CN110536289A - Key providing method and device thereof, mobile terminal, communication equipment and storage medium - Google Patents


Info

Publication number: CN110536289A
Authority: CN (China)
Prior art keywords: key, information, authentication secret, mobile terminal, authentication
Legal status: Pending
Application number: CN201811583792.4A
Other languages: Chinese (zh)
Inventor: 谢振华
Current Assignee: ZTE Corp
Original Assignee: ZTE Corp


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L 9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L 9/0822 Key transport or distribution using a key encryption key
    • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/3226 Verifying identity or authority using a predetermined code, e.g. password, passphrase or PIN
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/02 Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
    • H04W 12/06 Authentication
    • H04W 12/10 Integrity

Abstract

Embodiments of the present invention provide a key providing method and device, a mobile terminal, communication equipment and a storage medium. In the method, the mobile terminal extracts authentication information and a user key from the received authentication message, generates a first verification key according to a key generation rule, and returns an authentication response message to the mobile network side. After receiving the authentication response message, the mobile network side likewise obtains the corresponding authentication information and user key, generates a second verification key, and uses it to encrypt first key information; the resulting third key information is returned to the mobile terminal, which decrypts it with the first verification key to obtain the first key information. Providing the key in this mutual manner addresses the security of the mobile terminal when it accesses the mobile network, ensures that the key is updated in real time, reduces tampering with the key, and thereby further improves the security of the system.

Description

Key providing method and device thereof, mobile terminal, communication equipment and storage medium
Technical field
Embodiments of the present invention relate to, but are not limited to, the field of communication technology, and in particular to a key providing method and device, a mobile terminal, communication equipment and a storage medium.
Background technique
The 3rd Generation Partnership Project (3GPP) has formulated various mobile network specifications, and mobile networks deployed according to these specifications have been subject to attacks by various pseudo base stations. One main reason such attacks can be carried out is that the mobile terminal cannot tell a genuine base station from a false one, and therefore accepts whatever instructions a pseudo base station sends.
In order to authenticate a base station, key information must be provisioned on both the base station and the mobile terminal. The base station then protects the messages it sends, or part of their content, according to this key information, so that the mobile terminal can verify the messages sent by the base station according to the same key information and thereby determine whether the base station is genuine; a pseudo base station, which cannot access the mobile network, cannot obtain this key information.
3GPP has specified the Authentication and Key Agreement (AKA) procedure between the mobile network and the mobile terminal, but that specification only allows the mobile network to provide the mobile terminal with key information associated with the subscriber. It cannot provide key information associated with the base station to protect the user's various communications, so the mobile terminal cannot authenticate the base station. That is, base station authentication can currently only be performed after mutual communication has been established, not before, and such an approach has security problems.
Summary of the invention
The key providing method and device, mobile terminal, communication equipment and storage medium provided in embodiments of the present invention address the technical problem in the prior art that a mobile terminal cannot obtain the verification key when accessing the mobile network, which results in low communication security.
To solve the above technical problem, an embodiment of the present invention provides a key providing method applied to the mobile terminal side, the method comprising:
receiving third key information sent by the mobile network side, where the third key information is obtained by the mobile network side encrypting first key information with a second verification key; the second verification key is either generated by the mobile network side based on a network user key, or obtained by the mobile network side decrypting a third verification key, the third verification key being obtained by the mobile terminal encrypting the second verification key and sent to the mobile network side;
generating the first key information from the result of decrypting the third key information with a first verification key or with the second verification key, where the first verification key is generated by the mobile terminal based on a terminal user key;
the network user key being the backup of the user key kept on the mobile network side, and the terminal user key being the backup of the user key kept on the mobile terminal.
To solve the above technical problem, an embodiment of the present invention further provides a key providing method applied to the security function of the mobile terminal side, the method comprising:
receiving a first call from the terminal device of the mobile terminal side and returning the result of the first call, where the result of the first call does not include the first verification key, or the result of the first call includes second derived information, or the result of the first call includes a third verification key; here the first verification key is generated based on a terminal user key, the second derived information is used together with the terminal user key to generate the first verification key, the third verification key is obtained by encrypting the second verification key, and the terminal user key is the backup of the user key kept in the security function of the mobile terminal side; receiving a second call from the terminal device of the mobile terminal side and returning the result of the second call, where the second call includes third key information and the result of the second call does not include first key information; here the first key information is generated from the result of decrypting the third key information with the first verification key or the second verification key.
To solve the above technical problem, an embodiment of the present invention further provides a key providing method applied to the terminal device of the mobile terminal side, the method comprising:
receiving third key information from the mobile network side, and initiating a second call to the security function of the mobile terminal side, the second call including the third key information;
where the third key information is obtained by the mobile network side encrypting first key information with a second verification key; the second verification key is generated by the mobile network side based on a network user key, or obtained by the mobile network side decrypting a third verification key that is sent by the mobile terminal to the mobile network side; and the network user key is the backup of the user key kept on the mobile network side.
To solve the above technical problem, an embodiment of the present invention further provides a key providing method applied to a first core network function of the mobile network side, the method comprising:
sending third key information to the mobile terminal; or
sending first key information to a second core network function, receiving the third key information sent from the second core network function, and sending the third key information to the mobile terminal;
where the third key information is generated based on a second verification key and the first key information; the second verification key is generated by decrypting a third verification key, or generated by the second core network function based on a network user key; the third verification key is received from the mobile terminal; and the network user key is the backup of the user key kept on the second core network function side.
To solve the above technical problem, an embodiment of the present invention further provides a key providing method applied to a second core network function, the method comprising:
receiving first key information from a first core network function and sending third key information to the first core network function, where the third key information is generated based on the first key information and a second verification key, and the second verification key is generated based on a network user key or by decrypting a third verification key received from the first core network function; or
receiving second derived information from the first core network function and sending a second verification key to the first core network function, where the second verification key is generated based on the second derived information and the network user key; or
sending first derived information to the first core network function and sending a second verification key to the first core network function, where the second verification key is generated based on the first derived information and the network user key;
the network user key being the backup of the user key kept on the second core network function side.
To solve the above technical problem, an embodiment of the present invention further provides a mobile terminal, comprising:
a first receiving module, configured to receive third key information sent by the mobile network side, where the third key information is obtained by the mobile network side encrypting first key information with a second verification key; the second verification key is generated by the mobile network side based on a network user key, or obtained by the mobile network side decrypting a third verification key; and the third verification key is obtained by the mobile terminal encrypting the second verification key and is sent to the mobile network side;
a first key generation module, configured to generate the first key information from the result of decrypting the third key information with a first verification key or with the second verification key, where the first verification key is generated by the mobile terminal based on a terminal user key; the network user key is the backup of the user key kept on the mobile network side, and the terminal user key is the backup of the user key kept on the mobile terminal.
To solve the above technical problem, an embodiment of the present invention further provides a key providing device, comprising:
a first calling module, configured to receive a first call from the terminal device of the mobile terminal side and return the result of the first call, where the result of the first call does not include the first verification key, or includes second derived information, or includes a third verification key; here the first verification key is generated based on a terminal user key, the second derived information is used together with the terminal user key to generate the first verification key, the third verification key is obtained by encrypting the second verification key, and the terminal user key is the backup of the user key kept in the security function of the mobile terminal side;
a second calling module, configured to receive a second call from the terminal device of the mobile terminal side and return the result of the second call, where the second call includes third key information and the result of the second call does not include first key information; here the first key information is generated from the result of decrypting the third key information with the first verification key or the second verification key.
To solve the above technical problem, an embodiment of the present invention further provides a mobile terminal, comprising:
a second receiving module, configured to receive third key information from the mobile network side and to initiate a second call to the key providing device, the second call including the third key information;
where the third key information is obtained by the mobile network side encrypting first key information with a second verification key; the second verification key is generated by the mobile network side based on a network user key, or obtained by the mobile network side decrypting a third verification key that is sent by the mobile terminal to the mobile network side; and the network user key is the backup of the user key kept on the mobile network side.
To solve the above technical problem, an embodiment of the present invention further provides communication equipment, comprising:
a first sending module, configured to send third key information to the mobile terminal, or to send first key information to a second core network function;
a third receiving module, configured to receive the third key information sent from the second core network function and to send the third key information to the mobile terminal;
where the third key information is generated based on a second verification key and the first key information; the second verification key is generated by decrypting a third verification key, or generated by the second core network function based on a network user key; the third verification key is received from the mobile terminal; and the network user key is the backup of the user key kept on the second core network function side.
To solve the above technical problem, an embodiment of the present invention further provides communication equipment comprising a fourth receiving module and a second sending module;
the fourth receiving module is configured to receive first key information from a first core network function, and the second sending module is configured to send third key information to the first core network function, where the third key information is generated based on the first key information and a second verification key, and the second verification key is generated based on a network user key or by decrypting a third verification key received from the first core network function; or
the fourth receiving module is configured to receive second derived information from the first core network function, and the second sending module is configured to send a second verification key to the first core network function, the second verification key being generated based on the second derived information and the network user key; or
the second sending module is configured to send first derived information to the first core network function and to send a second verification key to the first core network function, the second verification key being generated based on the first derived information and the network user key; the network user key is the backup of the user key kept on the second core network function side.
To solve the above technical problem, an embodiment of the present invention further provides communication equipment comprising a processor, a memory, a communication unit and a communication bus;
the communication bus is configured to implement the communication connection between the processor, the communication unit and the memory;
the processor is configured to execute one or more first programs stored in the memory, to implement the steps of the key providing method described above; or
the processor is configured to execute one or more second programs stored in the memory, to implement the steps of the key providing method described above; or
the processor is configured to execute one or more third programs stored in the memory, to implement the steps of the key providing method described above; or
the processor is configured to execute one or more fourth programs stored in the memory, to implement the steps of the key providing method described above; or
the processor is configured to execute one or more fifth programs stored in the memory, to implement the steps of the key providing method described above.
To solve the above technical problem, an embodiment of the present invention further provides a computer-readable storage medium storing one or more first computer programs, second computer programs, third computer programs, fourth computer programs and fifth computer programs;
the one or more first computer programs can be executed by one or more processors to implement the steps of the key providing method described above;
the one or more second computer programs can be executed by one or more processors to implement the steps of the key providing method described above;
the one or more third computer programs can be executed by one or more processors to implement the steps of the key providing method described above;
the one or more fourth computer programs can be executed by one or more processors to implement the steps of the key providing method described above;
the one or more fifth computer programs can be executed by one or more processors to implement the steps of the key providing method described above.
The beneficial effects of the present invention are:
According to the key providing method and device, mobile terminal, communication equipment and computer-readable storage medium provided by embodiments of the present invention, the mobile terminal extracts authentication information and a user key from the received authentication message, generates a first verification key according to a key generation rule, and returns an authentication response message to the mobile network side. After receiving the authentication response message, the mobile network side likewise obtains the corresponding authentication information and user key, generates a second verification key, and uses it to encrypt first key information; the resulting third key information is returned to the mobile terminal, which decrypts it with the first verification key to obtain the first key information. Providing the key in this mutual manner addresses the security of the mobile terminal when it accesses the mobile network, ensures that the key is updated in real time, reduces tampering with the key, and thereby further improves the security of the system.
Other features of the invention and their corresponding beneficial effects are described in later parts of the specification, and it should be understood that at least some of the beneficial effects are apparent from the description of the invention.
Detailed description of the invention
Fig. 1 is a flow chart of the key providing method provided by Embodiment one of the present invention;
Fig. 2 is another flow chart of the key providing method provided by Embodiment two of the present invention;
Fig. 3 is a first structural schematic diagram of the mobile terminal provided by Embodiment three of the present invention;
Fig. 4 is a second structural schematic diagram of the mobile terminal provided by Embodiment three of the present invention;
Fig. 5 is a third structural schematic diagram of the mobile terminal provided by Embodiment three of the present invention;
Fig. 6 is a first structural schematic diagram of the communication equipment provided by Embodiment four of the present invention;
Fig. 7 is a second structural schematic diagram of the communication equipment provided by Embodiment four of the present invention;
Fig. 8 is a third structural schematic diagram of the communication equipment provided by Embodiment four of the present invention;
Fig. 9 is a structural schematic diagram of the communication system provided by Embodiment five of the present invention;
Fig. 10 is a schematic diagram of the mobile terminal key distribution architecture provided by an embodiment of the present invention;
Fig. 11 is a mobile terminal key providing flow diagram provided by Embodiment six of the present invention;
Fig. 12 is a mobile terminal key providing flow diagram provided by Embodiment seven of the present invention;
Fig. 13 is a mobile terminal key providing flow diagram provided by Embodiment eight of the present invention;
Fig. 14 is a mobile terminal key providing flow diagram provided by Embodiment nine of the present invention;
Fig. 15 is a mobile terminal key providing flow diagram provided by Embodiment ten of the present invention;
Fig. 16 is a mobile terminal key providing flow diagram provided by Embodiment eleven of the present invention;
Fig. 17 is a mobile terminal key updating flow diagram provided by Embodiment twelve of the present invention.
Specific embodiment
To make the objectives, technical solutions and advantages of the present invention clearer, embodiments of the present invention are described in further detail below through specific embodiments with reference to the accompanying drawings. It should be understood that the specific embodiments described herein are only used to explain the present invention and are not intended to limit it.
Embodiment one:
Referring to Fig. 1, the key providing method provided in this embodiment is mainly applied to a mobile terminal, and its specific implementation steps are as follows:
S11: extract authentication information and a user key from the received authentication message.
In practical applications, the authentication information includes at least one of a random string RAND, an authentication parameter AUTN, a challenge response RES and a session key, and may even be a secret key generated directly by the mobile terminal. The user key is stored on the mobile terminal, the base station and the mobile network at the same time.
S12: generate a first verification key from the authentication information and the user key.
In this step, the calculation must also be combined with a certain algorithm; the preferred algorithm may be a key computation algorithm or an encryption algorithm. Specifically, the authentication information and the user key are taken as input parameters, and the first verification key is generated according to a key generation rule.
Further, after the first verification key is generated, in order for the keys at the two ends, the mobile terminal and the mobile network side, to correspond to each other, an authentication response message must also be returned to the mobile network side.
In practical applications, this message may be at least one of an authentication request, a key providing request and a challenge response; different messages may carry different information, which can be chosen according to the actual situation.
S13: receive third key information sent by the mobile network side.
The third key information is the key information obtained after the mobile network side generates a second verification key according to the authentication response message and the key generation rule, and uses it to encrypt the first key information stored in the first core network of the mobile network side.
In this embodiment, after the mobile network side receives the authentication response message, it obtains the authentication information and the user key as input parameters and generates the second verification key in conjunction with the same key generation rule as the mobile terminal, and then generates the corresponding third key information from the second verification key and the first key information. This may be a key generation process, or an encryption process in which the key is the second verification key.
S14: decrypt the third key information with the first verification key to obtain the first key information.
In this embodiment, a verification key is not valid forever; under certain circumstances or special conditions it is updated. That is, after decrypting the third key information with the first verification key to obtain the first key information, the method further includes:
storing the first key information in the mobile terminal and setting a key update time;
when it is detected that the key update time has been reached, executing a key update step to obtain new first key information from the mobile network side.
In this embodiment, the authentication information used to generate the first verification key or the second verification key can be obtained in two ways: either it is generated by the mobile terminal itself and then sent to the equipment on the mobile network side, or it is generated by the equipment on the mobile network side and then returned to the mobile terminal.
In this embodiment, if the authentication information is generated by the mobile network side, the method further includes:
the mobile terminal sends a key providing request to the mobile network side; the key providing request carries indication information indicating that a verification key is to be obtained, and the key providing request is used to control the mobile network side to generate the authentication information, which includes at least a random string RAND, an authentication parameter AUTN, a challenge response and a session key;
extracting the authentication information from the received authentication message then includes:
receiving the authentication request returned by the mobile network side in response to the key providing request;
extracting the authentication information carried in the authentication request, the authentication information including a random string RAND, an authentication parameter AUTN, a challenge response RES and a session key.
In this embodiment, generating the first verification key from the authentication information and the user key according to the key generation rule, and returning the authentication response message to the mobile network side, includes:
taking the random string RAND as the input parameter, generating the first protection key and the challenge response from the user key and the random string according to the key generation rule;
carrying the challenge response in the authentication response message sent to the mobile network side.
Further, the mobile network side encrypting the first key information with the second verification key generated according to the authentication response message and the key generation rule, to obtain the key information, includes:
the mobile network side obtains the first key information from the first core network;
generates the second protection key from the random string in the authentication information and the user key;
generates the third key information from the second protection key and the first key information.
Decrypting the third key information with the first verification key to obtain the first key information then includes: decrypting the third key information with the first protection key to obtain the first key information.
In this embodiment, if the authentication information is generated by the mobile terminal, extracting the authentication information according to the received authentication scheduling includes:
receiving the network access request initiated by the mobile terminal itself;
generating the authentication information based on the network access request, the authentication information including a random string RAND or a secret key.
When the authentication information is generated by the mobile terminal and what is generated based on the network access request is the random string RAND, generating the first verification key from the authentication information and the user key according to the key generation rule, and returning the authentication response message to the mobile network side, includes:
taking the random string as the input parameter, generating the first protection key from the user key and the random string according to the key generation rule;
the mobile terminal sends a key provision request to the mobile network side, the key provision request carrying the random string.
If what is generated based on the network access request is a secret key, generating the first verification key from the authentication information and the user key according to the key generation rule, and returning the authentication response message to the mobile network side, includes:
encrypting the secret key with a preset public key to obtain a transmission key;
carrying the transmission key in a key provision request sent to the mobile network side, the key provision request serving as the authentication response message.
In this embodiment, if what the mobile terminal generates from the user key and the random string according to the key generation rule is the first protection key, the third key information received at the mobile terminal side is the key information obtained after the mobile network side encrypts the first key information with the second protection key, the second protection key being generated by the mobile network side from the random string sent by the mobile terminal and the key generation rule.
If what the mobile terminal generates from the authentication information and the user key according to the key generation rule is the transmission key, the mobile network side encrypting the first key information with the second verification key generated according to the authentication response message and the key generation rule, to obtain the key information, includes:
the mobile network side decrypts the transmission key with the private key corresponding to the public key to obtain the secret key;
encrypts the first key information with the secret key, obtaining the third key information.
In practical applications, the mobile terminal can also be divided into two modules, a security function and a terminal device, where the security function refers to a telephone card such as a UIM card or SIM card and the terminal device can be understood as a present-day communication handset or the like. The key provision method as implemented in the security function is as follows:
The security function receives a first call from the terminal device at the mobile terminal side and returns the result of the first call; the result of the first call does not include the first verification key, or the result of the first call includes second derived information, or the result of the first call includes a third verification key. The first verification key is generated from the terminal user key; the second derived information is used together with the terminal user key to generate the first verification key; the third verification key is obtained as the result of encrypting the second verification key; and the terminal user key is the copy of the user key held in the security function at the mobile terminal side. The security function also receives a second call from the terminal device at the mobile terminal side and returns the result of the second call; the second call includes the third key information, and the result of the second call does not include the first key information. The first key information is generated from the result of decrypting the third key information with the first verification key or the second verification key.
The result of the first call may include first derived information and second derived information. When it includes first derived information, the first verification key is generated from the terminal user key and the first derived information. Here the first derived information is supplied by the terminal device to the USIM; it may be generated by the terminal device or received from the network.
If the result of the first call includes second derived information, the first verification key is generated from the terminal user key and the second derived information.
The third verification key is obtained as the result of encrypting the second verification key with a secrecy key, the secrecy key being the public key of the mobile network side or a symmetric key shared with the mobile network side.
In this embodiment, the security function is further used to store network information corresponding to the first key information.
The key provision method in the security function further includes receiving a third call from the terminal device; the input parameters of the third call include verification information and part or all of the third key information, or the input parameters of the third call include verification information and a calculation result generated from part or all of the third key information;
the security function returns the result of the third call, which is the result of verifying the verification information in the input parameters with the first verification key or the second verification key;
where the third key information is used to generate the first key information by decrypting it with the first verification key or the second verification key.
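The following Python program is an added illustration of the security function and terminal device split described above (the first, second and third calls) together with the RAND-based exchange of the preceding paragraphs; it is not code from the patent or from ZTE. The patent does not specify the key generation rule or the cipher, so HMAC-SHA256 is assumed as the key generation rule and an HMAC-SHA256 keystream with an appended tag is assumed as a stand-in for the cipher; the labels "protect", "res", "verify" and "tag", the "initialize"/"update" indication values and the sample keys are constructed for the example, and AUTN and the session key are omitted.

```python
import hashlib
import hmac
import secrets


def kdf(key: bytes, *parts: bytes) -> bytes:
    """Assumed key generation rule (not fixed by the patent): HMAC-SHA256 over
    length-prefixed inputs, so different labels cannot collide."""
    msg = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (length + 31) // 32
    return b"".join(kdf(key, b"ks", nonce, i.to_bytes(4, "big")) for i in range(blocks))[:length]


def protect(key: bytes, data: bytes) -> bytes:
    """Assumed stand-in for the unspecified cipher: HMAC keystream XOR, then a
    32-byte tag over nonce and ciphertext (encrypt-then-MAC)."""
    nonce = secrets.token_bytes(16)
    body = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce + body + kdf(key, b"tag", nonce, body)


def unprotect(key: bytes, blob: bytes) -> bytes:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, kdf(key, b"tag", nonce, body)):
        raise ValueError("third key information failed its integrity check")
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))


class SecurityFunction:
    """UIM/SIM side. Holds the terminal user key; neither the first protection
    key nor the decrypted first key information is ever returned to a caller."""

    def __init__(self, terminal_user_key: bytes):
        self._user_key = terminal_user_key
        self._first_protection_key = None
        self._first_key_info = None

    def first_call(self, rand: bytes) -> dict:
        # key generation rule with RAND as input: first protection key and RES
        self._first_protection_key = kdf(self._user_key, b"protect", rand)
        return {"RES": kdf(self._user_key, b"res", rand)}  # no key in the result

    def third_call(self, verification_info: bytes, third_key_info: bytes) -> bool:
        # check the network's verification information with the first protection key
        expected = kdf(self._first_protection_key, b"verify", third_key_info)
        return hmac.compare_digest(expected, verification_info)

    def second_call(self, third_key_info: bytes) -> dict:
        self._first_key_info = unprotect(self._first_protection_key, third_key_info)
        return {"stored": True}  # the result deliberately omits the first key information

    def first_key_info_digest(self) -> bytes:
        """Fingerprint for auditing; the key information itself stays inside."""
        return hashlib.sha256(self._first_key_info).digest()


class NetworkSide:
    """Mobile network side: holds the network user key (copy of the user key)
    and the first key information stored in the first core network."""

    def __init__(self, network_user_key: bytes, first_key_info: bytes):
        self._nuk = network_user_key
        self._first_key_info = first_key_info
        self._rand = None

    def on_key_provision_request(self, indication: str) -> dict:
        if indication not in ("initialize", "update"):
            raise ValueError("indication information must be initialize or update")
        self._rand = secrets.token_bytes(16)  # authentication information (AUTN etc. omitted)
        return {"RAND": self._rand}

    def on_authentication_response(self, res: bytes):
        if self._rand is None or not hmac.compare_digest(res, kdf(self._nuk, b"res", self._rand)):
            raise PermissionError("challenge response RES does not match")
        second_protection_key = kdf(self._nuk, b"protect", self._rand)
        third_key_info = protect(second_protection_key, self._first_key_info)
        verification_info = kdf(second_protection_key, b"verify", third_key_info)
        return third_key_info, verification_info


def provision(sf: SecurityFunction, net: NetworkSide, indication: str = "initialize") -> bytes:
    """Terminal device role: relays messages and sees only RES and ciphertext.
    Returns the digest of the provisioned first key information."""
    auth = net.on_key_provision_request(indication)
    res = sf.first_call(auth["RAND"])["RES"]
    third_key_info, verification_info = net.on_authentication_response(res)
    if not sf.third_call(verification_info, third_key_info):
        raise ValueError("verification information rejected by the security function")
    sf.second_call(third_key_info)
    return sf.first_key_info_digest()


if __name__ == "__main__":
    user_key = secrets.token_bytes(32)  # constructed shared user key
    net = NetworkSide(user_key, b"constructed first key information")
    print(provision(SecurityFunction(user_key), net).hex())
```

Running the module provisions one key. The point to observe is that SecurityFunction never returns the first protection key or the first key information, so an application on the terminal device sees only RES and ciphertext, and that the third call lets the security function reject forged third key information before the second call decrypts it; a terminal whose user key differs from the network's copy fails at the RES check and receives no third key information at all.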
When the key provision method is implemented on the terminal device, the specific steps are as follows:
The terminal device receives the third key information from the mobile network side and initiates a second call to the security function, the second call including the third key information;
the third key information is obtained by the mobile network side encrypting the first key information with the second verification key; the second verification key is generated by the mobile network side from the network user key, or is obtained by the mobile network side decrypting the third verification key, which the mobile terminal sends to the mobile network side.
Further, the terminal device is also used to initiate a first call to the security function and to receive the result of the first call, the result of the first call including the third verification key.
Further, the terminal device is also used to initiate a third call to the security function; the input parameters of the third call include verification information and part or all of the third key information, or include verification information and a calculation result generated from part or all of the third key information;
the terminal device receives the verification result returned by the security function, the verification result being the result of verifying the verification information in the input parameters with the first verification key or the second verification key.
In this embodiment, the terminal device is also used to initiate a first call to the security function and to receive the result of the first call, the first call including first derived information; the first derived information is used together with the terminal user key to generate the first verification key and is either generated by the terminal device or received from the mobile network side, and the first verification key is used to decrypt the third key information.
In this embodiment, the terminal device is also used to send the first derived information to the mobile network side; the first derived information is generated by the terminal device and is used together with the terminal user key to generate the first verification key, which is used to decrypt the third key information.
In this embodiment, the terminal device is also used to initiate a first call to the security function and to receive the result of the first call, the result of the first call including second derived information; the second derived information is used together with the terminal user key to generate the first verification key, which is used to decrypt the third key information; and the terminal device sends the second derived information to the mobile network side.
In this embodiment, the key provision method on the terminal device is implemented as follows:
receiving the third key information from the mobile network side, and initiating a second call to the security function at the mobile terminal side, the second call including the third key information;
the third key information is obtained by the mobile network side as the result of encrypting the first key information with the second verification key; the second verification key is generated by the mobile network side from the network user key, or is obtained by the mobile network side as the result of decrypting the third verification key, which the mobile terminal sends to the mobile network side; the network user key is the copy of the user key held at the mobile network side.
In this embodiment, the method further includes:
initiating a first call to the security function at the mobile terminal side, and receiving the result of the first call, the result of the first call including the third verification key.
In this embodiment, the method further includes:
initiating a third call to the security function at the mobile terminal side, the input parameters of the third call including verification information and part or all of the third key information, or including verification information and a calculation result generated from part or all of the third key information;
receiving the verification result returned by the security function at the mobile terminal side, the verification result being the result of verifying the verification information in the input parameters with the first verification key or the second verification key.
In this embodiment, the method further includes:
initiating a first call to the security function at the mobile terminal side, and receiving the result of the first call, the first call including first derived information; the first derived information is used together with the terminal user key to generate the first verification key and is either generated by the terminal device at the mobile terminal side or received from the mobile network side; the first verification key is used to decrypt the third key information; and the terminal user key is the copy of the user key held at the mobile terminal side.
In this embodiment, the method further includes:
sending the first derived information to the mobile network side.
Further, the method further includes:
initiating a first call to the security function at the mobile terminal side, and receiving the result of the first call, the result of the first call including second derived information; the second derived information is used together with the terminal user key to generate the first verification key, which is used to decrypt the third key information; the terminal user key is the copy of the user key held at the mobile terminal side;
sending the second derived information to the mobile network side.
In summary, in the key provision method of this embodiment the mobile terminal extracts the authentication information and the user key according to the received authentication scheduling, generates the first verification key according to the key generation rule, and returns an authentication response message to the mobile network side; after receiving the authentication response message, the mobile network side likewise obtains the corresponding authentication information and user key, generates the second verification key, encrypts the first key information to obtain the third key information and returns it to the mobile terminal; the mobile terminal then decrypts the third key information with the first verification key to obtain the first key information. Provisioning keys in this mutual way secures the mobile terminal's access to the mobile network, ensures that keys are updated promptly, reduces the risk of keys being tampered with, and so further improves the security of the system.
Embodiment two:
Referring to Fig. 2, this embodiment provides a key provision method applied mainly at the mobile network side, the mobile network side including a first core network and a second core network. The specific steps are as follows:
S21: receiving a key provision request from the mobile terminal side.
S22: generating a second verification key from the key provision request and the user key according to the key generation rule.
S23: encrypting, with the second verification key, the first key information stored in the first core network of the mobile network side to obtain third key information.
S24: returning the third key information to the mobile terminal.
In this embodiment, the authentication information used to generate the second verification key can be obtained in two ways: it is either generated by the mobile terminal and then sent to the equipment on the mobile network side, or generated by the equipment on the mobile network side itself and then returned to the mobile terminal.
If it is generated by the mobile network itself, generating the second verification key from the key provision request and the user key according to the key generation rule includes:
extracting the indication information carried in the key provision request, which indicates that a verification key is to be obtained;
generating the authentication information according to the indication information, the authentication information including a random string RAND;
generating the second verification key from the random string and the user key according to the key generation rule.
Further, after generating the authentication information according to the indication information, the method further includes:
sending an authentication request carrying the authentication information to the mobile terminal, and receiving the authentication response message that the mobile terminal returns based on the authentication request.
In practical applications, the mobile network itself can take two forms: one includes two core networks, the first core network and the second core network, and the other includes only the first core network. When two core networks are included and the second verification key is a protection key, encrypting with the second verification key the first key information stored in the first core network of the mobile network side to obtain the third key information includes:
the first core network encrypts the first key information with the second protection key that the second core network generates from the random string and the user key, obtaining the third key information;
or,
the first core network obtains the first key information when it receives the authentication response message and sends it to the second core network; the second core network encrypts the first key information with the second protection key, obtaining the third key information.
In this embodiment, the first key information can exist in two forms: directly as the first key information, stored in the first core network, or as second key information, stored at the base station, the second key information being generated from the first key information. When the first core network cannot obtain the first key information directly, it can choose to generate the third key information from the other key information; that is, the key provision method further includes:
when the first core network cannot obtain the first key information, obtaining the second key information from the base station side, generating the second protection key from the random string and the user key, and generating the third key information from the second protection key and the second key information; the second key information is associated with the first key information and is generated from the first key information and the common parameters of the base station.
In this embodiment, when the authentication information is generated by the mobile terminal, it can be carried in the request sent by the mobile terminal; that is, generating the second verification key from the key provision request and the user key according to the key generation rule includes:
extracting the authentication information carried in the key provision request, the authentication information being generated by the mobile terminal and including at least a random string RAND;
generating the second verification key from the random string and the user key according to the key generation rule.
In practical applications, the authentication information sent by the mobile terminal may be a random string or a secret key; in the latter case, what the mobile terminal actually sends is a transmission key generated from the secret key that the mobile terminal generated.
After the mobile network side receives the authentication information, it generates the second verification key from the received information; the second verification key may be a protection key or a secret key.
If the second verification key is a secret key, encrypting with the second verification key the first key information stored in the first core network of the mobile network side to obtain the third key information includes:
the first core network receives the secret key that the second core network generates from the random string and the user key, and encrypts the first key information with the secret key, obtaining the third key information.
In this case, generating the second verification key from the key provision request and the user key according to the key generation rule includes:
the first core network extracts the transmission key carried in the key provision request, the transmission key having been obtained by the mobile terminal encrypting its secret key with the preset public key;
decrypting the transmission key with the private key corresponding to the public key to obtain the secret key of the mobile terminal;
and encrypting with the second verification key the first key information stored in the first core network of the mobile network side to obtain the third key information includes: encrypting the first key information with the secret key of the mobile terminal, obtaining the third key information.
In this embodiment, considering that the second verification key may still be updated or modified, for security the method further includes, after returning the third key information to the mobile terminal:
detecting whether the first key information has been updated;
if so, resending the third key information to the mobile terminal;
where the third key information is generated from the second verification key and the updated first key information, or the third key information is generated from the secret key of the mobile terminal and the updated first key information.
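The following Python program is an added illustration of the network side of this embodiment: the second core network function answers the first core network's key request with the second protection key derived from the derived information and the network user key, the first core network falls back to the base station's second key information when it cannot obtain the first key information, and the update check of the preceding paragraph resends the third key information only when the first key information has changed. It is not code from the patent or from ZTE; HMAC-SHA256 is assumed as the key generation rule, a one-shot HMAC keystream with a tag is assumed as a stand-in for the cipher for key information of at most 32 bytes, and the labels, parameter values and keys are constructed for the example. open_sealed is included only so the results can be checked.

```python
import hashlib
import hmac
import secrets


def kdf(key: bytes, *parts: bytes) -> bytes:
    """Assumed key generation rule: HMAC-SHA256 over length-prefixed inputs."""
    msg = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).digest()


def seal(key: bytes, info: bytes) -> bytes:
    """Assumed one-shot stand-in for the unspecified cipher, for key information
    of at most 32 bytes: nonce || info XOR HMAC keystream || tag."""
    if len(info) > 32:
        raise ValueError("one-shot keystream covers at most 32 bytes")
    nonce = secrets.token_bytes(16)
    body = bytes(a ^ b for a, b in zip(info, kdf(key, b"ks", nonce)))
    return nonce + body + kdf(key, b"tag", nonce, body)


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Terminal-side decryption, included only to check the results."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, kdf(key, b"tag", nonce, body)):
        raise ValueError("third key information failed its integrity check")
    return bytes(a ^ b for a, b in zip(body, kdf(key, b"ks", nonce)))


class SecondCoreNet:
    """Holds the network user key and answers the first core network's key request."""

    def __init__(self, network_user_key: bytes):
        self._nuk = network_user_key

    def key_request(self, third_derived_info: bytes) -> bytes:
        # second protection key from the third derived information and the network user key
        return kdf(self._nuk, b"protect", third_derived_info)


class BaseStation:
    """Holds the second key information, derived from the first key information
    and the base station's common parameters."""

    def __init__(self, common_params: bytes, first_key_info: bytes):
        self.common_params = common_params
        self.second_key_info = kdf(first_key_info, b"bs", common_params)


class FirstCoreNet:
    def __init__(self, second_core_net: SecondCoreNet, base_station: BaseStation, first_key_info):
        self._scn = second_core_net
        self._bs = base_station
        self.first_key_info = first_key_info  # None models "cannot be obtained"
        self._second_protection_key = None
        self._sent_digest = None

    def _key_info_to_send(self) -> bytes:
        if self.first_key_info is not None:
            return self.first_key_info
        return self._bs.second_key_info  # fall back to the base station's copy

    def handle_key_provision_request(self, second_derived_info: bytes, first_derived_info: bytes) -> bytes:
        """S21 to S24: obtain the second protection key from the second core network,
        encrypt the key information and return the third key information."""
        third_derived_info = second_derived_info + first_derived_info
        self._second_protection_key = self._scn.key_request(third_derived_info)
        info = self._key_info_to_send()
        self._sent_digest = hashlib.sha256(info).digest()
        return seal(self._second_protection_key, info)

    def check_for_update(self):
        """Resend the third key information only if the first key information changed."""
        info = self._key_info_to_send()
        digest = hashlib.sha256(info).digest()
        if digest == self._sent_digest:
            return None
        self._sent_digest = digest
        return seal(self._second_protection_key, info)


if __name__ == "__main__":
    nuk = secrets.token_bytes(32)  # constructed network user key
    first_key_info = b"constructed-first-key-info"
    bs = BaseStation(b"cell-common-params", first_key_info)
    fcn = FirstCoreNet(SecondCoreNet(nuk), bs, first_key_info)
    blob = fcn.handle_key_provision_request(b"derived-2", b"derived-1")
    print(len(blob), fcn.check_for_update() is None)
```

The first core network keeps only a digest of what it last sent, so an unchanged first key information produces no retransmission, and every resend is freshly encrypted under the same second protection key; the fallback path encrypts the base station's second key information, which the terminal can relate to the first key information because both were derived from it with the base station's common parameters.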
In this embodiment, when the key provision method is implemented in the first core network function of the mobile network side, it is specifically as follows:
sending third key information to the mobile terminal; or,
sending first key information to the second core network function, receiving the third key information sent by the second core network function, and sending the third key information to the mobile terminal;
where the third key information is generated from the second verification key and the first key information; the second verification key is generated by decrypting a third verification key, or is generated by the second core network function from the network user key; the third verification key is received from the mobile terminal, and the network user key is the copy of the user key held at the second core network function side.
Further, when interacting with the second core network function, the method also includes sending a key request to the second core network function;
and receiving the second verification key from the second core network function.
In this embodiment, the key request includes third derived information; the third derived information is received from the mobile terminal and is used together with the network user key to generate the second verification key. The third derived information consists of the second derived information described above together with part or all of the first derived information (generated by the terminal).
Further, the key request also includes the third verification key, which is received from the mobile terminal.
Further, when interacting with the mobile terminal, the method also includes sending first derived information to the mobile terminal; the first derived information is received from the second core network function and is used together with the network side user key to generate the second verification key.
Further, verification information can also be sent to the mobile terminal;
where the verification information is generated from the second verification key and part or all of the third key information; or from the second verification key and a first calculation result, the first calculation result being generated from part or all of the third key information; or from the second verification key and part or all of the first key information; or from the second verification key and a second calculation result, the second calculation result being generated from part or all of the first key information.
When the method is implemented in the second core network function, it is specifically: receiving first key information from the first core network function and sending third key information to the first core network function, the third key information being generated from the first key information and the second verification key, and the second verification key being generated from the network user key or by decrypting a third verification key received from the first core network function; or,
receiving second derived information from the first core network function and sending the second verification key to the first core network function, the second verification key being generated from the second derived information and the network user key; or,
sending first derived information to the first core network function and sending the second verification key to the first core network function, the second verification key being generated from the first derived information and the network user key;
the network user key is the copy of the user key held at the second core network function side.
Further, the second verification key may be generated by decrypting the third verification key, which is received from the first core network function.
In summary, in the key provision method of this embodiment the mobile terminal extracts the authentication information and the user key according to the received authentication scheduling, generates the first verification key according to the key generation rule, and returns an authentication response message to the mobile network side; after receiving the authentication response message, the mobile network side likewise obtains the corresponding authentication information and user key, generates the second verification key, encrypts the first key information to obtain the third key information and returns it to the mobile terminal; the mobile terminal decrypts the third key information with the first verification key to obtain the first key information. Provisioning keys in this mutual way secures the mobile terminal's access to the mobile network, ensures that keys are updated promptly, reduces the risk of keys being tampered with, and so further improves the security of the system.
Embodiment three:
This embodiment provides a mobile terminal, shown in Figure 3, which includes a calling module 31, a first key generation module 32, a first communication module 33 and a decryption module 34, where:
the calling module 31 is used to extract authentication information and a user key according to the received authentication scheduling;
the first key generation module 32 is used to generate a first verification key from the authentication information and the user key according to the key generation rule;
the first communication module 33 is used to return an authentication response message to the mobile network side, and to receive the third key information sent by the mobile network side, the third key information being the key information obtained after the mobile network side encrypts the first key information stored in the first core network of the mobile network side with the second verification key generated according to the authentication response message and the key generation rule;
the decryption module 34 is used to decrypt the third key information with the first verification key to obtain the first key information.
In this embodiment, the calling module 31, first key generation module 32, first communication module 33 and decryption module 34 are also used to implement the functions of the steps of the key provision method provided in embodiment one; the specific implementation of each step is described in the embodiments above and is not repeated here.
Further, the embodiment of the invention also provides another mobile terminal structure, shown in Figure 4; this mobile terminal includes a security function module 41 and a terminal device module 42, where:
the terminal device module 42 sends authentication scheduling to the security function module 41;
the security function module 41 extracts authentication information and a user key according to the received authentication scheduling, generates a first verification key from the authentication information and the user key according to the key generation rule, and returns an authentication response message to the mobile network side;
the terminal device module 42 receives the third key information sent by the mobile network side and forwards it to the security function module 41, the third key information being the key information obtained after the mobile network side encrypts the first key information stored in the first core network of the mobile network side with the second verification key generated according to the authentication response message and the key generation rule;
the security function module 41 decrypts the third key information with the first verification key to obtain the first key information.
In this embodiment, the security function module 41 and the terminal device module 42 are also used to implement the functions of the steps of the key provision method provided in embodiment one; the specific implementation of each step is described in the embodiments above and is not repeated here.
In practical applications, the security function module 41 is specifically used to receive a call from the terminal device, the call taking at least the random string RAND as an input parameter; to generate a protection key and a challenge response from the user key and the random string; and to return the call, the returned information including the challenge response but not the protection key; or,
to receive a call from the terminal device and return a random string RAND, the RAND being used together with the user key to generate a protection key; or,
to receive a call from the terminal device and return a transmission key, the transmission key being generated from a secret key and a public key.
Further, the security function module 41 is also used to receive a call from the terminal device whose input parameters include part or all of the third key information, and
to generate a first key from the protection key and the input parameters; or,
to generate a second key from the protection key and the input parameters; or,
to generate a first key from the protection key and the input parameters and then generate a second key from the first key.
Further, the security function module 41 is also used to generate a fourth key from a secret key and the first key or the second key,
and to return the fourth key to the terminal device.
Further, the security function module 41 is also used to store the first key or the second key, and to store the network information corresponding to the first key or the second key.
Further, before returning the RAND, the security function module 41 is also used to generate the RAND or read the stored RAND,
and to generate the protection key from the RAND and the user key.
Further, before returning the transmission key, the security function module 41 is also used to generate the secret key or read the stored secret key,
and to generate the transmission key from the secret key and the public key.
In practical applications, the terminal device module 42 is specifically configured to receive a message from the mobile network carrying the third key information;
to store the third key information, or to call the security function with input parameters that include part or all of the third key information;
wherein the third key information is generated from a protection key and the first key information or the second key information, or the third key information is generated from a secret key and the first key information or the second key information;
wherein the protection key is generated from the user key, the second key information is generated from the first key information or matched with the first key information, and the secret key is generated by the security function or stored in the security function.
Further, the terminal device 42 is also configured to receive fourth key information returned by the security function, the fourth key information being generated from the secret key and the first key information or the second key information.
Further, before receiving the message carrying the third key information from the mobile network, the terminal device 42 is also configured to send a key providing request to the mobile network; the key providing request carries instruction information, and the instruction information indicates initialization or update.
Further, the terminal device 42 is also configured to store the network information corresponding to the third key.
Further, the terminal device 42 is also configured to send a random string RAND to the mobile network, the RAND being received from the security function and used together with the user key to generate the protection key; or,
to send a transmission key to the mobile network, the transmission key being received from the security function.
Further, an embodiment of the present invention also provides another mobile terminal structure; as shown in Figure 5, the mobile terminal comprises a first processor 51, a first memory 52, a first communication unit 53 and a first communication bus 54;
the first communication bus 54 implements the communication connection between the first processor 51, the first communication unit 53 and the first memory 52;
the first processor 51 executes one or more first programs stored in the first memory 52 to implement the steps of the key providing method provided by embodiment one above; for the specific implementation of each step, refer to the explanation in the above embodiments, which is not repeated here.
In this embodiment, the structure of the mobile terminal can also be implemented by a first receiving module and a first key generation module, specifically:
the first receiving module is configured to receive the third key information sent by the mobile network side; the third key information is obtained by the mobile network side from the result of encrypting the first key information with a second authentication secret; the second authentication secret is generated by the mobile network side from the network user key, or obtained by the mobile network side from the result of decrypting a third authentication secret; the third authentication secret is obtained by the mobile terminal from the result of encrypting the second authentication secret and is sent to the mobile network side;
the first key generation module is configured to generate the first key information from the result of decrypting the third key information with a first authentication secret or with the second authentication secret; the first authentication secret is generated by the mobile terminal from the terminal user key, where the network user key is the backup of the user key on the mobile network side and the terminal user key is the backup of the user key in the mobile terminal.
Further, the structure of the mobile terminal can also include a second receiving module, configured to receive the third key information from the mobile network side and to initiate a second call to the key providing device, the second call containing the third key information;
the third key information is obtained by the mobile network side by encrypting the first key information with the second authentication secret; the second authentication secret is generated by the mobile network side from the network user key, or is obtained by the mobile network side by decrypting a third authentication secret, the third authentication secret being sent to the mobile network side by the mobile terminal.
In this embodiment, a key providing device can also be arranged in the terminal, the key providing device comprising:
a first calling module, configured to receive a first call from the terminal device on the mobile terminal side and to return the result of the first call; the result of the first call does not contain the first authentication secret, or the result of the first call contains second derived information, or the result of the first call contains a third authentication secret; wherein the first authentication secret is generated from the terminal user key, the second derived information is used together with the terminal user key to generate the first authentication secret, the third authentication secret is obtained from the result of encrypting the second authentication secret, and the terminal user key is the backup of the user key in the security function on the mobile terminal side;
a second calling module, configured to receive a second call from the terminal device on the mobile terminal side and to return the result of the second call; the second call contains the third key information, and the result of the second call does not contain the first key information; wherein the first key information is generated from the result of decrypting the third key information with the first authentication secret or the second authentication secret.
In this embodiment, a mobile terminal can also be provided, comprising:
a second receiving module, configured to receive the third key information from the mobile network side and to initiate a second call to the key providing device, the second call containing the third key information;
the third key information is obtained by the mobile network side from the result of encrypting the first key information with the second authentication secret; the second authentication secret is generated by the mobile network side from the network user key, or is obtained by the mobile network side from the result of decrypting a third authentication secret; the third authentication secret is sent to the mobile network side by the mobile terminal, and the network user key is the backup of the user key on the mobile network side.
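The following is an added illustration of the user-key-based variant of this embodiment, not code from the patent: both sides hold a backup of the same user key, the network derives the second authentication secret from its backup, encrypts the first key information into third key information, and the security function derives the first authentication secret from its own backup and decrypts. The patent does not fix a cipher or a key derivation rule, so the HMAC-SHA-256 derivation, the HMAC-based encrypt-then-MAC wrapping, the labels, and the sample values below are all assumptions made for this example. The variant in which a third authentication secret carries the second authentication secret to the network is not modelled.

```python
import hashlib
import hmac
import os

def kdf(key: bytes, label: bytes, *ctx: bytes) -> bytes:
    """Assumed key generation rule: HMAC-SHA-256 over a label and length-prefixed context."""
    mac = hmac.new(key, label, hashlib.sha256)
    for c in ctx:
        mac.update(len(c).to_bytes(2, "big") + c)
    return mac.digest()

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Counter-mode keystream built from the KDF (assumed construction)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += kdf(key, b"stream", nonce, ctr.to_bytes(4, "big"))
        ctr += 1
    return out[:n]

def wrap(auth_secret: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under separate keys derived from the authentication secret."""
    enc_key, mac_key = kdf(auth_secret, b"enc"), kdf(auth_secret, b"mac")
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unwrap(auth_secret: bytes, blob: bytes):
    """Verify the tag first; on failure nothing is decrypted and nothing leaves the security function."""
    enc_key, mac_key = kdf(auth_secret, b"enc"), kdf(auth_secret, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))

# Constructed sample values; a real deployment takes them from the USIM and the core network.
USER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
FIRST_KEY_INFO = b"base-station-shared-key-v1"

def network_side(network_user_key: bytes, auth_response: bytes, first_key_info: bytes) -> bytes:
    """Mobile network side: second authentication secret from the network user key, then encrypt."""
    second_auth_secret = kdf(network_user_key, b"auth-secret", auth_response)
    return wrap(second_auth_secret, first_key_info)

def terminal_side(terminal_user_key: bytes, auth_response: bytes, third_key_info: bytes):
    """Security function: first authentication secret from the terminal user key, then decrypt."""
    first_auth_secret = kdf(terminal_user_key, b"auth-secret", auth_response)
    return unwrap(first_auth_secret, third_key_info)

def run(terminal_user_key: bytes = USER_KEY, tamper: bool = False):
    """Full exchange; returns the recovered first key information or None on failure."""
    auth_response = b"RES:constructed-sample"
    third_key_info = network_side(USER_KEY, auth_response, FIRST_KEY_INFO)
    if tamper:  # flip one ciphertext bit in transit
        third_key_info = third_key_info[:20] + bytes([third_key_info[20] ^ 1]) + third_key_info[21:]
    return terminal_side(terminal_user_key, auth_response, third_key_info)

if __name__ == "__main__":
    print(run() == FIRST_KEY_INFO, run(tamper=True), run(terminal_user_key=b"\x00" * 16))
```

Because the two backups of the user key agree, the derived authentication secrets agree and the first key information is recovered; a mismatched backup or a modified message fails the tag check and the security function returns nothing rather than a corrupted key.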
Embodiment four:
This embodiment provides a communication device; referring to Figure 6, the communication device comprises a second communication module 61, a second key generation module 62 and an encryption module 63, wherein:
the second communication module 61 is configured to receive a key providing request from the mobile terminal side;
the second key generation module 62 is configured to generate, from the key providing request and the user key, a second authentication secret according to the key generation rule;
the encryption module 63 is configured to encrypt, with the second authentication secret, the first key information stored in the first core network of the mobile network side, obtaining third key information;
the second communication module 61 is also configured to return the third key information to the mobile terminal.
In this embodiment, the second communication module 61, the second key generation module 62 and the encryption module 63 are also used to implement the functions of each step of the key providing method provided by embodiment two above; for the specific implementation of each step, refer to the explanation in the above embodiments, which is not repeated here.
Further, an embodiment of the present invention also provides another communication device structure; as shown in Figure 7, the communication device comprises an authentication function module 71, a base station protection function module 72 and an authentication and subscription data management function module 73, wherein:
the authentication function module 71 receives the key providing request sent by the mobile terminal;
the base station protection function module 72 forwards the key providing request to the authentication and subscription data management function module 73;
the authentication and subscription data management function module 73 generates, from the key providing request and the user key, a second authentication secret according to the key generation rule, and encrypts with the second authentication secret the first key information stored in the first core network of the mobile network side, obtaining third key information;
the authentication function module 71 returns the third key information to the mobile terminal.
In this embodiment, the authentication function module 71, the base station protection function module 72 and the authentication and subscription data management function module 73 are also used to implement the functions of each step of the key providing method provided by embodiment two above; for the specific implementation of each step, refer to the explanation in the above embodiments, which is not repeated here.
In this embodiment, the authentication function module 71 and the base station protection function module 72 may be combined into a single function module.
In practical applications, when the authentication function module 71, the base station protection function module 72 and the authentication and subscription data management function module 73 implement the key providing method provided by embodiment two, the following sequence of steps can also be used, specifically:
the authentication function module 71 receives the key providing request sent by the mobile terminal;
the base station protection function module 72 forwards the key providing request to the authentication and subscription data management function module 73;
the authentication and subscription data management function module 73 generates, from the key providing request and the user key, a second authentication secret according to the key generation rule;
the base station protection function module 72 encrypts, with the second authentication secret, the first key information stored in the first core network of the mobile network side, obtaining third key information;
the authentication function module 71 returns the third key information to the mobile terminal.
In practical applications, the communication device comprises a first core network and a second core network, wherein:
the authentication function module 71 and the base station protection function module 72 in the first core network may be implemented as follows:
send third key information to the mobile terminal; or,
send the first key information or the second key information to the second core network function, receive the third key information sent by the second core network function, and send the third key information to the mobile terminal;
wherein the third key information is generated from a protection key and the first key information or the second key information, or the third key information is generated from a secret key and the first key information or the second key information;
wherein the protection key is generated from the user key of the mobile terminal, the second key information is generated from the first key information or matched with the first key information, and the secret key is generated by the mobile terminal or stored in the mobile terminal.
Further, the communication device is also configured to send the third key information to the mobile terminal after receiving the protection key or the secret key;
wherein the third key information is generated from the protection key and the first key information or the second key information, or the third key information is generated from the secret key and the first key information or the second key information.
The communication device is also configured to send the third key information to the mobile terminal after the first key information or the second key information is updated;
wherein the third key information is generated from the protection key and the updated first key information or the updated second key information, or the third key information is generated from the secret key and the updated first key information or the updated second key information.
The communication device is also configured to receive a key providing request from the terminal and to send a second message to the second core network function; the message carries instruction information, and the instruction information indicates that the protection key or the secret key is requested; the key providing request either passes through the second core network function or does not pass through it.
The communication device is also configured to send a random string RAND to the second core network function, the RAND being received from the mobile terminal and used together with the user key of the mobile terminal to generate the protection key.
The communication device is also configured to send a transmission key to the second core network function, the transmission key being received from the mobile terminal and used to generate the secret key.
The authentication and subscription data management function module 73 in the second core network is specifically configured to receive the second message carrying the instruction information and to send a protection key to the first core network function, the protection key being generated from the user key.
In practical applications, the communication device can also comprise a third core network; in that case the communication device is also configured to receive a third message carrying the first key information or the second key information and to send third key information to the mobile terminal, wherein the third key information is generated from a protection key and the first key information or the second key information, or the third key information is generated from a secret key and the first key information or the second key information;
wherein the protection key is generated from the user key of the mobile terminal, the secret key is generated by the mobile terminal or stored in the mobile terminal, and the second key information is generated from the first key information or matched with the first key information.
The communication device is also configured to receive a fourth message requesting an authentication vector, compute a new random string RAND' from a random string RAND, generate a session key from the RAND' and send it; or, to receive a fourth message requesting an authentication vector that carries a random string RAND, generate a session key from the RAND and send it; or, to receive a fourth message requesting an authentication vector that carries a transmission key, generate a secret key from the transmission key and a private key and send it;
wherein the session key is used to generate the protection key; the protection key or the secret key is used to process the first key information or the second key information to generate the third key information; and the second key information is generated from the first key information or matched with the first key information.
Further, an embodiment of the present invention also provides another communication device structure; as shown in Figure 8, it comprises a second processor 81, a second memory 82, a second communication unit 83 and a second communication bus 84;
the second communication bus 84 implements the communication connection between the second processor 81, the second communication unit 83 and the second memory 82;
the second processor 81 executes one or more first programs stored in the second memory 82 to implement the steps of the key providing method provided by embodiment two above; for the specific implementation of each step, refer to the explanation in the above embodiments, which is not repeated here.
Embodiment five:
This embodiment provides a communication system; referring to Figure 9, the system comprises a mobile terminal 91 and a communication device 92, and communication between the mobile terminal 91 and the communication device 92 is established through a base station;
the mobile terminal 91 sends a key providing request to the communication device 92;
the communication device 92 generates authentication information according to the key providing request and returns it to the mobile terminal 91;
the mobile terminal 91 generates a first authentication secret from the authentication information and the user key according to the key generation rule, and returns an authentication response message to the communication device 92;
after receiving the authentication response message, the communication device 92 encrypts the first key information stored in the communication device with a second authentication secret generated from the authentication information and the user key according to the key generation rule, obtaining third key information, and returns the third key information to the mobile terminal 91;
the mobile terminal 91 decrypts the third key information with the first authentication secret and obtains the first key information.
In practical applications, the devices of the communication system can also implement the key providing method provided by embodiments one and two by the following sequence: first, the mobile terminal 91 initiates an access network request, generates authentication information, generates a first authentication secret from the authentication information and the user key, and sends the authentication information to the communication device 92;
the communication device 92 encrypts the first key information stored in the communication device with a second authentication secret generated from the authentication information and the user key according to the key generation rule, obtaining third key information, and returns the third key information to the mobile terminal 91;
the mobile terminal 91 decrypts the third key information with the first authentication secret and obtains the first key information.
In this embodiment, the mobile terminal 91 and the communication device 92 are also used to implement the functions of each step of the key providing method provided by embodiments one and two above; for the specific implementation of each step, refer to the explanation in the above embodiments, which is not repeated here.
In practical applications, the mobile terminal 91 and the communication device 92 can also be implemented specifically by the mobile terminal and the communication device provided in embodiments three and four above.
In this embodiment, another communication device structure is also provided, the communication device comprising:
a first sending module, configured to send third key information to the mobile terminal, or to send first key information to the second core network function;
a third receiving module, configured to receive the third key information sent by the second core network function and to send the third key information to the mobile terminal;
wherein the third key information is generated from a second authentication secret and the first key information; the second authentication secret is generated by decrypting a third authentication secret, or generated by the second core network function from the network user key; the third authentication secret is received from the mobile terminal, and the network user key is the backup of the user key on the second core network function side.
In this embodiment, another communication device structure is also provided, the communication device comprising:
a fourth receiving module, configured to receive the first key information from the first core network function, and a second sending module, configured to send third key information to the first core network function, the third key information being generated from the first key information and a second authentication secret, the second authentication secret being generated from the network user key or generated by decrypting a third authentication secret, and the third authentication secret being received from the first core network function; or,
a fourth receiving module, configured to receive second derived information from the first core network function, and a second sending module, configured to send a second authentication secret to the first core network function, the second authentication secret being generated from the second derived information and the network user key; or,
a second sending module, configured to send first derived information to the first core network function and to send a second authentication secret to the first core network function, the second authentication secret being generated from the first derived information and the network user key, where the network user key is the backup of the user key on the second core network function side.
Embodiment six:
The key providing method provided by the embodiments of the present invention is described in detail below with reference to a specific application scenario, using the system structure in Figure 10. The structure can be roughly divided into the following parts: the mobile terminal, the base station and the mobile network, where the mobile network comprises a first core network and a second core network.
Figure 10 is the architecture diagram of the system equipment for key distribution of the present invention, including the following functions and interfaces:
Security function F1: located in mobile terminal F3; it interacts with terminal device F2 through the internal component interface S10 of mobile terminal F3 to obtain the protected key information provided by the network and process it, and it can also prevent terminal device F2 from obtaining the key information. This function can be a software function running on terminal device F2, or it can run on a USIM card (Universal Subscriber Identity Module) or UICC card or other secure hardware that is independent of terminal device F2 and forms mobile terminal F3 together with terminal device F2;
Terminal device F2 (equivalent to the processor, communication module and similar modules in the mobile terminal): the hardware devices of mobile terminal F3 for communication, computation and storage;
terminal device F2 interacts with base station F4 through the air signaling and data interface S1 and with authentication function F5 through signaling interface S8 in order to receive the communication services provided by the mobile network; messages on signaling interface S8 are transmitted through signaling interface S1 and signaling interface S3;
terminal device F2 can also interact directly with base station protection function F6 through signaling interface S9 to receive key distribution and maintenance services; messages on signaling interface S9 can be transmitted through signaling interface S8 and signaling interface S4;
Mobile terminal F3: comprises security function F1 and terminal device F2;
Base station F4: the access network software function or hardware device of the mobile network; it interacts with mobile terminal F3 through the control signaling and data interface S1 and provides mobile terminal F3 with the services offered by the mobile network, such as communication; for example an eNB (4G base station) or gNB (5G base station);
Authentication function F5: the software function or hardware device of the core network of the mobile network; it interacts with base station F4 through signaling interface S3 so that mutual authentication between the mobile network and mobile terminal F3 can be achieved; for example an MME (Mobility Management Entity), a SEAF (security anchor function) or an AMF (Access and Mobility Management Function);
Base station protection function (Base Station Protection Function, BSPF) F6: interacts with authentication service function F7 through signaling interface S5 (direct interaction), or with authentication service function F7 via authentication function F5 through signaling interfaces S4 and S6 (indirect interaction), in order to obtain the protection information used to protect the key information; and sends the protected key information to mobile terminal F3 via base station F4 through signaling interface S2 and signaling interface S1, or via authentication function F5 and base station F4 through signaling interface S4, signaling interface S3 and signaling interface S1; messages on signaling interface S5 can be transmitted via signaling interface S4 and signaling interface S6, and messages on signaling interface S2 can be transmitted via signaling interface S4 and signaling interface S3; base station protection function F6 can be a part of authentication function F5 (that is, the two functions are combined into one function), in which case there is no signaling interface S4, signaling interface S2 is equivalent to signaling interface S3, and signaling interface S5 is equivalent to signaling interface S6;
Authentication service function F7: interacts with subscription data management function F8 through signaling interface S7 to obtain the key information related to the user, and supplies that information to authentication function F5 through signaling interface S6, or to base station protection function F6 through signaling interface S5, or to base station protection function F6 via authentication function F5 through signaling interface S6 and signaling interface S4. This function can be an AUSF (Authentication Server Function), and it can also be combined with subscription data management function F8;
Subscription data management function F8: stores and processes the user-related data; it is used to generate, from the user-related data, the information for authenticating the user and the key information related to the user, and supplies them to authentication service function F7 through signaling interface S7; if subscription data management function F8 and authentication service function F7 are combined, there is no signaling interface S7. This function can be a UDM or an HSS.
In this embodiment, the flow of the key providing method of the present application is implemented on the hardware structure provided in Figure 10 above; the detailed process steps are shown in Figure 11 and include:
S201: base station protection function F6 stores first key information; the first key information includes one or more keys and may also include a key validity period to facilitate key updates. A key is a private key of the network or a symmetric shared key of the network. Base station F4 stores second key information related to the first key information: when the keys in the first key information are one or more private keys, the keys in the second key information are the public keys corresponding to those private keys; when the keys in the first key information are one or more symmetric shared keys of the network, the keys in the second key information are identical to the keys in the first key information, or are derived from the keys in the first key information (for example, a key in the second key information is generated from a key in the first key information and a constant string, commonly using a hash function such as HMAC-SHA-256). Base station protection function F6 can also store all or part of the second key information (only the keys in the second key information, or all of its content). The second key information may also include a key validity period, which does not exceed the key validity period in the first key information (the two may be identical).
S202: optionally, mobile terminal F3 sends a key providing request to authentication function F5, for example a Key Provisioning Request message or a Registration Request message; the message may carry instruction information indicating initialization. More specifically, it can be terminal device F2 that sends the request;
S203: authentication function F5 receives the key providing request, or base station protection function F6 triggers authentication function F5 to provide a key to a designated user; authentication function F5 sends an authentication request to authentication service function F7, for example an Authentication Request message, which may carry instruction information explicitly indicating that a protection key needs to be obtained; authentication service function F7 requests user authentication information from subscription data management function F8, including a random string RAND, an authentication parameter AUTN, a challenge response and a session key, and the request message may carry the instruction information. Subscription data management function F8 generates RAND, and generates AUTN, the session key and the expected challenge response XRES from RAND.
In this embodiment, the ways of generating the session key and XRES include:
Mode one: the session key and XRES are generated with the user key;
Mode two: a derivative key of the user key is used as input to a key derivation function KDF or a hash function to generate the session key and XRES; the session key includes a confidentiality protection key CKp and/or an integrity protection key IKp; the KDF or hash function can be HMAC-SHA-256 or another hash function; the input parameters of the function generating the session key and XRES may also include other parameters such as RAND, AUTN, the serving network identity or the serving network name; the parameters for generating XRES include RAND; and the parameters or the function used to generate XRES must not be exactly the same as the parameters or the function used to generate the session key. If subscription data management function F8 receives the instruction information, the session key it generates should differ from the session key generated when no instruction information is received; for example, the generating parameters other than RAND are not exactly the same, or the generating function is different, or the RAND value plus or minus a constant is used as the RAND input parameter.
S204: authentication service function F7 sends authentication response to authentication function F5, for example sends Authentication Response carries authentication information, for example carries RAND and AUTN, can also carry user key, or carry derivative key, should Derivative key is derived from user key.
S205: authentication function F5 sends certification request to mobile terminal F3, for example sends User Authentication Request message, message carry authentication information, such as RAND and AUTN, more specifically, can be terminal device F2 reception and come from The certification request of authentication function F5.
S206: terminal device F2 calls the authentication operation of security function F1, and input authentication information is as parameter, for example inputs RAND and AUTN can also input network identity etc..If security function F1 is operate in the software function on terminal device F2, The inside that then calling of this step and the process of subsequent step 207~208 are terminal device F2 operates.
S207: security function F1 according to authentication information and is stored in user key therein and generates session key and challenge sound RES is answered, the mode of the generation of session key and RES and the generation session of subscription data management function F8 described in step 203 are close Key is identical with the mode of XRES.The dialogue-based key of security function F1 generates protection key, for example protects key close equal to session Key, or the parameters such as the dialogue-based key of protection key or network name derive from, or use a part of session key.Protect key It can be one, be also possible to multiple, such as Confidentiality protection key and tegrity protection key.
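The mode-two derivation of S203 and its mirror image in S207 can be shown end to end with a small HMAC-SHA-256 key derivation. The following is an added example written for this page, not code from the patent or from ZTE: the purpose labels, the length-prefixed input encoding, the placeholder AUTN (a tag over RAND rather than a real sequence-number structure), the "extra parameter" used to make the session key differ when indication information is present, and the sample user key and serving network name are all assumptions chosen for the illustration.

```python
import hashlib
import hmac
import os

# Constructed sample values (placeholders, not values from the patent): a
# 128-bit subscriber key as held by the security function F1 and by the
# subscription data management function F8, and a serving network name.
USER_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
SERVING_NETWORK = b"example-serving-network"


def kdf(key: bytes, label: bytes, *params: bytes) -> bytes:
    """HMAC-SHA-256 derivation with a purpose label and length-prefixed inputs.

    The label is what keeps the XRES function and the session-key function
    "not exactly the same", as mode two requires.
    """
    mac = hmac.new(key, label, hashlib.sha256)
    for p in params:
        mac.update(len(p).to_bytes(2, "big"))
        mac.update(p)
    return mac.digest()


def derive_session_material(user_key, rand, autn, sn_name, indication=False):
    """Mode two: derived key from the user key, then CKp, IKp and XRES/RES.

    When indication information is present the session key must differ from
    the normal one; here an additional input parameter is mixed in, which is
    one of the options S203 lists.
    """
    derived = kdf(user_key, b"derived-key", sn_name)
    extra = b"protection-key-requested" if indication else b"default"
    ckp = kdf(derived, b"CKp", rand, autn, sn_name, extra)
    ikp = kdf(derived, b"IKp", rand, autn, sn_name, extra)
    # XRES takes RAND (required) but uses a different label and omits the
    # serving network name, so neither its parameters nor its function
    # coincide with the session-key derivation.
    res = kdf(derived, b"RES", rand, autn)[:16]
    return ckp, ikp, res


def derive_protection_key(ckp, ikp, sn_name):
    """S207: protection key derived from the session key and the network name."""
    return kdf(ckp + ikp, b"protection-key", sn_name)


def network_challenge(user_key, rand=None, indication=False):
    """F8 side of S203: produce RAND, AUTN, the session key and XRES."""
    rand = rand if rand is not None else os.urandom(16)
    # Placeholder AUTN: a tag over RAND under the user key. A real AUTN also
    # carries a sequence number and AMF; that structure is not modelled here.
    autn = kdf(user_key, b"AUTN", rand)[:16]
    ckp, ikp, xres = derive_session_material(user_key, rand, autn, SERVING_NETWORK, indication)
    return {"RAND": rand, "AUTN": autn, "CKp": ckp, "IKp": ikp, "XRES": xres}


def terminal_response(user_key, rand, autn, indication=False):
    """F1 side of S207: recompute the session key, RES and the protection key."""
    ckp, ikp, res = derive_session_material(user_key, rand, autn, SERVING_NETWORK, indication)
    return {"RES": res, "Kp": derive_protection_key(ckp, ikp, SERVING_NETWORK)}


def network_protection_key(vector):
    """S211: F7 derives the same protection key from the session key it holds."""
    return derive_protection_key(vector["CKp"], vector["IKp"], SERVING_NETWORK)


if __name__ == "__main__":
    vec = network_challenge(USER_KEY)
    rsp = terminal_response(USER_KEY, vec["RAND"], vec["AUTN"])
    print("RES matches XRES:", hmac.compare_digest(rsp["RES"], vec["XRES"]))
    print("protection keys agree:", rsp["Kp"] == network_protection_key(vec))
```

The point to check on a real implementation is the one the patent makes in S203: the session-key derivation and the XRES derivation must not share the same inputs and function, otherwise a captured RES leaks key material. Here that separation is enforced by distinct labels and by omitting the serving network name from RES.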
S208: The security function F1 returns the call result to the terminal device F2; the returned call result is the challenge response RES.
S209: The terminal device F2 sends an authentication response to the authentication function F5, for example a User Authentication Response message, carrying the challenge response RES.
S210: The authentication function F5 sends an authentication confirmation to the authentication service function F7, for example an Authentication Confirmation message, carrying the challenge response RES.
S211: The authentication service function F7 generates the protection key or an intermediate session key from the session key and other parameters such as RAND, AUTN or the network identity. If the embodiment generates the protection key, it is generated in the same way as the security function F1 generates the protection key. If the embodiment generates an intermediate session key, that key is the result of some intermediate state in the steps by which the security function F1 generates the protection key (for example, if the security function F1 generates a second session key based on the session key, and so on, and finally generates the protection key based on the n-th session key, then the intermediate session key may be generated in the way the security function F1 generates the second session key, or the n-th session key, and so on). The authentication service function F7 may also request the subscription data management function F8 to return the protection key or the intermediate session key. The intermediate session key may include one or more keys.
S212: The authentication service function F7 sends an authentication acknowledgement to the authentication function F5, for example an Authentication Acknowledge message, carrying the protection key or the intermediate session key.
S213: If the embodiment sends an intermediate session key, the authentication function F5 may generate another intermediate key based on the received intermediate session key (for example, if the security function F1 generates a first session key based on the user key, then a second session key based on the first session key, and so on until the protection key is generated, then the received intermediate key may be a key identical to the k-th session key and the other intermediate key may be a key identical to the n-th session key), or generate the protection key; if the embodiment sends the protection key, the authentication function F5 uses that protection key directly. The authentication function F5 sends a protection request to the base station protection function F6, for example a Key Request message, carrying the intermediate key or the protection key. If the embodiment sends an intermediate key, the base station protection function F6 derives the protection key from the received intermediate key; if the embodiment sends the protection key, the base station protection function F6 uses the received protection key directly. The base station protection function F6 may store the protection key to facilitate the operations of a subsequent update process. If the base station protection function F6 and the authentication function F5 are co-located, the process of this step and of the subsequent steps 214 to 215 are internal operations of the authentication function F5.
S214: The base station protection function F6 generates third key information based on the protection key and the first key information, or based on the protection key and the second key information. This may be done as a whole or in batches. For example, the whole first or second key information is encrypted with the confidentiality protection key CKp, and/or the whole first or second key information, or the encrypted whole first or second key information, is integrity-protected with the integrity protection key IKp, finally producing the third key information. Alternatively, the base station protection function F6 generates the key in the third key information from the protection key and the key in the first or second key information, while the other information in the third key information is identical to the corresponding information in the first key information or is processed, for example encrypted and/or integrity-protected with the protection key. Alternatively, the keys in the first or second key information are encrypted one by one with the confidentiality protection key CKp and the third key information is generated from the encryption results; verification information is then generated from the third key information (or, equivalently, from a calculation result computed over it) and IKp, for example by a HASH calculation over the third key information and IKp (for example using HMAC-SHA-256), or by first hashing the third key information (for example using SHA-256) and then generating the verification information from the hash result and IKp (for example using HMAC-SHA-256).
S215: The base station protection function F6 sends a protection response to the authentication function F5, for example a Key Response message, carrying the third key information.
S216: The authentication function F5 sends a key providing response to the mobile terminal F3, for example a Key Provisioning Response message, carrying the third key information. More specifically, the terminal device F2 receives the key providing response from the authentication function F5.
In one embodiment, the terminal device F2 may store the received third key information together with the corresponding network identity or network name information, so that false base station protection can subsequently be provided for multiple networks.
Another embodiment continues with steps S217 to S218.
S217: The terminal device F2 calls the key storage operation of the security function F1 with all or part of the third key information as input parameters; a network identity or network name may also be input. The input parameters can be used to obtain the key in the first key information (in embodiments where the third key information is generated from the first key information) or the key in the second key information (in embodiments where the third key information is generated from the second key information). The security function F1 may also store the corresponding network identity or network name information, so that false base station protection can subsequently be provided for multiple networks. If the security function F1 is a software function running on the terminal device F2, the call in this step and the process of the subsequent step 218 are internal operations of the terminal device F2.
S218: The security function F1 generates the key in the first key information from the protection key it generated and the input parameters, for example by decrypting the input parameters with CKp and/or verifying the decrypted information, or the input parameters, with IKp. Alternatively, the security function F1 generates the second key information from the protection key it generated and the input parameters, for example by decrypting the input parameters with CKp and/or verifying the decrypted information, or the input parameters, with IKp. Alternatively, after generating the key in the first key information by the above operations, the security function F1 generates the key in the second key information from the key in the first key information. The security function F1 may store the key in the first key information, or store the key in the second key information, or store the input parameters so that the above operations can be executed again when needed to obtain the key in the first key information or the key in the second key information.
In another embodiment, after steps 217 to 218 are executed, the security function F1 generates an encryption key, generates fourth key information based on the encryption key and the first key information or the second key information, and returns it to the terminal device F2, which stores the fourth key information.
In another embodiment, the messages in steps 202, 205, 209 and 216 are exchanged directly between the mobile terminal F3 and the base station protection function F6 (via interface S1 and interface S2, or via interface S1, interface S3 and interface S4), the messages in steps 203, 204, 210 and 212 are exchanged directly between the base station protection function F6 and the authentication service function F7 (via interface S5, or via interface S4 and interface S6), and steps 213 and 215 are then not needed.
In another embodiment, after step 216 and before step 217, the terminal device F2 stores the third key information; steps 217 and 218 are not executed at that time but are executed later when needed, in order to obtain the first key information for identifying messages sent by the base station F4.
In another embodiment, steps 217 to 218 are not executed. Instead, the terminal device F2 sends part or all of the third key information, or a calculation result over part or all of the third key information (for example using SHA-256), together with the received verification information (the verification information from step 214, delivered by the authentication function F5) to the security function F1. The security function F1 verifies the verification information against the input parameters, for example by computing the expected verification information from the input parameters and IKp (for example using HMAC-SHA-256) and comparing it with the input verification information, and returns the verification result to the terminal device F2.
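The whole-processing variant of S214 (encrypt the key information with CKp, then produce verification information with IKp), its inverse in S218, and the verification-only path just described all share one protect/recover pair, shown here as an added example written for this page rather than code from the patent or from ZTE. Assumptions: CKp and IKp are taken as 32-byte constructed values, the key information is carried as JSON, a per-message nonce is added (the patent does not specify one), and the cipher is a counter-mode keystream built from HMAC-SHA-256 so the example runs with the standard library only; a deployment would use a proper block cipher under CKp.

```python
import hashlib
import hmac
import json
import os

# Constructed sample keys: CKp and IKp as both the security function F1 and the
# base station protection function F6 would hold after S207 / S213.
CKP = hashlib.sha256(b"constructed CKp").digest()
IKP = hashlib.sha256(b"constructed IKp").digest()

# Constructed first key information: the key itself plus the network identity
# and a key update time, the contents the patent mentions for it.
FIRST_KEY_INFO = {
    "key": "11" * 16,
    "network_id": "example-network",
    "update_time": "2030-01-01T00:00:00Z",
}


def keystream_xor(ckp: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode keystream from HMAC-SHA-256 (stand-in for a block cipher).

    Chosen only so the example is standard-library-only; XOR with the
    keystream both encrypts and decrypts.
    """
    stream = b""
    for counter in range((len(data) + 31) // 32):
        stream += hmac.new(ckp, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


def protect_key_info(ckp: bytes, ikp: bytes, key_info: dict, nonce: bytes = None) -> dict:
    """S214, whole-processing variant: encrypt the key information with CKp,
    then compute verification information over the ciphertext with IKp."""
    nonce = nonce if nonce is not None else os.urandom(12)  # assumption: per-message nonce
    plaintext = json.dumps(key_info, sort_keys=True).encode()
    ciphertext = keystream_xor(ckp, nonce, plaintext)
    verification = hmac.new(ikp, nonce + ciphertext, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ciphertext": ciphertext.hex(), "verification": verification.hex()}


def verify_key_info(ikp: bytes, third: dict) -> bool:
    """Verification-only path: recompute the expected verification information
    from the input parameters and IKp, then compare in constant time."""
    nonce = bytes.fromhex(third["nonce"])
    ciphertext = bytes.fromhex(third["ciphertext"])
    expected = hmac.new(ikp, nonce + ciphertext, hashlib.sha256).digest()
    return hmac.compare_digest(expected, bytes.fromhex(third["verification"]))


def recover_key_info(ckp: bytes, ikp: bytes, third: dict):
    """S218: verify with IKp first, and only then decrypt with CKp.

    Returns the key information, or None if verification or decoding fails.
    """
    if not verify_key_info(ikp, third):
        return None
    plaintext = keystream_xor(ckp, bytes.fromhex(third["nonce"]), bytes.fromhex(third["ciphertext"]))
    try:
        return json.loads(plaintext.decode())
    except (UnicodeDecodeError, ValueError):
        return None


def tampered(third: dict) -> dict:
    """Flip one ciphertext bit, the kind of modification the verification must catch."""
    ct = bytearray(bytes.fromhex(third["ciphertext"]))
    ct[0] ^= 0x01
    return {**third, "ciphertext": ct.hex()}


if __name__ == "__main__":
    third = protect_key_info(CKP, IKP, FIRST_KEY_INFO)
    print("recovered:", recover_key_info(CKP, IKP, third))
    print("tampered accepted:", recover_key_info(CKP, IKP, tampered(third)) is not None)
```

Verifying before decrypting is deliberate: the integrity check over the ciphertext rejects a modified third key information before any of it is fed to the decryption, which is the order a security function should follow regardless of which S214 variant produced the data.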
From this point on, with an asymmetric key system, the mobile terminal F3 holds the mobile network private key and the base station F4 holds the mobile network public key. The base station can use the mobile network public key to digitally sign the full content of a message sent to the mobile terminal F3, or part of its content, and the mobile terminal F3 can verify the digital signature with the mobile network private key, thereby determining whether the message has been tampered with (when the full content is signed) and also whether the base station is a pseudo base station (when all or part of the content is signed). With a symmetric key system, the mobile terminal F3 holds the first key information and can obtain the second key information from it, or holds the second key information directly; the base station F4 generates a message authentication code MAC over the full content of a message sent to the mobile terminal F3 or over part of its content, and the mobile terminal F3 can verify the MAC with the second key information, thereby determining whether the message has been tampered with (when the MAC is generated over the full content) and also whether the base station is a pseudo base station (when the MAC is generated over all or part of the content).
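The symmetric branch of the paragraph above, as an added example for this page (not code from the patent or from ZTE): the base station generates a MAC with the second key information over either the full message or a named subset of fields, and the terminal verifies it. The message fields, the 32-byte second key and the 16-byte MAC truncation are constructed assumptions; the asymmetric branch is not demonstrated because it needs a signature library outside the standard library.

```python
import hashlib
import hmac
import json

# Constructed second key information: the MAC key the base station F4 holds and
# the mobile terminal F3 derives from (or holds as) its second key information.
SECOND_KEY = hashlib.sha256(b"constructed second key information").digest()

# Constructed broadcast-style message; field names are illustrative only.
MESSAGE = {"cell_id": "0x1A2B3C", "tac": 4097, "barred": False, "plmn": "001-01"}


def canonical(message: dict, fields=None) -> bytes:
    """Serialize the full message, or only the named fields, deterministically."""
    covered = {k: message[k] for k in (fields if fields else sorted(message))}
    return json.dumps(covered, sort_keys=True, separators=(",", ":")).encode()


def generate_mac(second_key: bytes, message: dict, fields=None) -> bytes:
    """Base station F4: MAC over the full content (fields=None) or part of it."""
    return hmac.new(second_key, canonical(message, fields), hashlib.sha256).digest()[:16]


def verify_mac(second_key: bytes, message: dict, mac: bytes, fields=None) -> bool:
    """Mobile terminal F3: recompute the MAC and compare in constant time."""
    return hmac.compare_digest(generate_mac(second_key, message, fields), mac)


def classify(second_key: bytes, message: dict, mac: bytes, fields=None) -> str:
    """'genuine' when the MAC verifies; otherwise 'rejected', which covers both a
    tampered message and a pseudo base station that lacks the second key."""
    return "genuine" if verify_mac(second_key, message, mac, fields) else "rejected"


if __name__ == "__main__":
    mac_full = generate_mac(SECOND_KEY, MESSAGE)
    print("original:", classify(SECOND_KEY, MESSAGE, mac_full))
    print("modified:", classify(SECOND_KEY, dict(MESSAGE, barred=True), mac_full))
    print("no key:  ", classify(SECOND_KEY, MESSAGE, generate_mac(bytes(32), MESSAGE)))
```

The partial-content mode makes the patent's distinction concrete: a MAC over a subset of fields still proves the sender holds the second key information (pseudo base station detection), but a field outside the covered subset can be changed without the verification failing, so only the full-content MAC gives the tamper-detection property for the whole message.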
Embodiment seven:
Figure 12 is a flow diagram of mobile terminal key providing according to an embodiment of the present invention; the flow includes:
S301 to S309: the same as described for S201 to S209 in Figure 11.
S310: The authentication function F5 sends a protection request to the base station protection function F6, for example a Key Request. If the base station protection function F6 and the authentication function F5 are co-located, the process of this step and of the subsequent step 311 are internal operations of the authentication function F5.
S311: The base station protection function F6 sends a protection response to the authentication function F5, for example a Key Response message, carrying the first key information or the second key information.
S312: The authentication function F5 sends an authentication confirmation to the authentication service function F7, for example an Authentication Confirmation message, carrying the challenge response and the first key information, or the challenge response and the second key information.
S313: The authentication service function F7 generates the protection key from the session key and other parameters such as RAND, AUTN or the network identity, in the same way as the security function F1 generates the protection key in step 307. The authentication service function F7 may also request the subscription data management function F8 to generate the protection key and return it to the authentication service function F7; the subscription data management function F8 generates the protection key in the same way as the security function F1 does. The authentication service function F7 generates the third key information based on the protection key and the first key information, for example by encrypting the first key information with the confidentiality protection key CKp and/or integrity-protecting the first key information, or the encrypted first key information, with the integrity protection key IKp, finally producing the third key information. Alternatively, the authentication service function F7 generates the third key information based on the protection key and the second key information, for example by encrypting the second key information with the confidentiality protection key CKp and/or integrity-protecting the second key information, or the encrypted second key information, with the integrity protection key IKp, finally producing the third key information. The authentication service function F7 may also send the first key information or the second key information to the subscription data management function F8, which performs the above operations to generate the third key information and returns it to the authentication service function F7.
S314: The authentication service function F7 sends an authentication acknowledgement to the authentication function F5, for example an Authentication Acknowledge message, carrying the third key information.
S315 to S317: the same as described for steps 216 to 218 in Figure 11.
In another embodiment, the messages in steps 302, 305, 309 and 316 are exchanged directly between the mobile terminal F3 and the base station protection function F6 (via interface S1 and interface S2, or via interface S1, interface S3 and interface S4), the messages in steps 303, 304, 312 and 314 are exchanged directly between the base station protection function F6 and the authentication service function F7 (via interface S5, or via interface S4 and interface S6), and steps 310 and 311 are then not needed.
In another embodiment, after step 315 and before step 316, the terminal device F2 stores the third key information; steps 316 and 317 are not executed at that time but are executed later when needed, in order to obtain the first key information for identifying messages sent by the base station F4.
Embodiment eight:
Figure 13 is a flow diagram of mobile terminal key providing according to an embodiment of the present invention in which the base station protection function F6 and the authentication function F5 are deployed separately; the flow includes:
S401: the same as described for S201 in Figure 11.
S402: The mobile terminal F3 sends a key providing request to the base station protection function F6, for example a Key Provisioning Request message; more specifically, the terminal device F2 sends the request.
S403: The base station protection function F6 sends an authentication request to the authentication function F5, for example an Authentication Required message.
S404 to S413: the same as described for S203 to S212 in Figure 11.
S414: The authentication function F5 sends an authentication response to the base station protection function F6, for example an Authentication Acknowledge message, carrying the protection key. The base station protection function F6 may store the protection key to facilitate the operations of a subsequent update process.
S415: the same as described for S214 in Figure 11.
S416: The base station protection function F6 sends a key providing response to the mobile terminal F3, for example a Key Provisioning Response message, carrying the third key information. More specifically, the terminal device F2 receives the key providing response from the base station protection function F6.
S417 to S418: the same as described for S217 to S218 in Figure 11.
In another embodiment, after step 416 and before step 417, the terminal device F2 stores the third key information; steps 417 and 418 are not executed at that time but are executed later when needed, in order to obtain the first key information for identifying messages sent by the base station F4.
Embodiment nine:
Figure 14 is a flow diagram of mobile terminal key providing according to an embodiment of the present invention; the flow includes:
S501: the same as described for S201 in Figure 11.
S502: The mobile terminal F3 is about to initiate a network access request; in particular, the terminal device F2, about to initiate the access request, calls the key generation operation of the security function F1. The operation may include a random string RANDue.
S503: If the security function F1 has no protection key, it generates a random string RANDue, or reads a stored random string RANDue, or uses the RANDue from the key generation operation called by the terminal device F2. The security function F1 generates the protection key from the user key and RANDue.
S504: The security function F1 returns RANDue to the terminal device F2.
S505: The terminal device F2 initiates a key providing request to the authentication function F5, for example a Key Provisioning Request message or a Registration Request message, carrying RANDue.
S506: The authentication function F5 sends an authentication request to the authentication service function F7, for example an Authentication Request message, carrying RANDue.
S507: The authentication service function F7 requests an authentication vector from the subscription data management function, carrying RANDue. After obtaining the authentication vector, the authentication service function F7 triggers the standard mutual authentication procedure between the network and the terminal, for example the standard EPS AKA, 5G AKA or EAP-AKA' procedure.
S508: The subscription data management function F8 generates the protection key from the received RANDue and the user key of the corresponding user, for example using a hash function such as HMAC-SHA-256.
S509 to S515: the same as described for steps S212 to S218 in Figure 11.
In another embodiment, after step 513 and before step 514, the terminal device F2 stores the third key information; steps 514 and 515 are not executed at that time but are executed later when needed, in order to obtain the first key information for identifying messages sent by the base station F4.
Embodiment ten:
Figure 15 is a flow diagram of mobile terminal key providing according to an embodiment of the present invention; the flow includes:
S601: the same as described for step S201 in Figure 11.
S602: The mobile terminal F3 is about to initiate a network access request; in particular, the terminal device F2, about to initiate the access request, calls the key generation operation of the security function F1.
S603: If the security function F1 has not yet transmitted a secret key (unrelated to the user key) for this mobile network, it generates a secret key or reads a stored secret key. The security function F1 generates a transmission key based on the home network public key and the secret key, for example by encrypting the secret key with the home network public key; or it generates the transmission key based on a home network shared key and the secret key, for example by deriving an encryption key from the home network shared key and then encrypting the secret key with that encryption key to produce the transmission key.
S604: The security function F1 returns the transmission key to the terminal device F2.
S605: The terminal device F2 initiates a key providing request to the authentication function F5, for example a Key Provisioning Request message or a Registration Request message, carrying the transmission key.
S606: The authentication function F5 sends an authentication request to the authentication service function F7, for example an Authentication Request message, carrying the transmission key.
S607: The authentication service function F7 requests an authentication vector from the subscription data management function, carrying the transmission key. After obtaining the authentication vector, the authentication service function F7 triggers the standard mutual authentication procedure between the network and the terminal, for example the standard EPS AKA, 5G AKA or EAP-AKA' procedure.
S608: The subscription data management function F8 generates the secret key from the received transmission key using the home network private key (paired with the home network public key), for example by decrypting the transmission key with the home network private key to obtain the secret key; or it generates the secret key using the home network shared key, for example by deriving the encryption key from the home network shared key and decrypting the transmission key with that encryption key to obtain the secret key.
S609 to S615: the same as described for steps S212 to S218 in Figure 11, except that the protection key is replaced by the secret key.
In another embodiment, after step 613 and before step 614, the terminal device F2 stores the third key information; steps 614 and 615 are not executed at that time but are executed later when needed, in order to obtain the first key information for identifying messages sent by the base station F4.
In another embodiment, steps 614 to 615 are not executed. Instead, the terminal device F2 sends part or all of the third key information, or a calculation result over part or all of the third key information (for example using SHA-256), together with the received verification information (the verification information from step 611, delivered by the authentication function F5) to the security function F1. The security function F1 verifies the verification information against the input parameters, for example by computing the expected verification information from the input parameters and the secret key (for example using HMAC-SHA-256) and comparing it with the input verification information, and returns the verification result to the terminal device F2.
Embodiment 11:
Figure 16 is a flow diagram of mobile terminal key providing according to embodiment six of the present invention; the flow includes:
S701: the same as described for step S201 in Figure 11.
S702: The mobile terminal F3 is about to initiate a network access request; in particular, the terminal device F2, about to initiate the access request, calls the key generation operation of the security function F1.
S703: If the security function F1 has no secret key (unrelated to the user key), it generates a secret key. The security function F1 generates a transmission key based on the visited network public key and the secret key, for example by encrypting the secret key with the visited network public key.
S704: The security function F1 returns the transmission key to the terminal device F2.
S705: The terminal device F2 initiates a key providing request to the base station protection function F6, for example a Key Provisioning Request message or a Registration Request message, carrying the transmission key.
S706: The base station protection function F6 generates the secret key from the received transmission key and the visited network private key (paired with the visited network public key), for example by decrypting the transmission key with the visited network private key to obtain the secret key. It then performs the operations described in step S214 of Figure 11, with the protection key replaced by the secret key.
In another embodiment, step 705 passes through the authentication function F5; step 706 may then be that the authentication function F5 first obtains the secret key and forwards it to the base station protection function F6, after which F6 performs the operations described in step 214 of Figure 2, with the protection key replaced by the secret key.
S707 to S709: the same as described for steps S416 to S418 of Figure 13, except that the protection key is replaced by the secret key.
In another embodiment, step 705 passes through the authentication function F5; step 706 may then be that the authentication function F5 first obtains the secret key, F6 then transfers the first key information or the second key information to the authentication function F5, and the authentication function F5 performs the operations described in step 214 of Figure 2, with the protection key replaced by the secret key.
In another embodiment, after step 707 and before step 708, the terminal device F2 stores the third key information; steps 708 and 709 are not executed at that time but are executed later when needed, in order to obtain the first key information for identifying messages sent by the base station F4.
Embodiment 12:
Figure 17 is a flow diagram of mobile terminal key updating according to an embodiment of the present invention; the flow includes:
S801: the same as described for step S201 in Figure 11, except that the first key information in the base station protection function F6 has been updated and, correspondingly, the second key information in the base station F4 has also been updated; if indication information is carried, it indicates an update.
S802: Optionally, the mobile terminal F3 sends a key providing request to the base station protection function F6, for example a Key Provisioning Request message; more specifically, the terminal device F2 sends the request. In another embodiment, the base station protection function F6 triggers the process of the following steps 803 to 806 because of the key update. The first key information or the second key information may include a key update time, or the third key information may include a key update time; the mobile terminal F3 may send the key providing request once that key update time has expired.
S803 to S806: the same as described for steps S415 to 418 in Figure 13.
In another embodiment, step S803 generates the third key information based on the secret key and the first key information or the second key information, and step S806 generates the key in the first key information or the key in the second key information based on the secret key and part or all of the third key information.
In the present embodiment, besides the implementations above, the following is also possible: the first key information or the second key information stored in the security function F1, the third key information stored in the terminal device F2, and the protection key in the security function F1 can be obtained using the same or similar methods as described in Figures 11 to 14, or using other methods, such as an OTA mechanism in which the base station protection function F6 transfers the relevant information to the subscription data management function. Under other mechanisms such as OTA, the protection key can be unrelated to the user key, so the scheme of the following embodiment has no correlation with the schemes described in Figures 11 to 14.
Embodiment 13:
The present embodiment also provides a computer readable storage medium. The computer readable storage medium includes volatile or non-volatile, removable or non-removable media implemented in any method or technology for storing information (such as computer readable instructions, data structures, computer program modules or other data). Computer readable storage media include, but are not limited to, RAM (Random Access Memory), ROM (Read-Only Memory), EEPROM (Electrically Erasable Programmable Read-Only Memory), flash memory or other memory technologies, CD-ROM (Compact Disc Read-Only Memory), digital versatile discs (DVD) or other optical disc storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to store the desired information and can be accessed by a computer.
In one example, the computer readable storage medium in the present embodiment can be used to store one or more of a first computer program, a second computer program, a third computer program and a fourth computer program, and the one or more computer programs can be executed by one or more processors to implement the steps of the key providing method described in the above embodiments.
The present embodiment also provides a computer program (or computer software) that can be distributed on a computer readable medium and executed by a computing device to implement at least one step of the key providing method shown in the above embodiments; in some cases, at least one of the steps shown or described may be executed in an order different from that described in the above embodiments.
The present embodiment also provides a computer program product including a computer readable device on which the computer program shown above is stored. In the present embodiment the computer readable device may include the computer readable storage medium shown above.
It can be seen that those skilled in the art should understand that all or some of the steps of the methods disclosed above, and the functional modules/units in the systems and devices, may be implemented as software (computer program code executable by a computing device), firmware, hardware, or appropriate combinations thereof. In a hardware implementation, the division between the functional modules/units mentioned in the above description does not necessarily correspond to the division of physical components; for example, one physical component may have several functions, or one function or step may be executed cooperatively by several physical components. Some or all physical components may be implemented as software executed by a processor such as a central processing unit, a digital signal processor or a microprocessor, or as hardware, or as an integrated circuit such as an application specific integrated circuit.
In addition, as is known to a person of ordinary skill in the art, communication media generally include computer readable instructions, data structures, computer program modules or other data in a modulated data signal such as a carrier wave or other transmission mechanism, and may include any information delivery media. Therefore, the present invention is not limited to any specific combination of hardware and software.
The above content is a further detailed description of the embodiments of the present invention in combination with specific implementations, and the specific implementation of the present invention cannot be considered limited to these descriptions. For those of ordinary skill in the art to which the present invention belongs, a number of simple deductions or substitutions can be made without departing from the inventive concept, and all of these shall be regarded as falling within the protection scope of the present invention.

Claims (32)

1. A key providing method, applied on the mobile terminal side, characterized in that the method comprises:
receiving third key information sent by the mobile network side; the third key information being obtained by the mobile network side from the result of encrypting first key information with a second verification key; the second verification key being generated by the mobile network side from a network user key, or obtained by the mobile network side from the result of decrypting a third verification key; the third verification key being obtained by the mobile terminal from the result of encrypting the second verification key, and sent to the mobile network side;
generating the first key information from the result of decrypting the third key information with a first verification key or the second verification key, the first verification key being generated by the mobile terminal from a terminal user key;
wherein the network user key is a backup of a user key on the mobile network side, and the terminal user key is a backup of the user key on the mobile terminal.
2. The key providing method according to claim 1, characterized in that the method further comprises:
the first key information or the third key information including a key update time;
after the key update time has expired, sending to the mobile network side a message requesting the third key information.
3. The key providing method according to claim 1, characterized in that the method further comprises:
generating the first verification key from the terminal user key and derived information, wherein the derived information is sent by the mobile terminal to the mobile network side, or received by the mobile terminal from the mobile network side.
4. The key providing method according to claim 1, characterized in that the method further comprises:
storing network information corresponding to the first key information, or storing network information corresponding to the third key information.
5. The key providing method according to claim 1, characterized in that the method further comprises:
receiving verification information sent by the mobile network side;
verifying the verification information based on the first verification key or the second verification key together with the third key information, or verifying the verification information based on the first verification key or the second verification key together with the first key information.
6. The key providing method according to claim 1, characterized in that the step of the third verification key being obtained by the mobile terminal from the result of encrypting the second verification key further comprises:
the mobile terminal obtaining the third verification key from the result of encrypting the second verification key with a secret key, the secret key being a public key of the mobile network side or a symmetric key shared with the mobile network side.
7. A key providing method, applied to a security function on the mobile terminal side, characterized in that the method comprises:
receiving a first call from a terminal device on the mobile terminal side, and returning the result of the first call; the result of the first call not including a first verification key, or the result of the first call including second derived information, or the result of the first call including a third verification key; wherein the first verification key is generated from a terminal user key, the second derived information is used together with the terminal user key to generate the first verification key, the third verification key is obtained from the result of encrypting a second verification key, and the terminal user key is a backup of a user key on the security function of the mobile terminal side;
receiving a second call from the terminal device on the mobile terminal side, and returning the result of the second call; the second call including third key information, and the result of the second call not including first key information; wherein the first key information is generated from the result of decrypting the third key information with the first verification key or the second verification key.
8. The key providing method according to claim 7, characterized in that the first call includes first derived information, and the first verification key is generated from the terminal user key and the first derived information.
9. The key providing method according to claim 7, characterized in that the result of the first call includes second derived information, and the first verification key is generated from the terminal user key and the second derived information.
10. The key providing method according to claim 7, characterized in that the method further comprises:
storing network information corresponding to the first key information.
11. The key providing method according to claim 7, characterized in that the third verification key being obtained from the result of encrypting the second verification key comprises:
the third verification key being obtained from the result of encrypting the second verification key with a secret key, the secret key being a public key of the mobile network side or a symmetric key shared with the mobile network side.
12. The method according to claim 7, characterized in that the method further comprises:
receiving a third call from the terminal device on the mobile terminal side; the input parameters of the third call including verification information and part or all of the third key information, or the input parameters of the third call including verification information and a calculation result generated from part or all of the third key information;
returning the result of the third call, the result of the third call including the result of verifying the verification information in the input parameters using the first verification key or the second verification key;
wherein the third key information is used to generate the first key information from the result of decrypting the third key information with the first verification key or the second verification key.
13. A key providing method, applied to a terminal device on the mobile terminal side, characterized in that the method comprises:
receiving third key information from the mobile network side, and initiating a second call to a security function on the mobile terminal side, the second call including the third key information;
the third key information being obtained by the mobile network side from the result of encrypting first key information with a second verification key, the second verification key being generated by the mobile network side from a network user key, or the second verification key being obtained by the mobile network side from the result of decrypting a third verification key, the third verification key being sent by the mobile terminal to the mobile network side, and the network user key being a backup of a user key on the mobile network side.
14. The key providing method according to claim 13, characterized in that the method further comprises:
initiating a first call to the security function on the mobile terminal side, and receiving the result of the first call, the result of the first call including the third verification key.
15. The key providing method according to claim 13, characterized in that the method further comprises:
initiating a third call to the security function on the mobile terminal side, the input parameters of the third call including verification information and part or all of the third key information, or the input parameters of the third call including verification information and a calculation result generated from part or all of the third key information;
receiving the verification result returned by the security function on the mobile terminal side, the verification result being the result of verifying the verification information in the input parameters using the first verification key or the second verification key.
16. The key providing method according to claim 13, characterized in that the method further comprises:
initiating a first call to the security function on the mobile terminal side, and receiving the result of the first call, the first call including first derived information, the first derived information being used together with a terminal user key to generate a first verification key and being generated by the terminal device on the mobile terminal side or received from the mobile network side, the first verification key being used to decrypt the third key information, and the terminal user key being a backup of the user key on the mobile terminal side.
17. The key providing method according to claim 16, characterized in that the method further comprises:
sending the first derived information to the mobile network side.
18. The key providing method according to claim 13, characterized in that the method further comprises:
initiating a first call to the security function on the mobile terminal side, and receiving the result of the first call, the result of the first call including second derived information, the second derived information being used together with a terminal user key to generate a first verification key, the first verification key being used to decrypt the third key information, and the terminal user key being a backup of the user key on the mobile terminal side;
sending the second derived information to the mobile network side.
19. A key providing method, applied to a first core network function on the mobile network side, characterized in that the method comprises:
sending third key information to a mobile terminal; or,
sending first key information to a second core network function, receiving the third key information sent from the second core network function, and sending the third key information to the mobile terminal;
wherein the third key information is generated from a second verification key and the first key information; the second verification key is generated by decrypting a third verification key, or generated by the second core network function from a network user key; the third verification key is received from the mobile terminal, and the network user key is a backup of a user key on the second core network function side.
20. The key providing method according to claim 19, characterized in that the method further comprises:
sending a key request to the second core network function;
receiving the second verification key from the second core network function.
21. The key providing method according to claim 20, characterized in that the key request includes third derived information; the third derived information is received from the mobile terminal and is used together with the network user key to generate the second verification key.
22. The key providing method according to claim 21, characterized in that the key request further includes the third verification key, the third verification key being received from the mobile terminal.
23. The key providing method according to claim 19, characterized in that the method further comprises:
sending first derived information to the mobile terminal; the first derived information being received from the second core network function and used together with the network user key to generate the second verification key.
24. The key providing method according to claim 19, characterized in that the method further comprises:
sending verification information to the mobile terminal;
wherein the verification information is generated from the second verification key and part or all of the third key information; or generated from the second verification key and a first calculation result, the first calculation result being generated from part or all of the third key information; or generated from the second verification key and part or all of the first key information; or generated from the second verification key and a second calculation result, the second calculation result being generated from part or all of the first key information.
25. A key providing method, applied to a second core network function, characterized in that the method comprises:
receiving first key information from a first core network function, and sending third key information to the first core network function, the third key information being generated from the first key information and a second verification key, the second verification key being generated from a network user key or generated by decrypting a third verification key, and the third verification key being received from the first core network function; or,
receiving second derived information from the first core network function, and sending a second verification key to the first core network function, the second verification key being generated from the second derived information and the network user key; or,
sending first derived information to the first core network function, and sending a second verification key to the first core network function, the second verification key being generated from the first derived information and the network user key;
wherein the network user key is a backup of a user key on the second core network function side.
26. A mobile terminal, characterized by comprising:
a first receiving module, for receiving third key information sent by the mobile network side; the third key information being obtained by the mobile network side from the result of encrypting first key information with a second verification key; the second verification key being generated by the mobile network side from a network user key, or obtained by the mobile network side from the result of decrypting a third verification key; the third verification key being obtained by the mobile terminal from the result of encrypting the second verification key, and sent to the mobile network side;
a first key generation module, for generating the first key information from the result of decrypting the third key information with a first verification key or the second verification key, the first verification key being generated by the mobile terminal from a terminal user key; wherein the network user key is a backup of a user key on the mobile network side, and the terminal user key is a backup of the user key on the mobile terminal.
27. A key providing apparatus, characterized by comprising:
a first calling module, for receiving a first call from a terminal device on the mobile terminal side and returning the result of the first call; the result of the first call not including a first verification key, or the result of the first call including second derived information, or the result of the first call including a third verification key; wherein the first verification key is generated from a terminal user key, the second derived information is used together with the terminal user key to generate the first verification key, the third verification key is obtained from the result of encrypting a second verification key, and the terminal user key is a backup of a user key in the security function of the mobile terminal side;
a second calling module, for receiving a second call from the terminal device on the mobile terminal side and returning the result of the second call; the second call including third key information, and the result of the second call not including first key information; wherein the first key information is generated from the result of decrypting the third key information with the first verification key or the second verification key.
28. A mobile terminal, characterized by comprising:
a second receiving module, for receiving third key information from the mobile network side and initiating a second call to a key providing apparatus, the second call including the third key information;
the third key information being obtained by the mobile network side from the result of encrypting first key information with a second verification key, the second verification key being generated by the mobile network side from a network user key, or the second verification key being obtained by the mobile network side from the result of decrypting a third verification key, the third verification key being sent by the mobile terminal to the mobile network side, and the network user key being a backup of a user key on the mobile network side.
29. A communication device, characterized by comprising:
a first sending module, for sending third key information to a mobile terminal; or, for sending first key information to a second core network function;
a third receiving module, for receiving the third key information sent from the second core network function and sending the third key information to the mobile terminal;
wherein the third key information is generated from a second verification key and the first key information; the second verification key is generated by decrypting a third verification key, or generated by the second core network function from a network user key; the third verification key is received from the mobile terminal, and the network user key is a backup of a user key on the second core network function side.
30. A communication device, characterized by comprising: a fourth receiving module and a second sending module;
the fourth receiving module being for receiving first key information from a first core network function, and the second sending module being for sending third key information to the first core network function, the third key information being generated from the first key information and a second verification key, the second verification key being generated from a network user key or generated by decrypting a third verification key, and the third verification key being received from the first core network function; or,
the fourth receiving module being for receiving second derived information from the first core network function, and the second sending module being for sending a second verification key to the first core network function, the second verification key being generated from the second derived information and the network user key; or,
the second sending module being for sending first derived information to the first core network function, and the second sending module sending a second verification key to the first core network function, the second verification key being generated from the first derived information and the network user key, and the network user key being a backup of a user key on the second core network function side.
31. A communication device, characterized by comprising: a processor, a memory, a communication unit and a communication bus;
the communication bus being for implementing a wireless communication connection between the processor, the communication unit and the memory;
the processor being for executing one or more first programs stored in the memory, to implement the steps of the key providing method according to any one of claims 1 to 6;
the processor being for executing one or more second programs stored in the memory, to implement the steps of the key providing method according to any one of claims 7 to 12;
the processor being for executing one or more third programs stored in the memory, to implement the steps of the key providing method according to any one of claims 13 to 18;
the processor being for executing one or more fourth programs stored in the memory, to implement the steps of the key providing method according to any one of claims 19 to 24;
the processor being for executing one or more fifth programs stored in the memory, to implement the steps of the key providing method according to claim 25.
32. A computer readable storage medium, the computer readable storage medium storing one or more first computer programs, second computer programs, third computer programs, fourth computer programs and second computer programs, the one or more first computer programs being executable by one or more processors to implement the steps of the key providing method according to any one of claims 1 to 6;
the one or more second computer programs being executable by one or more processors to implement the steps of the key providing method according to any one of claims 7 to 12;
the one or more third computer programs being executable by one or more processors to implement the steps of the key providing method according to any one of claims 13 to 18;
the one or more fourth computer programs being executable by one or more processors to implement the steps of the key providing method according to any one of claims 19 to 24;
the one or more fifth computer programs being executable by one or more processors to implement the steps of the key providing method according to claim 25.
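The claims above describe one protocol seen from three roles (the terminal, the terminal-side security function, and the core network functions) using the same objects throughout: a user key held as a backup on both sides; a first and a second verification key derived from it, optionally with derived information; third key information, which is the first key information encrypted under the second verification key; a third verification key, which is the second verification key encrypted under a key the network can open; and verification information that the terminal checks. The Python model below is added here as an illustration and is not code from ZTE or from the patent. It walks one provisioning round in each of the two ways claim 1 lets the network obtain the second verification key (derived from the network user key, or recovered from the third verification key sent by the terminal, taking claim 6's shared-symmetric-key variant), and shows the terminal refusing third key information that was altered in transit. The patent names no concrete algorithms, so everything specific in the code is an assumption of this example: the HKDF derivation and its labels, the HMAC-SHA256 counter-mode stand-in for a real cipher, the class and function names, and the constructed sample key values.

```python
import hashlib
import hmac
import secrets
from typing import Optional

HASH = hashlib.sha256
NONCE_LEN, TAG_LEN = 16, 32
# Constructed sample values, not from the patent; the user key exists as a backup on both sides.
USER_KEY = b"constructed-user-key-shared-by-terminal-and-network"
SHARED_SECRET = b"constructed-terminal-network-symmetric-key"   # claim 6 symmetric-key variant
FIRST_KEY_INFO = b"constructed-session-key-material"


def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF-SHA256 (extract, then expand), standard library only."""
    prk = hmac.new(salt, ikm, HASH).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: a dependency-free stand-in for a real cipher such as AES-GCM.
    out = b""
    for i in range((length + 31) // 32):
        out += hmac.new(key, nonce + i.to_bytes(4, "big"), HASH).digest()
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with sub-keys derived from `key`; returns nonce || ciphertext || tag."""
    enc_key, mac_key = hkdf(key, b"", b"enc"), hkdf(key, b"", b"mac")
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, HASH).digest()


def unseal(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = hkdf(key, b"", b"enc"), hkdf(key, b"", b"mac")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, HASH).digest()):
        raise ValueError("integrity check failed")   # reject before touching the plaintext
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def verification_key(user_key: bytes, derived_info: bytes) -> bytes:
    # K1 on the terminal and K2 on the network: same user-key backup, same derived info (claim 3).
    return hkdf(user_key, derived_info, b"verification-key")


class NetworkSide:
    def __init__(self, network_user_key: bytes, shared_secret: bytes):
        self.network_user_key = network_user_key   # backup of the user key (claim 1)
        self.shared_secret = shared_secret         # symmetric key shared with the terminal (claim 6)

    def provide(self, first_key_info: bytes, derived_info: bytes,
                third_verification_key: Optional[bytes] = None):
        # Claim 1 allows two sources for K2: derive it, or decrypt the K3 the terminal sent.
        if third_verification_key is None:
            k2 = verification_key(self.network_user_key, derived_info)
        else:
            k2 = unseal(self.shared_secret, third_verification_key)
        third_key_info = seal(k2, first_key_info)
        # Claim 24: verification information as a K2-keyed MAC over the third key information.
        verification_info = hmac.new(k2, third_key_info, HASH).digest()
        return third_key_info, verification_info


class TerminalSide:
    def __init__(self, terminal_user_key: bytes, shared_secret: bytes):
        self.terminal_user_key = terminal_user_key   # backup of the user key on the terminal
        self.shared_secret = shared_secret
        self.k2: Optional[bytes] = None

    def make_third_verification_key(self) -> bytes:
        # Claim 6 path: the terminal chooses K2 and ships it encrypted under the shared secret.
        self.k2 = secrets.token_bytes(32)
        return seal(self.shared_secret, self.k2)

    def receive(self, third_key_info: bytes, verification_info: bytes, derived_info: bytes) -> bytes:
        key = self.k2 if self.k2 is not None else verification_key(self.terminal_user_key, derived_info)
        # Claim 5: check the verification information before trusting the payload.
        expected = hmac.new(key, third_key_info, HASH).digest()
        if not hmac.compare_digest(expected, verification_info):
            raise ValueError("verification information does not match")
        return unseal(key, third_key_info)   # yields the first key information


def run_exchange(use_k3: bool, tamper: bool = False) -> Optional[bytes]:
    """One provisioning round; returns the recovered first key information, or None if rejected."""
    net, term = NetworkSide(USER_KEY, SHARED_SECRET), TerminalSide(USER_KEY, SHARED_SECRET)
    derived_info = b"derived-info-0001"   # constructed; a counter or nonce exchanged per claim 3
    k3 = term.make_third_verification_key() if use_k3 else None
    third_key_info, verification_info = net.provide(FIRST_KEY_INFO, derived_info, k3)
    if tamper:   # flip one bit in transit; the terminal must refuse it
        third_key_info = third_key_info[:-1] + bytes([third_key_info[-1] ^ 1])
    try:
        return term.receive(third_key_info, verification_info, derived_info)
    except ValueError:
        return None
```

Two design points carry over from the claims to any real implementation. First, the terminal checks the verification information before it decrypts, so a tampered message is rejected at a MAC comparison and never reaches the key material; the `tamper` path of `run_exchange` exercises exactly that. Second, the user key and the verification-key derivation belong in the terminal-side security function of claims 7 to 12 (a UICC or secure element), which returns only call results and never the first verification key itself; in this model both live in `TerminalSide` for readability, and the HMAC counter-mode cipher would be replaced by a standard AEAD.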

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811583792.4A CN110536289A (en) 2018-12-24 2018-12-24 Key providing method and device thereof, mobile terminal, communication equipment and storage medium

Publications (1)

Publication Number Publication Date
CN110536289A true CN110536289A (en) 2019-12-03

Family

ID=68659365

Country Status (1)

Country Link
CN (1) CN110536289A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20230061362A1 (en) * 2021-08-31 2023-03-02 International Business Machines Corporation Message delivery in cellular roaming scenarios

Similar Documents

Publication Publication Date Title
US11228442B2 (en) Authentication method, authentication apparatus, and authentication system
CN107317789B (en) Key distribution and authentication method, device and system
EP2868029B1 (en) Key agreement for wireless communication
CN110049492B (en) Communication method, core network element, terminal device and storage medium
RU2480925C2 (en) Generation of cryptographic key
CN101640886B (en) Authentication method, re-authentication method and communication device
Køien Mutual entity authentication for LTE
WO2020221252A1 (en) Method and apparatus for sending terminal sequence number and authentication method and apparatus
US9088408B2 (en) Key agreement using a key derivation key
CN105553951A (en) Data transmission method and data transmission device
CN108848495B (en) User identity updating method using preset key
CN101822082A (en) Techniques for secure channelization between a UICC and a terminal
US11909869B2 (en) Communication method and related product based on key agreement and authentication
US20140171029A1 (en) Method and apparatus for authenticating subscribers to long term evolution telecommunication networks or universal mobile telecommunications system
CN106714152B (en) Key distribution and receiving method, first key management center and first network element
CN108683510A (en) User identity updating method with encrypted transmission
CN108809903B (en) Authentication method, device and system
WO2017188895A1 (en) Method and system for authentication with asymmetric key
CN111641498A (en) Key determination method and device
CN106714153B (en) Key distribution, generation and reception method and related device
CN110536289A (en) Key providing method and device thereof, mobile terminal, communication equipment and storage medium
CN111432404B (en) Information processing method and device
CN108282780A (en) Key transmission method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination