CN110061833A - Binding update method and device for identity and location - Google Patents

Binding update method and device for identity and location

Info

Publication number
CN110061833A
Authority
CN
China
Prior art keywords
challenge
grids
message
communication equipment
key
Prior art date
Legal status
Granted
Application number
CN201810055629.4A
Other languages
Chinese (zh)
Other versions
CN110061833B (en)
Inventor
王东晖
李鸿培
刘冰洋
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date
Filing date
Publication date
Events
Application filed by Huawei Technologies Co Ltd
Priority to CN201810055629.4A
Publication of CN110061833A
Application granted
Publication of CN110061833B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0866 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving user or device identifiers, e.g. serial number, physical or biometrical information, DNA, hand-signature or measurable physical characteristics
    • H04L9/0869 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • H04L9/0872 Generation of secret information including derivation or calculation of cryptographic keys or passwords using geo-location information, e.g. location data, time, relative position or proximity to other entities
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L9/3271 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication using challenge-response
    • H04L9/3297 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication involving time stamps, e.g. generation of time stamps

Abstract

A binding update method and device for identity and location. In the method, the GRIDS generates a challenge message containing challenge content and sends the challenge message to a communication device. The communication device receives the challenge message sent by the unified control management layer (GRIDS) and sends a challenge response message to the GRIDS; the challenge response message contains the challenge content, a challenge result and the updated identity-location mapping of the communication device. The GRIDS receives the challenge response message sent by the communication device, verifies the validity of the challenge response message based on the challenge content and the challenge result and, if the challenge response message is valid, saves the updated identity-location mapping of the communication device, thereby improving the security of a binding update process implemented with a publish/subscribe model.

Description

Binding update method and device for identity and location
Technical field
This application relates to the field of communication technology, and in particular to a binding update method and device for identity and location.
Background technique
Identity-oriented networking (id-oriented networking, ION) is a new network architecture for future networks.
In the ION architecture, a communication device is represented by a unique, constant identity (identity, ID), and the network location of the communication device is represented by a locator (Locator, or IP address). When a communication device changes its location, its Locator changes while its ID remains unchanged. As shown in Figure 1, taking a mobile node (Mobile node, MN) as the communication device: when the MN moves from position A to position B, its ID remains ID_JOHN while its Locator changes from 2.2.2.2 to 1.1.1.1, i.e. the mapping between ID and Locator changes. To re-establish its ongoing connections, the MN must notify the correspondent node (Correspondent node, CN) of the updated ID/Locator; this process is called identity-location binding update (binding update, BU).
Within the ION architecture, Mobile IPv6 (Mobile IPv6, MIPv6) serves as the mobile communication protocol based on ID/Locator separation. In MIPv6 the ID is the HoA (home address) and the Locator is the CoA (care-of address), and the communication process between the MN and the CN is defined. In MIPv6 the identity-location binding update is realized by transmitting the updated ID/Locator mapping between communication devices; for example, the MN can encrypt the updated ID/Locator mapping and send it to the peer node (CN). The binding update process is executed end to end, but in this approach the MN must perform a separate binding update with each CN it communicates with, so both the computing overhead and the network overhead are large.
The ION architecture also sets up a unified control management layer (Generic Resilient ID Services, GRIDS) for managing related services. This control management layer is deployed in a distributed manner in the network and centrally manages information such as the identity and location of hosts; for example, it can provide a management service for the mapping between identity and location (Mapping/Location Service). Based on the identity-location mapping service provided by GRIDS, binding updates between nodes can be realized in PUB/SUB (subscription/publication) mode. For example, in Figure 2, node UE_D subscribes with GRIDS to the ID/Locator mapping of the node it needs to communicate with (e.g. node UE_S); when the location of node UE_S changes, UE_S reports its updated location information to GRIDS, and GRIDS publishes the location information of UE_S to all communication devices (e.g. node UE_D) that have subscribed to node UE_S. Compared with end-to-end binding update, implementing the binding update process in PUB/SUB mode reduces the operations performed by the nodes and the computation and network overhead of the binding update process. However, when the binding update process is implemented in PUB/SUB mode by simply reporting the location, a considerable security risk arises.
Summary of the invention
The embodiments of the present application provide a binding update method and device for identity and location, so as to improve the security of a binding update process implemented with a publish/subscribe model.
In a first aspect, the embodiments of the present application provide an identity-location binding update system that comprises a GRIDS and a communication device. The GRIDS generates a challenge message and sends the challenge message to the communication device. The communication device receives the challenge message sent by the GRIDS, determines a challenge response message and sends the challenge response message to the GRIDS; the challenge response message contains the challenge content included in the challenge message, and further contains a challenge result and the updated identity-location mapping of the communication device. The GRIDS receives the challenge response message sent by the communication device, verifies the validity of the challenge response message based on the challenge content and the challenge result and, if the challenge response message is valid, saves the updated identity-location mapping of the communication device.
In the embodiments of the present application, the GRIDS sends a challenge message and the communication device feeds back a challenge response message; in this way the GRIDS authenticates the communication device that sends the updated identity-location mapping, which protects the GRIDS against DoS/DDoS attacks from communication devices. Because the challenge response message carries both the challenge content and the challenge result, the GRIDS does not need to keep session state information, and replay attacks can thereby be avoided. The binding update method for identity and location provided by the embodiments of the present application can therefore improve the security of the binding update process.
The updated identity-location mapping may be encrypted or in plaintext.
In one possible embodiment, the challenge content includes the identity of the communication device, a random number generated by the GRIDS for the communication device, and a message authentication code generated by the GRIDS for the challenge content using a local key. The GRIDS can verify the validity of the message authentication code included in the challenge content and, if the message authentication code is valid, further determine whether the challenge result is the challenge result for the challenge content.
Further, the challenge content may also include at least one of a timestamp of the challenge content and a difficulty coefficient of the challenge content. If the challenge content includes a timestamp of the challenge content, then before determining whether the challenge result is the challenge result for the challenge content, the GRIDS determines, according to the timestamp, that the challenge content is within its validity period. If the challenge content does not include a timestamp, there is no need to determine whether the challenge content is within its validity period, and the GRIDS can directly determine whether the challenge result is the challenge result for the challenge content.
If the challenge content includes a difficulty coefficient of the challenge content, the GRIDS determines whether the challenge result is the challenge result for the challenge content by confirming whether the low k bits of the hash of the challenge result and the random number are 0, where k is the difficulty coefficient. If the challenge content does not include a difficulty coefficient, the GRIDS can determine whether the challenge result is the challenge result for the challenge content by confirming whether the hash of the challenge result and the random number is 0.
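The following is an added worked example in Python of the stateless challenge-response just described; it is not code from the patent or from Huawei. The GRIDS binds identity, random number, timestamp and difficulty coefficient k under a MAC with its local key, the device searches for a challenge result whose hash together with the random number has k low zero bits, and the GRIDS verifies the MAC, the validity period and the challenge result before storing the mapping. HMAC-SHA256 as the MAC, SHA-256 as the hash, the 60-second validity window and the byte encoding of the challenge content are assumptions of this example.

```python
import hashlib
import hmac
import secrets
import time

# Assumptions for this example: HMAC-SHA256 as the MAC, SHA-256 as the hash,
# a 60-second validity window for a challenge, and the '|'-joined encoding below.
GRIDS_LOCAL_KEY = secrets.token_bytes(32)   # GRIDS-local key, never shared
CHALLENGE_VALIDITY = 60                      # seconds


def challenge_bytes(identity, nonce, timestamp, k):
    """Canonical encoding of the challenge content covered by the MAC."""
    return b"|".join([identity.encode(), nonce.hex().encode(),
                      str(timestamp).encode(), str(k).encode()])


def grids_make_challenge(identity, k=16, now=None):
    """GRIDS: build the challenge content. Nothing is stored per challenge: the
    MAC lets the GRIDS recognise its own challenge when the device echoes it."""
    now = int(time.time()) if now is None else now
    nonce = secrets.token_bytes(16)            # random number for this device
    mac = hmac.new(GRIDS_LOCAL_KEY, challenge_bytes(identity, nonce, now, k),
                   "sha256").digest()
    return {"identity": identity, "nonce": nonce, "timestamp": now,
            "k": k, "mac": mac}


def low_k_bits_zero(digest, k):
    """True if the low k bits of the hash are all zero (k = difficulty coefficient)."""
    return int.from_bytes(digest, "big") & ((1 << k) - 1) == 0


def device_solve_challenge(challenge):
    """Device: search for a challenge result whose hash together with the
    random number has k low zero bits. Expected cost grows as 2**k for the
    device, while the GRIDS checks the result with a single hash."""
    counter = 0
    while True:
        result = counter.to_bytes(8, "big")
        if low_k_bits_zero(hashlib.sha256(result + challenge["nonce"]).digest(),
                           challenge["k"]):
            return result
        counter += 1


def device_build_response(challenge, new_locator):
    """Device: echo the challenge content, add the result and the new mapping."""
    return {"challenge": challenge,
            "result": device_solve_challenge(challenge),
            "mapping": {"id": challenge["identity"], "locator": new_locator}}


def grids_verify_response(response, binding_table, now=None):
    """GRIDS: verify MAC, validity period and challenge result; on success store
    the updated identity-location mapping and return True."""
    now = int(time.time()) if now is None else now
    c = response["challenge"]
    expected = hmac.new(GRIDS_LOCAL_KEY,
                        challenge_bytes(c["identity"], c["nonce"], c["timestamp"], c["k"]),
                        "sha256").digest()
    if not hmac.compare_digest(expected, c["mac"]):
        return False                        # not a challenge this GRIDS issued
    if not c["timestamp"] <= now <= c["timestamp"] + CHALLENGE_VALIDITY:
        return False                        # challenge content outside validity period
    if not low_k_bits_zero(hashlib.sha256(response["result"] + c["nonce"]).digest(), c["k"]):
        return False                        # challenge result does not match content
    if response["mapping"]["id"] != c["identity"]:
        return False                        # mapping must be for the challenged identity
    binding_table[c["identity"]] = response["mapping"]["locator"]
    return True
```

Because the GRIDS stores nothing per challenge, a captured response remains acceptable until its timestamp window closes, so the length of the validity period is what bounds that exposure.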
In another possible embodiment, the communication device sends an identity-location binding update request to the GRIDS, and the GRIDS receives the binding update request sent by the communication device. The binding update request contains a sequence number that identifies the binding update request message sent by the communication device, and the challenge message that the GRIDS sends to the communication device also contains the sequence number. Before sending the challenge response message to the GRIDS, the communication device determines whether the sequence number in the challenge message is consistent with the sequence number in the binding update request it sent, and only when the two are consistent does it compute the challenge result and send the challenge response message. This ensures that the received challenge message was sent for this communication device, and prevents a malicious attacker from impersonating the GRIDS to mount an impersonation attack against the communication device.
In another possible embodiment, after the GRIDS receives the challenge response message sent by the communication device, it generates a key, together with a validity period for the key, for verifying the identity-location binding update messages subsequently sent by the communication device, and saves the generated key and its validity period. The GRIDS sends a key message to the communication device; the key message contains the key and the validity period of the key. The communication device receives the key message sent by the GRIDS and saves the key and its validity period, so that when it subsequently sends an updated identity-location mapping to the GRIDS it can determine whether the key is within its validity period; if so, it can send the identity-location binding update message directly, without performing security verification by way of challenge-response again.
Specifically, the GRIDS can encrypt the key message with the public key of the communication device and send the encrypted key message to the communication device, to further improve security.
Further, after the communication device has saved the key and its validity period, if it determines that it needs to send an updated identity-location mapping to the GRIDS, the communication device determines whether the key is within its validity period and, if so, generates a message authentication code using the key. The communication device sends an identity-location binding update message to the GRIDS that contains the message authentication code and the subsequently updated identity-location mapping of the communication device. The GRIDS receives the binding update message sent by the communication device, verifies the message authentication code using the saved key and, if verification passes, saves the subsequently updated identity-location mapping of the communication device.
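An added example in Python of the follow-on path described above (not the patent's own code): after a valid challenge response the GRIDS issues a key with a validity period, the device then sends keyed binding update messages directly while the key is valid, and the GRIDS verifies the message authentication code against the saved key and rejects updates once the validity period has passed. The sequence-number check from the binding update request embodiment is included as a device-side function. HMAC-SHA256, the one-hour key lifetime and the field encoding are assumptions; encrypting the key message under the device public key is left out, and the monotonic sequence number carried inside the keyed binding update message is an addition of this example, not something the patent specifies.

```python
import hmac
import secrets

KEY_LIFETIME = 3600  # assumption: an issued key is valid for one hour


def bu_bytes(identity, locator, seq):
    """Assumed canonical encoding of the fields covered by the binding update MAC."""
    return f"{identity}|{locator}|{seq}".encode()


def device_accepts_challenge(request_seq, challenge):
    """Device side: a challenge is answered only if it echoes the sequence
    number of the binding update request this device sent."""
    return challenge.get("seq") == request_seq


class Grids:
    """GRIDS side: keys issued after a valid challenge response, plus the bindings."""

    def __init__(self):
        self.keys = {}        # identity -> [key, not_after, last_seq]
        self.bindings = {}    # identity -> locator

    def issue_key(self, identity, now):
        """Generate and save a key with its validity period; return the key message
        (the patent encrypts it under the device public key; omitted here)."""
        key = secrets.token_bytes(32)
        not_after = now + KEY_LIFETIME
        self.keys[identity] = [key, not_after, 0]
        return {"key": key, "not_after": not_after}

    def handle_binding_update(self, msg, now):
        """Verify a keyed binding update message; return a short verdict."""
        entry = self.keys.get(msg["id"])
        if entry is None:
            return "no-key"          # device must go through challenge-response first
        key, not_after, last_seq = entry
        if now > not_after:
            return "expired"         # validity period over: challenge-response again
        expected = hmac.new(key, bu_bytes(msg["id"], msg["locator"], msg["seq"]),
                            "sha256").digest()
        if not hmac.compare_digest(expected, msg["mac"]):
            return "bad-mac"
        if msg["seq"] <= last_seq:
            return "replay"          # example's own addition: monotonic sequence number
        entry[2] = msg["seq"]
        self.bindings[msg["id"]] = msg["locator"]
        return "ok"


class Device:
    """Communication device side."""

    def __init__(self, identity):
        self.identity = identity
        self.key = None
        self.not_after = 0
        self.seq = 0

    def store_key_message(self, key_msg):
        """Save the key and its validity period from the GRIDS key message."""
        self.key = key_msg["key"]
        self.not_after = key_msg["not_after"]

    def build_binding_update(self, locator, now):
        """Return a keyed binding update if the saved key is still valid, otherwise
        None, meaning the device has to run challenge-response again."""
        if self.key is None or now > self.not_after:
            return None
        self.seq += 1
        mac = hmac.new(self.key, bu_bytes(self.identity, locator, self.seq),
                       "sha256").digest()
        return {"id": self.identity, "locator": locator, "seq": self.seq, "mac": mac}
```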
Further, it may also include the signature of GRIDS in the key message that GRIDS is sent to communication equipment, terminal connects The key message for receiving GRIDS transmission, authenticates the key message using the signature of the GRIDS.Communication equipment It may also comprise the signature of communication equipment in the challenge response message sent to GRIDS, GRIDS receives choosing for communication equipment transmission After response message of fighting, the challenge response message is recognized using the signature for the communication equipment for including in challenge response message Card.By way of above-mentioned signature authentication, communication equipment and GRIDS can be made to realize and be mutually authenticated.
It further, further include the public key certificate of the communication equipment in the challenge response message, the key disappears It further include the public key certificate of the GRIDS in breath.After GRIDS receives challenge response message, it may be verified that in challenge response message Including communication equipment public key certificate, and obtain the public key of communication equipment, realized using the public key of communication equipment to communication equipment Signature certification.After communication equipment receives key message, it may be verified that the public key certificate for the GRIDS for including in key message, And the public key of GRIDS is obtained, the certification to the signature of GRIDS is realized using the public key of GRIDS.
It further, further include the session key agreement parameter of the communication equipment, institute in the challenge response message State further include in key message the GRIDS session key agreement parameter.Communication equipment passes through challenge response message to GRIDS Send session key agreement parameter, make GRIDS can session key agreement parameter and GRIDS based on communication equipment session it is close Key negotiates parameter and generates key.GRIDS sends the session key agreement for generating key and using to communication equipment by key message Parameter, make communication equipment can session key agreement parameter and GRIDS based on communication equipment session key agreement parameter it is raw At key.
Second aspect, the embodiment of the present application provide a kind of binding update method of identity position, and this method can be applied to GRIDS, the chip that can certainly be applied in GRIDS.When applied to GRIDS, in the method, GRIDS generates challenge and disappears It ceases and sends challenge message to communication equipment, include challenge content in the challenge message.GRIDS receives the communication equipment hair The challenge response message sent includes the challenge content in the challenge response message, challenges result and the communication equipment The identity position mapping relations of update, the identity are the identity of the communication equipment, and the position is that the communication is set Standby network address.GRIDS is based on the challenge content and the challenge as a result, verifying the effective of the challenge response message Property, if the challenge response message is effective, save the identity position mapping relations that the communication equipment updates.
Challenge message is sent by GRIDS in the embodiment of the present application, the mode of communication device feeding back challenge response message is real Certification of the existing GRIDS to the communication equipment for sending the identity position mapping relations updated, can protect communication equipment to GRIDS's DOS/DDOS attack, and include challenge content and challenge in challenge response message as a result, making GRIDS without saving session shape State information, therefore can avoid Replay Attack.By the binding update method of identity position provided by the embodiments of the present application, can be improved Bind the safety of renewal process.
Identity position mapping relations involved in the embodiment of the present application be encryption or plaintext.
In a kind of possible design, the identity that includes the communication equipment in the challenge content, the GRIDS are The random number and the GRIDS that the communication equipment generates utilize the information authentication that local key is that the challenge content generates Code.The GRIDS, as a result, when verifying the validity of the challenge response message, is tested based on the challenge content and the challenge The validity for demonstrate,proving the Message Authentication Code for including in the challenge content, if the Message Authentication Code is effective, it is determined that the challenge It as a result whether is the challenge result for challenging content.
Further include the timestamp of the challenge content in alternatively possible design, in the challenge content and described chooses At least one of in the degree-of-difficulty factor for content of fighting.It is described if in the challenge content including the timestamp of the challenge content Time before GRIDS determines whether the challenge result is the challenge result for challenging content, according to the challenge content Stamp, determines the challenge content before the deadline.If in the challenge content including the degree-of-difficulty factor of the challenge content, GRIDS when whether determine the challenge result is the challenge result of the challenge content, confirm the challenge result with it is described Whether low k of the Hash operation result of random number are 0, and the k is the degree-of-difficulty factor.
In another possible design, GRIDS also can receive the identity position that communication equipment is sent before generating challenge message It sets binding and updates request, it includes sequence number in request that the identity position binding, which updates, and the sequence number is described logical for identifying The identity position binding for believing that equipment is sent updates request message, and includes the sequence number in the challenge message of transmission, so that Before communication equipment sends challenge response message to GRIDS, the sequence number for including in the challenge message and the communication are determined Whether the sequence number for including in equipment transmission identity position binding update request is consistent, the sequence for including in determining challenge message Number sending identity position binding with the communication equipment updates under the sequence number unanimous circumstances for including in request, then throws down the gauntlet As a result the transmission of calculating and challenge response information is sent with the challenge message for ensuring to receive for the communication equipment Challenge message prevents the counterfeit GRIDS of malicious attacker from causing the bogus attack to communication equipment.
In another possible design, after the GRIDS receives the challenge response message that the communication equipment is sent, GRIDS produces and saves the validity period of key and the key, and the key is used for the subsequent transmission of the communication equipment Identity position binding update messages verified, the GRIDS sends key message to the communication equipment, and the key disappears Include the validity period of the key and the key in breath, sends the identity position updated to GRIDS so that communication equipment is subsequent When setting mapping relations, it may be determined that key whether before the deadline, if before the deadline, can directly transmit identity position binding more New information, without carrying out security verification by way of challenge-response again.
Wherein, the key message is message of the GRIDS using the public key encryption of communication equipment.
Further, after the GRIDS sends the key message to the communication device, the GRIDS may receive an identity-location binding update message sent by the communication device. The identity-location binding update message includes a message authentication code and the subsequently updated identity-location mapping relationship of the communication device, where the message authentication code is generated by the communication device based on the key. The GRIDS verifies the message authentication code using the saved key and, if the verification succeeds, saves the subsequently updated identity-location mapping relationship of the communication device.
Further, the challenge response message may also include a signature of the communication device, which is used by the GRIDS to authenticate the challenge response message. The key message may also include a signature of the GRIDS, which is used by the communication device to authenticate the key message. Including the signature of the communication device in the challenge response message and the signature of the GRIDS in the key message allows the communication device and the GRIDS to achieve mutual authentication by means of signature authentication.
Further, the challenge response message further includes a certificate of the communication device, and the key message further includes a certificate of the GRIDS, so that after receiving the challenge response message the GRIDS can verify the public key certificate of the communication device included in it, obtain the public key of the communication device, and use that public key to authenticate the signature of the communication device. After receiving the key message, the communication device can verify the public key certificate of the GRIDS included in it, obtain the public key of the GRIDS, and use that public key to authenticate the signature of the GRIDS.
Alternatively, the challenge response message further includes a session key agreement parameter of the communication device, so that the communication device sends its session key agreement parameter to the GRIDS in the challenge response message and the GRIDS can generate the key from the session key agreement parameter of the communication device and the session key agreement parameter of the GRIDS. The key message further includes the session key agreement parameter of the GRIDS, so that the GRIDS sends the session key agreement parameter used to generate the key to the communication device in the key message and the communication device can generate the key from its own session key agreement parameter and that of the GRIDS.
In a third aspect, an embodiment of the present application provides an identity-location binding update method that can be applied to a communication device or to a chip in a communication device. When applied to a communication device, in the method the communication device receives a challenge message sent by the GRIDS, the challenge message including challenge content. The communication device sends a challenge response message to the GRIDS, the challenge response message including the challenge content, a challenge result, and the identity-location mapping relationship updated by the communication device.
In the embodiment of the present application, the communication device receives the challenge message and sends the challenge response message. This allows the GRIDS to authenticate the communication device that sends the updated identity-location mapping relationship and protects the GRIDS against DOS/DDOS attacks by communication devices. Because the challenge response message includes the challenge content and the challenge result, the GRIDS does not need to save session state information, so replay attacks can be avoided. The identity-location binding update method provided by the embodiment of the present application can therefore improve the security of the binding update process.
In one possible design, the challenge content includes the identity of the communication device, a random number generated by the GRIDS for the communication device, and a message authentication code generated by the GRIDS for the challenge content using a local key.
Further, the challenge content further includes at least one of a timestamp of the challenge content and a difficulty coefficient of the challenge content.
In another possible design, before receiving the challenge message sent by the GRIDS, the communication device may also send an identity-location binding update request to the GRIDS. The identity-location binding update request includes a sequence number that identifies the identity-location binding update request message sent by the communication device, and the challenge message further includes the sequence number. Before sending the challenge response message to the GRIDS, the communication device can determine whether the sequence number included in the challenge message is consistent with the sequence number included in the identity-location binding update request it sent, and only when the two are consistent does it compute the challenge result and send the challenge response message. This ensures that the received challenge message is a challenge message sent for this communication device and prevents a malicious attacker impersonating the GRIDS from mounting a spoofing attack on the communication device.
In another possible design, after sending the challenge response message to the GRIDS, the communication device may also receive a key message sent by the GRIDS and save the key and the validity period of the key. When the communication device subsequently sends an updated identity-location mapping relationship to the GRIDS, it can determine whether the key is within its validity period; if it is, the communication device can directly send an identity-location binding update message without performing security verification through the challenge-response exchange again. The key message includes the key and the validity period of the key, where the key is generated by the GRIDS for the communication device and is used to verify the identity-location mapping relationships subsequently updated by the communication device.
The key message is a message encrypted by the GRIDS with the public key of the communication device.
Further, after the communication device saves the key and its validity period, it may, upon determining that the key is within its validity period, generate a message authentication code using the key and send an identity-location binding update message to the GRIDS. The identity-location binding update message includes the message authentication code and the subsequently updated identity-location mapping relationship of the communication device, so that the GRIDS verifies the message authentication code using the saved key and, if the verification succeeds, saves the subsequently updated identity-location mapping relationship of the communication device.
Further, the challenge response message further includes a signature of the communication device, which is used by the GRIDS to authenticate the challenge response message. The key message further includes a signature of the GRIDS, which is used by the communication device to authenticate the key message. Including the signature of the communication device in the challenge response message and the signature of the GRIDS in the key message allows the communication device and the GRIDS to achieve mutual authentication by means of signature authentication.
Further, the challenge response message further includes a certificate of the communication device, and the key message further includes a certificate of the GRIDS, so that after receiving the challenge response message the GRIDS can verify the public key certificate of the communication device included in it, obtain the public key of the communication device, and use that public key to authenticate the signature of the communication device. After receiving the key message, the communication device can verify the public key certificate of the GRIDS included in it, obtain the public key of the GRIDS, and use that public key to authenticate the signature of the GRIDS.
Alternatively, the challenge response message further includes a session key agreement parameter of the communication device, so that the communication device sends its session key agreement parameter to the GRIDS in the challenge response message and the GRIDS can generate the key from the session key agreement parameter of the communication device and the session key agreement parameter of the GRIDS. The key message further includes the session key agreement parameter of the GRIDS, so that the GRIDS sends the session key agreement parameter used to generate the key to the communication device in the key message and the communication device can generate the key from its own session key agreement parameter and that of the GRIDS.
In a fourth aspect, an embodiment of the present application provides an identity-location binding update apparatus, which may be a GRIDS or a chip inside a GRIDS. The GRIDS or the chip inside the GRIDS has the function of implementing the identity-location binding update method performed by the GRIDS in the second aspect or in any possible design of the second aspect. The function may be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the above function. The modules may be software and/or hardware.
The GRIDS includes a sending unit, a receiving unit and a processing unit. The sending unit and the receiving unit may be a transceiver, which may include a radio frequency circuit; the processing unit may be, for example, a processor. Optionally, the GRIDS further includes a storage unit, which may be, for example, a memory. When the GRIDS includes a processing unit and a storage unit, the storage unit stores computer-executable instructions, the processing unit is connected to the storage unit, and the processing unit executes the computer-executable instructions stored in the storage unit so that the GRIDS performs the identity-location binding update method of the second aspect or of any possible design of the second aspect.
The chip includes a sending unit, a receiving unit and a processing unit. The sending unit and the receiving unit may be input/output interfaces, pins or circuits on the chip. The processing unit may be, for example, a processor. Optionally, the chip further includes a storage unit, which may be, for example, a memory. The processing unit can execute the computer-executable instructions stored in the storage unit so that the chip performs the identity-location binding update method of the second aspect or of any possible design of the second aspect.
Optionally, the storage unit may be a storage unit in the chip (for example, a register or a cache), or a storage unit in the GRIDS located outside the chip (for example, a read-only memory), or another type of static storage device that can store static information and instructions (for example, a random access memory).
In a fifth aspect, an embodiment of the present application provides an identity-location binding update apparatus, which may be a communication device or a chip inside a communication device. The communication device or the chip inside the communication device has the function of implementing the identity-location binding update method performed by the communication device in the third aspect or in any possible design of the third aspect. The function may be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the above function. The modules may be software and/or hardware.
The communication device includes a receiving unit and a processing unit. Optionally, the communication device may further include a sending unit and/or a storage unit. The sending unit and the receiving unit may be a transceiver, which may include a radio frequency circuit; the processing unit may be, for example, a processor. The storage unit may be, for example, a memory. When the communication device includes a processing unit and a storage unit, the storage unit stores computer-executable instructions, the processing unit is connected to the storage unit, and the processing unit executes the computer-executable instructions stored in the storage unit so that the communication device performs the identity-location binding update method of the third aspect or of any possible design of the third aspect.
The chip includes a receiving unit and a processing unit. Optionally, the communication device may further include a sending unit and/or a storage unit. The sending unit and the receiving unit may be input/output interfaces, pins or circuits on the chip. The processing unit may be, for example, a processor. The storage unit may be, for example, a memory. The processing unit can execute the computer-executable instructions stored in the storage unit so that the chip performs the identity-location binding update method of the second aspect or of any possible design of the second aspect.
Optionally, the storage unit may be a storage unit in the chip (for example, a register or a cache), or a storage unit in the communication device located outside the chip (for example, a read-only memory), or another type of static storage device that can store static information and instructions (for example, a random access memory).
The identity-location binding update method and apparatus provided by the embodiments of the present application perform the identity-location binding update by having the GRIDS send a challenge message and the communication device feed back a challenge response message, which can improve the security of the binding update process. Moreover, in the embodiments of the present application the challenge response message includes the challenge content and the challenge result of the challenge content, so that the GRIDS does not need to save session state information and replay attacks can be avoided.
Detailed description of the invention
Fig. 1 is a schematic diagram of a binding update process implemented between communication devices by transmitting binding update messages;
Fig. 2 is a schematic diagram of a binding update process implemented between communication devices based on a publish-subscribe model;
Fig. 3 is a system architecture diagram to which the embodiments of the present application apply;
Fig. 4 is a flowchart of an identity-location binding update method provided by an embodiment of the present application;
Fig. 5 is a flowchart of another identity-location binding update method provided by an embodiment of the present application;
Fig. 6 is a flowchart of another identity-location binding update method provided by an embodiment of the present application;
Fig. 7 is a flowchart of another identity-location binding update method provided by an embodiment of the present application;
Fig. 8 is a flowchart of another identity-location binding update method provided by an embodiment of the present application;
Fig. 9 is a flowchart of another identity-location binding update method provided by an embodiment of the present application;
Figure 10 is a schematic structural diagram of an identity-location binding update apparatus provided by an embodiment of the present application;
Figure 11 is a schematic structural diagram of an identity-location binding update apparatus provided by an embodiment of the present application;
Figure 12 is a schematic structural diagram of another identity-location binding update apparatus provided by an embodiment of the present application.
Specific embodiment
The technical solutions in the embodiments of the present application are described below with reference to the accompanying drawings.
An embodiment of the present application provides an identity-location binding update method and apparatus. The method can be applied to the ION network architecture shown in Fig. 3. As shown in Fig. 3, the ION network architecture includes communication devices (also called communication nodes or node devices) and the ION unified control and management layer (generic resilient id services, GRIDS). The communication devices can be understood as the data plane of the ION network architecture; communication devices in the ION network architecture can communicate end to end, for example through a radio access network (RAN), a user plane function (UPF) and the Internet as in Fig. 1. The protocol stack with which each communication device of the data plane supports identity-location separation during end-to-end communication includes a physical layer (PHY layer), a link layer, an IP layer (IP layer or locator), an identity layer (ID layer), a transport layer (Transport) and an application layer (App). The GRIDS can be understood as the control plane of the ION network architecture; it is deployed in a distributed manner within the ION network architecture and manages information such as the identities and locations of communication devices in a unified way, providing for example an identity management service (Identity service), an identity-location mapping management service (Mapping/Location Service), an identity relationship management service (Grouping Service) and a metadata management service (Metadata Service). A communication device whose identity-location mapping relationship changes sends an identity-location binding update request to the software communication module of the GRIDS, which provides the reporting of identity-location mapping relationships, and the GRIDS sends the updated identity-location mapping relationship to the other communication devices that subscribe to the identity-location mapping relationship of that communication device, completing the binding update process.
Currently, when a communication device whose identity-location mapping relationship changes reports the identity-location mapping relationship to the GRIDS, it simply reports its location, which carries considerable security risk. For example, in the process in which a communication device reports identity-location information to update the identity-location mapping relationship, if the GRIDS keeps session state and a malicious communication device initiates a large number of session connections, a denial of service (DOS)/distributed denial of service (DDOS) attack results. As another example, if a malicious communication device impersonates another communication device and reports identity-location information, that is, reports location information that does not belong to its own identity, a spoofing attack results. As a further example, a malicious communication device that uses the legitimate signature information of another communication device to repeatedly send identity-location information to the GRIDS consumes large amounts of GRIDS network resources and computing resources, causing a replay attack.
In view of this, an embodiment of the present application provides an identity-location binding update method in which a challenge-response authentication mode is used to implement authentication of the communication device by the GRIDS. The challenge-response authentication mode can be understood as a computation process: the GRIDS initiates a computation request that includes the content to be computed; the communication device receives the computation request, performs the computation according to the computation content included in it (for example, by exhaustive search), obtains a computation result and sends it to the GRIDS; the GRIDS receives the computation result and verifies whether it is correct. The computation request can be understood as the challenge message, the computation content as the challenge content, and the computation result as the challenge response message.
When the challenge-response authentication mode is used in the embodiment of the present application to implement authentication of the communication device by the GRIDS, the communication device sends an identity-location binding update request to the GRIDS; the GRIDS receives the identity-location update request sent by the communication device, generates a challenge message and sends the challenge message to the communication device. The communication device receives the challenge message sent by the GRIDS, determines a challenge response message and sends it to the GRIDS; the challenge response message includes the challenge content included in the challenge message, the challenge result and the identity-location mapping relationship updated by the communication device. The GRIDS receives the challenge response message sent by the communication device and verifies its validity based on the challenge content and the challenge result; if the challenge response message is valid, it saves the identity-location mapping relationship updated by the communication device. In the embodiment of the present application, having the GRIDS send a challenge message and the communication device feed back a challenge response message implements authentication of the communication device by the GRIDS and protects the GRIDS against DOS/DDOS attacks by communication devices. Because the challenge response message includes the challenge content and the challenge result of the challenge content, the GRIDS does not need to save session state information, so replay attacks can be avoided. The identity-location binding update method provided by the embodiment of the present application can therefore improve the security of the binding update process.
It should be understood that the communication device involved in the embodiments of the present application needs to support a protocol that separates identity and location. It may be, for example, a terminal that supports an identity-location separation protocol; such a terminal may also be called user equipment (UE), a mobile station (MS), a mobile terminal (MT) and so on, and may include a mobile phone, a tablet computer, a laptop computer, a mobile Internet device (MID) or a wearable device (such as a smartwatch, a smart bracelet or a pedometer), and may also include other communication devices that support an identity-location separation protocol. The communication device involved in the embodiments of the present application may also be a network device, such as a gateway, that supports an identity-location separation protocol.
For ease of description, the embodiments of the present application are illustrated below with the communication device being a UE as an example.
Fig. 4 shows a flowchart of an identity-location binding update method provided by an embodiment of the present application. As shown in Fig. 4, the method includes:
S101: The UE sends an identity-location binding update request to the GRIDS.
In the embodiment of the present application, if the location of the UE changes, the UE can send an identity-location binding update request message to the GRIDS to report the identity-location binding update. For ease of description, the identity-location binding update request message is denoted U1. The parameters carried in U1 include a message type (message_type) and a sequence number (seq_number), where message_type is the identity-location binding update request type (update_request_type) and identifies the message as an identity-location binding update request sent by the UE to the GRIDS. seq_number is the sequence number of the identity-location binding update request message currently reported by the UE; it can be specified by the UE and identifies the identity-location binding update request message sent by the UE.
S102: The GRIDS generates a challenge message.
Specifically, in the embodiment of the present application, the GRIDS can generate the challenge message after receiving the identity-location binding update request sent by the UE. The challenge message includes challenge content (challenge). The GRIDS constructs the challenge content for the UE, and the UE computes the corresponding challenge result (solution) for that challenge content.
In one possible embodiment, the GRIDS can construct challenge content for the UE of each received identity-location binding update request. The challenge content constructed by the GRIDS may include the identity (ID) of the UE, a random number (random) generated by the GRIDS for the UE, and a message authentication code generated by the GRIDS for the challenge content using a local key. The ID of the UE identifies the UE targeted by the challenge content; random is the random number parameter used in computing the challenge result corresponding to the challenge content; and the message authentication code generated by the GRIDS for the challenge content using the local key can be used to authenticate the challenge content carried in the challenge response message and prevents the UE from forging challenge content.
Further, in the embodiment of the present application, the challenge content constructed by the GRIDS may further include at least one of a timestamp of the challenge content (timestamp) and a difficulty coefficient (k) of the challenge content. The timestamp identifies the validity period of the challenge content. The difficulty coefficient sets the computational difficulty of the challenge result; for example, different difficulty coefficients k can be set for different UEs.
Further, in the embodiment of the present application, before the GRIDS generates the challenge message it can authenticate the identity of the UE. If the authentication succeeds, it generates the challenge message; if the authentication fails, it can discard the received identity-location binding update request message.
Specifically, in the embodiment of the present application, the GRIDS can authenticate the identity of the UE by checking whether the identity (ID) of the UE is in a preset blacklist.
S103: The GRIDS sends the challenge message to the UE; the challenge message includes the challenge content.
Specifically, for ease of description, the challenge message is denoted G1. The parameters carried in G1 may include a message type (message_type) and challenge content (challenge). The message_type carried in G1 identifies the message as a challenge message, and challenge is the challenge content constructed by the GRIDS for the UE.
Further, G1 may also include a sequence number (seq_number), which is the sequence number carried in U1, to prevent a malicious attacker impersonating the GRIDS from mounting a bypass attack on the UE.
S104: The UE receives the challenge message sent by the GRIDS, computes the challenge result (solution) of the challenge content, and sends a challenge response message to the GRIDS.
In the embodiment of the present application, the solution corresponding to the challenge can be generated by exhaustive computation, and the solution is sent to the GRIDS in the challenge response message.
In the embodiment of the present application, the challenge response message sent by the UE to the GRIDS also includes the challenge. Sending the challenge and the solution together to the GRIDS means that the GRIDS does not need to save session state information for the challenge, so replay attacks by a malicious attacker can be avoided.
Further, in the embodiment of the present application, the UE also sends the updated identity-location mapping relationship to the GRIDS together with the challenge and the solution. Sending the updated identity-location mapping relationship (ID/Locator map information) to the GRIDS in the challenge-response manner implements the identity-location binding update and can to some extent improve the security of the identity-location binding update process.
Specifically, for ease of description, the challenge response message is denoted U2. The parameters carried in U2 include message_type, challenge, solution and ID/Locator map information. The message_type carried in U2 is challenge_response, which identifies the message as a challenge response message; challenge is the challenge in message G1; solution is the challenge result corresponding to the challenge; and ID/Locator map information is the identity-location binding update content.
Further, in the embodiment of the present application, the UE can determine whether the seq_number included in G1 is consistent with the seq_number carried in U1, and only when the two are consistent does it compute the challenge result and send the challenge response message. This ensures that the received challenge message is a challenge message sent for this UE and prevents a malicious attacker impersonating the GRIDS from attacking the UE.
S105:GRIDS receives the challenge response message that UE is sent, based on the challenge for including in challenge response message And solution, the validity of challenge response message is verified, if challenge response message is effective, saves the identity position of UE update Mapping relations.If challenge response message invalid, the identity position mapping relations of UE update can not be saved, identity position is improved and ties up Determine the safety of renewal process.
In this embodiment, when the challenge content includes the ID of the UE, the random number that GRIDS generated for the UE, and a message authentication code that GRIDS generated over the challenge content with its local key, GRIDS can verify the message authentication code carried in the challenge content and thereby verify that the challenge content is one that GRIDS itself sent, before going on to determine whether the challenge result in the received challenge response message is the solution to that challenge content. If the message authentication code in the challenge content is valid, GRIDS proceeds to determine whether the challenge result in the received challenge response message is the solution to the challenge content.
Further, if the challenge content includes a timestamp, GRIDS determines from the timestamp whether the challenge content carried in the challenge response message is still within its validity period, and only if it is does GRIDS go on to determine whether the challenge result in the received challenge response message is the solution to the challenge content. If the challenge content includes no timestamp, no validity period check is needed, and GRIDS directly determines whether the challenge result in the received challenge response message is the solution to the challenge content.
Further, if the challenge content includes a difficulty coefficient k, GRIDS computes a hash of the random number it generated for the UE together with the challenge result; if the low k bits of the hash result are all 0, GRIDS determines that the challenge result in the received challenge response message is the solution to the challenge content. If the challenge content includes no difficulty coefficient k, GRIDS computes the hash of the random number it generated for the UE together with the challenge result and checks whether the hash result is 0: if the hash result is 0, the challenge result in the received challenge response message is determined to be the solution to the challenge content; if it is not 0, the challenge result is determined not to be the solution.
By verifying the validity of the challenge result in the manner described above, this embodiment determines that the challenge content carried in the challenge response message is the challenge content GRIDS sent and that the challenge result carried in the challenge response message is the solution to that challenge content. GRIDS saves the identity-position mapping relationship updated by the UE only when the challenge content is one GRIDS sent and the challenge result is valid, which improves the security of the binding update process.
Further, GRIDS may verify the signature of the UE and save the updated identity-position mapping relationship only if the signature is verified, further improving the security of the binding update process.
In this embodiment the identity-position binding update is carried out by GRIDS sending a challenge message and the UE returning a challenge response message, which improves the security of the binding update process. Moreover, because the challenge response message carries both the challenge content and the challenge result for that content, GRIDS does not need to keep session state, and replay attacks can be avoided (the timestamp check above rejects challenge content that is reused after its validity period).
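The GRIDS-side checks described in the paragraphs above (message authentication code under the local key, timestamp validity, and the low-k-bits hash condition on the challenge result), together with the UE-side search for a challenge result, are shown in the following worked Python example. It is an example added to this page, not code from the patent or from Huawei. The local key, the 60-second validity window, SHA-256 as the hash, HMAC-SHA256 as the message authentication code, the byte encoding of the challenge content, and the 8-byte counter used as the challenge result are all assumptions of the example; the example always carries a difficulty coefficient k and does not implement the "hash result is 0" variant used when k is absent.

```python
import hashlib
import hmac
import os
import struct

# Assumed parameters (not from the patent): GRIDS local key and validity window.
GRIDS_LOCAL_KEY = b"example-grids-local-key-change-me"
CHALLENGE_VALIDITY_S = 60


def challenge_body(ue_id: str, nonce: bytes, ts: int, k: int) -> bytes:
    """Canonical byte encoding of the challenge content covered by the MAC (assumed layout)."""
    return ue_id.encode() + b"|" + nonce + struct.pack(">IB", ts, k)


def make_challenge(ue_id: str, k: int, now: int, key: bytes = GRIDS_LOCAL_KEY) -> dict:
    """GRIDS side: UE ID, random number, timestamp, difficulty k and a MAC under the local key.
    GRIDS keeps no per-UE state; everything it needs later travels inside the challenge content."""
    nonce = os.urandom(16)
    mac = hmac.new(key, challenge_body(ue_id, nonce, now, k), hashlib.sha256).digest()
    return {"ue_id": ue_id, "nonce": nonce, "ts": now, "k": k, "mac": mac}


def solution_valid(ch: dict, solution: bytes) -> bool:
    """The difficulty condition: the low k bits of H(random number || solution) are all zero."""
    digest = hashlib.sha256(ch["nonce"] + solution).digest()
    return int.from_bytes(digest, "big") & ((1 << ch["k"]) - 1) == 0


def solve_challenge(ch: dict, max_tries: int = 1 << 24) -> bytes:
    """UE side: search an 8-byte counter until the difficulty condition holds."""
    for counter in range(max_tries):
        sol = counter.to_bytes(8, "big")
        if solution_valid(ch, sol):
            return sol
    raise RuntimeError("no solution found within max_tries")


def verify_response(ch: dict, solution: bytes, now: int, key: bytes = GRIDS_LOCAL_KEY) -> str:
    """GRIDS side, in the order the description gives: MAC, then timestamp, then solution.
    Returns 'ok' or the reason for dropping the challenge response message."""
    expected = hmac.new(
        key, challenge_body(ch["ue_id"], ch["nonce"], ch["ts"], ch["k"]), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected, ch["mac"]):
        return "bad_mac"        # not challenge content that GRIDS issued (forged or modified)
    if not 0 <= now - ch["ts"] <= CHALLENGE_VALIDITY_S:
        return "expired"        # outside the validity period (stale or replayed challenge)
    if not solution_valid(ch, solution):
        return "bad_solution"   # not the solution to this challenge content
    return "ok"


if __name__ == "__main__":
    ch = make_challenge("ue-01", k=12, now=1_700_000_000)
    sol = solve_challenge(ch)
    print(verify_response(ch, sol, now=1_700_000_010))
```

The MAC is checked first so that GRIDS does no timestamp or hash work on content it never issued, and because the challenge content is echoed back in full, GRIDS stores nothing between `make_challenge` and `verify_response`.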
In one possible embodiment, after GRIDS has saved the updated identity-position mapping relationship reported by the UE through the challenge-response procedure above, GRIDS may generate and save a key (token) and a validity period (timer) for that key; the token and timer are used to verify the identity-position mapping relationships that the UE subsequently updates. GRIDS sends the token and timer to the UE, and the UE receives and saves them. When the UE later sends a subsequently updated identity-position mapping relationship to GRIDS, it may first determine whether the token is still within its validity period; if it is, the UE can send the identity-position binding update message directly, without going through the challenge-response security verification again.
Accordingly, on the basis of the method shown in Fig. 4, the embodiment may further include the following steps, as shown in Fig. 5:
S106: GRIDS generates and saves a token and a timer.
Specifically, GRIDS can control which UEs it generates and saves a token and timer for; for example, it may do so only for UEs with higher credibility.
S107: GRIDS sends a key message to the UE, the key message including the token and the timer.
Specifically, for ease of description the key message sent by GRIDS to the UE is denoted G2. The parameters carried in G2 include message_type, token and timer, where message_type identifies the message as a key message, token is the key that GRIDS generated for the current UE, and timer is the validity period of that token.
Further, GRIDS may sign the key message with the private key of GRIDS and send the signature to the UE.
Further, GRIDS may encrypt the token and timer with the public key of the UE and send the encrypted token and timer to the UE, to improve security.
It is understood that the order in which the key message is signed and encrypted is not limited in this embodiment.
S108: The UE receives the key message sent by GRIDS and saves the token and timer it contains.
Further, if the token and timer were encrypted with the public key of the UE, the UE first decrypts them with its private key and then saves the decrypted token and timer, for use when the UE subsequently reports identity-position binding update content to GRIDS.
When the UE subsequently reports an updated identity-position mapping relationship (a subsequently updated identity-position mapping relationship) to GRIDS again, it may use the method flow shown in Fig. 6 to report the subsequent update content of the identity-position binding.
Fig. 6 is a flowchart of another identity-position binding update method provided by an embodiment of this application. As shown in Fig. 6, the method includes:
S201: The UE determines whether the token is within its validity period.
Specifically, if the token is within its validity period, S202 is performed. If the token has expired, the identity-position binding update is carried out by the challenge-response method flow shown in Fig. 4.
S202: The UE generates a message authentication code for the updated identity-position mapping relationship using the token.
S203: The UE sends an identity-position binding update message to GRIDS, the message including the message authentication code generated with the token and the subsequent update content of the identity-position binding.
For ease of description the identity-position binding update message is denoted U3. The parameters carried in U3 include message_type, ID/Locator map information and MAC(token). message_type is the identity-position binding update message type (update_type), identifying the message as a simplified binding update report; ID/Locator map information is the subsequent update content of the UE's identity-position binding; MAC(token) is the message authentication code generated with the token over the entire message.
Further, U3 may also include seq_number, the sequence number of this identity-position binding update message reported by the UE, which the UE may specify.
S204: GRIDS receives the identity-position binding update message sent by the UE and verifies the message authentication code in it using the saved token. If verification succeeds, GRIDS saves the subsequently updated identity-position mapping relationship reported by the UE; if verification fails, GRIDS may drop the identity-position binding update message.
Specifically, GRIDS can determine which token to use for verifying the message authentication code from the ID of the UE.
Further, GRIDS may also send a response message to the UE containing the seq_number carried in U3, so that the UE can determine whether GRIDS has saved the subsequently updated identity-position mapping relationship.
S205: GRIDS sends a response message to the UE, the response message including the seq_number carried in U3.
Specifically, the response message is denoted G4; the parameters carried in G4 include message_type and seq_number. message_type is the response message type (ACK_type), identifying the message as a reply; seq_number is the sequence number carried in U3, so that the UE can determine the result of GRIDS saving the subsequently updated identity-position mapping relationship corresponding to that seq_number.
S205 is an optional step.
In this embodiment GRIDS generates and saves a token and timer and sends them to the UE, which saves them; when the UE subsequently needs to report a subsequently updated identity-position mapping relationship and the token is within the validity period given by the timer, it can send the identity-position binding update message directly, without repeating the challenge-response procedure, which simplifies the interaction flow.
In another possible embodiment, the UE and GRIDS may authenticate each other to further improve security.
In one possible embodiment, the UE and GRIDS can achieve security authentication by verifying private-key signatures.
Fig. 7 is a flowchart of an identity-position binding update process, provided by an embodiment of this application, in which the UE and GRIDS perform security authentication based on signatures.
The method flow shown in Fig. 7 is similar to the method flow shown in Fig. 5; the only differences are that the UE sends the signature of the UE to GRIDS, GRIDS sends the signature of GRIDS to the UE, and the two authenticate each other.
Specifically, the UE can send its signature in the challenge response message it sends to GRIDS. By sending the signature of the UE to GRIDS, GRIDS can use it to authenticate the challenge response message, further improving security. GRIDS can carry the signature of GRIDS in the key message it sends to the UE, so that the UE can authenticate GRIDS. Further, the UE can authenticate the key message using the signature of GRIDS: if authentication succeeds, the UE saves the token and timer; if it fails, the UE may drop the key message, further improving security.
In one possible embodiment, the UE and GRIDS can obtain the peer's public key under an asymmetric-key scheme based on a certificate system and verify signatures with the peer's public key.
Fig. 8 is a flowchart of an identity-position binding update process, provided by an embodiment of this application, in which the UE and GRIDS perform security authentication based on certificates.
The method flow shown in Fig. 8 is similar to the method flow shown in Fig. 7; the only differences are that the UE sends the certificate of the UE to GRIDS, GRIDS sends the certificate of GRIDS to the UE, and the two verify each other's certificates.
Specifically, the UE can send its public key certificate in the challenge response message it sends to GRIDS. After receiving the challenge response message, GRIDS can verify the UE public key certificate it contains and obtain the public key of the UE. GRIDS can carry the public key certificate of GRIDS in the key message it sends to the UE. After receiving the key message, the UE can verify the GRIDS public key certificate it contains and obtain the public key of GRIDS.
In one possible embodiment, the UE can send a Diffie-Hellman (DH) session key agreement parameter to GRIDS, so that GRIDS can generate the token from the DH session key agreement parameter of the UE and the DH session key agreement parameter of GRIDS. GRIDS sends the DH session key agreement parameter it used to generate the token to the UE, so that the UE can generate the same token from the DH session key agreement parameter of the UE and that of GRIDS.
Fig. 9 is a flowchart of an identity-position binding update process, provided by an embodiment of this application, in which the UE and GRIDS generate the token based on DH session key agreement parameters.
The method flow shown in Fig. 9 is similar to the method flow shown in Fig. 7; the only differences are that the UE sends the DH session key agreement parameter of the UE to GRIDS, GRIDS sends the DH session key agreement parameter of GRIDS to the UE, and each side generates the token from the DH session key agreement parameter of the UE and the DH session key agreement parameter of GRIDS.
Specifically, the UE can send its DH session key agreement parameter in the challenge response message it sends to GRIDS. After receiving the challenge response message, GRIDS can generate the token from the DH session key agreement parameter of the UE and the DH session key agreement parameter of GRIDS. GRIDS can send its DH session key agreement parameter in the key message it sends to the UE. After receiving the key message, the UE can generate the token from the DH session key agreement parameter of the UE and the DH session key agreement parameter of GRIDS.
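The simplified update path (S106 to S108 and S201 to S205 above) and the Diffie-Hellman variant just described, in which both sides derive the token from exchanged DH parameters instead of GRIDS sending the token itself, are shown together in the following Python example. It is an example added to this page, not code from the patent or from Huawei. Its assumptions are: a toy DH group (p = 2^127 - 1, g = 5) chosen only to keep the arithmetic short, where a deployment would use a standard MODP group or an elliptic-curve group; token = SHA-256 over the shared DH secret; HMAC-SHA256 over a canonical JSON encoding of the message as MAC(token); a one-hour timer expressed as an absolute expiry time; and a GRIDS-side re-check of the timer in addition to the UE-side check that the description specifies.

```python
import hashlib
import hmac
import json
import secrets

# Toy DH group for illustration only (assumption, not from the patent); not a secure choice.
DH_P = 2**127 - 1
DH_G = 5
TOKEN_LIFETIME_S = 3600  # assumed timer length


def dh_keypair():
    """One side's DH session key agreement parameter: (private exponent, public value)."""
    priv = secrets.randbelow(DH_P - 2) + 1
    return priv, pow(DH_G, priv, DH_P)


def derive_token(own_priv: int, peer_pub: int) -> bytes:
    """Both sides: token = H(shared DH secret). The token itself is never transmitted."""
    shared = pow(peer_pub, own_priv, DH_P)
    return hashlib.sha256(b"token|" + shared.to_bytes(16, "big")).digest()


def mac_token(token: bytes, msg: dict) -> bytes:
    """MAC(token) over the entire message (every field except the MAC), canonical JSON."""
    body = json.dumps({k: v for k, v in msg.items() if k != "mac"}, sort_keys=True).encode()
    return hmac.new(token, body, hashlib.sha256).digest()


def grids_issue_key_message(store: dict, ue_id: str, ue_dh_pub: int, now: int) -> dict:
    """S106/S107 (DH variant): GRIDS derives and saves token + timer for this UE and
    sends G2 carrying its own DH parameter and the timer."""
    priv, pub = dh_keypair()
    expires = now + TOKEN_LIFETIME_S
    store[ue_id] = {"token": derive_token(priv, ue_dh_pub), "expires": expires}
    return {"message_type": "key", "dh_pub": pub, "timer": expires}


def ue_build_update(ue_id: str, token: bytes, expires: int, mapping: dict, seq: int, now: int):
    """S201 to S203: if the token is within its validity period, build U3 with MAC(token);
    otherwise return None, meaning the UE must fall back to the challenge-response flow."""
    if now >= expires:
        return None
    u3 = {"message_type": "update", "ue_id": ue_id, "mapping": mapping, "seq_number": seq}
    u3["mac"] = mac_token(token, u3)
    return u3


def grids_handle_update(store: dict, mappings: dict, u3: dict, now: int):
    """S204/S205: look up the token by UE ID, verify the MAC, save the mapping and
    return the G4 acknowledgement echoing seq_number; None means the message is dropped."""
    entry = store.get(u3.get("ue_id"))
    if entry is None or now >= entry["expires"]:   # GRIDS-side timer re-check (added)
        return None
    if not hmac.compare_digest(mac_token(entry["token"], u3), u3.get("mac", b"")):
        return None
    mappings[u3["ue_id"]] = u3["mapping"]
    return {"message_type": "ACK", "seq_number": u3["seq_number"]}


if __name__ == "__main__":
    store, mappings, now = {}, {}, 1_700_000_000
    ue_priv, ue_pub = dh_keypair()                        # sent in the challenge response message
    g2 = grids_issue_key_message(store, "ue-01", ue_pub, now)
    token = derive_token(ue_priv, g2["dh_pub"])           # UE derives the same token
    u3 = ue_build_update("ue-01", token, g2["timer"], {"id": "ue-01", "locator": "2001:db8::1"}, 7, now + 10)
    print(grids_handle_update(store, mappings, u3, now + 10))
```

The same `grids_handle_update` serves the non-DH variant of S106/S107 as well: GRIDS would simply store a randomly generated token and send it (encrypted to the UE's public key) in G2 instead of `dh_pub`.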
The above describes the solution provided by the embodiments of this application mainly from the perspective of the interaction between the UE and GRIDS. It is understood that, to implement the above functions, the UE and GRIDS include corresponding hardware structures and/or software modules for performing each function. In combination with the exemplary units and algorithm steps described in the embodiments disclosed herein, the embodiments of this application can be implemented in hardware or in a combination of hardware and computer software. Whether a function is performed by hardware or by computer software driving hardware depends on the particular application and design constraints of the technical solution. Those skilled in the art may use different methods to implement the described functions for each particular application, but such implementation should not be considered as going beyond the scope of the technical solutions of the embodiments of this application.
The embodiments of this application may divide the UE and GRIDS into functional units according to the above method examples; for example, each function may be assigned its own functional unit, or two or more functions may be integrated into one processing unit. The integrated unit may be implemented in hardware or as a software functional unit. It should be noted that the division of units in the embodiments is schematic and is only a division by logical function; other divisions are possible in actual implementation.
Based on the same concept as the above method embodiments, an embodiment of this application further provides an identity-position binding updating device, which can be applied to the UE or to GRIDS.
When implemented in hardware, the identity-position binding updating device applied to the UE and the identity-position binding updating device applied to GRIDS can both be realized by the identity-position binding updating device 100 shown in Fig. 10.
As shown in Fig. 10, the identity-position binding updating device 100 may include at least one processor 101, a memory 103 and at least one transceiver 104. These components can communicate over one or more communication buses 102.
It should be noted that Fig. 10 is only one implementation of the embodiment of this application; in practice the identity-position binding updating device 100 may include more or fewer components, without limitation here.
The transceiver 104 is used to send and receive radio frequency signals and is coupled to the receiver and transmitter of the identity-position binding updating device 100. The transceiver 104 communicates with other communication devices over a communication network by radio frequency signals, for example Ethernet, a radio access network (RAN) or a wireless local area network (WLAN). In a specific implementation, the communication protocols supported by the transceiver 104 may include, but are not limited to, 2G/3G, long term evolution (LTE), wireless fidelity (Wi-Fi) and 5G new radio (NR).
The memory 103 is coupled to the processor 101 and stores various software programs and/or sets of instructions. In a specific implementation, the memory 103 may include high-speed random access memory and may also include non-volatile memory, such as one or more magnetic disk storage devices, flash memory devices or other non-volatile solid-state storage devices. The memory 103 may store an operating system (hereinafter "system"), for example an embedded operating system such as ANDROID, IOS, WINDOWS or LINUX. The memory 103 may store the program implementing the embodiments of this application. The memory 103 may also store a network communication program, which can be used to communicate with one or more additional devices, one or more terminal devices or one or more network devices.
The processor 101 may be a general-purpose central processing unit (CPU), a microprocessor, an application-specific integrated circuit (ASIC), or one or more integrated circuits for controlling the execution of the programs of this application.
In some embodiments, the identity-position binding updating device 100 may further include an output device 105 and an input device 106. The output device 105 communicates with the processor 101 and can display information in various ways; for example, it may be a liquid crystal display (LCD), a light emitting diode (LED) display device, a cathode ray tube (CRT) display device or a projector. The input device 106 communicates with the processor 101 and can receive user input in various ways; for example, it may be a mouse, a keyboard, a touch screen device or a sensing device. To facilitate use of the output device 105 and the input device 106, in some embodiments the memory 103 may also store a user interface program, which displays the content of an application program through a graphical operation interface and receives the user's control operations on the application through input controls such as menus, dialog boxes and keys. When the identity-position binding updating device 100 of Fig. 10 implements the functions of the UE, its memory may store one or more software modules providing functions such as receiving the challenge message, computing the challenge response message and sending the challenge response message; refer to the method embodiments above. When the identity-position binding updating device 100 of Fig. 10 implements the functions of GRIDS, its memory may store one or more software modules providing functions such as generating the challenge message, verifying the challenge response message and saving the updated identity-position mapping relationship; refer to the method embodiments above.
When implemented as software functional units, Fig. 11 is a schematic structural diagram of an identity-position binding updating device provided by an embodiment of this application. The identity-position binding updating device 1000 may be a UE or a component inside a UE. As shown in Fig. 11, the identity-position binding updating device 1000 includes a receiving unit 1002 and a processing unit 1003.
Specifically, the receiving unit 1002 is configured to receive the challenge message sent by GRIDS, the challenge message including challenge content. The processing unit 1003 is configured to send a challenge response message to GRIDS, the challenge response message including the challenge content, the challenge result and the identity-position mapping relationship updated by the UE.
Specifically, the challenge content includes the identity of the UE, the random number that GRIDS generated for the UE, and the message authentication code that GRIDS generated for the challenge content using its local key.
Further, the challenge content also includes at least one of a timestamp of the challenge content and a difficulty coefficient of the challenge content.
In one possible example, the identity-position binding updating device 1000 further includes a sending unit 1001, configured to send an identity-position binding update request to GRIDS. The identity-position binding update request includes a sequence number identifying the identity-position binding update request message sent by the UE, and the challenge message also includes that sequence number.
The processing unit 1003 is further configured to determine, before the sending unit 1001 sends the challenge response message to GRIDS, that the sequence number in the challenge message is consistent with the sequence number in the identity-position binding update request sent by the UE.
In another possible example, the receiving unit 1002 is further configured to receive, after the sending unit 1001 sends the challenge response message to GRIDS, the key message sent by GRIDS, and to save the key and the validity period of the key. The key message includes the key and the validity period of the key; the key is generated by GRIDS for the UE and is used to verify the identity-position binding update messages subsequently sent by the UE.
Further, the key message is a message that GRIDS has encrypted with the public key of the UE.
In yet another possible example, the processing unit 1003 is further configured to determine, after the receiving unit 1002 has saved the key and its validity period, that the key is within the validity period, and to generate a message authentication code using the key. The sending unit 1001 is further configured to send an identity-position binding update message to GRIDS, the identity-position binding update message including the subsequently updated identity-position mapping relationship of the UE and the message authentication code generated by the processing unit 1003.
Further, the challenge response message also includes the signature of the UE, which GRIDS uses to authenticate the challenge response message, and the key message also includes the signature of GRIDS, which the UE uses to authenticate the key message.
Further, the challenge response message also includes the certificate of the UE and the key message also includes the certificate of GRIDS; or the challenge response message also includes the session key agreement parameter of the UE and the key message also includes the session key agreement parameter of GRIDS.
Specifically, the updated identity-position mapping relationship in the embodiments of this application may be encrypted or in plaintext.
Further, the identity-position binding updating device 1000 may also include a storage unit for storing computer-executable instructions. The processing unit 1003 is connected to the storage unit and executes the computer-executable instructions stored in it, so that the identity-position binding updating device 1000 performs the identity-position binding update method performed by the UE in the method embodiments above.
When implemented in hardware, the sending unit 1001 and the receiving unit 1002 may be a communication interface, a transceiver, or the like; the transceiver may include a radio frequency circuit. "Communication interface" is a collective term and may include one or more interfaces. The processing unit 1003 may be, for example, a processor or a controller. The storage unit may be, for example, a memory.
Specifically, when the sending unit 1001 and the receiving unit 1002 are a transceiver, the processing unit 1003 is a processor and the storage unit is a memory, the identity-position binding updating device 1000 may be the identity-position binding updating device 100 shown in Fig. 10, applied to the UE and configured to perform the method performed by the UE in Figs. 4 to 9.
When implemented as a chip, the identity-position binding updating device 1000 may be a chip applied in the UE, the chip having the functions involved in the UE performing the identity-position binding update method of the method embodiments above. The functions may be implemented by hardware, or by hardware executing corresponding software; the hardware or software includes one or more units corresponding to the functions. For example, the chip includes the receiving unit 1002 and the processing unit 1003, and may optionally further include the sending unit 1001 and a storage unit. The sending unit 1001 and the receiving unit 1002 may be input/output interfaces, pins or circuits on the chip. The processing unit 1003 may be, for example, a processor, and the storage unit may be, for example, a memory. The processing unit 1003 may execute the computer-executable instructions stored in the storage unit, so that the chip performs the identity-position binding update method performed by the UE in the method embodiments above. Optionally, the storage unit may be a storage unit within the chip (for example, a register or a cache), or a storage unit located in the UE outside the chip (for example, a read-only memory (ROM)), or another type of static storage device that can store static information and instructions (for example, a random access memory (RAM)).
When implemented as software functional units, Fig. 12 shows the structure of an identity-position binding updating device 2000 provided by an embodiment of this application. The identity-position binding updating device 2000 may be GRIDS or a component inside GRIDS. As shown in Fig. 12, the identity-position binding updating device 2000 includes a sending unit 2001, a receiving unit 2002 and a processing unit 2003.
Specifically, the sending unit 2001 is configured to send the challenge message generated by the processing unit 2003 to the UE, the challenge message including challenge content. The receiving unit 2002 is configured to receive the challenge response message sent by the UE, the challenge response message including the challenge result, the identity-position mapping relationship updated by the UE, and the challenge content carried in the challenge message sent by the sending unit 2001. The processing unit 2003 is configured to generate the challenge message including the challenge content, to verify the validity of the challenge response message on the basis of the challenge content and the challenge result included in the challenge response message received by the receiving unit 2002, and, if the challenge response message is valid, to save the identity-position mapping relationship updated by the UE.
Specifically, the challenge content includes the identity of the UE, the random number that GRIDS generated for the UE, and the message authentication code that GRIDS generated for the challenge content using its local key.
The processing unit 2003 verifies the validity of the message authentication code included in the challenge content and, if the message authentication code is valid, determines whether the challenge result is the solution to the challenge content.
Further, the challenge content also includes at least one of a timestamp of the challenge content and a difficulty coefficient of the challenge content. The processing unit 2003 is further configured to: if the challenge content includes the timestamp of the challenge content, determine from the timestamp that the challenge content is within its validity period before determining whether the challenge result is the solution to the challenge content; and, if the challenge content includes the difficulty coefficient of the challenge content, confirm whether the low k bits of the hash of the challenge result and the random number are 0, where k is the difficulty coefficient.
In one possible example, the receiving unit 2002 is further configured to receive, before the processing unit 2003 generates the challenge message, an identity-position binding update request sent by the UE. The identity-position binding update request includes a sequence number identifying the identity-position binding update request message sent by the UE, and the challenge message also includes that sequence number.
In another possible example, the processing unit 2003 is further configured to generate and save, after the receiving unit 2002 receives the challenge response message sent by the UE, a key and the validity period of the key, the key being used to verify the identity-position binding update messages subsequently sent by the UE. The sending unit 2001 is further configured to send a key message to the UE, the key message including the key and the validity period of the key.
Further, the processing unit 2003 is further configured to encrypt the key message with the public key of the UE, and the sending unit 2001 sends the encrypted key message.
In yet another possible example, the receiving unit 2002 is further configured to receive, after the sending unit 2001 sends the key message to the UE, the identity-position binding update message sent by the UE, the identity-position binding update message including a message authentication code and the subsequently updated identity-position mapping relationship of the UE, the message authentication code being generated by the UE on the basis of the key. The processing unit 2003 is further configured to verify the message authentication code using the saved key and, if verification succeeds, to save the subsequently updated identity-position mapping relationship of the UE.
In one possible embodiment, the challenge response message also includes the signature of the UE, which GRIDS uses to authenticate the challenge response message, and the key message also includes the signature of GRIDS, which the UE uses to authenticate the key message.
In another possible embodiment, the challenge response message also includes the certificate of the UE and the key message also includes the certificate of GRIDS; or the challenge response message also includes the session key agreement parameter of the UE and the key message also includes the session key agreement parameter of GRIDS.
Further, the identity-position binding updating device 2000 may also include a storage unit for storing computer-executable instructions. The processing unit 2003 is connected to the storage unit and executes the computer-executable instructions stored in it, so that the identity-position binding updating device 2000 performs the identity-position binding update method performed by GRIDS in the method embodiments above.
When implemented in hardware, the sending unit 2001 and the receiving unit 2002 may be a transceiver or a communication interface; the transceiver may include a radio frequency circuit. "Communication interface" is a collective term and may include one or more interfaces. The processing unit 2003 may be, for example, a processor or a controller.
When the sending unit 2001 and the receiving unit 2002 are a transceiver, the processing unit 2003 is a processor and the storage unit is a memory, the identity-position binding updating device 2000 may be the identity-position binding updating device 100 shown in Fig. 10, applied to GRIDS and configured to perform the method performed by GRIDS in Figs. 4 to 9.
When implemented as a chip, the identity-position binding updating device 2000 may be a chip applied in GRIDS, the chip having the functions involved in GRIDS performing the identity-position binding update method of the method embodiments above. The functions may be implemented by hardware, or by hardware executing corresponding software; the hardware or software includes one or more units corresponding to the functions. For example, the chip includes the sending unit 2001, the receiving unit 2002 and the processing unit 2003. The sending unit 2001 and the receiving unit 2002 may be input/output interfaces, pins or circuits on the chip. The processing unit 2003 may be, for example, a processor. Optionally, the chip further includes a storage unit, which may be, for example, a memory. The processing unit 2003 may execute the computer-executable instructions stored in the storage unit, so that the chip performs the identity-position binding update method performed by GRIDS in the method embodiments above. Optionally, the storage unit may be a storage unit within the chip (for example, a register or a cache), or a storage unit located in GRIDS outside the chip (for example, a read-only memory), or another type of static storage device that can store static information and instructions (for example, a random access memory).
For the explanation of the concepts related to the technical solutions of this application that are involved in the identity-position binding updating device 1000 and the identity-position binding updating device 2000, and for the other steps, refer to the descriptions in the method embodiments or other embodiments above; they are not repeated here.
The embodiment of the present application also provides a kind of binding more new system of identity position, within the system includes above-mentioned be related to GRIDS and UE, GRIDS and UE, which have, realizes corresponding function involved in above method embodiment.

Claims (18)

1. A binding update method of identity position, characterized in that the method includes:
a unified control and management layer GRIDS generates a challenge message, the challenge message including challenge content;
the GRIDS sends the challenge message to a communication device;
the GRIDS receives a challenge response message sent by the communication device, the challenge response message including the challenge content, a challenge result and an identity-position mapping relation updated by the communication device, the identity being the identity of the communication device and the position being the network address of the communication device;
the GRIDS verifies the validity of the challenge response message based on the challenge content and the challenge result, and if the challenge response message is valid, saves the identity-position mapping relation updated by the communication device.
2. The method according to claim 1, characterized in that the challenge content includes the identity of the communication device, a random number generated by the GRIDS for the communication device, and a message authentication code generated by the GRIDS for the challenge content using a local key;
the GRIDS verifying the validity of the challenge response message based on the challenge content and the challenge result includes:
the GRIDS verifies the validity of the message authentication code included in the challenge content, and if the message authentication code is valid, determines whether the challenge result is the challenge result of the challenge content.
3. The method according to claim 2, characterized in that the challenge content further includes at least one of a timestamp of the challenge content and a difficulty factor of the challenge content;
before the GRIDS determines whether the challenge result is the challenge result of the challenge content, the method further includes:
if the challenge content includes the timestamp of the challenge content, determining according to the timestamp of the challenge content that the challenge content is within its validity period;
the GRIDS determining whether the challenge result is the challenge result of the challenge content includes:
if the challenge content includes the difficulty factor of the challenge content, confirming whether the low k bits of the hash operation result of the challenge result and the random number are 0, where k is the difficulty factor.
4. The method according to any one of claims 1-3, characterized in that before the GRIDS generates the challenge message, the method further includes:
the GRIDS receives an identity-position binding update request sent by the communication device, the identity-position binding update request including a sequence number, the sequence number being used to identify the identity-position binding update request message sent by the communication device;
the challenge message further includes the sequence number.
5. The method according to any one of claims 1-4, characterized in that after the GRIDS receives the challenge response message sent by the communication device, the method further includes:
the GRIDS generates and saves a key and the validity period of the key, the key being used to verify identity-position binding update messages subsequently sent by the communication device;
the GRIDS sends a key message to the communication device, the key message including the key and the validity period of the key.
6. The method according to claim 5, characterized in that the key message is a message encrypted by the GRIDS using the public key of the communication device.
7. The method according to claim 5 or 6, characterized in that after the GRIDS sends the key message to the communication device, the method further includes:
the GRIDS receives an identity-position binding update message sent by the communication device, the identity-position binding update message including a message authentication code and the identity-position mapping relation subsequently updated by the communication device, the message authentication code being generated by the communication device based on the key;
the GRIDS verifies the message authentication code using the saved key, and if the verification passes, saves the identity-position mapping relation subsequently updated by the communication device.
8. The method according to any one of claims 5-7, characterized in that the challenge response message further includes a signature of the communication device, the signature of the communication device being used by the GRIDS to authenticate the challenge response message;
the key message further includes a signature of the GRIDS, the signature of the GRIDS being used by the communication device to authenticate the key message.
9. The method according to claim 8, characterized in that the challenge response message further includes the certificate of the communication device and the key message further includes the certificate of the GRIDS;
or
the challenge response message further includes the session key agreement parameter of the communication device and the key message further includes the session key agreement parameter of the GRIDS.
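The GRIDS-side checks of claims 1-7 (and of the mirrored device claims 10-16), as an added example that is not the patent's own code: a keyed MAC lets the GRIDS recognise its own challenge without storing it, the timestamp bounds the challenge's validity period, the low-k-bits hash rule is the difficulty check, and a valid response is rewarded with a key and expiry that later binding updates must prove possession of. The `Grids` class, the field layout of the challenge and the hash/MAC constructions are assumptions made here for illustration; the claims fix none of them.

```python
import hashlib
import hmac
import secrets
import struct
import time


def low_bits_zero(digest, k):
    """Difficulty check of claim 3: the k least significant bits of the hash must be 0."""
    return int.from_bytes(digest, "big") & ((1 << k) - 1) == 0


def solve_challenge(challenge):
    """Device side: search for a result whose hash together with the random number passes."""
    counter = 0
    while True:
        result = struct.pack(">Q", counter)
        if low_bits_zero(hashlib.sha256(result + challenge["nonce"]).digest(), challenge["k"]):
            return result
        counter += 1


def update_mac(key, identity, address):
    """MAC carried in later binding update messages (claim 7), keyed with the issued key."""
    return hmac.new(key, f"{identity}|{address}".encode(), hashlib.sha256).digest()


class Grids:
    """Hypothetical GRIDS: issues stateless challenges and keeps identity -> address mappings."""

    def __init__(self, local_key, ttl=60, key_lifetime=3600):
        self.local_key, self.ttl, self.key_lifetime = local_key, ttl, key_lifetime
        self.mappings = {}   # identity -> network address
        self.keys = {}       # identity -> (key, expiry) from the key message of claim 5

    def _challenge_mac(self, identity, nonce, ts, k):
        msg = identity.encode() + nonce + struct.pack(">QB", ts, k)
        return hmac.new(self.local_key, msg, hashlib.sha256).digest()

    def make_challenge(self, identity, k, now=None):
        """Challenge content of claims 2-3: identity, random number, timestamp, difficulty, MAC."""
        now = int(time.time()) if now is None else now
        nonce = secrets.token_bytes(16)
        return {"id": identity, "nonce": nonce, "ts": now, "k": k,
                "mac": self._challenge_mac(identity, nonce, now, k)}

    def verify_response(self, ch, result, address, now=None):
        """Returns the (key, expiry) of the key message if the response is valid, else None."""
        now = int(time.time()) if now is None else now
        expected = self._challenge_mac(ch["id"], ch["nonce"], ch["ts"], ch["k"])
        if not hmac.compare_digest(expected, ch["mac"]):      # not a challenge this GRIDS made
            return None
        if not ch["ts"] <= now <= ch["ts"] + self.ttl:        # outside the validity period
            return None
        if not low_bits_zero(hashlib.sha256(result + ch["nonce"]).digest(), ch["k"]):
            return None
        self.mappings[ch["id"]] = address                     # save the updated mapping
        key, expiry = secrets.token_bytes(32), now + self.key_lifetime
        self.keys[ch["id"]] = (key, expiry)
        return key, expiry

    def verify_update(self, identity, address, mac, now=None):
        """Later updates are accepted only under an unexpired key and a matching MAC."""
        now = int(time.time()) if now is None else now
        key, expiry = self.keys.get(identity, (None, 0))
        if key is None or now > expiry:
            return False
        if not hmac.compare_digest(update_mac(key, identity, address), mac):
            return False
        self.mappings[identity] = address
        return True
```

The timestamp only bounds how long a solved challenge stays acceptable; a deployment would additionally record challenges already redeemed within that window, which the claims leave unspecified.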
10. A binding updating device of identity position, applied to a unified control and management layer GRIDS, characterized in that the device includes a transmission unit, a receiving unit and a processing unit, wherein:
the transmission unit is configured to send to a communication device the challenge message generated by the processing unit, the challenge message including challenge content;
the receiving unit is configured to receive a challenge response message sent by the communication device, the challenge response message including a challenge result, the identity-position mapping relation updated by the communication device, and the challenge content included in the challenge message sent by the transmission unit, the identity being the identity of the communication device and the position being the network address of the communication device;
the processing unit is configured to generate the challenge message, the challenge message including the challenge content, to verify the validity of the challenge response message based on the challenge content and the challenge result included in the challenge response message received by the receiving unit, and to save the identity-position mapping relation updated by the communication device if the challenge response message is valid.
11. The device according to claim 10, characterized in that the challenge content includes the identity of the communication device, a random number generated by the GRIDS for the communication device, and a message authentication code generated by the GRIDS for the challenge content using a local key;
the processing unit verifies the validity of the challenge response message based on the challenge content and the challenge result in the following way:
verifying the validity of the message authentication code included in the challenge content, and if the message authentication code is valid, determining whether the challenge result is the challenge result of the challenge content.
12. The device according to claim 11, characterized in that the challenge content further includes at least one of a timestamp of the challenge content and a difficulty factor of the challenge content;
the processing unit is further configured to:
if the challenge content includes the timestamp of the challenge content, determine according to the timestamp of the challenge content that the challenge content is within its validity period before determining whether the challenge result is the challenge result of the challenge content;
if the challenge content includes the difficulty factor of the challenge content, confirm whether the low k bits of the hash operation result of the challenge result and the random number are 0, where k is the difficulty factor.
13. The device according to any one of claims 10-12, characterized in that the receiving unit is further configured to:
before the processing unit generates the challenge message, receive an identity-position binding update request sent by the communication device, the identity-position binding update request including a sequence number, the sequence number being used to identify the identity-position binding update request message sent by the communication device;
wherein the challenge message further includes the sequence number.
14. The device according to any one of claims 10-13, characterized in that the processing unit is further configured to:
after the receiving unit receives the challenge response message sent by the communication device, generate and save a key and the validity period of the key, the key being used to verify identity-position binding update messages subsequently sent by the communication device;
the transmission unit is further configured to:
send a key message to the communication device, the key message including the key and the validity period of the key.
15. The device according to claim 14, characterized in that the processing unit is further configured to encrypt the key message using the public key of the communication device;
the transmission unit sends the encrypted key message.
16. The device according to claim 14 or 15, characterized in that the receiving unit is further configured to:
after the transmission unit sends the key message to the communication device, receive an identity-position binding update message sent by the communication device, the identity-position binding update message including a message authentication code and the identity-position mapping relation subsequently updated by the communication device, the message authentication code being generated by the communication device based on the key;
the processing unit is further configured to:
verify the message authentication code received by the receiving unit using the saved key, and if the verification passes, save the identity-position mapping relation subsequently updated by the communication device.
17. The device according to any one of claims 14-16, characterized in that the challenge response message further includes a signature of the communication device, the signature of the communication device being used by the GRIDS to authenticate the challenge response message;
the key message further includes a signature of the GRIDS, the signature of the GRIDS being used by the communication device to authenticate the key message.
18. The device according to claim 17, characterized in that the challenge response message further includes the certificate of the communication device and the key message further includes the certificate of the GRIDS;
or
the challenge response message further includes the session key agreement parameter of the communication device and the key message further includes the session key agreement parameter of the GRIDS.
CN201810055629.4A 2018-01-19 2018-01-19 Binding update method and device for identity position Active CN110061833B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810055629.4A CN110061833B (en) 2018-01-19 2018-01-19 Binding update method and device for identity position

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810055629.4A CN110061833B (en) 2018-01-19 2018-01-19 Binding update method and device for identity position

Publications (2)

Publication Number Publication Date
CN110061833A true CN110061833A (en) 2019-07-26
CN110061833B CN110061833B (en) 2020-09-04

Family

ID=67315269

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810055629.4A Active CN110061833B (en) 2018-01-19 2018-01-19 Binding update method and device for identity position

Country Status (1)

Country Link
CN (1) CN110061833B (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103428220A (en) * 2013-08-23 2013-12-04 中国人民解放军理工大学 Virtual reconstruction ubiquitous network architecture based on identity-position separation
US20140245394A1 (en) * 2013-02-26 2014-08-28 International Business Machines Corporation Trust-based computing resource authorization in a networked computing environment

Also Published As

Publication number Publication date
CN110061833B (en) 2020-09-04

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant