CN110061833A - A kind of binding update method and device of identity position - Google Patents
- Publication number
- CN110061833A
- Authority
- CN
- China
- Prior art keywords
- challenge
- grids
- message
- communication equipment
- key
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L63/00—Network architectures or network communication protocols for network security
        - H04L63/08—for authentication of entities
          - H04L63/0807—using tickets, e.g. Kerberos
          - H04L63/0823—using certificates
          - H04L63/0876—based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
        - H04L63/14—for detecting or protecting against malicious traffic
          - H04L63/1441—Countermeasures against malicious traffic
            - H04L63/1458—Denial of Service
      - H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
        - H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
          - H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
            - H04L9/0866—involving user or device identifiers, e.g. serial number, physical or biometrical information, DNA, hand-signature or measurable physical characteristics
            - H04L9/0869—involving random numbers or seeds
            - H04L9/0872—using geo-location information, e.g. location data, time, relative position or proximity to other entities
        - H04L9/32—including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
          - H04L9/3263—involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
          - H04L9/3271—using challenge-response
          - H04L9/3297—involving time stamps, e.g. generation of time stamps
Abstract
A binding update method and device for identity and location. In the method, the GRIDS generates a challenge message containing challenge content and sends it to a communication device. The communication device receives the challenge message sent by the unified control and management layer (GRIDS) and returns a challenge response message to the GRIDS; the challenge response message contains the challenge content, the challenge result and the updated identity-location mapping of the communication device. The GRIDS receives the challenge response message sent by the communication device, verifies its validity on the basis of the challenge content and the challenge result and, if the challenge response message is valid, saves the communication device's updated identity-location mapping, thereby improving the security of a binding update process implemented with a subscribe/publish model.
Description
Technical field
This application relates to the field of communication technology, and in particular to a binding update method and device for identity and location.
Background technique
Identity-oriented networking (ION) is a new network architecture for future networks. In the ION architecture, a communication device is represented by a unique, constant identity (ID), and the network location of the device is represented by a locator (Locator, or IP address). When a communication device changes location, its Locator changes while its ID remains unchanged. As shown in Figure 1, taking a communication device acting as a mobile node (MN) as an example: when the MN moves from position A to position B, its ID remains ID_JOHN while its Locator changes from 2.2.2.2 to 1.1.1.1, that is, the mapping between ID and Locator changes. To re-establish its ongoing connections, the MN must notify its correspondent node (CN) of the updated ID/Locator mapping; this process is called an identity-location binding update (BU).
In the ION architecture, the Mobile IPv6 (MIPv6) protocol serves as a mobile communication protocol based on the separation of ID and Locator. In MIPv6 the ID is the home address (HoA) and the Locator is the care-of address (CoA), and MIPv6 defines the communication process between MN and CN. In MIPv6 the identity-location binding update is realized by transmitting the updated ID/Locator mapping between communication devices; for example, the MN can encrypt the updated ID/Locator mapping and send it to the peer node (CN). This binding update runs end to end, but in this approach the MN must perform a separate binding update with every CN it communicates with, so both the computational overhead and the network overhead are large.
The ION architecture also sets up a unified control and management layer, the Generic Resilient ID Services (GRIDS), for managing related services. This control and management layer is deployed in a distributed manner in the network and centrally manages information such as host identities and locations; for example, it can provide a mapping management service for identity and location (Mapping/Location Service). Based on the mapping management service provided by GRIDS, nodes can perform binding updates in PUB/SUB (subscribe/publish) mode. As in Figure 2, node UE_D subscribes at GRIDS to the ID/Locator mapping of the node it needs to communicate with (such as node UE_S); when the location of node UE_S changes, UE_S reports its updated location to GRIDS, and GRIDS publishes UE_S's location to all communication devices that have subscribed to node UE_S (such as node UE_D). Compared with end-to-end binding updates, implementing the binding update in PUB/SUB mode reduces the operations a node must perform and lowers the computation and network overhead of the binding update process. However, when the binding update is implemented in PUB/SUB mode by simply reporting the location, a considerable security risk arises.
Summary of the invention
Embodiments of the present application provide a binding update method and device for identity and location, to improve the security of a binding update process implemented with a subscribe/publish model.
In a first aspect, embodiments of the present application provide an identity-location binding update system comprising a GRIDS and a communication device. The GRIDS generates a challenge message and sends it to the communication device. The communication device receives the challenge message sent by the GRIDS, determines a challenge response message and sends it to the GRIDS; the challenge response message contains the challenge content carried in the challenge message, and further contains the challenge result and the updated identity-location mapping of the communication device. The GRIDS receives the challenge response message sent by the communication device, verifies its validity on the basis of the challenge content and the challenge result and, if the challenge response message is valid, saves the communication device's updated identity-location mapping.
In the embodiments of the present application, the GRIDS sends a challenge message and the communication device feeds back a challenge response message; in this way the GRIDS authenticates the communication device that sends the updated identity-location mapping, which protects the GRIDS against DoS/DDoS attacks from communication devices. Because the challenge response message carries both the challenge content and the challenge result, the GRIDS does not need to store session state information, and replay attacks can therefore be avoided. The binding update method for identity and location provided by the embodiments of the present application can thus improve the security of the binding update process.
The updated identity-location mapping may be encrypted or in plaintext.
In one possible embodiment, the challenge content includes the identity of the communication device, a random number generated by the GRIDS for the communication device, and a message authentication code generated by the GRIDS over the challenge content using its local key. The GRIDS can verify the validity of the message authentication code contained in the challenge content and, if the message authentication code is valid, further determine whether the challenge result is the challenge result for that challenge content.
Further, the challenge content also includes at least one of a timestamp of the challenge content and a difficulty coefficient of the challenge content. If the challenge content includes a timestamp, the GRIDS, before determining whether the challenge result is the challenge result for the challenge content, determines from the timestamp that the challenge content is still within its validity period. If the challenge content does not include a timestamp, there is no need to determine whether the challenge content is within its validity period, and the GRIDS can directly determine whether the challenge result is the challenge result for the challenge content.
If the challenge content includes a difficulty coefficient, the GRIDS determines whether the challenge result is the challenge result for the challenge content by confirming whether the low k bits of the hash of the challenge result and the random number are 0, where k is the difficulty coefficient. If the challenge content does not include a difficulty coefficient, the GRIDS determines whether the challenge result is the challenge result for the challenge content by confirming whether the hash of the challenge result and the random number is 0.
In another possible embodiment, the communication device sends an identity-location binding update request to the GRIDS, and the GRIDS receives it. The binding update request contains a sequence number that identifies the binding update request message sent by the communication device. The challenge message that the GRIDS sends to the communication device also contains this sequence number. Before sending the challenge response message to the GRIDS, the communication device determines whether the sequence number in the challenge message matches the sequence number in the binding update request it sent; only if they match does it compute the challenge result and send the challenge response message. This ensures that the received challenge message was indeed sent in response to this communication device's request, and prevents a malicious attacker who impersonates the GRIDS from mounting an impersonation attack on the communication device.
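The challenge-response phase described above (challenge content carrying the identity, a random number, a timestamp, a difficulty coefficient and a MAC under the GRIDS local key; the sequence number check on the device; the MAC, timestamp and low-k-bits hash checks at the GRIDS), as an added Python example that is not part of the patent. The JSON encoding, SHA-256 and HMAC-SHA256, the 60-second challenge lifetime, all function names and the constructed key are assumptions.

```python
import hashlib
import hmac
import json
import os
import time
from typing import Optional, Tuple

# Constructed demo key standing in for the GRIDS "local key"; never hard-code a real one.
GRIDS_LOCAL_KEY = b"grids-local-key-constructed-for-demo"
CHALLENGE_LIFETIME_S = 60  # assumed validity window for a challenge timestamp


def encode_fields(fields: dict) -> bytes:
    """Canonical JSON so the MAC input is unambiguous on both sides (assumed encoding)."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def low_k_bits_zero(result: int, nonce_hex: str, k: int) -> bool:
    """The patent's check: the low k bits of Hash(challenge result || random number) are 0."""
    digest = hashlib.sha256(result.to_bytes(8, "big") + bytes.fromhex(nonce_hex)).digest()
    return int.from_bytes(digest, "big") & ((1 << k) - 1) == 0


def grids_make_challenge(device_id: str, seq: int, k: int, now: Optional[float] = None) -> dict:
    """GRIDS side: challenge content = identity, random number, timestamp, difficulty k,
    plus a MAC over those fields under the GRIDS local key. Nothing is stored: the MAC
    lets the GRIDS recognise its own challenge when it comes back."""
    content = {
        "id": device_id,
        "nonce": os.urandom(16).hex(),
        "ts": int(now if now is not None else time.time()),
        "k": k,
    }
    content["mac"] = hmac.new(GRIDS_LOCAL_KEY, encode_fields(content), hashlib.sha256).hexdigest()
    # seq echoes the sequence number from the device's binding update request.
    return {"seq": seq, "challenge": content}


def device_solve(challenge_msg: dict, expected_seq: int, new_locator: str) -> Optional[dict]:
    """Device side: accept only a challenge carrying the sequence number of its own
    request (guards against a forged GRIDS), then search for a challenge result."""
    if challenge_msg["seq"] != expected_seq:
        return None
    content = challenge_msg["challenge"]
    result = 0
    while not low_k_bits_zero(result, content["nonce"], content["k"]):
        result += 1
    return {
        "challenge": content,  # echoed back unchanged, MAC included
        "result": result,
        "mapping": {"id": content["id"], "locator": new_locator},
    }


def grids_verify_response(resp: dict, now: Optional[float] = None) -> Tuple[bool, str]:
    """GRIDS side, in the order the text gives: MAC on the echoed challenge content,
    then timestamp validity, then the low-k-bits hash check on the challenge result."""
    content = dict(resp["challenge"])
    claimed_mac = content.pop("mac", "")
    expected_mac = hmac.new(GRIDS_LOCAL_KEY, encode_fields(content), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(claimed_mac, expected_mac):
        return False, "mac"       # not a challenge this GRIDS issued, or tampered in transit
    now = now if now is not None else time.time()
    if not (content["ts"] <= now <= content["ts"] + CHALLENGE_LIFETIME_S):
        return False, "expired"   # outside the challenge's validity period
    if not low_k_bits_zero(resp["result"], content["nonce"], content["k"]):
        return False, "pow"       # challenge result does not belong to this challenge
    # Added check (an assumption, not from the text): the mapping must be for the
    # identity the challenge was issued to.
    if resp["mapping"]["id"] != content["id"]:
        return False, "identity"
    return True, "ok"
```

Within the lifetime window this stateless verifier accepts the same valid response twice; a deployment that needs strict single use would keep a short-lived cache of seen nonces for that window.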
In another possible embodiment, after the GRIDS receives the challenge response message sent by the communication device, it generates a key for verifying the identity-location binding update messages that the communication device sends subsequently, together with a validity period for that key, and stores both. The GRIDS sends a key message to the communication device containing the key and its validity period. The communication device receives the key message and stores the key and its validity period, so that when it later sends an updated identity-location mapping to the GRIDS it can determine whether the key is still within its validity period; if it is, the device can send the identity-location binding update message directly, without going through challenge-response security verification again.
Specifically, the GRIDS can encrypt the key message with the public key of the communication device and send the encrypted key message to the communication device, further improving security.
Further, after storing the key and its validity period, when the communication device determines that it needs to send an updated identity-location mapping to the GRIDS, it determines whether the key is within its validity period and, if so, uses the key to generate a message authentication code. The communication device sends an identity-location binding update message to the GRIDS containing the message authentication code and the device's subsequently updated identity-location mapping. The GRIDS receives the binding update message, verifies the message authentication code with the stored key and, if verification passes, saves the communication device's subsequently updated identity-location mapping.
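The key phase described in the preceding paragraphs (GRIDS issues a key with a validity period after a valid challenge response; later binding updates carry a MAC under that key; both sides check the validity period before relying on the key), as an added Python example that is not part of the patent. Class and function names, HMAC-SHA256 over a canonical JSON encoding, and the one-hour key lifetime are assumptions; encryption of the key message to the device's public key is left out of the example.

```python
import hashlib
import hmac
import json
import os
from typing import Dict, Optional, Tuple

KEY_LIFETIME_S = 3600  # assumed validity period of an issued key


def encode_mapping(mapping: dict) -> bytes:
    """Canonical JSON so device and GRIDS compute the MAC over identical bytes."""
    return json.dumps(mapping, sort_keys=True, separators=(",", ":")).encode()


class GridsKeyStore:
    """GRIDS side: per-device key and validity period, stored after a valid challenge response."""

    def __init__(self) -> None:
        self._keys: Dict[str, Tuple[bytes, int]] = {}

    def issue_key(self, device_id: str, now: float) -> dict:
        """Generate and store the key and its expiry; return the key message content.
        (The patent sends this encrypted to the device's public key; omitted here.)"""
        key = os.urandom(32)
        expiry = int(now) + KEY_LIFETIME_S
        self._keys[device_id] = (key, expiry)
        return {"key": key.hex(), "expiry": expiry}

    def verify_update(self, msg: dict, now: float) -> Tuple[bool, str]:
        """Verify a binding update message: known device, key still valid, MAC correct."""
        entry = self._keys.get(msg["mapping"]["id"])
        if entry is None:
            return False, "no-key"      # device must first pass challenge-response
        key, expiry = entry
        if now > expiry:
            return False, "expired"     # key lapsed; challenge-response is required again
        expected = hmac.new(key, encode_mapping(msg["mapping"]), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(msg["mac"], expected):
            return False, "mac"
        return True, "ok"


class Device:
    """Communication device side: keeps the issued key and checks its validity before use."""

    def __init__(self, device_id: str) -> None:
        self.device_id = device_id
        self.key: Optional[bytes] = None
        self.expiry = 0

    def store_key_message(self, key_msg: dict) -> None:
        self.key = bytes.fromhex(key_msg["key"])
        self.expiry = key_msg["expiry"]

    def build_update(self, new_locator: str, now: float) -> Optional[dict]:
        """Return a MAC-protected binding update, or None when the key is missing or
        lapsed, in which case the device must go back through challenge-response."""
        if self.key is None or now > self.expiry:
            return None
        mapping = {"id": self.device_id, "locator": new_locator}
        mac = hmac.new(self.key, encode_mapping(mapping), hashlib.sha256).hexdigest()
        return {"mapping": mapping, "mac": mac}
```

As in the text, the update carries no counter, so an earlier update could be re-sent while the key is valid; a deployment would add a monotonically increasing field under the MAC.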
Further, the key message that the GRIDS sends to the communication device may also include the signature of the GRIDS; on receiving the key message, the terminal authenticates it using the GRIDS signature. The challenge response message that the communication device sends to the GRIDS may likewise include the signature of the communication device; after receiving the challenge response message, the GRIDS authenticates it using the communication device's signature carried in the message. Through this signature authentication, the communication device and the GRIDS achieve mutual authentication.
Further, the challenge response message also includes the public key certificate of the communication device, and the key message also includes the public key certificate of the GRIDS. After the GRIDS receives the challenge response message, it can verify the communication device's public key certificate carried in the message, obtain the device's public key, and use it to authenticate the device's signature. After the communication device receives the key message, it can verify the GRIDS public key certificate carried in the key message, obtain the GRIDS public key, and use it to authenticate the GRIDS signature.
Further, the challenge response message also includes a session key agreement parameter of the communication device, and the key message also includes a session key agreement parameter of the GRIDS. The communication device sends its session key agreement parameter to the GRIDS in the challenge response message, so that the GRIDS can generate the key from the device's parameter and its own parameter. The GRIDS sends the session key agreement parameter it used to generate the key to the communication device in the key message, so that the device can generate the same key from the device's parameter and the GRIDS parameter.
In a second aspect, embodiments of the present application provide an identity-location binding update method that can be applied to a GRIDS, or to a chip in a GRIDS. When applied to a GRIDS, the GRIDS generates a challenge message containing challenge content and sends it to a communication device. The GRIDS receives the challenge response message sent by the communication device, which contains the challenge content, the challenge result and the updated identity-location mapping of the communication device, where the identity is the identity of the communication device and the location is its network address. The GRIDS verifies the validity of the challenge response message on the basis of the challenge content and the challenge result and, if the challenge response message is valid, saves the communication device's updated identity-location mapping.
In the embodiments of the present application, the GRIDS sends a challenge message and the communication device feeds back a challenge response message; in this way the GRIDS authenticates the communication device that sends the updated identity-location mapping, which protects the GRIDS against DoS/DDoS attacks from communication devices. Because the challenge response message carries both the challenge content and the challenge result, the GRIDS does not need to store session state information, and replay attacks can therefore be avoided. The binding update method for identity and location provided by the embodiments of the present application can thus improve the security of the binding update process.
The identity-location mapping involved in the embodiments of the present application may be encrypted or in plaintext.
In one possible design, the challenge content includes the identity of the communication device, a random number generated by the GRIDS for the communication device, and a message authentication code generated by the GRIDS over the challenge content using its local key. When verifying the validity of the challenge response message on the basis of the challenge content and the challenge result, the GRIDS verifies the validity of the message authentication code contained in the challenge content and, if the message authentication code is valid, determines whether the challenge result is the challenge result for the challenge content.
In another possible design, the challenge content also includes at least one of a timestamp of the challenge content and a difficulty coefficient of the challenge content. If the challenge content includes a timestamp, the GRIDS, before determining whether the challenge result is the challenge result for the challenge content, determines from the timestamp that the challenge content is within its validity period. If the challenge content includes a difficulty coefficient, the GRIDS, when determining whether the challenge result is the challenge result for the challenge content, confirms whether the low k bits of the hash of the challenge result and the random number are 0, where k is the difficulty coefficient.
In another possible design, before generating the challenge message the GRIDS may also receive an identity-location binding update request sent by the communication device. The binding update request contains a sequence number that identifies the binding update request message sent by the communication device, and the challenge message sent by the GRIDS contains the same sequence number. Before sending the challenge response message, the communication device can therefore determine whether the sequence number in the challenge message matches the sequence number in the binding update request it sent, and compute the challenge result and send the challenge response message only if they match. This ensures that the received challenge message was sent for this communication device and prevents a malicious attacker impersonating the GRIDS from mounting an impersonation attack on the communication device.
In another possible design, after the GRIDS receives the challenge response message sent by the communication device, it generates and stores a key and a validity period for the key; the key is used to verify the identity-location binding update messages that the communication device sends subsequently. The GRIDS sends a key message to the communication device containing the key and its validity period, so that when the communication device later sends an updated identity-location mapping to the GRIDS it can determine whether the key is within its validity period and, if so, send the identity-location binding update message directly without going through challenge-response security verification again.
The key message is a message that the GRIDS encrypts with the public key of the communication device.
Further, after sending the key message to the communication device, the GRIDS can receive an identity-location binding update message sent by the communication device; this message contains a message authentication code, generated by the communication device on the basis of the key, and the device's subsequently updated identity-location mapping. The GRIDS verifies the message authentication code with the stored key and, if verification passes, saves the communication device's subsequently updated identity-location mapping.
Further, the challenge response message may also include the signature of the communication device, which the GRIDS uses to authenticate the challenge response message, and the key message may also include the signature of the GRIDS, which the communication device uses to authenticate the key message. By carrying the communication device's signature in the challenge response message and the GRIDS signature in the key message, the communication device and the GRIDS achieve mutual authentication by means of signature authentication.
Further, the challenge response message also includes the certificate of the communication device, and the key message also includes the certificate of the GRIDS, so that after the GRIDS receives the challenge response message it can verify the communication device's public key certificate carried in it, obtain the device's public key, and use it to authenticate the device's signature; and after the communication device receives the key message it can verify the GRIDS public key certificate carried in it, obtain the GRIDS public key, and use it to authenticate the GRIDS signature.
Alternatively, the challenge response message also includes a session key agreement parameter of the communication device, so that the device sends its parameter to the GRIDS in the challenge response message and the GRIDS can generate the key from the device's parameter and its own. The key message also includes the session key agreement parameter of the GRIDS, so that the GRIDS sends the parameter it used to generate the key to the communication device in the key message and the device can generate the key from its own parameter and the GRIDS parameter.
In a third aspect, embodiments of the present application provide an identity-location binding update method that can be applied to a communication device, or to a chip in a communication device. When applied to a communication device, the communication device receives a challenge message sent by the GRIDS, the challenge message containing challenge content. The communication device sends a challenge response message to the GRIDS containing the challenge content, the challenge result and the updated identity-location mapping of the communication device.
In summary, because the communication device receives a challenge message and returns a challenge response message, the GRIDS can authenticate the communication device that sends the updated identity-location mapping, which protects the GRIDS against DoS/DDoS attacks from communication devices. Because the challenge response message carries both the challenge content and the challenge result, the GRIDS need not keep session state, and replay attacks can be avoided. The identity-location binding update method provided by the embodiments of the present application therefore improves the security of the binding update process.
In a possible design, the challenge content includes an identity of the communication device, a random number generated by the GRIDS for the communication device, and a message authentication code that the GRIDS generates over the challenge content using a local key.
Further, the challenge content further includes at least one of a timestamp of the challenge content and a difficulty coefficient of the challenge content.
In another possible design, before receiving the challenge message sent by the GRIDS, the communication device may also send an identity-location binding update request to the GRIDS. The identity-location binding update request includes a sequence number that identifies the identity-location binding update request message sent by the communication device, and the challenge message also includes that sequence number. Before sending the challenge response message to the GRIDS, the communication device can determine whether the sequence number in the challenge message matches the sequence number in the identity-location binding update request it sent, and only if the two match does it compute the challenge result and send the challenge response message. This ensures that the received challenge message was sent in reply to this communication device's request and prevents an attacker impersonating the GRIDS from mounting an impersonation attack on the communication device.
In yet another possible design, after sending the challenge response message to the GRIDS, the communication device may receive a key message sent by the GRIDS and save the key and the validity period of the key carried in it. When the communication device subsequently sends an updated identity-location mapping to the GRIDS, it can determine whether the key is within its validity period; if so, it can send the identity-location binding update message directly, without going through challenge-response security verification again. The key message carries the key and the validity period of the key, the key being generated by the GRIDS for the communication device and used to verify the identity-location mappings that the communication device subsequently updates.
The key message is encrypted by the GRIDS with the public key of the communication device.
Further, after saving the key and its validity period, the communication device may, on determining that the key is within its validity period, generate a message authentication code using the key and send an identity-location binding update message to the GRIDS. The identity-location binding update message includes the message authentication code and the subsequently updated identity-location mapping of the communication device, so that the GRIDS verifies the message authentication code with the saved key and, if verification succeeds, saves the subsequently updated identity-location mapping of the communication device.
Further, the challenge response message further includes a signature of the communication device, which the GRIDS uses to authenticate the challenge response message, and the key message further includes a signature of the GRIDS, which the communication device uses to authenticate the key message. Carrying the signature of the communication device in the challenge response message and the signature of the GRIDS in the key message allows the communication device and the GRIDS to authenticate each other by signature verification.
Further, the challenge response message further includes a certificate of the communication device, and the key message further includes a certificate of the GRIDS. After receiving the challenge response message, the GRIDS can verify the public key certificate of the communication device carried in it, obtain the public key of the communication device, and use that public key to authenticate the signature of the communication device. After receiving the key message, the communication device can verify the public key certificate of the GRIDS carried in it, obtain the public key of the GRIDS, and use that public key to authenticate the signature of the GRIDS.
Alternatively, the challenge response message further includes a session key agreement parameter of the communication device, so that the communication device sends its session key agreement parameter to the GRIDS in the challenge response message and the GRIDS can generate a key from the session key agreement parameter of the communication device together with its own session key agreement parameter. The key message further includes a session key agreement parameter of the GRIDS, so that the GRIDS sends the communication device, in the key message, the parameter it used to generate the key, and the communication device can generate the key from its own session key agreement parameter together with that of the GRIDS.
In a fourth aspect, an embodiment of the present application provides an identity-location binding update apparatus, which may be a GRIDS or a chip inside a GRIDS. The GRIDS or the chip inside the GRIDS has the function of performing the identity-location binding update method executed by the GRIDS in the second aspect or in any possible design of the second aspect. The function may be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the above function; a module may be software and/or hardware.
The GRIDS includes a sending unit, a receiving unit and a processing unit. The sending unit and the receiving unit may be a transceiver, which may include a radio frequency circuit, and the processing unit may be, for example, a processor. Optionally, the GRIDS further includes a storage unit, which may be, for example, a memory. When the GRIDS includes a processing unit and a storage unit, the storage unit stores computer-executable instructions, the processing unit is connected to the storage unit, and the processing unit executes the computer-executable instructions stored in the storage unit so that the GRIDS performs the identity-location binding update method of the second aspect or of any possible design of the second aspect.
The chip includes a sending unit, a receiving unit and a processing unit. The sending unit and the receiving unit may be input/output interfaces, pins or circuits on the chip, and the processing unit may be, for example, a processor. Optionally, the chip further includes a storage unit, which may be, for example, a memory. The processing unit can execute the computer-executable instructions stored in the storage unit so that the chip performs the identity-location binding update method of the second aspect or of any possible design of the second aspect.
Optionally, the storage unit may be a storage unit inside the chip (for example, a register or a cache), a storage unit located outside the chip in the GRIDS (for example, a read-only memory), or another type of static storage device that can store static information and instructions (for example, a random access memory).
In a fifth aspect, an embodiment of the present application provides an identity-location binding update apparatus, which may be a communication device or a chip inside a communication device. The communication device or the chip inside the communication device has the function of performing the identity-location binding update method executed by the communication device in the third aspect or in any possible design of the third aspect. The function may be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the above function; a module may be software and/or hardware.
The communication device includes a receiving unit and a processing unit. Optionally, the communication device may further include a sending unit and/or a storage unit. The sending unit and the receiving unit may be a transceiver, which may include a radio frequency circuit; the processing unit may be, for example, a processor; and the storage unit may be, for example, a memory. When the communication device includes a processing unit and a storage unit, the storage unit stores computer-executable instructions, the processing unit is connected to the storage unit, and the processing unit executes the computer-executable instructions stored in the storage unit so that the communication device performs the identity-location binding update method of the third aspect or of any possible design of the third aspect.
The chip includes a receiving unit and a processing unit. Optionally, the chip may further include a sending unit and/or a storage unit. The sending unit and the receiving unit may be input/output interfaces, pins or circuits on the chip; the processing unit may be, for example, a processor; and the storage unit may be, for example, a memory. The processing unit can execute the computer-executable instructions stored in the storage unit so that the chip performs the identity-location binding update method of the third aspect or of any possible design of the third aspect.
Optionally, the storage unit may be a storage unit inside the chip (for example, a register or a cache), a storage unit located outside the chip in the communication device (for example, a read-only memory), or another type of static storage device that can store static information and instructions (for example, a random access memory).
The identity-location binding update method and apparatus provided by the embodiments of the present application carry out the identity-location binding update by having the GRIDS send a challenge message and the communication device return a challenge response message, which improves the security of the binding update process. Moreover, because the challenge response message carries both the challenge content and the challenge result of that content, the GRIDS need not keep session state, and replay attacks can be avoided.
Brief description of the drawings
Fig. 1 is a schematic diagram of a binding update process carried out by exchanging binding update messages between communication devices;
Fig. 2 is a schematic diagram of a binding update process between communication devices based on a publish/subscribe model;
Fig. 3 is a system architecture diagram to which the embodiments of the present application are applied;
Fig. 4 is a flowchart of an identity-location binding update method provided by an embodiment of the present application;
Fig. 5 is a flowchart of another identity-location binding update method provided by an embodiment of the present application;
Fig. 6 is a flowchart of another identity-location binding update method provided by an embodiment of the present application;
Fig. 7 is a flowchart of another identity-location binding update method provided by an embodiment of the present application;
Fig. 8 is a flowchart of another identity-location binding update method provided by an embodiment of the present application;
Fig. 9 is a flowchart of another identity-location binding update method provided by an embodiment of the present application;
Fig. 10 is a structural schematic diagram of an identity-location binding update apparatus provided by an embodiment of the present application;
Fig. 11 is a structural schematic diagram of an identity-location binding update apparatus provided by an embodiment of the present application;
Fig. 12 is a structural schematic diagram of another identity-location binding update apparatus provided by an embodiment of the present application.
Detailed description of embodiments
The technical solutions in the embodiments of the present application are described below with reference to the accompanying drawings.
The embodiments of the present application provide an identity-location binding update method and apparatus that can be applied to the ION network architecture shown in Fig. 3. As shown in Fig. 3, the ION network architecture includes communication devices (also called communication nodes or node devices) and the unified control and management layer of ION, the GRIDS (generic resilient id services). The communication devices can be understood as the data plane of the ION network architecture; communication devices in the ION network architecture can communicate end to end, for example through a radio access network (RAN), a user plane function (UPF) and the Internet as shown in Fig. 1. Each communication device of the data plane supports a protocol that separates identity from location when communicating end to end, that is, its protocol stack includes a physical layer (PHY layer), a link layer, an IP layer (IP layer, or locator), an identity layer (ID layer), a transport layer (Transport) and an application layer (App). The GRIDS can be understood as the control plane of the ION network architecture. It is deployed in a distributed manner in the ION network architecture and centrally manages information such as the identities and locations of communication devices; for example, it can provide an identity management service (Identity Service), an identity-location mapping management service (Mapping/Location Service), an identity relationship management service (Grouping Service) and a metadata management service (Metadata Service). A communication device whose identity-location mapping changes sends an identity-location binding update request to the software communication module of the GRIDS, which provides the reporting of identity-location mappings, and the GRIDS sends the updated identity-location mapping to the other communication devices that subscribe to that communication device's identity-location mapping, completing the binding update process.
At present, a communication device whose identity-location mapping changes simply reports its location to the GRIDS, which carries considerable security risk. For example, during the identity-location mapping update in which a communication device reports identity-location information, if the GRIDS keeps session state, a malicious communication device that initiates a large number of session connections can cause a denial of service (DoS) or distributed denial of service (DDoS) attack. As another example, if a malicious communication device impersonates another communication device and reports identity-location information, reporting a location that does not belong to its own ID, this causes an impersonation attack. As a further example, a malicious communication device that repeatedly sends identity-location information to the GRIDS using another communication device's legitimate signature information consumes a large amount of the network and computing resources of the GRIDS, causing a replay attack.
In view of this, the embodiments of the present application provide an identity-location binding update method in which the GRIDS authenticates the communication device by means of challenge-response authentication. Challenge-response authentication can be understood as a computation process: the GRIDS issues a computation request containing the content to be computed; the communication device receives the request, performs the computation on that content (for example, by exhaustive search), obtains a result and sends it to the GRIDS; and the GRIDS receives the result and verifies whether it is correct. The computation request corresponds to the challenge message, the content to be computed corresponds to the challenge content, and the result corresponds to the challenge response message.
When the authentication of the communication device by the GRIDS is implemented with challenge-response authentication in the embodiments of the present application, the communication device sends an identity-location binding update request to the GRIDS; the GRIDS receives the request, generates a challenge message and sends it to the communication device; the communication device receives the challenge message, determines the challenge response message and sends it to the GRIDS, the challenge response message including the challenge content carried in the challenge message, the challenge result and the updated identity-location mapping of the communication device; and the GRIDS receives the challenge response message, verifies its validity based on the challenge content and the challenge result, and, if the challenge response message is valid, saves the updated identity-location mapping of the communication device. Authenticating the communication device in this way, with the GRIDS sending a challenge message and the communication device returning a challenge response message, protects the GRIDS against DoS/DDoS attacks from communication devices; and because the challenge response message carries the challenge content and the challenge result of that content, the GRIDS need not keep session state, and replay attacks can be avoided. The identity-location binding update method provided by the embodiments of the present application therefore improves the security of the binding update process.
It should be understood that the communication device in the embodiments of the present application must support a protocol that separates identity from location. It may be, for example, a terminal that supports an identity-location separation protocol; such a terminal may also be called user equipment (UE), a mobile station (MS) or a mobile terminal (MT), and may include a mobile phone, a tablet computer, a laptop computer, a mobile Internet device (MID) or a wearable device (such as a smart watch, smart bracelet or pedometer), or another communication device that supports an identity-location separation protocol. The communication device in the embodiments of the present application may also be a network device, such as a gateway, that supports an identity-location separation protocol.
For ease of description, the embodiments below take a UE as the example of the communication device.
Fig. 4 is a flowchart of an identity-location binding update method provided by an embodiment of the present application. As shown in Fig. 4, the method includes:
S101: the UE sends an identity-location binding update request to the GRIDS.
In this embodiment, when the location of the UE changes, the UE may send an identity-location binding update request message to the GRIDS to report the identity-location binding update. For ease of description, this identity-location binding update request message is denoted U1. The parameters carried in U1 include a message type (message_type) and a sequence number (seq_number). message_type is the identity-location binding update request type (update_request_type) and identifies the message as an identity-location binding update request sent by the UE to the GRIDS. seq_number is the sequence number of the identity-location binding update request message currently reported by the UE; it can be chosen by the UE and identifies the identity-location binding update request message sent by the UE.
S102: the GRIDS generates a challenge message.
Specifically, after receiving the identity-location binding update request sent by the UE, the GRIDS may generate a challenge message. The challenge message includes challenge content (challenge); the GRIDS can construct the challenge content for the UE, and the UE computes the corresponding challenge result (solution) for it.
In a possible embodiment, the GRIDS constructs challenge content for each UE that sends an identity-location binding update request. The challenge content constructed by the GRIDS may include the identity (ID) of the UE, a random number (random) generated by the GRIDS for the UE, and a message authentication code generated by the GRIDS over the challenge content using a local key. The ID of the UE identifies the UE that the challenge content targets; random is the random number parameter used when computing the challenge result corresponding to the challenge content; and the message authentication code generated by the GRIDS over the challenge content using the local key is used to authenticate the challenge content when it is returned in the challenge response message, preventing the UE from forging challenge content.
Further, the challenge content constructed by the GRIDS may also include at least one of a timestamp (timestamp) of the challenge content and a difficulty coefficient (k) of the challenge content. The timestamp identifies the validity period of the challenge content. The difficulty coefficient sets the computational difficulty of the challenge result; for example, different UEs may be given different difficulty coefficients k.
Further, before generating the challenge message, the GRIDS may authenticate the identity of the UE: if authentication succeeds, it generates the challenge message; if authentication fails, it may discard the received identity-location binding update request message.
Specifically, the GRIDS may authenticate the identity of the UE by checking whether the identity (ID) of the UE is on a preset blacklist.
S103: the GRIDS sends the challenge message to the UE, the challenge message including the challenge content.
For ease of description, the challenge message is denoted G1. The parameters carried in G1 may include a message type (message_type) and the challenge content (challenge). The message_type carried in G1 identifies the message as a challenge message, and challenge is the challenge content constructed by the GRIDS for the UE.
Further, G1 may also include a sequence number (seq_number), which is the sequence number carried in U1, to prevent an attacker impersonating the GRIDS from mounting an impersonation attack on the UE.
S104: the UE receives the challenge message sent by the GRIDS, computes the challenge result (solution) of the challenge content, and sends a challenge response message to the GRIDS.
The solution corresponding to the challenge can be generated by exhaustive computation and is sent to the GRIDS in the challenge response message.
The challenge response message that the UE sends to the GRIDS also carries the challenge. Sending the challenge and the solution together means that the GRIDS need not keep session state for the challenge, which allows replay attacks by a malicious attacker to be avoided.
Further, the UE also sends the updated identity-location mapping to the GRIDS together with the challenge and the solution. Sending the updated identity-location mapping (the ID/Locator map information) to the GRIDS through the challenge-response exchange accomplishes the identity-location binding update and, to a certain extent, improves the security of the identity-location binding update process.
Specifically, for ease of description the challenge response message is denoted U2. The parameters carried in U2 include message_type, challenge, solution and the ID/Locator map information. The message_type carried in U2 is challenge_response and identifies the challenge response message; challenge is the challenge from message G1; solution is the challenge result corresponding to the challenge; and the ID/Locator map information is the content of the identity-location binding update.
Further, the UE can determine whether the seq_number included in G1 matches the seq_number carried in U1, and only if they match does it compute the challenge result and send the challenge response message. This ensures that the received challenge message was sent in reply to this UE's request and prevents an attacker impersonating the GRIDS from attacking the UE.
S105:GRIDS receives the challenge response message that UE is sent, based on the challenge for including in challenge response message
And solution, the validity of challenge response message is verified, if challenge response message is effective, saves the identity position of UE update
Mapping relations.If challenge response message invalid, the identity position mapping relations of UE update can not be saved, identity position is improved and ties up
Determine the safety of renewal process.
In the embodiment of the present application, if in challenge including the ID of UE, GRIDS is the random number and GRIDS that UE is generated
It is the Message Authentication Code that challenge is generated using local key, then GRIDS can verify that the message for including is tested in challenge
Code is demonstrate,proved, verifies whether the challenge is the challenge of GRIDS transmission, and then is determined in the challenge response message received
Solution whether be the corresponding solution of challenge.If the information authentication for including in GRIDS verifying challenge
Code effectively, then can determine that the solution in the challenge response message received is the corresponding solution of challenge.
Further, it if in the embodiment of the present application in challenge including timestamp, is determined according to timestamp
Whether before the deadline challenge answers the challenge for including in message, can be further if challenge is before the deadline
Determine whether the solution in the challenge response message received is the corresponding solution of challenge.If challenge
In do not include timestamp, then whether before the deadline can not need to determine challenge, directly determine the challenge received and answer
Answer whether the solution in message is the corresponding solution of challenge.
Further, if including degree-of-difficulty factor k in challenge in the embodiment of the present application, GRIDS is available
GRIDS is that the random that UE is generated and solution carries out Hash operation, if low k of Hash operation result are 0, be can determine
The solution in challenge response message received is the corresponding solution of challenge.If not including in challenge
Degree-of-difficulty factor k, then GRIDS can be that the random and solution that UE is generated carries out Hash operation using GRIDS, and GRIDS can lead to
Cross whether confirmation Hash operation result is 0, determines that the solution in the challenge response message received is corresponding for challenge
Solution.If Hash operation result is 0, it can determine that the solution in the challenge response message received is
The corresponding solution of challenge.If Hash operation result is not 0, can determine in the challenge response message received
Solution is not the corresponding solution of challenge.
By verifying the validity of the solution in the manner described above, the embodiment of the present application can determine that the challenge included in the challenge response message is the challenge sent by GRIDS and that the solution included in the challenge response message is the solution corresponding to that challenge. Only when the challenge is the one GRIDS sent and the solution is valid does GRIDS save the identity/location mapping relationship updated by the UE, which improves the security of the binding update process.
Further, in the embodiment of the present application GRIDS can verify the signature of the UE and save the updated identity/location mapping relationship only if the verification passes, further improving the security of the binding update process.
In the embodiment of the present application, the identity/location binding update is carried out by GRIDS sending a challenge message and the UE feeding back a challenge response message, which improves the security of the binding update process. Moreover, because the challenge response message in the embodiment of the present application carries both the challenge content and the challenge result for that content, GRIDS does not need to preserve session state information, which avoids replay attacks.
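The stateless challenge-response described above, as an added example that is not code from the patent: the challenge content carries the UE identity, a random number, a timestamp, the difficulty factor k and a MAC computed with the GRIDS local key, and GRIDS re-derives the MAC instead of storing per-session state. Field names, the JSON encoding, the 60 s validity window and HMAC-SHA256 as the MAC are assumptions.

```python
# Added example, not the patent's own code: stateless challenge-response
# between a UE and GRIDS. Field names, encodings and the 60 s validity
# window are assumptions; the MAC is HMAC-SHA256 with the GRIDS local key.
import hashlib
import hmac
import json
import secrets

MAC_FIELDS = ("id", "random", "timestamp", "k")


def _covered(content: dict) -> bytes:
    """Canonical encoding of the MAC-covered challenge fields."""
    return json.dumps({f: content[f] for f in MAC_FIELDS}, sort_keys=True).encode()


def make_challenge(grids_key: bytes, ue_id: str, k: int, now: int,
                   random_hex: str = "") -> dict:
    """GRIDS builds the challenge content: UE identity, a random number,
    a timestamp, the difficulty factor k and a MAC over those fields.
    Nothing is stored at GRIDS; the MAC lets it recognise its own challenge."""
    content = {"id": ue_id, "random": random_hex or secrets.token_hex(16),
               "timestamp": now, "k": k}
    content["mac"] = hmac.new(grids_key, _covered(content), hashlib.sha256).hexdigest()
    return content


def puzzle_ok(random_hex: str, solution: int, k: int) -> bool:
    """The low k bits of Hash(random || solution) must all be 0."""
    data = bytes.fromhex(random_hex) + solution.to_bytes(8, "big")
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return digest & ((1 << k) - 1) == 0


def solve(random_hex: str, k: int) -> int:
    """UE side: smallest solution satisfying the puzzle (about 2**k hashes)."""
    solution = 0
    while not puzzle_ok(random_hex, solution, k):
        solution += 1
    return solution


def make_response(challenge: dict, mapping: dict) -> dict:
    """UE echoes the challenge content unchanged, adds its solution and the
    updated identity/location mapping it wants GRIDS to store."""
    return {"challenge": challenge,
            "result": solve(challenge["random"], challenge["k"]),
            "mapping": mapping}


def verify_response(grids_key: bytes, response: dict, now: int,
                    validity_s: int = 60) -> tuple:
    """GRIDS checks, in the order the description gives: the MAC (is this an
    unmodified challenge GRIDS issued?), the timestamp (still valid?), then
    the solution. Returns (accepted, reason)."""
    ch = response["challenge"]
    expected = hmac.new(grids_key, _covered(ch), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, ch.get("mac", "")):
        return False, "mac"
    if not 0 <= now - ch["timestamp"] <= validity_s:
        return False, "expired"
    if not puzzle_ok(ch["random"], response["result"], ch["k"]):
        return False, "solution"
    return True, "ok"


if __name__ == "__main__":
    key = b"grids-local-key"            # constructed demo key
    ch = make_challenge(key, "ue-1", k=12, now=1000)
    resp = make_response(ch, {"id": "ue-1", "locator": "10.0.0.5"})
    print(verify_response(key, resp, now=1010))   # (True, 'ok')
```

A challenge replayed after its window fails the timestamp check, and one whose fields were altered fails the MAC check before any hashing is done.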
In a possible embodiment of the application, after GRIDS has saved the updated identity/location mapping relationship reported by the UE through the challenge-response procedure described above, GRIDS generates and saves a key (token) and a validity period (timer) for that key; the token and timer are used to verify the subsequently updated identity/location mapping relationships of the UE. GRIDS sends the token and timer to the UE, and the UE receives and saves them. When the UE later sends a subsequently updated identity/location mapping relationship to GRIDS, it can first determine whether the token is still within its validity period; if so, it can send the identity/location binding update message directly, without performing security verification through the challenge-response procedure again.
Therefore, on the basis of the method shown in Fig. 4, the embodiment of the present application may further include the following steps, as shown in Fig. 5:
S106: GRIDS generates and saves a token and a timer.
Specifically, GRIDS may be configured to generate and save a token and timer only for some UEs, for example only for UEs with higher credibility.
S107: GRIDS sends a key message to the UE; the key message includes the token and the timer.
Specifically, for convenience of description in the embodiment of the present application, the key message sent by GRIDS to the UE is denoted G2. The parameters carried in G2 include message_type, token and timer, where the message_type in G2 is used to mark the message as a key message, token is the key that GRIDS generated for the current UE, and timer is the validity period of that token.
Further, GRIDS may sign the key message with its private key and send the signature to the UE.
Further, GRIDS may encrypt the token and timer with the public key of the UE and send the encrypted token and timer to the UE, to improve security.
It is understood that the embodiment of the present application does not limit the order in which the key message is signed and encrypted.
S108: The UE receives the key message sent by GRIDS and saves the token and timer included in it.
Further, if the token and timer are encrypted with the UE's public key, the UE first decrypts them with its private key and then saves the decrypted token and timer, for use when it subsequently reports identity/location binding update content to GRIDS.
When the UE subsequently reports an updated identity/location mapping relationship (a subsequently updated identity/location mapping relationship) to GRIDS again, the subsequent identity/location binding update content can be reported using the method flow shown in Fig. 6.
Fig. 6 shows a flowchart of another identity/location binding update method provided by an embodiment of the present application. Referring to Fig. 6, the method includes:
S201: The UE determines whether the token is within its validity period.
Specifically, if the token is within its validity period, S202 is performed. If the token has expired, the identity/location binding update is performed in the challenge-response manner according to the method flow shown in Fig. 4.
S202: The UE uses the token to generate a message authentication code for the updated identity/location mapping relationship.
S203: The UE sends an identity/location binding update message to GRIDS; the message includes the message authentication code generated with the token and the subsequent identity/location binding update content.
For convenience of description in the embodiment of the present application, the identity/location binding update message is denoted U3. The parameters carried in U3 include message_type, the ID/Locator map information and MAC(token). Here message_type is the identity/location binding update message type (update_type), marking this message as a simplified binding update report. The ID/Locator map information is the UE's subsequent identity/location binding update content. MAC(token) is the message authentication code generated over the entire message using the token.
Further, U3 may also include seq_number. seq_number is the sequence number of the identity/location binding update message reported by the UE this time and may be specified by the UE.
S204: GRIDS receives the identity/location binding update message sent by the UE and verifies the message authentication code included in it using the saved token. If the verification passes, GRIDS saves the subsequently updated identity/location mapping relationship reported by the UE; if the verification fails, the identity/location binding update message can be discarded.
Specifically, GRIDS can determine which token to use when verifying the message authentication code from the ID of the UE.
Further, in the embodiment of the present application GRIDS may also send a response message to the UE that includes the seq_number carried in U3, so that the UE can determine whether GRIDS has saved the subsequently updated identity/location mapping relationship.
S205: GRIDS sends a response message to the UE; the response message includes the seq_number carried in U3.
Specifically, the response message is denoted G4. The parameters carried in G4 include message_type and seq_number. Here message_type is the response message type (ACK_type), marking this message as a reply, and seq_number is the sequence number carried in the U3 message, so that the UE can determine the result of saving, at GRIDS, the subsequently updated identity/location mapping relationship corresponding to that seq_number.
S205 is an optional step.
In the embodiment of the present application, GRIDS generates and saves a token and a timer and sends them to the UE, which saves them. When the UE subsequently needs to report a subsequently updated identity/location mapping relationship and the token is within the validity period corresponding to the timer, the UE can send the identity/location binding update message directly, without going through the challenge-response procedure again, which simplifies the interaction flow.
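The token-based simplified update of steps S106 to S108 and S201 to S205 (messages G2, U3 and G4), as an added example that is not code from the patent: message field names and the JSON encoding are assumptions, and MAC(token) is realised as HMAC-SHA256 keyed with the token over the whole message minus the MAC field.

```python
# Added example, not the patent's own code: token-based simplified update
# after the challenge-response (steps S106 to S108 and S201 to S205).
# Message field names and the JSON encoding are assumptions; MAC(token) is
# realised as HMAC-SHA256 keyed with the token over the whole message.
import hashlib
import hmac
import json
import secrets


def mac_with_token(message: dict, token: bytes) -> str:
    """MAC(token) over every field of the message except the MAC itself."""
    body = {k: v for k, v in message.items() if k != "mac"}
    data = json.dumps(body, sort_keys=True).encode()
    return hmac.new(token, data, hashlib.sha256).hexdigest()


class Grids:
    """GRIDS side: per-UE token and timer, looked up by the UE's ID."""

    def __init__(self):
        self.tokens = {}     # ue_id -> (token, expiry time)
        self.mappings = {}   # ue_id -> last accepted ID/Locator mapping

    def issue_key_message(self, ue_id: str, now: int, lifetime_s: int,
                          token: bytes = b"") -> dict:
        """S106/S107: generate and save token + timer, return G2."""
        token = token or secrets.token_bytes(32)
        timer = now + lifetime_s
        self.tokens[ue_id] = (token, timer)
        return {"message_type": "key", "token": token.hex(), "timer": timer}

    def handle_update(self, ue_id: str, u3: dict, now: int):
        """S204/S205: verify MAC(token) with the saved token; on success save
        the mapping and return G4, otherwise drop the message (return None)."""
        entry = self.tokens.get(ue_id)
        if entry is None:
            return None
        token, timer = entry
        if now >= timer:                       # token validity period is over
            return None
        if not hmac.compare_digest(mac_with_token(u3, token), u3.get("mac", "")):
            return None
        self.mappings[ue_id] = u3["id_locator_map"]
        return {"message_type": "ACK", "seq_number": u3["seq_number"]}


class Ue:
    """UE side: saves G2, builds U3 while the token is within its timer."""

    def __init__(self, ue_id: str):
        self.ue_id = ue_id
        self.token = b""
        self.timer = 0
        self.seq_number = 0

    def save_key_message(self, g2: dict) -> None:
        """S108 (the token is assumed to arrive already decrypted here)."""
        self.token = bytes.fromhex(g2["token"])
        self.timer = g2["timer"]

    def build_update(self, mapping: dict, now: int):
        """S201 to S203: None means the token expired and the UE must fall
        back to the challenge-response flow of Fig. 4."""
        if not self.token or now >= self.timer:
            return None
        self.seq_number += 1
        u3 = {"message_type": "update", "id_locator_map": mapping,
              "seq_number": self.seq_number}
        u3["mac"] = mac_with_token(u3, self.token)
        return u3
```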
In another possible embodiment of the present application, the UE and GRIDS can authenticate each other to further improve security.
In a possible embodiment, the UE and GRIDS can achieve security authentication by verifying private-key signatures.
Fig. 7 shows a flowchart of an identity/location binding update process provided by an embodiment of the present application in which the UE and GRIDS perform security authentication based on signatures.
The method flow shown in Fig. 7 is similar to the method flow shown in Fig. 5; the only difference is that the UE needs to send the UE's signature to GRIDS, GRIDS needs to send the GRIDS signature to the UE, and the two sides authenticate each other.
Specifically, the UE can send its signature in the challenge response message it sends to GRIDS. By sending its signature to GRIDS, the UE enables GRIDS to authenticate the challenge response message using the UE's signature, further improving security. GRIDS can carry its signature in the key message it sends to the UE. GRIDS sends its signature to the UE so that the UE can authenticate GRIDS. Further, the UE can authenticate the key message using the GRIDS signature: if the authentication passes, it saves the token and timer; if it fails, it can discard the key message, further improving security.
In a possible embodiment of the present application, the UE and GRIDS can obtain the peer's public key based on an asymmetric-key scheme of a certificate system and verify signatures using the peer's public key.
Fig. 8 shows a flowchart of an identity/location binding update process provided by an embodiment of the present application in which the UE and GRIDS perform security authentication based on certificates.
The method flow shown in Fig. 8 is similar to the method flow shown in Fig. 7; the only difference is that the UE needs to send the UE's certificate to GRIDS, GRIDS needs to send the GRIDS certificate to the UE, and the two sides verify each other's certificates.
Specifically, the UE can send its public key certificate in the challenge response message it sends to GRIDS. After receiving the challenge response message, GRIDS can verify the UE public key certificate included in it and obtain the UE's public key. GRIDS can carry its public key certificate in the key message it sends to the UE. After receiving the key message, the UE can verify the GRIDS public key certificate included in it and obtain the GRIDS public key.
In a possible embodiment of the present application, the UE can send a Diffie-Hellman (DH) session key agreement parameter to GRIDS, so that GRIDS can generate the token based on the UE's DH session key agreement parameter and the GRIDS DH session key agreement parameter. GRIDS sends the UE the GRIDS DH session key agreement parameter used to generate the token, so that the UE can generate the token based on the UE's DH session key agreement parameter and the GRIDS DH session key agreement parameter.
Fig. 9 shows a flowchart of an identity/location binding update process provided by an embodiment of the present application in which the UE and GRIDS generate the token based on DH session key agreement parameters.
The method flow shown in Fig. 9 is similar to the method flow shown in Fig. 7; the only difference is that the UE needs to send the UE's DH session key agreement parameter to GRIDS, GRIDS needs to send the GRIDS DH session key agreement parameter to the UE, and each side generates the token based on the UE's DH session key agreement parameter and the GRIDS DH session key agreement parameter.
Specifically, the UE can send its DH session key agreement parameter in the challenge response message it sends to GRIDS. After receiving the challenge response message, GRIDS can generate the token based on the UE's DH session key agreement parameter and the GRIDS DH session key agreement parameter. GRIDS can send its DH session key agreement parameter in the key message it sends to the UE. After receiving the key message, the UE can generate the token based on the UE's DH session key agreement parameter and the GRIDS DH session key agreement parameter.
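The token derivation of Fig. 9, as an added example that is not code from the patent: the UE's DH parameter travels in the challenge response, the GRIDS parameter in the key message, and each side derives the same token from the shared secret. The group (modulus 2**127 - 1, generator 3) is a tiny demo group chosen only so the example runs offline, and the HMAC-SHA256 derivation and its labels are assumptions.

```python
# Added example, not the patent's own code: both sides derive the token from
# DH session key agreement parameters, the UE's sent in the challenge
# response and the GRIDS one sent in the key message. The group below is a
# tiny demo group (modulus 2**127 - 1, generator 3), chosen only so the
# example runs offline; the KDF (HMAC-SHA256) and its labels are assumptions.
import hashlib
import hmac

P = (1 << 127) - 1   # demo modulus only (Mersenne prime M127)
G = 3                # demo generator


def dh_parameter(private: int) -> int:
    """Public DH session key agreement parameter g^private mod p."""
    return pow(G, private, P)


def derive_token(own_private: int, peer_parameter: int,
                 ue_id: str, grids_id: str) -> bytes:
    """token = KDF(shared secret, UE id, GRIDS id); identical on both sides."""
    shared = pow(peer_parameter, own_private, P)
    ikm = shared.to_bytes(16, "big")              # shared < 2**127 fits in 16 bytes
    info = f"{ue_id}|{grids_id}".encode()
    return hmac.new(b"token-derivation", ikm + info, hashlib.sha256).digest()


def run_exchange(ue_private: int, grids_private: int,
                 ue_id: str = "ue-1", grids_id: str = "grids-1") -> dict:
    """The message flow of Fig. 9 reduced to its DH-related fields."""
    u2 = {"dh_param": dh_parameter(ue_private)}        # carried in the challenge response
    token_at_grids = derive_token(grids_private, u2["dh_param"], ue_id, grids_id)
    g2 = {"dh_param": dh_parameter(grids_private)}     # carried in the key message
    token_at_ue = derive_token(ue_private, g2["dh_param"], ue_id, grids_id)
    return {"token_at_grids": token_at_grids, "token_at_ue": token_at_ue}
```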
The above mainly describes the scheme provided by the embodiments of the present application from the perspective of the interaction between the UE and GRIDS. It can be understood that, in order to realize the above functions, the UE and GRIDS include corresponding hardware structures and/or software modules for performing each function. In combination with the units and algorithm steps of the examples described in the embodiments disclosed herein, the embodiments of the present application can be implemented in the form of hardware or a combination of hardware and computer software. Whether a function is performed by hardware or by computer software driving hardware depends on the specific application and design constraints of the technical solution. Those skilled in the art may implement the described functions in different ways for each specific application, but such implementation should not be considered beyond the scope of the technical solutions of the embodiments of the present application.
The embodiments of the present application may divide the UE and GRIDS into functional units according to the above method examples; for example, each function may be assigned its own functional unit, or two or more functions may be integrated in one processing unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit. It should be noted that the division of units in the embodiments of the present application is schematic and is only a logical division of functions; there may be other ways of division in actual implementation.
Based on the same concept as the above method embodiments, the embodiments of the present application also provide an identity/location binding updating device, which can be applied to the UE or to GRIDS.
When implemented in the form of hardware, the identity/location binding updating device applied to the UE and the identity/location binding updating device applied to GRIDS can both be realized by the identity/location binding updating device 100 shown in Fig. 10.
As shown in Fig. 10, the identity/location binding updating device 100 may include at least one processor 101, a memory 103 and at least one transceiver 104. These components can communicate over one or more communication buses 102.
It should be noted that Fig. 10 is only one implementation of the embodiments of the present application; in practical applications the identity/location binding updating device 100 may include more or fewer components, which is not limited here.
The transceiver 104 comprises the receiver and transmitter of the identity/location binding updating device 100 and is used to send and receive radio-frequency signals. The transceiver 104 communicates with other communication devices over a communication network by means of radio-frequency signals, for example Ethernet, a radio access network (RAN) or a wireless local area network (WLAN). In specific implementations, the communication protocols supported by the transceiver 104 may include, but are not limited to, 2G/3G, long term evolution (LTE), wireless fidelity (Wi-Fi) and 5G new radio (NR).
The memory 103 is coupled to the processor 101 and is used to store various software programs and/or multiple sets of instructions. In specific implementations, the memory 103 may include high-speed random access memory and may also include non-volatile memory, such as one or more disk storage devices, flash memory devices or other non-volatile solid-state storage devices. The memory 103 may store an operating system (hereinafter referred to as the system), such as an embedded operating system like ANDROID, IOS, WINDOWS or LINUX. The memory 103 may be used to store the program implementing the embodiments of the present application. The memory 103 may also store a network communication program, which can be used to communicate with one or more additional devices, one or more terminal devices and one or more network devices.
The processor 101 may be a general-purpose central processing unit (CPU), a microprocessor, an application-specific integrated circuit (ASIC) or one or more integrated circuits for controlling the execution of the programs of the scheme of the present application.
In some embodiments, the identity/location binding updating device 100 may also include an output device 105 and an input device 106. The output device 105 communicates with the processor 101 and can display information in various ways; for example, the output device 105 may be a liquid crystal display (LCD), a light emitting diode (LED) display device, a cathode ray tube (CRT) display device or a projector. The input device 106 communicates with the processor 101 and can receive user input in various ways; for example, the input device 106 may be a mouse, a keyboard, a touch panel device or a sensing device. To facilitate the user's use of the output device 105 and the input device 106, in some embodiments the memory 202 may also store a user interface program, which can vividly display the content of an application program through a graphical operation interface and receive the user's control operations on the application program through input controls such as menus, dialog boxes and keys. When the identity/location binding updating device 100 shown in Fig. 10 implements the functions of the UE, its memory can store one or more software modules that provide functions such as receiving the challenge message, computing the challenge response information and sending the challenge response message; refer to the above method embodiments for details. When the identity/location binding updating device 100 shown in Fig. 10 implements the functions of GRIDS, its memory can store one or more software modules that provide functions such as generating the challenge message, verifying the challenge response message and saving the updated identity/location mapping relationship; refer to the above method embodiments for details.
When implemented in the form of software functional units, Fig. 11 shows a structural diagram of an identity/location binding updating device provided by an embodiment of the present application. The identity/location binding updating device 1000 may be the UE or a component inside the UE. Referring to Fig. 11, the identity/location binding updating device 1000 includes a receiving unit 1002 and a processing unit 1003.
Specifically, the receiving unit 1002 is configured to receive the challenge message sent by the GRIDS, where the challenge message includes challenge content. The processing unit 1003 is configured to send a challenge response message to the GRIDS, where the challenge response message includes the challenge content, the challenge result and the identity/location mapping relationship updated by the UE.
Specifically, the challenge content includes the identity of the UE, a random number generated by the GRIDS for the UE, and a message authentication code generated by the GRIDS for the challenge content using a local key.
Further, the challenge content also includes at least one of a timestamp of the challenge content and a difficulty factor of the challenge content.
In a possible example, the identity/location binding updating device 1000 further includes a sending unit 1001. The sending unit 1001 is configured to send an identity/location binding update request to the GRIDS. The identity/location binding update request includes a sequence number, which is used to identify the identity/location binding update request message sent by the UE; the challenge message also includes the sequence number.
The processing unit 1003 is further configured to: before the sending unit 1001 sends the challenge response message to the GRIDS, determine that the sequence number included in the challenge message is consistent with the sequence number included in the identity/location binding update request sent by the UE.
In another possible example, the receiving unit 1002 is further configured to: after the sending unit 1001 sends the challenge response message to the GRIDS, receive the key message sent by the GRIDS and save the key and the validity period of the key. The key message includes the key and the validity period of the key, where the key is generated by the GRIDS for the UE and is used to verify the identity/location binding update messages subsequently sent by the UE.
Further, the key message is a message encrypted by the GRIDS with the public key of the UE.
In another possible example, the processing unit 1003 is further configured to: after the receiving unit 1002 saves the key and the validity period of the key, determine that the key is within the validity period and generate a message authentication code using the key. The sending unit 1001 is further configured to send an identity/location binding update message to the GRIDS, where the identity/location binding update message includes the subsequently updated identity/location mapping relationship of the UE and the message authentication code generated by the processing unit 1003.
Further, the challenge response message also includes the signature of the UE, which is used by the GRIDS to authenticate the challenge response message, and the key message also includes the signature of the GRIDS, which is used by the UE to authenticate the key message.
Further, the challenge response message also includes the certificate of the UE and the key message also includes the certificate of the GRIDS; or, the challenge response message also includes the session key agreement parameter of the UE and the key message also includes the session key agreement parameter of the GRIDS.
Specifically, the updated identity/location mapping relationship described in the embodiments of the present application may be encrypted or in plaintext.
Further, the identity/location binding updating device 1000 described above may also include a storage unit. The storage unit is used to store computer-executable instructions; the processing unit 1003 is connected to the storage unit and executes the computer-executable instructions stored in it, so that the identity/location binding updating device 1000 performs the identity/location binding update method performed by the UE in the above method embodiments.
When implemented in hardware, the sending unit 1001 and the receiving unit 1002 may be a communication interface, a transceiver or the like. The transceiver may include radio-frequency circuitry. Communication interface is a general term and may include one or more interfaces. The processing unit 1003 may be, for example, a processor or a controller. The storage unit may be, for example, a memory.
Specifically, when the sending unit 1001 and the receiving unit 1002 are a transceiver, the processing unit 1003 is a processor and the storage unit is a memory, the identity/location binding updating device 1000 may be the identity/location binding updating device 100 shown in Fig. 10, and the identity/location binding updating device 100 is applied to the UE for performing the methods performed by the UE in Fig. 4 to Fig. 9.
When implemented in the form of a chip, the identity/location binding updating device 1000 according to the embodiments of the present application may be a chip applied in the UE, which has the functions of implementing the identity/location binding update method performed by the UE in the above method embodiments. These functions may be implemented by hardware or by hardware executing corresponding software; the hardware or software includes one or more units corresponding to the above functions. For example, the chip includes the receiving unit 1002 and the processing unit 1003. Optionally, the communication device may also include the sending unit 1003, and may also include a storage unit. The sending unit 1001 and the receiving unit 1002 may be input/output interfaces, pins or circuits on the chip. The processing unit 1003 may be, for example, a processor. The storage unit may be, for example, a memory. The processing unit 1003 can execute the computer-executable instructions stored in the storage unit, so that the chip performs the identity/location binding update method performed by the UE in the above method embodiments. Optionally, the storage unit may be a storage unit within the chip (for example, a register or a cache), or a storage unit in the UE located outside the chip (for example, a read-only memory (ROM) or another type of static storage device that can store static information and instructions, such as a random access memory (RAM)).
When implemented in the form of software functional units, Fig. 12 shows the structure of an identity/location binding updating device 200 provided by an embodiment of the present application. The identity/location binding updating device 200 may be the GRIDS or a component in the GRIDS. Referring to Fig. 12, the identity/location binding updating device 2000 includes a sending unit 2001, a receiving unit 2002 and a processing unit 2003.
Specifically, the sending unit 2001 is configured to send the challenge message generated by the processing unit 2003 to the UE, where the challenge message includes challenge content. The receiving unit 2002 is configured to receive the challenge response message sent by the UE, where the challenge response message includes the challenge result, the identity/location mapping relationship updated by the UE and the challenge content included in the challenge message sent by the sending unit 2001. The processing unit 2003 is configured to generate the challenge message including the challenge content, verify the validity of the challenge response message based on the challenge content and the challenge result included in the challenge response message received by the receiving unit 2002, and, if the challenge response message is valid, save the identity/location mapping relationship updated by the UE.
Specifically, the challenge content includes the identity of the UE, a random number generated by the GRIDS for the UE, and a message authentication code generated by the GRIDS for the challenge content using a local key.
The processing unit 2003 verifies the validity of the message authentication code included in the challenge content and, if the message authentication code is valid, determines whether the challenge result is the challenge result for the challenge content.
Further, the challenge content also includes at least one of a timestamp of the challenge content and a difficulty factor of the challenge content. The processing unit 2003 is further configured to: if the challenge content includes the timestamp of the challenge content, determine from the timestamp that the challenge content is within its validity period before determining whether the challenge result is the challenge result for the challenge content; and if the challenge content includes the difficulty factor of the challenge content, confirm whether the low k bits of the hash result of the challenge result and the random number are 0, where k is the difficulty factor.
In a possible example, the receiving unit 2002 is further configured to: before the processing unit 2003 generates the challenge message, receive the identity/location binding update request sent by the UE, where the identity/location binding update request includes a sequence number used to identify the identity/location binding update request message sent by the UE. The challenge message also includes the sequence number.
In another possible example, the processing unit 2003 is further configured to: after the receiving unit 2002 receives the challenge response message sent by the UE, generate and save a key and the validity period of the key, where the key is used to verify the identity/location binding update messages subsequently sent by the UE. The sending unit 2001 is further configured to send a key message to the UE, where the key message includes the key and the validity period of the key.
Further, the processing unit 2003 is further configured to encrypt the key message with the public key of the UE, and the sending unit 2001 sends the encrypted key message.
In another possible example, the receiving unit 2002 is further configured to: after the sending unit 2001 sends the key message to the UE, receive the identity/location binding update message sent by the UE, where the identity/location binding update message includes a message authentication code and the subsequently updated identity/location mapping relationship of the UE, the message authentication code being generated by the UE based on the key. The processing unit 2003 is further configured to verify the message authentication code using the saved key and, if the verification passes, save the subsequently updated identity/location mapping relationship of the UE.
In a possible embodiment, the challenge response message also includes the signature of the UE, which is used by the GRIDS to authenticate the challenge response message, and the key message also includes the signature of the GRIDS, which is used by the UE to authenticate the key message.
In another possible embodiment, the challenge response message also includes the certificate of the UE and the key message also includes the certificate of the GRIDS; or, the challenge response message also includes the session key agreement parameter of the UE and the key message also includes the session key agreement parameter of the GRIDS.
Further, the identity/location binding updating device 2000 described above may also include a storage unit. The storage unit is used to store computer-executable instructions; the processing unit 2003 is connected to the storage unit and executes the computer-executable instructions stored in it, so that the identity/location binding updating device 2000 performs the identity/location binding update method performed by the GRIDS in the above method embodiments.
When implemented in hardware, the sending unit 2001 and the receiving unit 2002 may be a transceiver or a communication interface. The transceiver may include radio-frequency circuitry. Communication interface is a general term and may include one or more interfaces. The processing unit 2003 may be, for example, a processor or a controller.
When the sending unit 2001 and the receiving unit 2002 are a transceiver, the processing unit 2003 is a processor and the storage unit is a memory, the identity/location binding updating device 2000 may be the identity/location binding updating device 100 shown in Fig. 10, and the identity/location binding updating device 100 is applied to the GRIDS for performing the methods performed by the GRIDS in Fig. 4 to Fig. 9.
When implemented in the form of a chip, the identity/location binding updating device 2000 according to the embodiments of the present application may be a chip applied in the GRIDS, which has the functions of implementing the identity/location binding update method performed by the GRIDS in the above method embodiments. These functions may be implemented by hardware or by hardware executing corresponding software; the hardware or software includes one or more units corresponding to the above functions. For example, the chip includes the sending unit 2001, the receiving unit 2002 and the processing unit 2003. The sending unit 2001 and the receiving unit 2002 may be input/output interfaces, pins or circuits on the chip. The processing unit 2003 may be, for example, a processor. Optionally, the chip also includes a storage unit, which may be, for example, a memory. The processing unit 2003 can execute the computer-executable instructions stored in the storage unit, so that the chip performs the identity/location binding update method performed by the GRIDS in the above method embodiments. Optionally, the storage unit may be a storage unit within the chip (for example, a register or a cache), or a storage unit in the GRIDS located outside the chip (for example, a read-only memory or another type of static storage device that can store static information and instructions, such as a random access memory).
In the embodiments of the present application, for the explanation and detailed description of the concepts related to the technical solutions provided by the embodiments of the present application, and for the other steps of the identity/location binding updating device 1000 and the identity/location binding updating device 2000, refer to the description of these contents in the preceding method or other embodiments, which is not repeated here.
The embodiments of the present application also provide an identity/location binding update system, which includes the GRIDS and UE described above; the GRIDS and UE have the functions of implementing the corresponding functions in the above method embodiments.
Claims (18)
1. An identity-location binding update method, characterized in that the method comprises:
a unified control and management layer GRIDS generating a challenge message, the challenge message including challenge content;
the GRIDS sending the challenge message to a communication device;
the GRIDS receiving a challenge response message sent by the communication device, the challenge response message including the challenge content, a challenge result and an updated identity-location mapping of the communication device, where the identity is the identity identifier of the communication device and the location is the network address of the communication device;
the GRIDS verifying the validity of the challenge response message based on the challenge content and the challenge result and, if the challenge response message is valid, saving the updated identity-location mapping of the communication device.
2. The method according to claim 1, characterized in that the challenge content includes the identity identifier of the communication device, a random number generated by the GRIDS for the communication device, and a message authentication code generated by the GRIDS for the challenge content using a local key;
the GRIDS verifying the validity of the challenge response message based on the challenge content and the challenge result comprises:
the GRIDS verifying the validity of the message authentication code included in the challenge content and, if the message authentication code is valid, determining whether the challenge result is the challenge result of the challenge content.
3. The method according to claim 2, characterized in that the challenge content further includes at least one of a timestamp of the challenge content and a difficulty factor of the challenge content;
before the GRIDS determines whether the challenge result is the challenge result of the challenge content, the method further comprises:
if the challenge content includes the timestamp of the challenge content, determining from the timestamp that the challenge content is within its validity period;
the GRIDS determining whether the challenge result is the challenge result of the challenge content comprises:
if the challenge content includes the difficulty factor of the challenge content, confirming whether the low k bits of the hash operation result of the challenge result and the random number are all 0, where k is the difficulty factor.
4. The method according to any one of claims 1-3, characterized in that, before the GRIDS generates the challenge message, the method further comprises:
the GRIDS receiving an identity-location binding update request sent by the communication device, the identity-location binding update request including a sequence number used to identify the identity-location binding update request message sent by the communication device;
the challenge message further including the sequence number.
5. The method according to any one of claims 1-4, characterized in that, after the GRIDS receives the challenge response message sent by the communication device, the method further comprises:
the GRIDS generating and saving a key and the validity period of the key, the key being used to verify identity-location binding update messages subsequently sent by the communication device;
the GRIDS sending a key message to the communication device, the key message including the key and the validity period of the key.
6. The method according to claim 5, characterized in that the key message is a message encrypted by the GRIDS using the public key of the communication device.
7. The method according to claim 5 or 6, characterized in that, after the GRIDS sends the key message to the communication device, the method further comprises:
the GRIDS receiving an identity-location binding update message sent by the communication device, the identity-location binding update message including a message authentication code and the subsequently updated identity-location mapping of the communication device, the message authentication code being generated by the communication device based on the key;
the GRIDS verifying the message authentication code using the saved key and, if the verification passes, saving the subsequently updated identity-location mapping of the communication device.
8. The method according to any one of claims 5-7, characterized in that the challenge response message further includes a signature of the communication device, the signature of the communication device being used by the GRIDS to authenticate the challenge response message;
the key message further includes a signature of the GRIDS, the signature of the GRIDS being used by the communication device to authenticate the key message.
9. The method according to claim 8, characterized in that the challenge response message further includes a certificate of the communication device, and the key message further includes a certificate of the GRIDS;
or
the challenge response message further includes a session key agreement parameter of the communication device, and the key message further includes a session key agreement parameter of the GRIDS.
10. An identity-location binding update device, applied to a unified control and management layer GRIDS, characterized in that the device includes a transmission unit, a receiving unit and a processing unit, wherein:
the transmission unit is configured to send to a communication device the challenge message generated by the processing unit, the challenge message including challenge content;
the receiving unit is configured to receive a challenge response message sent by the communication device, the challenge response message including a challenge result, an updated identity-location mapping of the communication device, and the challenge content included in the challenge message sent by the transmission unit, where the identity is the identity identifier of the communication device and the location is the network address of the communication device;
the processing unit is configured to generate the challenge message, the challenge message including challenge content, and to verify the validity of the challenge response message based on the challenge content and the challenge result included in the challenge response message received by the receiving unit and, if the challenge response message is valid, to save the updated identity-location mapping of the communication device.
11. The device according to claim 10, characterized in that the challenge content includes the identity identifier of the communication device, a random number generated by the GRIDS for the communication device, and a message authentication code generated by the GRIDS for the challenge content using a local key;
the processing unit verifies the validity of the challenge response message based on the challenge content and the challenge result in the following way:
verifying the validity of the message authentication code included in the challenge content and, if the message authentication code is valid, determining whether the challenge result is the challenge result of the challenge content.
12. The device according to claim 11, characterized in that the challenge content further includes at least one of a timestamp of the challenge content and a difficulty factor of the challenge content;
the processing unit is further configured to:
if the challenge content includes the timestamp of the challenge content, determine from the timestamp that the challenge content is within its validity period before determining whether the challenge result is the challenge result of the challenge content;
if the challenge content includes the difficulty factor of the challenge content, confirm whether the low k bits of the hash operation result of the challenge result and the random number are all 0, where k is the difficulty factor.
13. The device according to any one of claims 10-12, characterized in that the receiving unit is further configured to:
before the processing unit generates the challenge message, receive an identity-location binding update request sent by the communication device, the identity-location binding update request including a sequence number used to identify the identity-location binding update request message sent by the communication device;
wherein the challenge message further includes the sequence number.
14. The device according to any one of claims 10-13, characterized in that the processing unit is further configured to:
after the receiving unit receives the challenge response message sent by the communication device, generate and save a key and the validity period of the key, the key being used to verify identity-location binding update messages subsequently sent by the communication device;
the transmission unit is further configured to:
send a key message to the communication device, the key message including the key and the validity period of the key.
15. The device according to claim 14, characterized in that the processing unit is further configured to encrypt the key message using the public key of the communication device;
the transmission unit sends the encrypted key message.
16. The device according to claim 14 or 15, characterized in that the receiving unit is further configured to:
after the transmission unit sends the key message to the communication device, receive an identity-location binding update message sent by the communication device, the identity-location binding update message including a message authentication code and the subsequently updated identity-location mapping of the communication device, the message authentication code being generated by the communication device based on the key;
the processing unit is further configured to:
verify, using the saved key, the message authentication code received by the receiving unit and, if the verification passes, save the subsequently updated identity-location mapping of the communication device.
17. The device according to any one of claims 14-16, characterized in that the challenge response message further includes a signature of the communication device, the signature of the communication device being used by the GRIDS to authenticate the challenge response message;
the key message further includes a signature of the GRIDS, the signature of the GRIDS being used by the communication device to authenticate the key message.
18. The device according to claim 17, characterized in that the challenge response message further includes a certificate of the communication device, and the key message further includes a certificate of the GRIDS;
or
the challenge response message further includes a session key agreement parameter of the communication device, and the key message further includes a session key agreement parameter of the GRIDS.
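As an added example (not code from the patent or its applicant), the GRIDS-side logic of claims 1 to 3 in Python: the challenge content is protected by a message authentication code under a GRIDS-local key so the GRIDS need not store outstanding challenges, a timestamp bounds the challenge's validity period, and the challenge result must make the low k bits of the hash of result and random number zero. HMAC-SHA256 as the MAC, SHA-256 as the hash, the 60-second lifetime, the 8-byte result format, and all key and identity values are assumptions for illustration; a UE-side solver is included only so the verification path can be exercised.

```python
import hashlib
import hmac
import os
import struct
import time

LOCAL_KEY = b"grids-local-key-constructed-for-example"  # constructed sample key
CHALLENGE_LIFETIME = 60   # seconds a challenge stays valid (assumed value)
BINDINGS = {}             # identity -> network address: the GRIDS mapping table


def _encode(identity, nonce, ts, k):
    """Canonical MAC input; the identity is length-prefixed so fields cannot shift."""
    return struct.pack(">H", len(identity)) + identity + nonce + struct.pack(">QB", ts, k)


def make_challenge(identity, k, now=None):
    """GRIDS side: challenge content = identity, random number, timestamp, difficulty k, MAC.
    The MAC lets the GRIDS verify the echoed content later without keeping per-challenge state."""
    ts = int(time.time()) if now is None else now
    nonce = os.urandom(16)
    mac = hmac.new(LOCAL_KEY, _encode(identity, nonce, ts, k), hashlib.sha256).digest()
    return {"identity": identity, "nonce": nonce, "ts": ts, "k": k, "mac": mac}


def low_bits_zero(result, nonce, k):
    """Claim 3 puzzle: the low k bits of SHA-256(result || random number) must all be 0."""
    digest = int.from_bytes(hashlib.sha256(result + nonce).digest(), "big")
    return digest & ((1 << k) - 1) == 0


def solve_challenge(ch):
    """UE side (illustration only): search for an 8-byte result that satisfies the puzzle."""
    counter = 0
    while True:
        candidate = struct.pack(">Q", counter)
        if low_bits_zero(candidate, ch["nonce"], ch["k"]):
            return candidate
        counter += 1


def verify_response(ch, result, now=None):
    """GRIDS side: MAC first (cheap, rejects forged or altered content), then the
    timestamp (rejects stale or replayed challenges), then the puzzle result."""
    now = int(time.time()) if now is None else now
    expected = hmac.new(LOCAL_KEY, _encode(ch["identity"], ch["nonce"], ch["ts"], ch["k"]),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, ch["mac"]):
        return False
    if not ch["ts"] <= now < ch["ts"] + CHALLENGE_LIFETIME:
        return False
    return low_bits_zero(result, ch["nonce"], ch["k"])


def process_response(ch, result, new_address, now=None):
    """Save the updated identity-location mapping only for a valid response (claim 1)."""
    if not verify_response(ch, result, now):
        return None
    BINDINGS[ch["identity"]] = new_address
    return (ch["identity"], new_address)
```

Checking the MAC before the puzzle means a forged challenge is rejected without any hashing work, and a lowered difficulty factor in a tampered challenge fails the MAC rather than weakening the puzzle.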
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810055629.4A CN110061833B (en) | 2018-01-19 | 2018-01-19 | Binding update method and device for identity position |
Publications (2)
Publication Number | Publication Date |
---|---|
CN110061833A true CN110061833A (en) | 2019-07-26 |
CN110061833B CN110061833B (en) | 2020-09-04 |
Family
ID=67315269
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201810055629.4A Active CN110061833B (en) | 2018-01-19 | 2018-01-19 | Binding update method and device for identity position |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110061833B (en) |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103428220A (en) * | 2013-08-23 | 2013-12-04 | 中国人民解放军理工大学 | Virtual reconstruction ubiquitous network architecture based on identity-position separation |
US20140245394A1 (en) * | 2013-02-26 | 2014-08-28 | International Business Machines Corporation | Trust-based computing resource authorization in a networked computing environment |
- 2018-01-19 CN CN201810055629.4A patent/CN110061833B/en active Active
Also Published As
Publication number | Publication date |
---|---|
CN110061833B (en) | 2020-09-04 |
Similar Documents
Publication | Title |
---|---|
US10601594B2 (en) | End-to-end service layer authentication |
Mick et al. | LASeR: Lightweight authentication and secured routing for NDN IoT in smart cities |
CN107534658B (en) | End-to-end authentication at the service layer using public key mechanisms |
JP5414898B2 (en) | Security access control method and system for wired LAN |
Saied et al. | HIP Tiny Exchange (TEX): A distributed key exchange scheme for HIP-based Internet of Things |
US8812704B2 (en) | Method, apparatus and system for platform identity binding in a network node |
De Rango et al. | Static and dynamic 4-way handshake solutions to avoid denial of service attack in Wi-Fi protected access and IEEE 802.11i |
CN108075890A (en) | Data sending terminal, data receiver, data transmission method and system |
CN102594555A (en) | Security protection method for data, entity on network side and communication terminal |
CN109417706A (en) | Method and apparatus for storing contextual information in a mobile device |
CN111970699B (en) | Terminal WIFI login authentication method and system based on IPK |
Singla et al. | Look before you leap: Secure connection bootstrapping for 5G networks to defend against fake base-stations |
Xu et al. | A policy enforcing mechanism for trusted ad hoc networks |
CN109076086A (en) | Performing security signaling before Authentication and Key Agreement |
CN101895388B (en) | Distributed dynamic key management method and device |
Lo et al. | A secure IoT firmware update framework based on MQTT protocol |
Haddad et al. | Secure and efficient AKA scheme and uniform handover protocol for 5G network using blockchain |
CN106304400A (en) | IP address distribution method and system for wireless network |
Cebe et al. | A bandwidth-efficient secure authentication module for smart grid DNP3 protocol |
CN110061833A (en) | Binding update method and device for identity position |
CN110417722A (en) | Service data communication method, communication device and storage medium |
Ortiz-Yepes | Balsa: Bluetooth low energy application layer security add-on |
Zhang et al. | Secure and efficient scheme for fast initial link setup against key reinstallation attacks in IEEE 802.11ah networks |
CN108462681A (en) | Communication method, device and system for a heterogeneous network |
CN105141620A (en) | Small data distribution method enabling wireless sensor network security and denial of service attack defense |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||