital signature;
    When the check results of first digital signature are equal to 1, determine to first digital signature verification success.
  20. Terminal as claimed in claim 15, which is characterized in that the terminal further include:
    Request sending module, before the second public key for obtaining the key management system based on the system banner for the correction verification module, it is sent to first node equipment and trusts acquisition of credentials request, so that the first node equipment is sent to the key management system for credential request information is trusted;
    Feedback information receiving module, for receiving the key management system by the feedback information of the first terminal of the first node device forwards, the feedback information of the first terminal includes updated second public key of the system banner and the key management system.
  21. Terminal as claimed in claim 20, which is characterized in that the terminal further include:
    Memory module, after receiving feedback information of the key management system by the first terminal of the first node device forwards for the feedback information receiving module, the corresponding relationship of the system banner and updated second public key is generated, and stores the system banner and its corresponding updated second public key;
    Removing module, for deleting original second public key after by preset duration when original second public key corresponding there are the system banner in the local data base of the terminal.
  22. Terminal as claimed in claim 21, which is characterized in that the correction verification module obtains the second public key of the key management system based on the system banner, and is verified based on second public key to first digital signature, is specifically used for:
    Obtain corresponding updated second public key of the system banner and original second public key;
    First digital signature is verified based on updated second public key, obtains the first check results of first digital signature;
    First digital signature is verified based on original second public key, obtains first number Second check results of signature.
  23. Terminal as claimed in claim 22, which is characterized in that the correction verification module identifies that the second terminal is effective terminal, be specifically used for when verifying successfully:
    When first check results are equal to 1 or second check results are equal to 1, determine that the second terminal is effective terminal.
  24. A kind of node device, which is characterized in that the node device includes:
    Request receiving module, for receiving the trust acquisition of credentials request of second terminal transmission;
    Solicited message sending module trusts credential request information for requesting to send to key management system according to the trust acquisition of credentials;
    Feedback information receiving module, for receiving the feedback information for the second terminal that the key management system is sent, the feedback information includes the first digital signature for trusting voucher and the second terminal of the second terminal, the trust voucher includes the first private key and the first public key, and first digital signature is that the key management system is calculated first public key based on the second private key of the key management system;
    Feedback information sending module, for the feedback information to be sent to the second terminal.
  25. Node device as claimed in claim 24, which is characterized in that the node device further include:
    Request sending module, it requests to send before trusting credential request information to the key management system according to the trust acquisition of credentials for the solicited message sending module, authentication request is sent to second node equipment, so that whether the second node equipment detects in the local data base of the second node equipment comprising the broadcast service authorization message to the second terminal, when in the local data base of the second node equipment comprising the broadcast service authorization message to the second terminal, broadcast service authorization message to the second terminal is sent to the node device by the second node equipment;
    Authorization message receiving module, the broadcast service authorization message to the second terminal sent for receiving the second node equipment.
  26. Node device as claimed in claim 24, which is characterized in that the solicited message sends mould Block is specifically used for:
    Generate the effective initial time for trusting voucher;
    The trust credential request information is sent to the key management system, the trust credential request information carries effective initial time.
  27. Node device as claimed in claim 26, it is characterized in that, first digital signature is that the key management system is calculated by the second private key, first public key and effective initial time of the preset signature algorithm to the key management system;
    The feedback information includes the second public key of the trust voucher, first digital signature, effective initial time and the key management system.
  28. Node device as claimed in claim 24, which is characterized in that the node device further include:
    Memory module generates the terminal iidentification of the second terminal and the corresponding relationship of the feedback information, and store the terminal iidentification and its corresponding feedback information after receiving the feedback information that the key management system is sent for the feedback information receiving module.
CN201680090122.1A 2016-10-31 2016-10-31 Data transmission method, terminal, node equipment and system Active CN109845185B (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2016/104139 WO2018076377A1 (en) 2016-10-31 2016-10-31 Data transmission method, terminal, node device and system

Publications (2)

Publication Number Publication Date
CN109845185A true CN109845185A (en) 2019-06-04
CN109845185B CN109845185B (en) 2020-11-10

Family

ID=62024248

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201680090122.1A Active CN109845185B (en) 2016-10-31 2016-10-31 Data transmission method, terminal, node equipment and system

Country Status (2)

Country Link
CN (1) CN109845185B (en)
WO (1) WO2018076377A1 (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111131494A (en) * 2019-12-31 2020-05-08 上海能塔智能科技有限公司 Vehicle data storage and verification processing method and device, electronic equipment and medium
CN112733128A (en) * 2021-02-06 2021-04-30 深圳市云小白科技有限公司 Centerless Internet of things security authentication method based on asymmetric encryption
CN112822758A (en) * 2020-12-31 2021-05-18 深圳市晨北科技有限公司 Method, device and storage medium for accessing network
WO2023151696A1 (en) * 2022-02-14 2023-08-17 华为技术有限公司 Communication method, communication apparatus, and system

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2018231426A1 (en) * 2017-06-16 2018-12-20 Motorola Mobility Llc Rogue unit detection information
CN110826091B (en) * 2018-08-14 2022-05-06 珠海金山办公软件有限公司 File signature method and device, electronic equipment and readable storage medium
CN110311783B (en) * 2019-05-30 2022-09-23 平安科技(深圳)有限公司 User attribution verification method and device based on group signature and computer equipment
CN115226060A (en) * 2021-04-16 2022-10-21 华为技术有限公司 Data transmission method and data processing device

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050132195A1 (en) * 2003-12-16 2005-06-16 Josef Dietl Electronic signing apparatus and methods
CN101060480A (en) * 2007-06-04 2007-10-24 武汉理工大学 HORSEI2-based mobile self-organized network safety QoS multicast route creating method
CN101296083A (en) * 2008-05-14 2008-10-29 华为技术有限公司 Enciphered data transmission method and system
CN101610150A (en) * 2009-07-22 2009-12-23 中兴通讯股份有限公司 Third party's digital signature method and data transmission system
CN102263638A (en) * 2010-05-31 2011-11-30 索尼公司 Authentication device, authentication method, program, and signature generation device

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8627073B2 (en) * 2010-03-24 2014-01-07 GM Global Technology Operations LLC Adaptive certificate distribution mechanism in vehicular networks using forward error correcting codes
US8756430B2 (en) * 2011-04-14 2014-06-17 GM Global Technology Operations LLC Exploiting application characteristics for multiple-authenticator broadcast authentication schemes
US10631162B2 (en) * 2013-10-30 2020-04-21 Samsung Electronics Co., Ltd. Method and apparatus to perform device to device communication in wireless communication network
CN105323753A (en) * 2014-05-30 2016-02-10 中国电信股份有限公司 In-vehicle safety module, vehicular system and method for information interaction between vehicles
CN104683112B (en) * 2015-03-20 2017-12-01 江苏大学 A kind of car car safety communicating method that certification is assisted based on RSU

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050132195A1 (en) * 2003-12-16 2005-06-16 Josef Dietl Electronic signing apparatus and methods
CN101060480A (en) * 2007-06-04 2007-10-24 武汉理工大学 HORSEI2-based mobile self-organized network safety QoS multicast route creating method
CN101296083A (en) * 2008-05-14 2008-10-29 华为技术有限公司 Enciphered data transmission method and system
CN101610150A (en) * 2009-07-22 2009-12-23 中兴通讯股份有限公司 Third party's digital signature method and data transmission system
CN102263638A (en) * 2010-05-31 2011-11-30 索尼公司 Authentication device, authentication method, program, and signature generation device

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111131494A (en) * 2019-12-31 2020-05-08 上海能塔智能科技有限公司 Vehicle data storage and verification processing method and device, electronic equipment and medium
CN111131494B (en) * 2019-12-31 2022-06-03 上海能塔智能科技有限公司 Vehicle data storage and verification processing method and device, electronic equipment and medium
CN112822758A (en) * 2020-12-31 2021-05-18 深圳市晨北科技有限公司 Method, device and storage medium for accessing network
CN112733128A (en) * 2021-02-06 2021-04-30 深圳市云小白科技有限公司 Centerless Internet of things security authentication method based on asymmetric encryption
CN112733128B (en) * 2021-02-06 2022-06-14 深圳市云小白科技有限公司 Centerless Internet of things security authentication method based on asymmetric encryption
WO2023151696A1 (en) * 2022-02-14 2023-08-17 华为技术有限公司 Communication method, communication apparatus, and system

Also Published As

Publication number Publication date
CN109845185B (en) 2020-11-10
WO2018076377A1 (en) 2018-05-03

Similar Documents

Publication Publication Date Title
CN109845185A (en) A kind of data transmission method, terminal, node device and system
US9237444B2 (en) Trust discovery in a communications network
EP3523998B1 (en) Method for mutual authentication between user equipment and a communications network
KR20140023991A (en) Machine-to-machine node erase procedure
Bhoi et al. SIR: a secure and intelligent routing protocol for vehicular ad hoc network
Ahmed et al. A blockchain-based emergency message transmission protocol for cooperative VANET
CN111182545B (en) Micro base station authentication method and terminal
CN108990062B (en) Intelligent security Wi-Fi management method and system
CN111246481B (en) Micro base station authentication method and terminal
CN112491829B (en) MEC platform identity authentication method and device based on 5G core network and blockchain
CN111246474B (en) Base station authentication method and device
Vasudev et al. A lightweight authentication protocol for V2V communication in VANETs
CN114286416A (en) Communication control method and device, electronic device and storage medium
Zhang et al. A Novel Privacy‐Preserving Authentication Protocol Using Bilinear Pairings for the VANET Environment
CN111263361B (en) Connection authentication method and device based on block chain network and micro base station
CN112383897A (en) Information transmission method, device, medium and electronic equipment based on intelligent network connection
WO2017008223A1 (en) Proximity service communication authentication method, user equipment, and proximity service function entity
US20230209345A1 (en) Device-specific selection between peer-to-peer connections and core-based hybrid peer-to-peer connections in a secure data network
CN115038084A (en) Decentralized trusted access method for cellular base station
CN115022850A (en) Authentication method, device, system, electronic equipment and medium for D2D communication
EP1673917A1 (en) Naming of 802.11 group keys to allow support of multiple broadcast and multicast domains
Haddad et al. Secure and efficient AKA scheme and uniform handover protocol for 5G network using blockchain
Shawky et al. Blockchain-based secret key extraction for efficient and secure authentication in VANETs
Punitha et al. Privacy preservation and authentication on secure geographical routing in VANET
CN108632295B (en) Method for preventing terminal from repeatedly attacking server

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant