CN112654013A - Certificate issuing method and device - Google Patents


Info

Publication number
CN112654013A
CN112654013A
Authority
CN
China
Prior art keywords
information
terminal device
message
equipment
terminal
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201910913345.9A
Other languages
Chinese (zh)
Other versions
CN112654013B (en)
Inventor
王勇
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd
Priority to CN201910913345.9A (CN112654013B)
Priority to CN202210659360.7A (CN115379414A)
Publication of CN112654013A
Application granted
Publication of CN112654013B
Legal status: Active
Anticipated expiration: (date not listed)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 4/00 Services specially adapted for wireless communication networks; Facilities therefor
    • H04W 4/30 Services specially adapted for particular environments, situations or purposes
    • H04W 4/40 Services specially adapted for particular environments, situations or purposes for vehicles, e.g. vehicle-to-pedestrians [V2P]
    • H04W 4/44 Services specially adapted for vehicles, for communication between vehicles and infrastructures, e.g. vehicle-to-cloud [V2C] or vehicle-to-home [V2H]
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/009 Security arrangements specially adapted for networks, e.g. wireless sensor networks, ad-hoc networks, RFID networks or cloud networks
    • H04W 12/04 Key management, e.g. using generic bootstrapping architecture [GBA]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Telephonic Communication Services (AREA)

Abstract

The embodiment of the application provides a certificate issuing method and a certificate issuing device, wherein the method comprises the following steps: the method comprises the steps that a terminal device sends a first message to a first network device, wherein the first message is used for requesting the first network device to issue a registration certificate, the first message comprises a public key and first information, and the first information is used for determining device information of the terminal device; then, the terminal device receives a second message sent by the first network device, wherein the second message includes a registration certificate, and the registration certificate is generated according to the device information of the terminal device and the public key. The terminal equipment and the first network equipment interact with each other to realize online issuing of the registration certificate, and the registration certificate does not need to be configured in advance in the terminal equipment production process.

Description

Certificate issuing method and device
Technical Field
The embodiment of the application relates to communication technologies, and in particular, to a certificate issuing method and apparatus.
Background
Vehicle-to-everything (V2X) communication is a key technology for future intelligent transportation. By deploying devices such as a Global Positioning System (GPS) receiver, Radio Frequency Identification (RFID) and camera image processing, a vehicle collects information about itself and its environment, and through wireless communication between vehicles, between a vehicle and a base station, and between a base station and other V2X devices, obtains traffic information such as vehicle information, road-condition information and pedestrian information. This improves driving safety, reduces congestion, raises traffic efficiency and enables in-vehicle entertainment services.
Currently, the V2X communication system protects communication between V2X devices with certificates. These comprise management certificates and communication certificates, and the management certificates in turn comprise authorization certificates and registration certificates. An authorization certificate is obtained by a V2X device manufacturer from an authorization Certificate Authority (CA) and grants the authority to produce V2X devices. A registration certificate is applied for by the manufacturer on behalf of each manufactured V2X device before the device leaves the factory; it is stored in the device and is used to apply for the other certificates.
At present, the manufacturer applies for a device's registration certificate offline, which makes the issuing process inflexible.
Disclosure of Invention
The application provides a certificate issuing method and apparatus for improving the flexibility of issuing registration certificates.
In a first aspect, an embodiment of the present application provides a certificate issuing method, including: the method comprises the steps that a terminal device sends a first message to a first network device, wherein the first message is used for requesting the first network device to issue a registration certificate, the first message comprises a public key and first information, and the first information is used for determining device information of the terminal device; then, the terminal device receives a second message sent by the first network device, wherein the second message includes a registration certificate, and the registration certificate is generated according to the device information of the terminal device and the public key. The terminal equipment and the first network equipment are interacted to realize the online issuing of the registration certificate, the registration certificate is not required to be configured in advance in the production process of the terminal equipment, the flexibility of a certificate issuing mode can be improved, and the production steps of the terminal equipment can be reduced.
In a first embodiment of the first aspect, the terminal device decrypts a second message according to a first shared key to obtain the registration certificate, where the second message is obtained by encrypting according to the first shared key, and the first shared key is a key shared between the terminal device and the first network device.
According to the first aspect or the first embodiment of the first aspect, in a second embodiment of the first aspect, before the terminal device sends the first message to the first network device, the method further includes: the terminal device generates a public-private key pair.
According to the first aspect or the first embodiment of the first aspect or the second embodiment of the first aspect, in a third embodiment of the first aspect, the device information of the terminal device comprises one or more of: license plate, electronic license plate, Vehicle Identification Number (VIN), equipment Number.
According to the first aspect, or the second embodiment of the first aspect, or the third embodiment of the first aspect, in a fourth embodiment of the first aspect, the sending, by the terminal device, of the first message to the first network device includes: if the key shared between the terminal device and the first network device is within the corresponding validity period, the terminal device sends the first message to the first network device.
According to the first aspect or the second embodiment of the first aspect or the third embodiment of the first aspect, in a fifth embodiment of the first aspect, the method further comprises: if the key shared between the terminal device and the first network device is not within the corresponding validity period, or no shared key exists between the terminal device and the first network device, the terminal device and the first network device negotiate to obtain the first shared key.
According to the fifth embodiment of the first aspect, in a sixth embodiment of the first aspect, the negotiating, by the terminal device and the first network device, to obtain the first shared key includes: the terminal device generates the first shared key according to a second shared key, the identifier of the terminal device, the identifier of the first network device and a random number, where the second shared key is a key shared between the terminal device and an anchor network element.
According to the sixth embodiment of the first aspect, in a seventh embodiment of the first aspect, the method further comprises: the terminal device receives a third message sent by the first network device, where the third message includes the validity period corresponding to the first shared key.
According to a sixth embodiment of the first aspect or the seventh embodiment of the first aspect, in the eighth embodiment of the first aspect, before the terminal device generates the first shared key according to the second shared key, the identifier of the terminal device, the identifier of the first network device, and the random number, the method further includes:
the terminal device sends a fourth message to the first network device, where the fourth message is used to request the first network device to authenticate the terminal device, the fourth message includes the first information, and the first information is used to determine a second shared key.
According to the sixth embodiment of the first aspect, or the seventh embodiment of the first aspect, or the eighth embodiment of the first aspect, in a ninth embodiment of the first aspect, after the terminal device generates the first shared key according to the second shared key, the identifier of the terminal device, the identifier of the first network device and the random number, the method further includes: the terminal device receives a fifth message sent by the first network device, where the fifth message indicates that the terminal device has successfully negotiated the first shared key.
According to the sixth embodiment of the first aspect, in a tenth embodiment of the first aspect, the generating, by the terminal device, of the first shared key according to the second shared key, the identifier of the terminal device, the identifier of the first network device and the random number includes:
if the key shared between the terminal device and the anchor network element is within the corresponding validity period, the terminal device generates the first shared key according to the second shared key, the identifier of the terminal device, the identifier of the first network device and the random number.
In this embodiment of the application, if the key shared between the terminal device and the anchor network element is within its validity period, the terminal device can generate the first shared key from the second shared key, the identifier of the terminal device, the identifier of the first network device and the random number, and then decrypt the second message with the first shared key to obtain the registration certificate it carries, which improves the security of the registration certificate.
In a second aspect, an embodiment of the present application provides a certificate issuing method, including: the method comprises the steps that first network equipment receives a first message sent by terminal equipment, wherein the first message comprises a public key and first information, and the first information is used for determining equipment information of the terminal equipment; then, the first network equipment obtains the equipment information of the terminal equipment according to the first information, and generates a registration certificate according to the equipment information of the terminal equipment and the public key; thereafter, the first network device sends a second message to the terminal device, the second message including the registration certificate. The terminal equipment and the first network equipment are interacted to realize the online issuing of the registration certificate, the registration certificate is not required to be configured in advance in the production process of the terminal equipment, the flexibility of a certificate issuing mode can be improved, and the production steps of the terminal equipment can be reduced.
In a first embodiment of the second aspect, the sending, by the first network device, the second message to the terminal device includes: the first network equipment encrypts the second message according to a first shared key to obtain the encrypted second message, wherein the first shared key is a key shared between the terminal equipment and the first network equipment; then, the first network device sends the encrypted second message to the terminal device.
According to the second aspect or the first embodiment of the second aspect, in a second embodiment of the second aspect, the obtaining, by the first network device, of the device information of the terminal device according to the first information includes: the first network device sends the first information to an anchor network element and requests the anchor network element to send the device information of the terminal device corresponding to the first information; the first network device receives the device information of the terminal device sent by the anchor network element.
According to the second aspect or the first embodiment of the second aspect, in a third embodiment of the second aspect, the obtaining, by the first network device, the device information of the terminal device according to the first information includes: the first network equipment sends first information to an anchor point network element; then, the first network equipment receives the permanent identification of the terminal equipment sent by the anchor point network element; then, the first network device determines the device information of the terminal device according to the permanent identifier of the terminal device.
According to the second aspect or any one of the first to third embodiments of the second aspect, in a fourth embodiment of the second aspect, the device information of the terminal device includes one or more of: license plate, electronic license plate, vehicle identification number VIN, equipment number.
According to any one of the first embodiment to the fourth embodiment of the second aspect, in a fifth embodiment of the second aspect, the encrypting, by the first network device, the registration certificate according to the first shared key to obtain the encrypted second message includes:
if the key shared between the terminal device and the first network device is in the corresponding validity period, the first network device encrypts the registration certificate according to the first shared key to obtain the encrypted second message.
According to the second aspect or any one of the first to fourth embodiments of the second aspect, in a sixth embodiment of the second aspect, before the first network device encrypts the second message according to the first shared key, the method further includes: if the key shared between the terminal device and the first network device is not within the corresponding validity period, or no shared key exists between the terminal device and the first network device, the first network device and the terminal device negotiate to obtain the first shared key.
According to a sixth embodiment of the second aspect, in the seventh embodiment of the second aspect, the negotiating, by the first network device and the terminal device, the first shared key includes:
the first network equipment sends a sixth message to the anchor point network element, wherein the sixth message comprises the first information and the identifier of the first network equipment; then, the first network device receives a seventh message sent by the anchor network element, where the seventh message includes the first shared key.
According to a seventh embodiment of the second aspect, in the eighth embodiment of the second aspect, the first network device sends a fifth message to the terminal device, where the fifth message is used to indicate that the terminal device successfully negotiates the first shared key.
According to the seventh embodiment of the second aspect or the eighth embodiment of the second aspect, in a ninth embodiment of the second aspect, the method further comprises: the first network device sends a third message to the terminal device, where the third message includes the validity period corresponding to the first shared key.
In the embodiment of the application, if the key shared between the terminal device and the first network device is not in the corresponding validity period, the first network device obtains the first shared key from the anchor point network element, and then the first network device can encrypt the second message according to the first shared key to obtain the encrypted second message, and send the encrypted second message to the terminal device, thereby improving the security of the registration certificate.
In a third aspect, an embodiment of the present application provides a certificate issuing method, including: the anchor point network element receives first information sent by first network equipment, wherein the first information is used for determining equipment information of terminal equipment; the anchor point network element determines the equipment information of the terminal equipment according to the first information; then, the anchor point network element sends the equipment information of the terminal equipment to the first network equipment, and the equipment information of the terminal equipment and the public key are used for generating a registration certificate of the terminal equipment; or, the anchor point network element determines the permanent identifier of the terminal device according to the first information, and then the anchor point network element sends the permanent identifier of the terminal device to the first network device, where the permanent identifier of the terminal device is used to determine the device information of the terminal device.
In the embodiment of the application, the anchor network element either sends the device information of the terminal device to the first network device, which generates the registration certificate from that device information and the public key, or sends the permanent identifier of the terminal device to the first network device, which determines the device information of the terminal device from the permanent identifier and generates the registration certificate from the device information and the public key. The first network device can then issue the registration certificate to the terminal device online, without pre-configuring it during production of the terminal device, which improves the flexibility of the certificate issuing manner and reduces the production steps of the terminal device.
In a first embodiment of the third aspect, the determining, by the anchor network element, the device information of the terminal device according to the first information includes: the anchor point network element determines the permanent identification of the terminal equipment according to the first information; and then, the anchor point network element determines the equipment information of the terminal equipment according to the permanent identifier of the terminal equipment.
According to the third aspect or the first embodiment of the third aspect, in a second embodiment of the third aspect, the method further comprises: receiving, by an anchor point network element, a sixth message sent by the first network device, where the sixth message includes the first information and an identifier of the first network device, and the first information is used to determine a second shared key, where the second shared key is a key shared between the terminal device and the anchor point network element; the anchor point network element determines a second shared key according to first information, and generates the first shared key according to the second shared key, the identifier of the terminal equipment and the identifier of the first network equipment; the anchor point network element sends a seventh message to the first network device, where the seventh message includes the first shared key.
According to the third aspect or the first embodiment of the third aspect or the second embodiment of the third aspect, in a third embodiment of the third aspect, the device information of the terminal device comprises one or more of: license plate, electronic license plate, vehicle identification number VIN, equipment number.
According to the second embodiment of the third aspect, in a fourth embodiment of the third aspect, the method further comprises: the anchor network element determines the validity period corresponding to the first shared key, and then sends that validity period to the first network device.
According to the second embodiment of the third aspect or the fourth embodiment of the third aspect, in a fifth embodiment of the third aspect, the determining, by the anchor network element, of the second shared key according to the first information includes: if the key shared between the terminal device and the anchor network element is within the corresponding validity period, the anchor network element determines the second shared key according to the first information.
In this embodiment of the application, if a key shared between the terminal device and the first network device is not in a corresponding validity period or a key shared between the terminal device and the first network device does not exist, the anchor point network element generates a first shared key according to the second shared key, the identifier of the terminal device, and the identifier of the first network device, and then the anchor point network element sends the first shared key to the first network device, and the first network device can encrypt the second message according to the first shared key and send the encrypted second message to the terminal device, thereby improving the security of the registration certificate.
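Worked example (added here; it is not code from the patent or from Huawei): a Python simulation of the message flow summarised in the first, second and third aspects above, with the terminal device, the first network device and the anchor network element as three separate parties. The patent does not specify the key derivation function, the cipher, or the certificate format, so the following are assumptions made for this example only: HKDF-Expand over HMAC-SHA256 as the KDF that turns the second shared key (K2), the two identifiers and the random number into the first shared key (K1); an HMAC-based encrypt-then-MAC construction standing in for a real AEAD such as AES-GCM; an HMAC under an issuer key standing in for the CA signature on the registration certificate; a placeholder value standing in for the terminal's generated public-private key pair; the random number chosen by the first network device and returned in the fifth message; and the policy that K1 never outlives K2. The identifiers, VIN, licence plate and keys in run_flow are constructed. Standard library only.

```python
import hashlib
import hmac
import json
import os

def hkdf_expand(prk, info, length=32):
    """RFC 5869 HKDF-Expand over HMAC-SHA256 (no Extract step: the inputs are already uniform keys)."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out, counter = out + block, counter + 1
    return out[:length]

def derive_first_shared_key(second_shared_key, terminal_id, net_id, nonce):
    """K1 = KDF(K2, terminal id || network device id || random number).  Run by the anchor for the
    network side and independently by the terminal, so K1 itself never crosses the air interface."""
    info = b"reg-cert-k1|" + terminal_id.encode() + b"|" + net_id.encode() + b"|" + nonce
    return hkdf_expand(second_shared_key, info)

def _keystream(enc_key, nonce, length):
    blocks = range((length + 31) // 32)
    return b"".join(hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest() for i in blocks)[:length]

def seal(key, plaintext, aad):
    """Encrypt-then-MAC under separate subkeys, HMAC-SHA256 in counter mode as the keystream PRF.
    Assumption: stand-in for a real AEAD (e.g. AES-GCM) so the block runs with the standard library."""
    enc_key, mac_key = hkdf_expand(key, b"enc"), hkdf_expand(key, b"mac")
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()

def unseal(key, blob, aad):
    enc_key, mac_key = hkdf_expand(key, b"enc"), hkdf_expand(key, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("second message failed authentication")
    return bytes(c ^ s for c, s in zip(ct, _keystream(enc_key, nonce, len(ct))))

class Anchor:
    """Anchor network element: first information -> permanent identifier, K2, K2 expiry, device information."""
    def __init__(self, records):
        self.records = records
    def device_info(self, first_info):
        return self.records[first_info]["device_info"]
    def negotiate(self, first_info, net_id, nonce, now):
        """Sixth -> seventh message: derive K1 only while K2 is inside its validity period."""
        rec = self.records[first_info]
        if now >= rec["k2_expiry"]:
            raise PermissionError("second shared key expired; terminal must re-authenticate")
        k1 = derive_first_shared_key(rec["k2"], rec["perm_id"], net_id, nonce)
        return k1, min(rec["k2_expiry"], now + 3600)  # assumed policy: K1 never outlives K2

class NetworkDevice:
    """First network device: negotiates K1 through the anchor, then issues the certificate sealed under K1."""
    def __init__(self, net_id, anchor, issuer_key):
        self.net_id, self.anchor, self.issuer_key, self.keys = net_id, anchor, issuer_key, {}
    def authenticate(self, fourth_message, now):
        """Fourth -> fifth message.  Assumption: the random number is chosen here and returned to the terminal."""
        nonce = os.urandom(16)
        k1, expiry = self.anchor.negotiate(fourth_message["first_info"], self.net_id, nonce, now)
        self.keys[fourth_message["first_info"]] = (k1, expiry)
        return {"status": "ok", "nonce": nonce, "k1_expiry": expiry}
    def issue(self, first_message, now):
        """First -> second message: certificate over (device information, public key), encrypted under K1."""
        k1, expiry = self.keys.get(first_message["first_info"], (None, 0))
        if k1 is None or now >= expiry:
            raise PermissionError("no first shared key in its validity period; negotiate first")
        cert = {"device_info": self.anchor.device_info(first_message["first_info"]),
                "public_key": first_message["public_key"], "issuer": self.net_id, "not_after": now + 365 * 86400}
        body = json.dumps(cert, sort_keys=True).encode()
        cert["signature"] = hmac.new(self.issuer_key, body, hashlib.sha256).hexdigest()  # stand-in for a CA signature
        return seal(k1, json.dumps(cert, sort_keys=True).encode(), self.net_id.encode())

class Terminal:
    def __init__(self, perm_id, first_info, k2):
        self.perm_id, self.first_info, self.k2, self.k1, self.k1_expiry = perm_id, first_info, k2, None, 0
        self.private_key = os.urandom(32)                               # placeholder for the generated key pair
        self.public_key = hashlib.sha256(self.private_key).hexdigest()  # (an EC key pair on a real device)
    def request_certificate(self, net, now):
        if self.k1 is None or now >= self.k1_expiry:  # no usable K1: negotiate before sending the first message
            fifth = net.authenticate({"first_info": self.first_info}, now)
            self.k1 = derive_first_shared_key(self.k2, self.perm_id, net.net_id, fifth["nonce"])
            self.k1_expiry = fifth["k1_expiry"]
        second = net.issue({"first_info": self.first_info, "public_key": self.public_key}, now)
        cert = json.loads(unseal(self.k1, second, net.net_id.encode()))
        if cert["public_key"] != self.public_key:
            raise ValueError("certificate does not carry our public key")
        return cert

def run_flow(now=1_700_000_000, k2_lifetime=86400):
    """Constructed end-to-end run; identifiers, VIN, plate and keys are made up for this example."""
    k2 = hashlib.sha256(b"demo-anchor-key").digest()
    anchor = Anchor({"TMP-0042": {"perm_id": "PERM-0042", "k2": k2, "k2_expiry": now + k2_lifetime,
                                  "device_info": {"vin": "LFV2A11K7C3000001", "license_plate": "DEMO-0001",
                                                  "device_number": "OBU-7"}}})
    net = NetworkDevice("NET-1", anchor, issuer_key=hashlib.sha256(b"demo-issuer-key").digest())
    return Terminal("PERM-0042", "TMP-0042", k2).request_certificate(net, now)
```

The conditions in the example follow the text: the terminal negotiates only when it holds no first shared key within its validity period (fourth and fifth embodiments of the first aspect); the anchor derives the first shared key only while the second shared key is within its validity period (fifth embodiment of the third aspect); and because both sides derive K1 independently from K2 and the random number, K1 itself is never transmitted, only the random number and the validity period are. Calling run_flow(k2_lifetime=0) shows the anchor refusing the negotiation, and any modification of the encrypted second message, or use of the wrong network device identifier as associated data, is rejected before the certificate is parsed.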
In a fourth aspect, an embodiment of the present application further provides a certificate issuing apparatus, including:
a transceiver module, configured to send a first message to the first network device, where the first message is used to request the first network device to issue a registration certificate, the first message includes a public key and first information, and the first information is used to determine device information of the terminal device;
the transceiver module is further configured to receive a second message sent by the first network device, where the second message includes the registration certificate, and the registration certificate is generated according to the device information of the terminal device and the public key.
The terminal equipment and the first network equipment are interacted to realize the online issuing of the registration certificate, the registration certificate is not required to be configured in advance in the production process of the terminal equipment, the flexibility of a certificate issuing mode can be improved, and the production steps of the terminal equipment can be reduced.
In a first embodiment of the fourth aspect, the apparatus further comprises: a processing module;
the processing module is used for decrypting the second message according to the first shared key to obtain a registration certificate; the second message is obtained by encrypting according to a first shared key, and the first shared key is a key shared between the terminal device and the first network device.
According to the fourth aspect or the first embodiment of the fourth aspect, in a second embodiment of the fourth aspect, the processing module is further configured to generate a public-private key pair.
According to the fourth aspect or the first embodiment of the fourth aspect or the second embodiment of the fourth aspect, in a third embodiment of the fourth aspect, the device information of the terminal device comprises one or more of: license plate, electronic license plate, vehicle identification number VIN, equipment number.
According to the fourth aspect, or the second embodiment of the fourth aspect, or the third embodiment of the fourth aspect, in the fourth embodiment of the fourth aspect, the processing module is further configured to determine whether a key shared between the terminal device and the first network device is within a corresponding validity period, and if the key shared between the terminal device and the first network device is within the corresponding validity period, the transceiver module sends the first message to the first network device.
According to the fourth aspect or the second embodiment of the fourth aspect or the third embodiment of the fourth aspect, in a fifth embodiment of the fourth aspect:
if the processing module determines that the key shared between the terminal device and the first network device is not in the corresponding validity period, or the shared key does not exist between the terminal device and the first network device, the processing module is further configured to negotiate with the first network device to obtain the first shared key.
According to a fifth embodiment of the fourth aspect, in a sixth embodiment of the fourth aspect, the processing module is specifically configured to generate the first shared key according to a second shared key, an identifier of a terminal device, an identifier of a first network device, and a random number, where the second shared key is a key shared between the terminal device and an anchor network element.
According to a sixth embodiment of the fourth aspect, in a seventh embodiment of the fourth aspect, before the processing module generates the first shared key according to a second shared key, an identifier of a terminal device, an identifier of a first network device, and a random number, the transceiver module is further configured to receive a third message sent by the first network device, where the third message includes a validity period corresponding to the first shared key.
According to a sixth embodiment of the fourth aspect or the seventh embodiment of the fourth aspect, in an eighth embodiment of the fourth aspect, the transceiver module is further configured to send a fourth message to the first network device, where the fourth message is used to request the first network device to authenticate the terminal device, and the fourth message includes the first information, and the first information is used to determine a second shared key.
According to the sixth embodiment of the fourth aspect, or the seventh embodiment of the fourth aspect, or the eighth embodiment of the fourth aspect, in the ninth embodiment of the fourth aspect, after the processing module generates the first shared key according to the second shared key, the identifier of the terminal device, the identifier of the first network device, and the random number, the transceiver module is further configured to receive a fifth message sent by the first network device, where the fifth message is used to indicate that the terminal device successfully negotiates the first shared key.
According to a sixth embodiment of the fourth aspect, in a tenth embodiment of the fourth aspect, the processing module is specifically configured to determine whether a key shared between the terminal device and the anchor network element is within a corresponding validity period, and if it is determined that the key shared between the terminal device and the anchor network element is within the corresponding validity period, the processing module generates the first shared key according to the second shared key, the identifier of the terminal device, the identifier of the first network device, and the random number.
In this embodiment of the application, if the processing module determines that the key shared between the terminal device and the anchor network element is within its validity period, the terminal device can generate the first shared key from the second shared key, the identifier of the terminal device, the identifier of the first network device and the random number, and then decrypt the second message with the first shared key to obtain the registration certificate it carries, which improves the security of the registration certificate.
In a fifth aspect, an embodiment of the present application provides a certificate issuing apparatus, including:
a transceiver module, configured to receive a first message sent by the terminal device, where the first message includes a public key and first information, and the first information is used to determine device information of the terminal device;
the transceiver module is further configured to obtain device information of the terminal device according to the first information;
a processing module, configured to generate the registration certificate according to the device information of the terminal device and the public key;
the transceiver module is further configured to send a second message to the terminal device, where the second message includes the registration certificate.
In a first embodiment of the fifth aspect, the processing module is further configured to encrypt the second message according to a first shared key, to obtain an encrypted second message, where the first shared key is a key shared between the terminal device and the first network device;
correspondingly, the transceiver module is configured to send the encrypted second message to the terminal device.
According to the fifth aspect or the first embodiment of the fifth aspect, in a second embodiment of the fifth aspect, the transceiver module is specifically configured to send the first information to an anchor network element, and request the anchor network element to send device information of the terminal device corresponding to the first information;
the transceiver module is further configured to receive the device information of the terminal device sent by the anchor point network element.
According to the fifth aspect or the first embodiment of the fifth aspect, in a third embodiment of the fifth aspect, the transceiver module is specifically configured to send the first information to an anchor point network element;
the transceiver module is further configured to receive a permanent identifier of the terminal device sent by the anchor point network element;
the processing module is used for determining the equipment information of the terminal equipment according to the permanent identification of the terminal equipment.
According to the fifth aspect or any one of the first to third embodiments of the fifth aspect, in a fourth embodiment of the fifth aspect, the device information of the terminal device includes one or more of the following: a license plate, an electronic license plate, a vehicle identification number (VIN), and a device number.
According to any one of the first to fourth embodiments of the fifth aspect, in the fifth embodiment of the fifth aspect, the processing module is specifically configured to, if it is determined that a key shared between the terminal device and the first network device is within a corresponding validity period, perform encryption processing on the registration certificate according to the first shared key, so as to obtain the encrypted second message.
According to the fifth aspect or any one of the first to fourth embodiments of the fifth aspect, in a sixth embodiment of the fifth aspect, if the processing module determines that the key shared between the terminal device and the first network device is not within the corresponding validity period, or that no shared key exists between the terminal device and the first network device, the transceiver module is further configured to negotiate with the terminal device to obtain the first shared key.
According to a sixth embodiment of the fifth aspect, in the seventh embodiment of the fifth aspect, the transceiver module is specifically configured to send a sixth message to the anchor network element, where the sixth message includes the first information and the identifier of the first network device;
the transceiver module is further configured to receive a seventh message sent by the anchor point network element, where the seventh message includes the first shared key.
According to a seventh embodiment of the fifth aspect, in an eighth embodiment of the fifth aspect, the transceiver module is further configured to send a fifth message to the terminal device, where the fifth message is used to indicate to the terminal device that the first shared key has been successfully negotiated.
According to a seventh embodiment of the fifth aspect or the eighth embodiment of the fifth aspect, in a ninth embodiment of the fifth aspect, the transceiver module is further configured to send a third message to the terminal device, where the third message includes a validity period corresponding to the first shared key.
In the embodiment of the application, if the key shared between the terminal device and the first network device is not in the corresponding validity period, the first network device obtains the first shared key from the anchor point network element, and then the first network device can encrypt the second message according to the first shared key to obtain the encrypted second message, and send the encrypted second message to the terminal device, thereby improving the security of the registration certificate.
In a sixth aspect, an embodiment of the present application provides a certificate issuing apparatus, including:
a transceiver module, configured to receive first information sent by a first network device, where the first information is used to determine device information of a terminal device;
a processing module, configured to determine the device information of the terminal device according to the first information;
the transceiver module is further configured to send device information of the terminal device to the first network device, where the device information of the terminal device and the public key are used to generate a registration certificate of the terminal device;
the processing module is further configured to determine a permanent identifier of the terminal device according to the first information;
the transceiver module is further configured to send a permanent identifier of the terminal device to the first network device, where the permanent identifier of the terminal device is used to determine device information of the terminal device.
In this embodiment of the application, the anchor network element either sends the device information of the terminal device to the first network device, which generates the registration certificate from that device information and the public key, or sends the permanent identifier of the terminal device to the first network device, which determines the device information from the permanent identifier and then generates the registration certificate from the device information and the public key. In either case the first network device issues the registration certificate to the terminal device online, so the certificate does not have to be pre-configured during production of the terminal device; this makes certificate issuance more flexible and removes a production step.
In a first embodiment of the sixth aspect, the processing module is specifically configured to determine a permanent identifier of the terminal device according to the first information;
the processing module is further configured to determine device information of the terminal device according to the permanent identifier of the terminal device.
According to the sixth aspect or the first embodiment of the sixth aspect, in a second embodiment of the sixth aspect, the transceiver module is further configured to receive a sixth message sent by the first network device, where the sixth message includes the first information and an identifier of the first network device, and the first information is used to determine a second shared key, where the second shared key is a key shared between the terminal device and the anchor network element;
the processing module is further configured to determine a second shared key according to the first information, and generate the first shared key according to the second shared key, the identifier of the terminal device, and the identifier of the first network device;
the transceiver module is further configured to send a seventh message to the first network device, where the seventh message includes the first shared key.
According to the sixth aspect, or the first embodiment of the sixth aspect, or the second embodiment of the sixth aspect, in a third embodiment of the sixth aspect, the device information of the terminal device includes one or more of the following: a license plate, an electronic license plate, a vehicle identification number (VIN), and a device number.
According to a second embodiment of the sixth aspect, in a fourth embodiment of the sixth aspect, the processing module is further configured to determine a validity period corresponding to the first shared key;
the transceiver module is further configured to send the validity period corresponding to the first shared key to the first network device.
According to the second embodiment of the sixth aspect or the fourth embodiment of the sixth aspect, in a fifth embodiment of the sixth aspect, the processing module is specifically configured to determine the second shared key according to the first information when determining that the key shared between the terminal device and the anchor network element is within the corresponding validity period.
In this embodiment of the application, if the key shared between the terminal device and the first network device is not within its validity period, or no such key exists, the anchor network element generates the first shared key from the second shared key, the identifier of the terminal device and the identifier of the first network device, and sends it to the first network device. The first network device then encrypts the second message with the first shared key and sends the encrypted second message to the terminal device, which improves the security of the registration certificate.
In a seventh aspect, an embodiment of the present application further provides a certificate issuing apparatus, including:
a transceiver, configured to send a first message to a first network device, where the first message is used to request the first network device to issue a registration certificate, the first message includes a public key and first information, and the first information is used to determine device information of the terminal device;
the transceiver is further configured to receive a second message sent by the first network device, where the second message includes the registration certificate, and the registration certificate is generated according to the device information of the terminal device and the public key.
The terminal device and the first network device interact to issue the registration certificate online, so the registration certificate does not have to be configured during production of the terminal device; this makes certificate issuance more flexible and removes a production step.
In a first embodiment of the seventh aspect, the apparatus further comprises: a processor;
the processor is configured to decrypt the second message according to a first shared key to obtain the registration certificate, where the second message is encrypted with the first shared key, and the first shared key is a key shared between the terminal device and the first network device.
According to the seventh aspect or the first embodiment of the seventh aspect, in a second embodiment of the seventh aspect, the processor is further configured to generate a public-private key pair.
According to the seventh aspect, or the first embodiment of the seventh aspect, or the second embodiment of the seventh aspect, in a third embodiment of the seventh aspect, the device information of the terminal device includes one or more of the following: a license plate, an electronic license plate, a vehicle identification number (VIN), and a device number.
According to the seventh aspect, or the second embodiment of the seventh aspect, or the third embodiment of the seventh aspect, in a fourth embodiment of the seventh aspect, the processor is further configured to determine whether a key shared between the terminal device and the first network device is within a corresponding validity period, and if the key shared between the terminal device and the first network device is within the corresponding validity period, the transceiver sends the first message to the first network device.
According to the seventh aspect, or the second embodiment of the seventh aspect, or the third embodiment of the seventh aspect, in a fifth embodiment of the seventh aspect:
if the processor determines that the key shared between the terminal device and the first network device is not in the corresponding validity period, or the shared key does not exist between the terminal device and the first network device, the processor is further configured to negotiate with the first network device to obtain the first shared key.
According to a fifth embodiment of the seventh aspect, in the sixth embodiment of the seventh aspect, the processor is specifically configured to generate the first shared key according to a second shared key, an identifier of a terminal device, an identifier of a first network device, and a random number, where the second shared key is a key shared between the terminal device and an anchor network element.
According to a sixth embodiment of the seventh aspect, in the seventh embodiment of the seventh aspect, before the processor generates the first shared key according to a second shared key, an identifier of a terminal device, an identifier of a first network device, and a random number, the transceiver is further configured to receive a third message sent by the first network device, where the third message includes a validity period corresponding to the first shared key.
According to a sixth embodiment of the seventh aspect or a seventh embodiment of the seventh aspect, in an eighth embodiment of the seventh aspect, the transceiver is further configured to send a fourth message to the first network device, the fourth message being used to request the first network device to authenticate the terminal device, the fourth message including the first information, the first information being used to determine a second shared key.
According to a sixth embodiment of the seventh aspect, or the seventh embodiment of the seventh aspect, or the eighth embodiment of the seventh aspect, in a ninth embodiment of the seventh aspect, after the processor generates the first shared key according to the second shared key, the identifier of the terminal device, the identifier of the first network device, and the random number, the transceiver is further configured to receive a fifth message sent by the first network device, where the fifth message is used to indicate that the terminal device successfully negotiates the first shared key.
According to a sixth embodiment of the seventh aspect, in a tenth embodiment of the seventh aspect, the processor is specifically configured to determine whether a key shared between the terminal device and the anchor network element is within a corresponding validity period, and if it is determined that the key shared between the terminal device and the anchor network element is within the corresponding validity period, the processor generates the first shared key according to the second shared key, the identifier of the terminal device, the identifier of the first network device, and the random number.
It should be noted that, in some embodiments, the terminal device further includes: a memory for storing program code. When the program code is executed, the terminal device is configured to implement the method of any embodiment of the first aspect.
In this embodiment of the application, if the processor determines that the key shared between the terminal device and the anchor network element (the second shared key) is within its validity period, the terminal device generates the first shared key from the second shared key, the identifier of the terminal device, the identifier of the first network device and the random number, and then decrypts the second message with the first shared key to obtain the registration certificate it carries, which improves the security of the registration certificate.
In an eighth aspect, an embodiment of the present application provides a certificate issuing apparatus, including:
a transceiver, configured to receive a first message sent by a terminal device, where the first message includes a public key and first information, and the first information is used to determine device information of the terminal device;
the transceiver is further configured to obtain device information of the terminal device according to the first information;
a processor, configured to generate the registration certificate according to the device information of the terminal device and the public key;
the transceiver is further configured to send a second message to the terminal device, where the second message includes the registration certificate.
In a first embodiment of the eighth aspect, the processor is further configured to encrypt the second message according to a first shared key, to obtain an encrypted second message, where the first shared key is a key shared between the terminal device and the first network device;
correspondingly, the transceiver is configured to send the encrypted second message to the terminal device.
According to the eighth aspect or the first embodiment of the eighth aspect, in a second embodiment of the eighth aspect, the transceiver is specifically configured to send the first information to an anchor network element, and request the anchor network element to send device information of the terminal device corresponding to the first information;
the transceiver is further configured to receive the device information of the terminal device sent by the anchor point network element.
According to the eighth aspect or the first embodiment of the eighth aspect, in a third embodiment of the eighth aspect, the transceiver is specifically configured to send the first information to an anchor network element;
the transceiver is further configured to receive a permanent identifier of the terminal device sent by the anchor point network element;
the processor is configured to determine the device information of the terminal device according to the permanent identifier of the terminal device.
According to the eighth aspect or any one of the first to third embodiments of the eighth aspect, in a fourth embodiment of the eighth aspect, the device information of the terminal device includes one or more of the following: a license plate, an electronic license plate, a vehicle identification number (VIN), and a device number.
According to any one of the first embodiment to the fourth embodiment of the eighth aspect, in a fifth embodiment of the eighth aspect, the processor is specifically configured to, if it is determined that a key shared between the terminal device and the first network device is within a corresponding validity period, perform encryption processing on the registration certificate according to the first shared key, so as to obtain the encrypted second message.
According to the eighth aspect or any one of the first to fourth embodiments of the eighth aspect, in a sixth embodiment of the eighth aspect, if the processor determines that the key shared between the terminal device and the first network device is not within the corresponding validity period, or that no shared key exists between the terminal device and the first network device, the transceiver is further configured to negotiate with the terminal device to obtain the first shared key.
According to a sixth embodiment of the eighth aspect, in a seventh embodiment of the eighth aspect, the transceiver is specifically configured to send a sixth message to the anchor network element, where the sixth message includes the first information and the identifier of the first network device;
the transceiver is further configured to receive a seventh message sent by the anchor network element, where the seventh message includes the first shared key.
According to a seventh embodiment of the eighth aspect, in an eighth embodiment of the eighth aspect, the transceiver is further configured to send a fifth message to the terminal device, where the fifth message is used to indicate to the terminal device that the first shared key has been successfully negotiated.
According to a seventh embodiment of the eighth aspect or the eighth embodiment of the eighth aspect, in a ninth embodiment of the eighth aspect, the transceiver is further configured to send a third message to the terminal device, where the third message includes a validity period corresponding to the first shared key.
In the embodiment of the application, if the key shared between the terminal device and the first network device is not in the corresponding validity period, the first network device obtains the first shared key from the anchor point network element, and then the first network device can encrypt the second message according to the first shared key to obtain the encrypted second message, and send the encrypted second message to the terminal device, thereby improving the security of the registration certificate.
In a ninth aspect, an embodiment of the present application provides a certificate issuing apparatus, including:
a transceiver, configured to receive first information sent by a first network device, where the first information is used to determine device information of a terminal device;
a processor, configured to determine the device information of the terminal device according to the first information;
the transceiver is further configured to send device information of the terminal device to the first network device, where the device information of the terminal device and the public key are used to generate a registration certificate of the terminal device;
the processor is further configured to determine a permanent identifier of the terminal device according to the first information;
the transceiver is further configured to send a permanent identifier of the terminal device to the first network device, where the permanent identifier of the terminal device is used to determine device information of the terminal device.
In this embodiment of the application, the anchor network element either sends the device information of the terminal device to the first network device, which generates the registration certificate from that device information and the public key, or sends the permanent identifier of the terminal device to the first network device, which determines the device information from the permanent identifier and then generates the registration certificate from the device information and the public key. In either case the first network device issues the registration certificate to the terminal device online, so the certificate does not have to be pre-configured during production of the terminal device; this makes certificate issuance more flexible and removes a production step.
In a first embodiment of the ninth aspect, the processor is specifically configured to determine the permanent identifier of the terminal device according to the first information;
the processor is further configured to determine device information of the terminal device according to the permanent identifier of the terminal device.
According to the ninth aspect or the first embodiment of the ninth aspect, in the second embodiment of the ninth aspect, the transceiver is further configured to receive a sixth message sent by the first network device, where the sixth message includes the first information and an identifier of the first network device, and the first information is used to determine a second shared key, where the second shared key is a key shared between the terminal device and the anchor network element;
the processor is further configured to determine a second shared key according to the first information, and generate the first shared key according to the second shared key, the identifier of the terminal device, and the identifier of the first network device;
the transceiver is further configured to send a seventh message to the first network device, where the seventh message includes the first shared key.
According to the ninth aspect, or the first embodiment of the ninth aspect, or the second embodiment of the ninth aspect, in a third embodiment of the ninth aspect, the device information of the terminal device includes one or more of the following: a license plate, an electronic license plate, a vehicle identification number (VIN), and a device number.
According to a second embodiment of the ninth aspect, in the fourth embodiment of the ninth aspect, the processor is further configured to determine a validity period corresponding to the first shared key;
the transceiver is further configured to send the validity period corresponding to the first shared key to the first network device.
According to the second embodiment of the ninth aspect or the fourth embodiment of the ninth aspect, in the fifth embodiment of the ninth aspect, the processor is specifically configured to determine the second shared key according to the first information when determining that the key shared between the terminal device and the anchor network element is within the corresponding validity period.
It should be noted that, in some embodiments, the anchor point network element further includes: a memory for storing program code. When the program code is executed, the anchor network element is configured to implement the method of any embodiment of the third aspect.
In this embodiment of the application, if the key shared between the terminal device and the first network device is not within its validity period, or no such key exists, the anchor network element generates the first shared key from the second shared key, the identifier of the terminal device and the identifier of the first network device, and sends it to the first network device. The first network device then encrypts the second message with the first shared key and sends the encrypted second message to the terminal device, which improves the security of the registration certificate.
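The exchange summarized in the fourth to ninth aspects above (terminal device, first network device and anchor network element), worked through once in Go. This is an added example, not code from the patent or from Huawei; the patent names no concrete algorithms, so the following are assumptions made here: HKDF-SHA256 as the function that derives the first shared key from the second shared key, the terminal identifier, the first network device identifier and the random number; AES-256-GCM for encrypting the second message; an ECDSA P-256 signed X.509 certificate as the registration certificate, with the VIN placed in the subject serialNumber and the license plate in the CN; and that the terminal holds the issuer's public key out of band. The identifiers, VIN, plate and validity periods are constructed sample values, and the function names (DeriveFirstSharedKey, SealSecondMessage, RunIssuance and so on) are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// SharedKey is a key plus the validity period that the "third message" carries to the terminal.
type SharedKey struct {
	Key     []byte
	Expires time.Time
}
// Valid is nil-safe: an absent or expired key must trigger renegotiation through the anchor.
func (k *SharedKey) Valid(now time.Time) bool { return k != nil && len(k.Key) == 32 && now.Before(k.Expires) }

// DeriveFirstSharedKey derives the first shared key (terminal <-> first network device) from the second shared
// key k2 (terminal <-> anchor), both identifiers and the random number, with HKDF-SHA256 (RFC 5869, one output
// block). The KDF is an assumption of this example; the patent does not name one.
func DeriveFirstSharedKey(k2 []byte, terminalID, netDevID string, nonce []byte) []byte {
	ext := hmac.New(sha256.New, nil) // HKDF-Extract with empty salt: PRK = HMAC(0, k2)
	ext.Write(k2)
	exp := hmac.New(sha256.New, ext.Sum(nil)) // HKDF-Expand: T(1) = HMAC(PRK, info || 0x01)
	exp.Write(append(append([]byte("first-shared-key|"+terminalID+"|"+netDevID+"|"), nonce...), 1))
	return exp.Sum(nil)
}

// IssueRegistrationCertificate is the first network device binding the device information to the terminal's
// public key and signing it. Layout chosen for this example: VIN in the subject serialNumber, plate in the CN.
func IssueRegistrationCertificate(issuerKey *ecdsa.PrivateKey, issuer, vin, plate string, pub *ecdsa.PublicKey) ([]byte, error) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), KeyUsage: x509.KeyUsageDigitalSignature,
		Subject:   pkix.Name{SerialNumber: vin, CommonName: plate},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour)}
	parent := &x509.Certificate{Subject: pkix.Name{CommonName: issuer}} // issuer name; the signing key is issuerKey
	return x509.CreateCertificate(rand.Reader, tmpl, parent, pub, issuerKey)
}

// VerifyRegistrationCertificate is the terminal's check after decryption: signed by the expected issuer
// (whose public key it holds out of band) and carrying the terminal's own public key.
func VerifyRegistrationCertificate(der []byte, issuerPub, own *ecdsa.PublicKey) (*x509.Certificate, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil { return nil, err }
	h := sha256.Sum256(cert.RawTBSCertificate)
	if !ecdsa.VerifyASN1(issuerPub, h[:], cert.Signature) { return nil, errors.New("not signed by the expected issuer") }
	if !own.Equal(cert.PublicKey) { return nil, errors.New("certificate does not carry the terminal's public key") }
	return cert, nil
}

// SealSecondMessage: AES-256-GCM under the first shared key, nonce prepended, the identifiers bound as AAD.
func SealSecondMessage(k1, certDER []byte, aad string) ([]byte, error) {
	block, err := aes.NewCipher(k1)
	if err != nil { return nil, err }
	gcm, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return gcm.Seal(nonce, nonce, certDER, []byte(aad)), nil
}

// OpenSecondMessage is the terminal side; it fails on a wrong key, a wrong AAD or any tampering.
func OpenSecondMessage(k1, msg []byte, aad string) ([]byte, error) {
	block, err := aes.NewCipher(k1)
	if err != nil { return nil, err }
	gcm, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	if len(msg) < gcm.NonceSize() { return nil, errors.New("second message too short") }
	return gcm.Open(nil, msg[:gcm.NonceSize()], msg[gcm.NonceSize():], []byte(aad))
}

// RunIssuance walks the exchange once; cached is the first shared key both sides already hold (nil if none).
// It returns the registration certificate the terminal recovered from the second message and verified.
func RunIssuance(now time.Time, cached *SharedKey) (*x509.Certificate, error) {
	const terminalID, netDevID, vin, plate = "supi-460001234567890", "first-network-device", "LSGKB54E3JA123456", "SH-A12345" // constructed
	k2, nonce := make([]byte, 32), make([]byte, 16) // second shared key (terminal <-> anchor, e.g. a GBA Ks) and random number
	if _, err := rand.Read(k2); err != nil { return nil, err }
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	termKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // terminal key pair; its public key is in the first message
	if err != nil { return nil, err }
	issuerKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // first network device's issuing key
	if err != nil { return nil, err }
	// First network device: cached key not within its validity period -> sixth message (first information, own
	// identifier) to the anchor, seventh message (key, validity) back; the terminal derives the same key from its k2.
	k1, k1Term := cached, cached
	if !k1.Valid(now) {
		k1 = &SharedKey{Key: DeriveFirstSharedKey(k2, terminalID, netDevID, nonce), Expires: now.Add(time.Hour)} // anchor side
		k1Term = &SharedKey{Key: DeriveFirstSharedKey(k2, terminalID, netDevID, nonce), Expires: k1.Expires}    // terminal side
	}
	certDER, err := IssueRegistrationCertificate(issuerKey, netDevID, vin, plate, &termKey.PublicKey)
	if err != nil { return nil, err }
	aad := terminalID + "|" + netDevID
	second, err := SealSecondMessage(k1.Key, certDER, aad) // the encrypted second message
	if err != nil { return nil, err }
	plain, err := OpenSecondMessage(k1Term.Key, second, aad) // terminal decrypts with its own first shared key
	if err != nil { return nil, err }
	return VerifyRegistrationCertificate(plain, &issuerKey.PublicKey, &termKey.PublicKey)
}
```

Two points the claims leave implicit are the ones to get right in an implementation. The derivation must bind both identifiers and the random number, otherwise a first shared key produced for one first network device could be replayed towards another; and after decrypting, the terminal should not merely parse the registration certificate but check that it was signed by the expected issuer and that it carries the terminal's own public key, since the shared key only proves the message came from a party holding that key, not that the certificate contents are the ones requested.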
In a tenth aspect, an embodiment of the present application provides a certificate issuing apparatus, including an interface and a processor, where the interface is coupled to the processor.
The processor is configured to execute the certificate issuing method according to any embodiment of the first aspect, any embodiment of the second aspect, or any embodiment of the third aspect.
In an eleventh aspect, embodiments of the present application provide a computer-readable storage medium, where a computer program is stored, where the computer program includes at least one code, and the at least one code is executable by a computer to control the computer to perform a certificate issuing method according to any embodiment of the first aspect, or any embodiment of the second aspect, or any embodiment of the third aspect.
The program may be stored in whole or in part on a storage medium packaged with the processor, or may be stored in part or in whole on a memory not packaged with the processor.
In a twelfth aspect, an embodiment of the present application provides a processor, including:
at least one circuit, configured to send a first message to a first network device, where the first message is used to request the first network device to issue a registration certificate, and the first message includes a public key and first information, where the first information is used to determine device information of the terminal device;
at least one circuit, configured to receive a second message sent by the first network device, where the second message includes the registration certificate, and the registration certificate is generated according to the device information of the terminal device and the public key.
The processor may be a chip.
In a thirteenth aspect, an embodiment of the present application provides a processor, including:
at least one circuit, configured to receive a first message sent by a terminal device, where the first message is used to request the first network device to issue a registration certificate, and the first message includes a public key and first information, where the first information is used to determine device information of the terminal device;
at least one circuit, configured to obtain device information of the terminal device according to the first information, and generate the registration certificate according to the device information of the terminal device and the public key;
at least one circuit configured to send a second message to a terminal device, the second message including the registration certificate.
The processor may be a chip.
In a fourteenth aspect, an embodiment of the present application provides a processor, including:
at least one circuit, configured to receive first information sent by a first network device, where the first information is used to determine device information of a terminal device;
at least one circuit configured to determine device information of the terminal device according to the first information;
at least one circuit, configured to send device information of the terminal device to a first network device, where the device information of the terminal device and a public key are used to generate a registration certificate of the terminal device;
at least one circuit configured to determine a permanent identity of the terminal device based on the first information;
at least one circuit, configured to send a permanent identifier of a terminal device to a first network device, where the permanent identifier of the terminal device is used to determine device information of the terminal device.
The processor may be a chip.
In a fifteenth aspect, an embodiment of the present application further provides a communication system, including: a terminal device as described above, a first network device as described above and an anchor network element as described above.
Drawings
FIG. 1 is a schematic diagram of a conventional GBA architecture;
fig. 2 is a schematic diagram of a protocol stack of a radio access network device according to an embodiment of the present application;
fig. 3 is a flowchart of a certificate issuing method according to an embodiment of the present application;
fig. 4 is a flowchart of a certificate issuing method according to another embodiment of the present application;
fig. 5 is a flowchart of a certificate issuing method according to another embodiment of the present application;
fig. 6 is a flowchart of a certificate issuing method according to another embodiment of the present application;
fig. 7 is a flowchart of a certificate issuing method according to another embodiment of the present application;
fig. 8 is a schematic structural diagram of a certificate issuing apparatus according to an embodiment of the present application;
fig. 9 is a schematic structural diagram of a certificate issuing apparatus according to another embodiment of the present application;
fig. 10 is a schematic structural diagram of a certificate issuing apparatus according to another embodiment of the present application;
fig. 11 is a schematic structural diagram of a certificate issuing apparatus according to another embodiment of the present application;
fig. 12 is a schematic structural diagram of a terminal device according to an embodiment of the present application;
fig. 13 is a block diagram of a communication system according to an embodiment of the present application.
Detailed Description
Fig. 1 is a schematic diagram of a conventional GBA architecture. As shown in fig. 1, the generic bootstrapping architecture (GBA architecture) includes: a Bootstrapping Server Function (BSF), a User Equipment (UE), a Network Application Function (NAF), and a Subscriber Location Function (SLF). The BSF acts as the intermediate hub: it interacts with the UE through the Ub interface and performs the authentication between the UE and the BSF; it obtains the parameters related to UE authentication from the Home Subscriber Server (HSS), which stores them, through the Zh interface; it interacts with the NAF through the Zn interface; and it interacts with the SLF through the Dz interface, so that when there are multiple HSSs the BSF can obtain from the SLF the name of the HSS corresponding to the UE. In addition, the UE interacts with the NAF over the Ua interface. Since there is one NAF per application, the BSF and the UE may interact with multiple NAFs.
As described above, in the defined GBA AKA authentication standard the participating parties are the UE, the BSF and the HSS; based on the root key shared between the UE and the HSS, key agreement on Ks between the UE and the BSF is implemented, and a shared key is established between the BSF and the UE by performing a bootstrapping procedure. Specifically, the UE and the BSF complete GBA AKA authentication over HTTP in the following steps: the UE sends the UE ID to the BSF; the BSF sends the UE ID to the Home Subscriber Server (HSS); the HSS determines the root key corresponding to the UE ID, calculates an Authentication Vector AV = (RAND, AUTN, CK, IK, XRES), and sends the AV to the BSF, where RAND is a random number, AUTN is an authentication token, CK is a cipher key, IK is an integrity key, and XRES is the expected user response; the BSF sends the RAND and AUTN from the AV to the UE; the UE verifies AUTN and calculates CK, IK and RES, where RES is the user response; the UE sends RES to the BSF; the BSF compares XRES with RES to verify whether RES is correct; if the verification succeeds, the BSF calculates Ks = CK || IK; the BSF sends a bootstrapping transaction identifier (B-TID) and a Key lifetime to the UE, where the BSF generates the B-TID from the RAND and the BSF server name as Base64encode(RAND)@BSF_servers_domain_name, Base64encode(RAND) denotes the Base64 encoding of the RAND, and the Key lifetime is the validity period of Ks; the UE calculates Ks = CK || IK. In addition, fig. 2 shows one possible protocol stack between the UE and the BSF, from which it can also be seen that the existing GBA AKA authentication is HTTP-based.
Fig. 3 is a flowchart of a certificate issuing method according to an embodiment of the present application. As shown in fig. 3, the method comprises the steps of:
S301, the terminal device sends a first message to the first network device, wherein the first message comprises a public key and first information. Accordingly, the first network device receives the first message sent by the terminal device.
S302, the first network equipment determines the equipment information of the terminal equipment according to the first information.
S303, the first network device generates a registration certificate according to the device information of the terminal device and the public key.
In this embodiment of the application, a registration certificate generated according to the device information of the terminal device and the public key sent by the terminal device is stored in the terminal device, where the registration certificate is a basic certificate used by the terminal device to apply for another certificate, and for example, the other certificate may include a communication certificate.
S304, the first network equipment sends a second message to the terminal equipment. Accordingly, the terminal device receives the second message sent by the first network device.
For example, the terminal device in this embodiment of the present application may be a V2X device, such as a vehicle or an RSU; it is understood that the terminal device may also be referred to as user equipment. The first network device may be a NAF in the GBA architecture, which may also be referred to as an application server, an external application server, etc.; this is not limited in this embodiment of the present application.
Optionally, the first information may be a B-TID, which can be used to determine device information of the terminal device. Alternatively, the B-TID may be referred to as a transaction ID, an identification ID, a first ID, a GBA session ID, or other names, which is not limited by the embodiment of the present application. For example, if the terminal device is a vehicle, the first network device can determine the device information of the vehicle, such as the license plate, the model number, the vehicle identification code and the like of the vehicle according to the B-TID.
The device information of the terminal device includes permanent identification information of the terminal device; for example, the device information of the terminal device may include one or more of the following: license plate, electronic license plate, vehicle identification number (VIN), device number, etc. If the terminal device is a vehicle, the device number may be an Electronic Toll Collection (ETC) device number, and the device information of the terminal device may include: vehicle identification number, license plate, electronic license plate, ETC device number, etc. If the terminal device is a road side unit, the device number may be an RSU device number, and the device information of the terminal device may include the RSU device number.
In the embodiment of the application, if the terminal device needs to acquire the registration certificate, the terminal device first sends, to the first network device, a first message for requesting the first network device to issue the registration certificate, where the first message includes a public key and first information, the first information may be temporary identification information of the terminal device, and the first information may be used to determine device information of the terminal device. Then, the first network device determines the device information of the terminal device according to the first information. And then, the first network device generates a registration certificate of the terminal device according to the device information of the terminal device and the public key sent by the terminal device, and sends a second message to the terminal device, wherein the second message comprises the registration certificate.
In the embodiment of the application, the terminal device sends a first message for requesting the first network device to issue the registration certificate to the first network device, and the first network device obtains the registration certificate according to the received first message and issues the registration certificate to the terminal device in an online manner. The method in the embodiment of the application can realize online issuing of the registration certificate without pre-configuring the registration certificate in the production process of the terminal equipment, and not only can the steps of the production equipment be reduced, but also the flexibility of the certificate issuing mode can be improved.
Optionally, in some embodiments, after performing S304, the first network device may further perform steps S3041-S3043:
S3041, the first network device encrypts the second message according to the first shared key to obtain an encrypted second message.
The embodiment of the present application is not limited to the specific implementation manner of encrypting the second message according to the first shared key.
S3042, the first network device sends the encrypted second message to the terminal device. Accordingly, the terminal device receives the encrypted second message sent by the first network device.
S3043, the terminal device decrypts the second message according to the first shared key, and obtains the registration certificate.
In this embodiment of the application, after obtaining the registration certificate, the first network device generates a second message according to the registration certificate, and then, the first network device may directly send the second message to the terminal device in the manner in S304, or the first network device may also encrypt the second message by using the first shared key in the manner in S3041-S3043 to obtain the encrypted second message, and send the encrypted second message to the terminal device, and the terminal device decrypts the encrypted second message according to the first shared key to obtain the registration certificate therein. The first shared key is a key shared between the terminal device and the first network device.
Specifically, if the key shared between the terminal device and the first network device is within its validity period, the first network device encrypts the second message with this first shared key to obtain the encrypted second message. If that key is not within its validity period, or no first shared key exists between the terminal device and the first network device, the first network device first negotiates with the terminal device to obtain a key shared between them, that is, the first shared key is obtained by negotiation; the first network device then encrypts the second message with the negotiated first shared key to obtain the encrypted second message, and sends the encrypted second message to the terminal device.
For example, the first network device is the NAF in the GBA architecture, and the first shared key K_AF is the key shared between the terminal device and the NAF. If K_AF is within its validity period, the NAF generates the registration certificate according to the device information of the terminal device and the public key sent by the terminal device, generates the second message according to the registration certificate, encrypts the second message with K_AF to obtain the encrypted second message, and sends the encrypted second message to the terminal device; the terminal device decrypts the received encrypted second message with K_AF to obtain the registration certificate.
In the embodiment of the application, when the first network device issues the registration certificate to the terminal device, the second message is encrypted through the first shared key, and the encrypted second message is sent to the terminal device, so that the security of the registration certificate in the second message can be ensured.
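As an added illustration of S3041 to S3043 (example code, not part of the patent application), the following Go program protects the second message with the first shared key. The application does not fix an encryption method, so the example assumes AES-256-GCM, a constructed 32-byte key and key lifetime, and a constructed B-TID that is bound as associated data; the validity-period check on the first shared key runs before any encryption or decryption, matching the behaviour described above.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// sharedKey models the first shared key (K_AF in the GBA case) together with its
// validity period, the key lifetime that the third message carries. Values are constructed.
type sharedKey struct {
	key    []byte    // 32-byte AES-256 key; derived via GBA in the real flow, constructed here
	expiry time.Time // end of the key lifetime
}

var errKeyUnusable = errors.New("first shared key missing or outside its validity period: negotiate first")

// usable is the check behind S3041 and the fig. 6 flow: a missing or expired key must be
// renegotiated before the second message can be protected.
func (k *sharedKey) usable(now time.Time) bool {
	return k != nil && len(k.key) == 32 && now.Before(k.expiry)
}

func newGCM(k *sharedKey) (cipher.AEAD, error) {
	block, err := aes.NewCipher(k.key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealSecondMessage is the first network device side of S3041: AES-256-GCM over the
// registration certificate, with the B-TID bound as associated data so the ciphertext
// is tied to this bootstrapping session and cannot be replayed under another one.
func sealSecondMessage(k *sharedKey, btid string, registrationCert []byte, now time.Time) ([]byte, error) {
	if !k.usable(now) {
		return nil, errKeyUnusable
	}
	gcm, err := newGCM(k)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Wire format of the encrypted second message: nonce || ciphertext || tag.
	return gcm.Seal(nonce, nonce, registrationCert, []byte(btid)), nil
}

// openSecondMessage is the terminal side of S3043: any modification of the message, or a
// mismatched B-TID, fails authentication and no certificate is accepted.
func openSecondMessage(k *sharedKey, btid string, msg []byte, now time.Time) ([]byte, error) {
	if !k.usable(now) {
		return nil, errKeyUnusable
	}
	gcm, err := newGCM(k)
	if err != nil {
		return nil, err
	}
	if len(msg) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("encrypted second message too short")
	}
	return gcm.Open(nil, msg[:gcm.NonceSize()], msg[gcm.NonceSize():], []byte(btid))
}

func main() {
	now := time.Now()
	k := &sharedKey{key: []byte("constructed-32-byte-key-for-demo"), expiry: now.Add(time.Hour)}
	btid := "MDEyMzQ1Njc4OWFiY2RlZg==@bsf.example.invalid" // constructed B-TID
	msg, err := sealSecondMessage(k, btid, []byte("registration certificate (DER) placeholder"), now)
	if err != nil {
		panic(err)
	}
	cert, err := openSecondMessage(k, btid, msg, now)
	fmt.Printf("decrypted: %q, err: %v\n", cert, err)
	// The same message with an expired key is refused before any decryption is attempted.
	_, err = openSecondMessage(&sharedKey{key: k.key, expiry: now.Add(-time.Second)}, btid, msg, now)
	fmt.Println("expired key:", err)
}
```

Binding the B-TID as associated data is the example's own addition: it means an encrypted second message captured in one bootstrapping session is rejected if presented under another, which the plain encryption described above does not by itself guarantee.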
Fig. 4 is a flowchart of a certificate issuing method according to another embodiment of the present application. As shown in fig. 4, the method includes the steps of:
S401, the terminal device sends a first message to the first network device, wherein the first message comprises a public key and first information. Accordingly, the first network device receives the first message sent by the terminal device.
In the embodiment of the present application, S401 is similar to S301 in the embodiment shown in fig. 3, and reference may be made to the description about S301 in the embodiment shown in fig. 3, which is not repeated herein.
On the basis of the embodiment shown in fig. 3, S302 may be implemented by the means in S402-S405:
S402, the first network device sends the first information to an anchor network element. Correspondingly, the anchor network element receives the first information sent by the first network device.
S403, the anchor point network element determines the permanent identifier of the terminal device according to the first information.
S404, the anchor point network element sends the permanent identification of the terminal device to the first network device. Correspondingly, the first network device receives the permanent identifier of the terminal device sent by the anchor point network element.
S405, the first network equipment determines the equipment information of the terminal equipment according to the permanent identification of the terminal equipment.
In this embodiment, the first information is specifically used to determine the permanent identifier (subscription permanent identifier, SUPI) of the terminal device, and the SUPI of the terminal device corresponds to the device information of the terminal device, so that the device information of the terminal device can be determined from the SUPI of the terminal device and the correspondence between the SUPI and the device information.
Illustratively, the first network device may be NAF in GBA architecture, the anchor network element may be BSF in GBA architecture, the first information is B-TID, and the BSF may determine a permanent identifier of the terminal device according to the B-TID, then the BSF sends the SUPI of the terminal device to NAF, and then NAF determines the device information of the terminal device according to the SUPI of the terminal device and a correspondence between the SUPI of the terminal device and the device information of the terminal device.
S406, the first network device generates a registration certificate according to the device information of the terminal device and the public key.
S407, the first network device sends a second message to the terminal device. Accordingly, the terminal device receives the second message sent by the first network device.
In the embodiment of the present application, S406 to S407 are similar to S303 to S304 in the embodiment shown in fig. 3, and reference may be made to the description contents related to S303 to S304 in the embodiment shown in fig. 3, which is not repeated herein.
S4071, the first network device encrypts the second message according to the first shared key to obtain an encrypted second message.
S4072, the first network device sends the encrypted second message to the terminal device. Accordingly, the terminal device receives the encrypted second message sent by the first network device.
S4073, the terminal device decrypts the second message according to the first shared key to obtain the registration certificate.
In some embodiments, S4071-S4073 may also be performed after S406, where S4071-S4073 in this embodiment is similar to S3041-S3043 in the embodiment shown in fig. 3, and reference may be made to the description about S3041-S3043 in the embodiment shown in fig. 3, which is not repeated herein.
In this embodiment, if the terminal device needs to acquire the registration certificate, the terminal device sends to the first network device a first message requesting the first network device to issue the registration certificate; the first network device forwards the first information in the first message to the anchor network element; the anchor network element determines the SUPI of the terminal device according to the first information and sends the SUPI to the first network device; the first network device determines the device information of the terminal device according to the SUPI of the terminal device and the correspondence between the SUPI and the device information; the first network device then generates the registration certificate according to the device information of the terminal device and the public key sent by the terminal device, and issues the registration certificate to the terminal device online. The method in the embodiment of the application therefore issues the registration certificate online without pre-configuring it during production of the terminal device, which both reduces the production steps and makes the certificate issuing mode more flexible.
In addition, if the key shared between the terminal device and the first network device is within its validity period, the first network device encrypts the second message with this first shared key to obtain the encrypted second message. If that key is not within its validity period, or no first shared key exists between the terminal device and the first network device, the first network device first negotiates the first shared key with the terminal device, then encrypts the second message with the negotiated first shared key to obtain the encrypted second message, and sends the encrypted second message to the terminal device.
In the embodiment of the application, the second message is encrypted through the first shared key, and the encrypted second message is sent to the terminal device, so that the security of the registration certificate in the second message can be ensured.
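As an added example covering S301 to S304 of fig. 3 and S402 to S407 of fig. 4 (example code, not code from the patent application), the following Go program resolves the first information to device information through the two lookups described above and issues a CA-signed X.509 registration certificate that binds that device information to the public key from the first message. The B-TID, SUPI, VIN, license plate and ETC number values, the in-memory lookup tables, and the use of X.509 with an ECDSA P-256 CA are all assumptions of the example; the application does not specify the certificate format or where the tables live.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed sample values; none of them come from the patent application.
const sampleBTID = "MDEyMzQ1Njc4OWFiY2RlZg==@bsf.example.invalid" // Base64encode(RAND)@BSF domain
const sampleSUPI = "imsi-001010123456789"
// deviceInfo is the permanent device information that the registration certificate binds.
type deviceInfo struct{ VIN, Plate, ETCNumber string }

// naf holds the issuing CA and the two lookups of fig. 4: the anchor's B-TID -> SUPI table (S403,
// kept in memory here instead of at a BSF) and the NAF's own SUPI -> device information table (S405).
type naf struct {
	caKey        *ecdsa.PrivateKey
	caCert       *x509.Certificate
	btidToSUPI   map[string]string
	supiToDevice map[string]deviceInfo
}
func newDeviceKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }
// newNAF creates a self-signed ECDSA P-256 CA and fills the constructed lookup tables.
func newNAF() (*naf, error) {
	caKey, err := newDeviceKey()
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "NAF registration CA (example)"},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	caCert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &naf{caKey: caKey, caCert: caCert, btidToSUPI: map[string]string{sampleBTID: sampleSUPI},
		supiToDevice: map[string]deviceInfo{sampleSUPI: {VIN: "VIN-CONSTRUCTED-0001", Plate: "PLATE-0001", ETCNumber: "ETC-0001"}}}, nil
}

// issue is S302-S304: resolve the B-TID to the SUPI and then to the device information, and bind
// that information and the public key from the first message in a CA-signed X.509 certificate (DER).
func (n *naf) issue(pub *ecdsa.PublicKey, btid string) ([]byte, error) {
	supi, ok := n.btidToSUPI[btid]
	if !ok { // no bootstrapping session, no certificate
		return nil, fmt.Errorf("unknown B-TID %q: the terminal must bootstrap with the BSF first", btid)
	}
	dev, ok := n.supiToDevice[supi]
	if !ok {
		return nil, fmt.Errorf("no device information registered for %s", supi)
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 120))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial, // the device information is carried in the subject fields
		Subject:      pkix.Name{CommonName: dev.VIN, SerialNumber: dev.Plate, OrganizationalUnit: []string{"ETC:" + dev.ETCNumber}},
		NotBefore:    time.Now().Add(-time.Minute), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	return x509.CreateCertificate(rand.Reader, tmpl, n.caCert, pub, n.caKey)
}

// verifyRegistrationCert is the terminal-side check on the certificate from the second message:
// it must chain to the NAF's CA and carry exactly the public key the terminal sent.
func verifyRegistrationCert(der []byte, root *x509.Certificate, sent *ecdsa.PublicKey) (*x509.Certificate, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return nil, err
	}
	if got, ok := cert.PublicKey.(*ecdsa.PublicKey); !ok || !got.Equal(sent) {
		return nil, fmt.Errorf("certificate does not carry the public key from the first message")
	}
	return cert, nil
}

func main() {
	n, _ := newNAF()
	devKey, _ := newDeviceKey()
	der, _ := n.issue(&devKey.PublicKey, sampleBTID)
	cert, err := verifyRegistrationCert(der, n.caCert, &devKey.PublicKey)
	fmt.Println("issued for", cert.Subject.CommonName, cert.Subject.SerialNumber, "verify error:", err)
}
```

The terminal-side check at the end is the part a practitioner most often forgets: the registration certificate is only useful as a basis for applying for other certificates if the terminal confirms both that it chains to the issuer it expects and that it binds the very public key it sent in the first message.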
Fig. 5 is a flowchart of a certificate issuing method according to another embodiment of the present application. As shown in fig. 5, the method comprises the steps of:
S501, the terminal device sends a first message to the first network device, wherein the first message comprises a public key and first information. Accordingly, the first network device receives the first message sent by the terminal device.
In the embodiment of the present application, S501 is similar to S301 in the embodiment shown in fig. 3, and reference may be made to the description about S301 in the embodiment shown in fig. 3, which is not repeated herein.
On the basis of the embodiment shown in fig. 3, S302 can be implemented by the means in S502-S505:
S502, the first network device sends the first information to the anchor network element. Correspondingly, the anchor network element receives the first information sent by the first network device.
S503, the anchor point network element determines the permanent identification of the terminal equipment according to the first information.
S504, the anchor point network element determines the equipment information of the terminal equipment according to the permanent identification of the terminal equipment.
S505, the anchor network element sends the device information of the terminal device to the first network device. Correspondingly, the first network device receives the device information of the terminal device sent by the anchor network element.
In this embodiment, the first information may be used to determine the SUPI of the terminal device, and the SUPI of the terminal device has a corresponding relationship with the device information of the terminal device, so that the anchor network element first determines the SUPI of the terminal device according to the first information, and then the anchor network element determines the device information of the terminal device according to the SUPI of the terminal device and the corresponding relationship between the SUPI of the terminal device and the device information of the terminal device, and sends the determined device information of the terminal device to the first network device.
Illustratively, the first network device may be NAF in GBA architecture, the anchor network element may be BSF in GBA architecture, the first information is B-TID, the BSF determines the SUPI of the terminal device according to the B-TID, then the BSF determines the device information of the terminal device according to the SUPI of the terminal device and the corresponding relationship between the SUPI of the terminal device and the device information of the terminal device, and then the BSF sends the device information of the terminal device to NAF.
S506, the first network equipment generates a registration certificate according to the equipment information of the terminal equipment and the public key.
S507, the first network equipment sends a second message to the terminal equipment. Accordingly, the terminal device receives the second message sent by the first network device.
S5071, the first network device encrypts the second message according to the first shared key to obtain an encrypted second message.
S5072, the first network device sends the encrypted second message to the terminal device. Accordingly, the terminal device receives the encrypted second message sent by the first network device.
S5073, the terminal device decrypts the second message according to the first shared key, and obtains the registration certificate.
In some embodiments, S5071-S5073 may be performed after S506, where S5071-S5073 in the present embodiment is similar to S3041-S3043 in the embodiment shown in fig. 3, and reference may be made to the description of S3041-S3043 in the embodiment shown in fig. 3, which is not repeated herein.
In the embodiment of the application, if the terminal device needs to acquire the registration certificate, the terminal device sends to the first network device a first message requesting the first network device to issue the registration certificate; the first network device forwards the first information in the first message to the anchor network element; the anchor network element determines the SUPI of the terminal device according to the first information, then determines the device information of the terminal device according to this permanent identifier, and sends the device information of the terminal device to the first network device; the first network device generates the registration certificate according to the device information of the terminal device and the public key sent by the terminal device, and issues the registration certificate to the terminal device online. The method in the embodiment of the application therefore issues the registration certificate online without pre-configuring it during production of the terminal device, which both reduces the production steps and makes the certificate issuing mode more flexible.
In addition, if the key shared between the terminal device and the first network device is within its validity period, the first network device encrypts the second message with this first shared key to obtain the encrypted second message. If that key is not within its validity period, or no first shared key exists between the terminal device and the first network device, the first network device first negotiates the first shared key with the terminal device, then encrypts the second message with the negotiated first shared key to obtain the encrypted second message, and sends the encrypted second message to the terminal device.
In the embodiment of the application, the second message is encrypted through the first shared key, and the encrypted second message is sent to the terminal device, so that the security of the registration certificate in the second message can be ensured.
Fig. 6 is a flowchart of a certificate issuing method according to another embodiment of the present application. As shown in fig. 6, the method comprises the steps of:
If the terminal device and the first network device decide to use the first shared key to transmit the registration certificate in encrypted form, either the terminal device or the first network device may determine whether the first shared key is within its validity period, or whether a first shared key exists between the terminal device and the first network device. In this embodiment of the present application, the detailed description takes as its example the case in which the terminal device makes this determination.
S601, the terminal device determines whether the first shared key is in a corresponding validity period, or determines whether the first shared key exists between the terminal device and the first network device.
S602, the terminal device sends a fourth message to the first network device. Correspondingly, the first network device receives the fourth message sent by the terminal device, and then executes S604.
If the terminal device determines that the first shared key is not within its validity period, or that no first shared key exists between the terminal device and the first network device, the terminal device sends a fourth message to the first network device, where the fourth message is used to request the first network device to authenticate the terminal device, the fourth message includes the first information, and the first network device can determine a second shared key according to the first information. In this embodiment, the first network device authenticates the terminal device in order to obtain the first shared key by negotiation.
For example, if the first network device is the NAF in the GBA architecture, the anchor network element is the BSF in the GBA architecture, and the first information is the B-TID, then if the terminal device determines that K_AF is not within its validity period, or determines that no K_AF exists between the terminal device and the NAF, the terminal device sends the fourth message to the NAF, where the fourth message includes the B-TID; the NAF receives the B-TID, and Ks is determined according to the B-TID.
S603, the terminal device generates the first shared key according to the second shared key, the identifier of the terminal device, the identifier of the first network device and the random number.
And the second shared key is a key shared between the terminal equipment and the anchor point network element. For example, if the anchor network element is a BSF, the second shared key is a key shared between the terminal device and the BSF, that is, Ks.
The identifier of the terminal device may be a permanent identifier or a temporary identifier, including but not limited to any one of the following: subscription concealed identifier (SUCI), international mobile subscriber identity (IMSI), IP multimedia private identity (IMPI), temporary IP multimedia private identity (TMPI), globally unique temporary identifier (GUTI), temporary mobile subscriber identity (TMSI), IP multimedia public identity (IMPU), application identifier (App ID), network identifier (network ID), service ID, NAI, and the like, that is, any identifier that can uniquely identify the terminal device.
The identifier of the first network device may be a permanent identifier or a temporary identifier, including but not limited to any identifier that uniquely identifies the first network device; for example, when the first network device is a NAF, its identifier may be the NAF_Id.
The random number is a parameter sent to the terminal device by the anchor point network element in the process of negotiating with the anchor point network element to obtain the second shared key by the terminal device.
Specifically, if the second shared key is within the corresponding validity period, the terminal device may generate the first shared key according to the second shared key, the identifier of the terminal device, the identifier of the first network device, and the random number. Optionally, in this embodiment of the application, a manner in which the terminal device generates the first shared key according to the second shared key, the identifier of the terminal device, the identifier of the first network device, and the random number is not limited.
For example, if the second shared key is the key Ks shared between the terminal device and the BSF, and the random number RAND is the parameter sent by the BSF to the terminal device while the terminal device and the BSF negotiate Ks, the terminal device may generate K_AF as K_AF = KDF(Ks, "gba-me", RAND, IMPI, NAF_Id), where KDF is a key derivation function, IMPI is the identifier of the terminal device, the first network device is the NAF, NAF_Id is the identifier of the NAF, and NAF_Id = FQDN of the NAF || Ua security protocol identifier.
It should be noted that, if the terminal device determines that the first shared key is not within its validity period or that no first shared key exists between the terminal device and the first network device, S602 and S603 may be performed in either order.
S604, the first network device sends a sixth message to the anchor point network element. Correspondingly, the anchor point network element receives the sixth message sent by the first network device. Wherein the sixth message includes the first information and the identity of the first network device.
S605, the anchor point network element generates a first shared key according to the first information and the identifier of the first network device.
Specifically, the anchor point network element determines the second shared key, the identifier of the terminal device, and the random number according to the first information, and generates the first shared key according to the second shared key, the identifier of the terminal device, the random number, and the identifier of the first network device. The method for generating the first shared key by the anchor point network element is the same as the method for generating the first shared key by the terminal equipment.
For example, the anchor network element is the BSF, the first network device is the NAF, the first information is the B-TID, and the identifier of the first network device is NAF_Id. The BSF receives the B-TID and NAF_Id sent by the NAF, determines Ks, IMPI and RAND according to the B-TID, and then generates K_AF = KDF(Ks, "gba-me", RAND, IMPI, NAF_Id).
It should be noted that, if the anchor network element determines from the first information that the second shared key is not within its validity period, the anchor network element and the terminal device may negotiate a new second shared key by the existing GBA AKA authentication procedure; see the description of the embodiment shown in fig. 1.
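As an added example for S603 and S605 (example code, not code from the patent application), the following Go program computes Ks = CK || IK and the B-TID from constructed AKA outputs, then derives K_AF = KDF(Ks, "gba-me", RAND, IMPI, NAF_Id) on the terminal side and on the BSF side, the BSF resolving the B-TID to its stored (Ks, IMPI, RAND) first. The KDF is written as HMAC-SHA-256 over the parameters with their lengths, following the pattern of 3GPP TS 33.220 Annex B; the IMPI, NAF FQDN, Ua security protocol identifier and AKA outputs are constructed sample values.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"fmt"
)

// Constructed sample values; none of them come from the patent application or a real network.
const (
	bsfDomain  = "bsf.example.invalid"
	sampleIMPI = "001010123456789@ims.mnc001.mcc001.3gppnetwork.org" // IMPI, the terminal identifier in the KDF
	nafFQDN    = "naf.example.invalid"
)

// uaProtocolID stands in for the 5-octet Ua security protocol identifier (constructed value).
var uaProtocolID = []byte{0x01, 0x00, 0x00, 0x00, 0x02}

// gbaKDF follows the pattern of 3GPP TS 33.220 Annex B: the derived key is HMAC-SHA-256 keyed
// with Ks over S = FC || P0 || L0 || P1 || L1 || ..., each Li being the 2-octet big-endian length of Pi.
func gbaKDF(ks []byte, fc byte, params ...[]byte) []byte {
	s := []byte{fc}
	for _, p := range params {
		s = append(s, p...)
		s = append(s, byte(len(p)>>8), byte(len(p)))
	}
	mac := hmac.New(sha256.New, ks)
	mac.Write(s)
	return mac.Sum(nil)
}

// deriveKs is the last step of bootstrapping on both sides: Ks = CK || IK.
func deriveKs(ck, ik []byte) []byte { return append(append([]byte{}, ck...), ik...) }

// makeBTID builds Base64encode(RAND)@BSF_servers_domain_name.
func makeBTID(rand []byte) string { return base64.StdEncoding.EncodeToString(rand) + "@" + bsfDomain }

// nafID is NAF_Id = FQDN of the NAF || Ua security protocol identifier.
func nafID(fqdn string, uaProto []byte) []byte { return append([]byte(fqdn), uaProto...) }

// deriveKAF is S603 on the terminal: K_AF = KDF(Ks, "gba-me", RAND, IMPI, NAF_Id), with FC = 0x01.
func deriveKAF(ks, rand []byte, impi string, nafId []byte) []byte {
	return gbaKDF(ks, 0x01, []byte("gba-me"), rand, []byte(impi), nafId)
}

// bootstrapRecord is what the BSF keeps per B-TID after a GBA AKA run.
type bootstrapRecord struct {
	ks   []byte
	impi string
	rand []byte
}

// bsf is an in-memory stand-in for the anchor network element's state.
type bsf struct{ records map[string]bootstrapRecord }

// finishBootstrap stores Ks under the B-TID that the BSF hands to the UE together with the key lifetime.
func (b *bsf) finishBootstrap(rand, ck, ik []byte, impi string) string {
	btid := makeBTID(rand)
	b.records[btid] = bootstrapRecord{ks: deriveKs(ck, ik), impi: impi, rand: rand}
	return btid
}

// deriveForNAF is S605: the BSF resolves the B-TID to (Ks, IMPI, RAND) and derives K_AF for the
// NAF identified by nafId. An unknown B-TID means the UE must run bootstrapping again first.
func (b *bsf) deriveForNAF(btid string, nafId []byte) ([]byte, error) {
	rec, ok := b.records[btid]
	if !ok {
		return nil, fmt.Errorf("unknown B-TID %q: bootstrapping required", btid)
	}
	return deriveKAF(rec.ks, rec.rand, rec.impi, nafId), nil
}

func main() {
	// Constructed AKA outputs; in a real run they come from the HSS authentication vector.
	randVal := []byte("0123456789abcdef")
	ck, ik := []byte("ck-constructed16"), []byte("ik-constructed16")
	b := &bsf{records: map[string]bootstrapRecord{}}
	btid := b.finishBootstrap(randVal, ck, ik, sampleIMPI)
	id := nafID(nafFQDN, uaProtocolID)
	ueKey := deriveKAF(deriveKs(ck, ik), randVal, sampleIMPI, id) // terminal side, S603
	bsfKey, _ := b.deriveForNAF(btid, id)                         // BSF side, S605
	fmt.Println("B-TID   :", btid)
	fmt.Println("UE K_AF :", hex.EncodeToString(ueKey))
	fmt.Println("BSF K_AF:", hex.EncodeToString(bsfKey))
}
```

Because NAF_Id is an input to the KDF, the key the BSF hands to one NAF is of no use to another NAF, which is why the sixth message must carry the first network device's own identifier and why the BSF should derive against the identifier it authenticated the NAF with rather than one the request merely claims.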
S606, the anchor point network element sends a seventh message to the first network device. Correspondingly, the first network device receives the seventh message sent by the anchor network element. Wherein the seventh message includes the first shared key.
S607, the first network device sends a fifth message to the terminal device. Accordingly, the terminal device receives the fifth message sent by the first network device. The fifth message is used to indicate that the first shared key of the terminal device has been successfully negotiated.
Optionally, in some embodiments, after S604, the method further includes:
S605', the anchor network element determines the validity period corresponding to the first shared key.
S606', the anchor point network element sends the validity period corresponding to the first shared key to the first network device. Correspondingly, the first network device receives the validity period corresponding to the first shared key sent by the anchor point network element.
Optionally, in this embodiment of the present application, S606 and S606' may be performed through the same signaling or through different signaling.
S607', the first network device sends a third message to the terminal device. Accordingly, the terminal device receives the third message sent by the first network device.
The third message includes the validity period (key lifetime) corresponding to the first shared key. The terminal device receives the third message sent by the first network device and determines the validity period corresponding to the first shared key according to it. The next time the method of this embodiment is executed, the terminal device can use this validity period to determine whether the first shared key has expired.
Optionally, in this embodiment of the present application, S607 and S607' may be performed through the same signaling or through different signaling.
S608, the terminal device sends a first message to the first network device, where the first message includes a public key and first information. Accordingly, the first network device receives the first message sent by the terminal device.
Optionally, in some embodiments, S601-S607 may also be performed after S608 and before S611.
S609, the first network device determines the device information of the terminal device according to the first information.
S610, the first network equipment obtains the registration certificate according to the equipment information of the terminal equipment and the public key.
S611, the first network device encrypts the second message according to the first shared key to obtain the encrypted second message.
S612, the first network device sends the encrypted second message to the terminal device. Accordingly, the terminal device receives the encrypted second message sent by the first network device.
S613, the terminal equipment decrypts the second message according to the first shared key to obtain the registration certificate.
In this embodiment of the application, when the terminal device and the first network device determine that the registration certificate is to be obtained based on GBA, and the key shared between them is not within its validity period or no first shared key exists between them, the terminal device and the first network device execute the GBA AKA procedure to obtain the first shared key. The first network device then encrypts the registration certificate it generated with the first shared key to obtain the encrypted second message and sends it to the terminal device, and the terminal device decrypts the encrypted second message with the first shared key to obtain the registration certificate. The method of this embodiment thus issues the registration certificate online, without pre-configuring it during production of the terminal device, which both reduces the production steps and makes the certificate issuing mode more flexible.
In addition, in this embodiment of the application, the second message is encrypted with the first shared key before being sent to the terminal device, which protects the confidentiality of the registration certificate carried in the second message while it is in transit.
Fig. 7 is a flowchart of a certificate issuing method according to another embodiment of the present application. As shown in fig. 7, the method comprises the steps of:
If the terminal device and the first network device determine to transmit the registration certificate encrypted under the first shared key, either the terminal device or the first network device may determine whether the first shared key is within its validity period, or whether a first shared key exists between the terminal device and the first network device. This embodiment describes in detail the case in which the first network device makes that determination.
S701, the terminal device sends a first message to the first network device, wherein the first message comprises a public key and first information. Accordingly, the first network device receives the first message sent by the terminal device.
S702, the first network equipment determines the equipment information of the terminal equipment according to the first information.
S703, the first network device obtains the registration certificate according to the device information of the terminal device and the public key.
S704, the first network device determines whether the first shared key is in the corresponding validity period or whether the first shared key exists between the terminal device and the first network device according to the first information.
If the first network device determines, according to the first information, that the first shared key is not within its validity period, or that no first shared key exists between the terminal device and the first network device, the first network device and the terminal device may negotiate the first shared key in the manner of S705-S710. If the first network device determines according to the first information that the first shared key is within its validity period, S711 is executed.
It should be noted that S702 and S704 may be executed in either order.
S705, the first network device sends a notification message to the terminal device. Accordingly, the terminal device receives the notification message sent by the first network device. The notification message is used for notifying the terminal device to negotiate to obtain the first shared key.
S706, the terminal device generates the first shared key according to the second shared key, the identifier of the terminal device, the identifier of the first network device and the random number.
Specifically, the terminal device receives the notification message sent by the first network device, determines that it needs to negotiate the first shared key with the first network device, and then generates the first shared key according to the second shared key, the identifier of the terminal device, the identifier of the first network device, and the random number. For the identifier of the terminal device, the identifier of the first network device, and the random number, refer to the description in the foregoing embodiments, which is not repeated here.
Exemplarily, the first network device is the NAF, the first information is the B-TID, the identifier of the first network device is NAF_Id, and the identifier of the terminal device is the IMPI; the terminal device may then generate K_AF according to K_AF = KDF(Ks, "gba-me", RAND, IMPI, NAF_Id).
S707, the first network device sends a sixth message to the anchor point network element. Correspondingly, the anchor point network element receives the sixth message sent by the first network device.
The sixth message is used for requesting the anchor network element to generate the first shared key, and the sixth message includes the first information and the identifier of the first network device.
S705 and S707 may be executed in either order.
S708, the anchor point network element generates a first shared key according to the first information and the identifier of the first network device.
Specifically, the anchor network element determines the second shared key, the identifier of the terminal device, and the random number according to the first information, and generates the first shared key according to the second shared key, the identifier of the terminal device, the random number, and the identifier of the first network device. The method by which the anchor network element generates the first shared key from the second shared key is the same as the method by which the terminal device generates the first shared key from the second shared key.
For example, the anchor network element is the BSF, the first network device is the NAF, the first information is the B-TID, and the identifier of the first network device is NAF_Id. The BSF receives the B-TID and NAF_Id sent by the NAF, determines Ks, the IMPI and RAND according to the B-TID, and then generates K_AF according to K_AF = KDF(Ks, "gba-me", RAND, IMPI, NAF_Id).
It should be noted that, if the anchor network element determines according to the first information that the second shared key is not within its validity period, the anchor network element and the terminal device may negotiate the second shared key through the existing GBA AKA authentication procedure; see the detailed description of the embodiment shown in fig. 1.
S709, the anchor point network element sends a seventh message to the first network device. Correspondingly, the first network device receives the seventh message sent by the anchor network element. Wherein the seventh message includes the first shared key.
S710, the first network device sends a fifth message to the terminal device. Accordingly, the terminal device receives the fifth message sent by the first network device.
The fifth message is used to indicate that the first shared key of the terminal device has been successfully negotiated. The terminal device receives the fifth message sent by the first network device and determines according to it that the first shared key has been successfully negotiated.
Optionally, in some embodiments, S707 is followed by:
S708', the anchor network element determines the validity period corresponding to the first shared key.
S709', the anchor point network element sends a validity period corresponding to the first shared key to the first network device. Correspondingly, the first network device receives the validity period corresponding to the first shared key sent by the anchor point network element.
Optionally, in this embodiment of the present application, S709 and S709' may be performed through the same signaling or through different signaling.
S710', the first network device sends a third message to the terminal device. Accordingly, the terminal device receives the third message sent by the first network device.
The third message includes the validity period (key lifetime) corresponding to the first shared key. The terminal device receives the third message sent by the first network device and determines the validity period corresponding to the first shared key according to it. The next time the method of this embodiment is executed, the terminal device can use this validity period to determine whether the first shared key has expired.
Optionally, in this embodiment of the present application, S710 and S710' may be performed through the same signaling or through different signaling.
S711, the first network device encrypts the second message according to the first shared key to obtain the encrypted second message.
In this embodiment of the application, a specific implementation manner of the first network device encrypting the second message according to the first shared key is not limited.
S712, the first network device sends the encrypted second message to the terminal device.
S713, the terminal device decrypts the second message according to the first shared key to obtain the registration certificate.
In this embodiment of the application, when the terminal device and the first network device determine that the registration certificate is to be obtained based on GBA, and the key shared between them is not within its validity period or no first shared key exists between them, the terminal device and the first network device execute the GBA AKA procedure to obtain the first shared key. The first network device then encrypts the registration certificate it generated with the first shared key to obtain the encrypted second message and sends it to the terminal device, and the terminal device decrypts the encrypted second message with the first shared key to obtain the registration certificate. The method of this embodiment thus issues the registration certificate online, without pre-configuring it during production of the terminal device, which both reduces the production steps and makes the certificate issuing mode more flexible.
In addition, in this embodiment of the application, the second message is encrypted with the first shared key before being sent to the terminal device, which protects the confidentiality of the registration certificate carried in the second message while it is in transit.
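As an added example (not the patent's code) of S704 to S713 in this embodiment, and of the same S608 to S613 handling in the embodiment of fig. 6: the first network device checks whether a first shared key for the B-TID exists and is within its validity period, negotiates one otherwise, and sends the registration certificate encrypted under that key; the terminal decrypts it and rejects anything altered in transit. The patent does not fix the encryption scheme (S711), so to run with the Python standard library alone the example uses an HMAC-SHA-256 encrypt-then-MAC construction with separate encryption and MAC subkeys, where a deployment would use a standard AEAD such as AES-GCM. The B-TID, K_AF, key lifetime, public key and the byte string standing in for the registration certificate are constructed values, and the negotiate callback stands in for the S705-S710 exchange with the anchor network element.

```python
# Added example, not the patent's code: NAF-side validity check (S704), negotiation trigger
# (S705-S710), encrypted delivery (S711-S712) and terminal-side decryption (S713).
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass
from typing import Callable, Dict, Optional

NONCE_LEN, TAG_LEN = 12, 32

@dataclass
class SharedKey:
    k_af: bytes        # first shared key (32 octets from the GBA KDF)
    expires_at: float  # end of the validity period (key lifetime) carried in the third message

    def valid_at(self, now: float) -> bool:
        return now < self.expires_at

def _subkey(k_af: bytes, label: bytes) -> bytes:
    """Separate encryption and MAC keys from K_AF: one key, one purpose."""
    return hmac.new(k_af, label, hashlib.sha256).digest()

def _xor_keystream(k_enc: bytes, nonce: bytes, data: bytes) -> bytes:
    """Keystream = HMAC-SHA-256(k_enc, nonce || counter), XORed in 32-byte blocks."""
    out = bytearray()
    for block, i in enumerate(range(0, len(data), 32)):
        stream = hmac.new(k_enc, nonce + struct.pack(">I", block), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], stream))
    return bytes(out)

def seal(k_af: bytes, aad: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag; aad is authenticated, not encrypted."""
    nonce = os.urandom(NONCE_LEN)
    ct = _xor_keystream(_subkey(k_af, b"enc"), nonce, plaintext)
    tag = hmac.new(_subkey(k_af, b"mac"), nonce + aad + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def open_sealed(k_af: bytes, aad: bytes, sealed: bytes) -> Optional[bytes]:
    """Verify the tag in constant time first; decrypt only when it checks out."""
    if len(sealed) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = sealed[:NONCE_LEN], sealed[NONCE_LEN:-TAG_LEN], sealed[-TAG_LEN:]
    expect = hmac.new(_subkey(k_af, b"mac"), nonce + aad + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expect, tag):
        return None
    return _xor_keystream(_subkey(k_af, b"enc"), nonce, ct)

class NAF:
    """First network device; `negotiate` models S705-S710 and returns K_AF with its lifetime."""

    def __init__(self, negotiate: Callable[[str], SharedKey]):
        self.keys: Dict[str, SharedKey] = {}  # B-TID -> current first shared key
        self.negotiate = negotiate
        self.negotiations = 0

    def issue(self, b_tid: str, public_key: bytes, now: float) -> bytes:
        # S702/S703: device-information lookup and certificate generation are out of scope
        # here; a constructed byte string stands in for the registration certificate.
        cert = b"REGCERT(" + public_key + b")"
        key = self.keys.get(b_tid)
        if key is None or not key.valid_at(now):  # S704: no key, or its lifetime is exceeded
            key = self.negotiate(b_tid)            # S705-S710
            self.keys[b_tid] = key
            self.negotiations += 1
        # S711/S712: the B-TID is bound as associated data, so a second message produced for
        # one bootstrapping session does not verify under another.
        return seal(key.k_af, b_tid.encode(), cert)

class Terminal:
    def __init__(self, b_tid: str, k_af: bytes):
        self.b_tid, self.k_af = b_tid, k_af

    def receive(self, sealed: bytes) -> Optional[bytes]:
        # S713: None means the second message was altered, replayed or keyed wrongly.
        return open_sealed(self.k_af, self.b_tid.encode(), sealed)

# Constructed values (not real network data).
B_TID = "b3RpZA==@bsf.operator.example"
K_AF = bytes(range(32))  # stands in for the GBA-derived first shared key
LIFETIME = 3600.0

def demo(now: float = 1000.0) -> dict:
    naf = NAF(lambda b_tid: SharedKey(K_AF, now + LIFETIME))
    ue = Terminal(B_TID, K_AF)
    first = naf.issue(B_TID, b"pk-test", now)             # no key yet: negotiate
    second = naf.issue(B_TID, b"pk-test", now + 10)       # within lifetime: reuse
    third = naf.issue(B_TID, b"pk-test", now + LIFETIME)  # lifetime exceeded: negotiate again
    tampered = first[:-1] + bytes([first[-1] ^ 0x01])
    return {
        "cert": ue.receive(first),
        "reused": ue.receive(second) == ue.receive(first),
        "negotiations": naf.negotiations,
        "tamper_rejected": ue.receive(tampered) is None,
        "wrong_session_rejected": Terminal("other@bsf.operator.example", K_AF).receive(third) is None,
    }
```

Binding the B-TID as associated data ties each encrypted second message to the bootstrapping session it was produced for, and checking the tag before any decryption means an altered message, or one keyed under an expired or mismatched first shared key, yields None rather than a garbled certificate.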
Fig. 8 is a schematic structural diagram of a certificate issuing apparatus according to an embodiment of the present application. The certificate issuing apparatus may be a terminal device, a component (e.g., an integrated circuit, a chip, etc.) of the terminal device, or another communication module, and is configured to implement the operations corresponding to the terminal device in the corresponding method embodiment. As shown in fig. 8, the certificate issuing apparatus of this embodiment may include: a transceiver module 801.
A transceiver module 801, configured to send a first message to a first network device, where the first message is used to request the first network device to issue a registration certificate, where the first message includes a public key and first information, and the first information is used to determine device information of a terminal device;
the transceiver module 801 is further configured to receive a second message sent by the first network device, where the second message includes the registration certificate, and the registration certificate is generated according to the device information of the terminal device and the public key.
In some embodiments, the certificate issuing apparatus further includes: a processing module 802.
A processing module 802, configured to decrypt the second message according to the first shared key, to obtain a registration certificate; the second message is obtained by encrypting according to a first shared key, and the first shared key is a key shared between the terminal device and the first network device.
In some embodiments, processing module 802 is further configured to generate a public-private key pair.
In some embodiments, the device information of the terminal device includes one or more of: license plate, electronic license plate, electronic toll collection (ETC) device number, vehicle identification number (VIN), and device number.
In some embodiments, the processing module 802 is further configured to determine whether the key shared between the terminal device and the first network device is within a corresponding validity period, and if the key shared between the terminal device and the first network device is within the corresponding validity period, the transceiver module 801 sends the first message to the first network device.
In some embodiments, if the processing module 802 determines that the key shared between the terminal device and the first network device is not within the corresponding validity period, or there is no shared key between the terminal device and the first network device, the processing module 802 is further configured to negotiate with the first network device to obtain the first shared key.
In some embodiments, the processing module 802 is specifically configured to generate the first shared key according to a second shared key, an identifier of a terminal device, an identifier of a first network device, and a random number, where the second shared key is a key shared between the terminal device and an anchor network element.
In some embodiments, before the processing module 802 generates the first shared key according to the second shared key, the identifier of the terminal device, the identifier of the first network device, and the random number, the transceiving module 801 is further configured to receive a third message sent by the first network device, where the third message includes a validity period corresponding to the first shared key.
In some embodiments, the transceiver module 801 is further configured to send a fourth message to the first network device, where the fourth message is used to request the first network device to authenticate the terminal device, and the fourth message includes the first information, and the first information is used to determine a second shared key.
In some embodiments, after the processing module 802 generates the first shared key according to the second shared key, the identifier of the terminal device, the identifier of the first network device, and the random number, the transceiver module 801 is further configured to receive a fifth message sent by the first network device, where the fifth message is used to indicate that the terminal device successfully negotiates the first shared key.
In some embodiments, the processing module 802 is specifically configured to determine whether a key shared between the terminal device and the anchor network element is within a corresponding validity period, and if it is determined that the key shared between the terminal device and the anchor network element is within the corresponding validity period, the processing module 802 generates the first shared key according to the second shared key, the identifier of the terminal device, the identifier of the first network device, and the random number.
The certificate issuing apparatus described above in this embodiment may be configured to execute the technical solution executed by the terminal device in each corresponding method embodiment; the implementation principle and the technical effect are similar, and the function of each module may refer to the corresponding description in the method embodiment, which is not repeated here.
Fig. 9 is a schematic structural diagram of a certificate issuing apparatus according to another embodiment of the present application. The certificate issuing apparatus may be the first network device, a component (e.g., an integrated circuit, a chip, or the like) of the first network device, or another communication module, and is configured to implement the operations corresponding to the first network device in the corresponding method embodiment. As shown in fig. 9, the certificate issuing apparatus of this embodiment may include: a transceiver module 901 and a processing module 902.
A transceiver module 901, configured to receive a first message sent by a terminal device, where the first message includes a public key and first information, and the first information is used to determine device information of the terminal device;
the transceiver module 901 is further configured to obtain device information of the terminal device according to the first information;
a processing module 902, configured to generate the registration certificate according to the device information of the terminal device and the public key;
the transceiver module 901 is further configured to send a second message to the terminal device, where the second message includes the registration certificate.
In some embodiments, the processing module 902 is further configured to encrypt the second message according to a first shared key, to obtain an encrypted second message, where the first shared key is a key shared between the terminal device and the first network device;
accordingly, the transceiver module 901 is configured to send the encrypted second message to the terminal device.
In some embodiments, the transceiver module 901 is specifically configured to send the first information to an anchor point network element, and request the anchor point network element to send device information of the terminal device corresponding to the first information;
the transceiver module 901 is further configured to receive the device information of the terminal device sent by the anchor network element.
In some embodiments, the transceiver module 901 is specifically configured to send the first information to the anchor point network element;
a transceiver module 901, further configured to receive a permanent identifier of the terminal device sent by the anchor point network element;
a processing module 902, configured to determine the device information of the terminal device according to the permanent identifier of the terminal device.
In some embodiments, the device information of the terminal device includes one or more of: license plate, electronic license plate, electronic toll collection (ETC) device number, vehicle identification number (VIN), and device number.
In some embodiments, the processing module 902 is specifically configured to, if it is determined that the key shared between the terminal device and the first network device is within the corresponding validity period, perform encryption processing on the registration certificate according to the first shared key to obtain the encrypted second message.
In some embodiments, if the processing module 902 determines that the key shared between the terminal device and the first network device is not within the corresponding validity period, or that there is no shared key between the terminal device and the first network device, the transceiver module 901 is further configured to negotiate with the terminal device to obtain the first shared key.
In some embodiments, the transceiver module 901 is specifically configured to send a sixth message to the anchor network element, where the sixth message includes the first information and the identifier of the first network device;
the transceiving module 901 is further configured to receive a seventh message sent by the anchor point network element, where the seventh message includes the first shared key.
In some embodiments, the transceiver module 901 is further configured to send a fifth message to the terminal device, where the fifth message is used to indicate that the terminal device has successfully negotiated the first shared key.
In some embodiments, the transceiver module 901 is further configured to send a third message to the terminal device, where the third message includes a validity period corresponding to the first shared key.
The certificate issuing apparatus described above in this embodiment may be configured to execute the technical solution executed by the first network device in each corresponding method embodiment, and the implementation principle and the technical effect are similar, where the function of each module may refer to the corresponding description in the method embodiment, and is not described herein again.
Fig. 10 is a schematic structural diagram of a certificate issuing apparatus according to another embodiment of the present application, where the certificate issuing apparatus may be an anchor network element, or may also be a component (e.g., an integrated circuit, a chip, or the like) of the anchor network element, or may be another certificate issuing apparatus, and is configured to implement operations corresponding to the anchor network element in each corresponding method embodiment, as shown in fig. 10, the certificate issuing apparatus according to this embodiment may include: a transceiver module 1001 and a processing module 1002.
A transceiver module 1001, configured to receive first information sent by a first network device, where the first information is used to determine device information of a terminal device;
the processing module 1002 is configured to determine device information of the terminal device according to the first information;
the transceiver module 1001 is further configured to send device information of a terminal device to a first network device, where the device information of the terminal device and a public key are used to generate a registration certificate of the terminal device;
the processing module 1002 is further configured to determine a permanent identifier of the terminal device according to the first information;
the transceiver module 1001 is further configured to send a permanent identifier of the terminal device to the first network device, where the permanent identifier of the terminal device is used to determine device information of the terminal device.
In some embodiments, the processing module 1002 is specifically configured to determine a permanent identifier of the terminal device according to the first information;
the processing module 1002 is further configured to determine device information of the terminal device according to the permanent identifier of the terminal device.
In some embodiments, the transceiving module 1001 is further configured to receive a sixth message sent by the first network device, where the sixth message includes the first information and an identifier of the first network device, and the first information is used to determine a second shared key, where the second shared key is a key shared between the terminal device and the anchor network element;
the processing module 1002 is further configured to determine the second shared key according to the first information, and to generate the first shared key according to the second shared key, the identifier of the terminal device, the identifier of the first network device, and the random number;
the transceiving module 1001 is further configured to send a seventh message to the first network device, where the seventh message includes the first shared key.
In some embodiments, the device information of the terminal device includes one or more of: license plate, electronic license plate, electronic toll collection (ETC) device number, vehicle identification number (VIN), and device number.
In some embodiments, the processing module 1002 is further configured to determine a validity period corresponding to the first shared key;
the transceiver module 1001 is further configured to send a validity period corresponding to the first shared key to the first network device.
In some embodiments, the processing module 1002 is specifically configured to determine, when it is determined that the key shared between the terminal device and the anchor network element is within the corresponding validity period, the second shared key according to the first information.
Fig. 11 is a schematic structural diagram of a certificate issuing apparatus according to another embodiment of the present application. As shown in fig. 11, the certificate issuing apparatus shown in this embodiment may be the terminal device (or a component available to the terminal device) or the first network device (or a component available to the first network device) or the anchor network element (or a component available to the anchor network element) mentioned in the foregoing method embodiment. The certificate issuing apparatus may be configured to implement the method corresponding to the terminal device or the first network device or the anchor point network element described in the foregoing method embodiment, specifically refer to the description in the foregoing method embodiment.
The certificate issuing apparatus 1100 may include one or more processors 1101, where the processor 1101 may also be referred to as a processing unit and may implement certain control or processing functions. The processor 1101 may be a general-purpose processor or a special-purpose processor, for example a baseband processor or a central processor. The baseband processor may be configured to process communication protocols and communication data, and the central processor may be configured to control the communication device, execute software programs, and process data of the software programs.
In an alternative design, the processor 1101 may also have instructions 1103 or data (e.g., intermediate data) stored therein. The instructions 1103 may be executed by the processor, so that the certificate issuing apparatus 1100 executes the method corresponding to the terminal device, the first network device, or the anchor network element, described in the above method embodiment.
In yet another possible design, the certificate issuing apparatus 1100 may include a circuit that may implement the functions of transmitting or receiving or communicating in the foregoing method embodiments.
Optionally, the certificate issuing apparatus 1100 may include one or more memories 1102, on which instructions 1104 may be stored, and the instructions may be executed on the processor, so that the certificate issuing apparatus 1100 executes the method described in the above method embodiment.
Optionally, the memory may also store data. The processor and the memory may be provided separately or may be integrated together.
Optionally, the certificate issuing apparatus 1100 may further include a transceiver 1105 and/or an antenna 1106. The processor 1101 may be referred to as a processing unit, and controls the certificate issuing apparatus (the terminal device, the first network device, or the anchor network element). The transceiver 1105 may be referred to as a transceiving unit, a transceiver circuit, or the like, and implements the transceiving functions of the certificate issuing apparatus.
In one design, if the certificate issuing apparatus is used to implement the operation corresponding to the terminal device in each of the embodiments described above, a first message may be sent, for example, by the transceiver 1105 to a first network device, the first message requesting that the first network device issue a registration certificate, the first message including a public key and first information, wherein the first information is used to determine device information of the terminal device; and the transceiver 1105 receives a second message sent by the first network device, where the second message includes the registration certificate, and the registration certificate is generated according to the device information of the terminal device and the public key.
In another design, if the certificate issuing apparatus is used to implement the operation corresponding to the first network device in the above embodiments, a first message sent by a terminal device may be received, for example, by the transceiver 1105, where the first message is used to request that the first network device issue a registration certificate, and the first message includes a public key and first information, where the first information is used to determine device information of the terminal device;
the processor 1101 obtains the device information of the terminal device according to the first information, and generates the registration certificate according to the device information of the terminal device and the public key;
the transceiver 1105 sends a second message to the terminal device, the second message including the registration certificate.
In another design, if the certificate issuing apparatus is used to implement operations corresponding to the anchor network element in the embodiments described above,
first information sent by a first network device may be received, for example, by transceiver 1105, the first information used to determine device information for the terminal device; the processor 1101 determines the device information of the terminal device according to the first information; the transceiver 1105 sends the device information of the terminal device to the first network device, where the device information of the terminal device and the public key are used to generate a registration certificate of the terminal device; alternatively, the processor 1101 determines a permanent identifier of the terminal device according to the first information; accordingly, the transceiver 1105 sends the permanent identifier of the terminal device to the first network device, where the permanent identifier of the terminal device is used to determine the device information of the terminal device.
For specific implementation processes of the processor 1101 and the transceiver 1105, reference may be made to the related descriptions of the above embodiments, and details are not described here again.
The processor 1101 and the transceiver 1105 described herein may be implemented on an Integrated Circuit (IC), an analog IC, a Radio Frequency Integrated Circuit (RFIC), a mixed signal IC, an Application Specific Integrated Circuit (ASIC), a Printed Circuit Board (PCB), an electronic device, or the like. The processor and transceiver may also be fabricated using various IC process technologies, such as Complementary Metal Oxide Semiconductor (CMOS), N-type metal oxide semiconductor (NMOS), P-type metal oxide semiconductor (PMOS), Bipolar Junction Transistor (BJT), bipolar CMOS (BiCMOS), silicon germanium (SiGe), gallium arsenide (GaAs), and the like.
Although in the above description of the embodiment, the certificate issuing apparatus 1100 is described taking a terminal device or a first network device as an example, the scope of the communication apparatus described in the present application is not limited to the terminal device or the first network device described above, and the structure of the communication apparatus may not be limited to that of fig. 11. The certificate issuing apparatus 1100 may be a stand-alone device or may be part of a larger device. For example, the device may be:
(1) a stand-alone integrated circuit IC, or chip, or system-on-chip or subsystem;
(2) a set of one or more ICs, which optionally may also include storage components for storing data and/or instructions;
(3) an ASIC, such as a modem (MSM);
(4) a module that may be embedded within other devices;
(5) receivers, wireless devices, mobile units, network devices, and the like;
(6) others, and so forth.
Fig. 12 is a schematic structural diagram of a terminal device according to an embodiment of the present application. The terminal device may be applicable to the terminal devices described in the above embodiments of the present application. For convenience of explanation, fig. 12 shows only main components of the terminal device. As shown in fig. 12, the terminal apparatus 1200 includes a processor, a memory, a control circuit, an antenna, and an input-output device. The processor is mainly used for processing communication protocols and communication data, controlling the whole terminal equipment, executing software programs and processing data of the software programs. The memory is used primarily for storing software programs and data. The radio frequency circuit is mainly used for converting baseband signals and radio frequency signals and processing the radio frequency signals. The antenna is mainly used for receiving and transmitting radio frequency signals in the form of electromagnetic waves. Input and output devices, such as touch screens, display screens, keyboards, etc., are used primarily for receiving data input by a user and for outputting data to the user.
When the terminal device is turned on, the processor can read the software program in the storage unit, interpret and execute the instruction of the software program, and process the data of the software program. When data needs to be sent wirelessly, the processor outputs a baseband signal to the radio frequency circuit after performing baseband processing on the data to be sent, and the radio frequency circuit performs radio frequency processing on the baseband signal and sends the radio frequency signal outwards in the form of electromagnetic waves through the antenna. When data is sent to the terminal, the radio frequency circuit receives radio frequency signals through the antenna, converts the radio frequency signals into baseband signals and outputs the baseband signals to the processor, and the processor converts the baseband signals into the data and processes the data.
Those skilled in the art will appreciate that fig. 12 shows only one memory and processor for ease of illustration. In an actual terminal, there may be multiple processors and memories. The memory may also be referred to as a storage medium or a storage device, and the like, which is not limited in this application.
As an alternative implementation manner, the processor may include a baseband processor and a central processing unit, where the baseband processor is mainly used to process a communication protocol and communication data, and the central processing unit is mainly used to control the whole terminal, execute a software program, and process data of the software program. The processor in fig. 12 integrates the functions of the baseband processor and the central processing unit, and those skilled in the art will understand that the baseband processor and the central processing unit may also be independent processors, and are interconnected through a bus or the like. Those skilled in the art will appreciate that the terminal device may include a plurality of baseband processors to accommodate different network formats, the terminal device may include a plurality of central processors to enhance its processing capability, and various components of the terminal device may be connected by various buses. The baseband processor can also be expressed as a baseband processing circuit or a baseband processing chip. The central processing unit can also be expressed as a central processing circuit or a central processing chip. The function of processing the communication protocol and the communication data may be built in the processor, or may be stored in the storage unit in the form of a software program, and the processor executes the software program to realize the baseband processing function.
In one example, the antenna and the control circuit having the transceiving function may be regarded as the transceiving module 1201 of the terminal device 1200, and the processor having the processing function may be regarded as the processing module 1202 of the terminal device 1200. As shown in fig. 12, the terminal apparatus 1200 includes a transceiver module 1201 and a processing module 1202. A transceiver module may also be referred to as a transceiver, a transceiving device, etc. Optionally, a device for implementing a receiving function in the transceiver module 1201 may be regarded as a receiving module, and a device for implementing a sending function in the transceiver module 1201 may be regarded as a sending module, that is, the transceiver module 1201 includes the receiving module and the sending module exemplarily, the receiving module may also be referred to as a receiver, a receiving circuit, and the like, and the sending module may be referred to as a transmitter, a sending circuit, and the like.
Fig. 13 is a schematic structural diagram of a communication system according to an embodiment of the present application. As shown in fig. 13, the communication system 1300 according to the present embodiment may include: terminal equipment 1301, first network equipment 1302 and anchor point network element 1303. The number of terminal apparatuses 1301 may be one or more. The terminal device 1301 may adopt the structure of the apparatus embodiment shown in fig. 8, 11, or 12, and accordingly, may execute the technical solution related to the terminal device of any one of the above method embodiments, and the implementation principle and the technical effect thereof are similar, and are not described herein again. The first network device 1302 may adopt the structure of the apparatus embodiment shown in fig. 9 or fig. 11, and accordingly, may execute the technical solution related to the first network device of any of the above method embodiments, and the implementation principle and the technical effect are similar, and are not described herein again. The anchor network element may adopt the structure of the apparatus embodiment shown in fig. 10 or fig. 11, and accordingly, may execute the technical solution of any of the above method embodiments regarding the anchor network element.
It should be noted that, in the embodiment of the present application, the division of the module is schematic, and is only one logic function division, and there may be another division manner in actual implementation. Each functional module in the embodiments of the present application may be integrated into one processing module, or each module may exist alone physically, or two or more modules are integrated into one module. The integrated module can be realized in a hardware mode, and can also be realized in a software functional module mode.
The integrated module, if implemented in the form of a software functional module and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. On this understanding, the technical solution of the present application, in essence or in the part that contributes to the prior art, may be embodied in whole or in part in a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, a network device, or the like) or a processor to execute all or part of the steps of the method according to the embodiments of the present application. The aforementioned storage medium includes any medium capable of storing program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disk.
In the above embodiments, the implementation may be realized wholly or partially by software, hardware, firmware, or any combination thereof. When implemented in software, it may be realized in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer instructions are loaded and executed on a computer, the processes or functions described in the embodiments of the application occur, in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a network of computers, or another programmable device. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another, for example, from one website, computer, server, or data center to another website, computer, server, or data center by wired means (e.g., coaxial cable, optical fiber, digital subscriber line (DSL)) or wireless means (e.g., infrared, radio, microwave). The computer-readable storage medium can be any available medium that a computer can access, or a data storage device such as a server or data center that incorporates one or more available media. The usable medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., solid state disk (SSD)), among others.

Claims (26)

1. A certificate issuing method, comprising:
a terminal device sends a first message to a first network device, wherein the first message is used for requesting the first network device to issue a registration certificate, the first message comprises a public key and first information, and the first information is used for determining device information of the terminal device;
and the terminal equipment receives a second message sent by the first network equipment, wherein the second message comprises the registration certificate, and the registration certificate is generated according to the equipment information of the terminal equipment and the public key.
2. The method of claim 1, further comprising:
the terminal equipment decrypts the second message according to the first shared key to obtain the registration certificate; the second message is obtained by encrypting according to a first shared key, and the first shared key is a key shared between the terminal device and the first network device.
3. The method according to claim 1 or 2, wherein before the terminal device sends the first message to the first network device, the method further comprises:
and the terminal equipment generates a public and private key pair.
4. The method according to any one of claims 1 to 3, wherein the device information of the terminal device comprises one or more of: license plate, electronic license plate, vehicle identification number VIN, equipment number.
5. A certificate issuing method, comprising:
a first network device receives a first message sent by a terminal device, wherein the first message is used for requesting the first network device to issue a registration certificate, the first message comprises a public key and first information, and the first information is used for determining device information of the terminal device;
the first network equipment acquires the equipment information of the terminal equipment according to the first information, and generates the registration certificate according to the equipment information of the terminal equipment and the public key;
the first network device sends a second message to the terminal device, the second message including the registration certificate.
6. The method of claim 5, wherein the first network device sends a second message to the terminal device, comprising:
the first network device encrypts the second message according to a first shared key to obtain an encrypted second message, wherein the first shared key is a key shared between the terminal device and the first network device;
and the first network equipment sends the encrypted second message to the terminal equipment.
7. The method of claim 5, wherein the obtaining, by the first network device, the device information of the terminal device according to the first information comprises:
the first network equipment sends the first information to an anchor point network element and requests the anchor point network element to send equipment information of the terminal equipment corresponding to the first information;
and the first network equipment receives the equipment information of the terminal equipment, which is sent by the anchor point network element.
8. The method of claim 5, wherein the obtaining, by the first network device, the device information of the terminal device according to the first information comprises:
the first network equipment sends the first information to an anchor point network element;
the first network equipment receives the permanent identifier of the terminal equipment sent by the anchor point network element;
and the first network equipment determines the equipment information of the terminal equipment according to the permanent identifier of the terminal equipment.
9. The method according to any one of claims 5 to 8, wherein the device information of the terminal device comprises one or more of: license plate, electronic license plate, vehicle identification number VIN, equipment number.
10. A certificate issuing method, comprising:
the method comprises the steps that an anchor point network element receives first information sent by first network equipment, wherein the first information is used for determining equipment information of terminal equipment;
the anchor point network element determines the equipment information of the terminal equipment according to the first information;
the anchor point network element sends the equipment information of the terminal equipment to the first network equipment, and the equipment information of the terminal equipment and the public key are used for generating a registration certificate of the terminal equipment; or, alternatively,
the anchor point network element determines a permanent identifier of the terminal equipment according to the first information;
and the anchor point network element sends the permanent identifier of the terminal equipment to the first network equipment, wherein the permanent identifier of the terminal equipment is used for determining the equipment information of the terminal equipment.
11. The method of claim 10, wherein the determining the device information of the terminal device according to the first information comprises:
the anchor point network element determines a permanent identifier of the terminal equipment according to the first information;
and the anchor point network element determines the equipment information of the terminal equipment according to the permanent identifier of the terminal equipment.
12. The method according to claim 10 or 11, wherein the device information of the terminal device comprises one or more of: license plate, electronic license plate, vehicle identification number VIN, equipment number.
13. A certificate issuing apparatus characterized by comprising:
a transceiver module, configured to send a first message to a first network device, where the first message is used to request the first network device to issue a registration certificate, and the first message includes a public key and first information, where the first information is used to determine device information of a terminal device;
the transceiver module is further configured to receive a second message sent by the first network device, where the second message includes the registration certificate, and the registration certificate is generated according to the device information of the terminal device and the public key.
14. The apparatus of claim 13, further comprising: a processing module;
the processing module is configured to decrypt the second message according to the first shared key to obtain the registration certificate; the second message is obtained by encrypting according to a first shared key, and the first shared key is a key shared between the terminal device and the first network device.
15. The apparatus of claim 13 or 14, wherein
the processing module is further configured to generate a public and private key pair.
16. The apparatus according to any one of claims 13 to 15, wherein the device information of the terminal device comprises one or more of: license plate, electronic license plate, vehicle identification number VIN, equipment number.
17. A certificate issuing apparatus characterized by comprising:
a transceiver module, configured to receive a first message sent by a terminal device, where the first message is used to request a first network device to issue a registration certificate, and the first message includes a public key and first information, where the first information is used to determine device information of the terminal device;
the transceiver module is further configured to obtain device information of the terminal device according to the first information;
the processing module is further used for generating the registration certificate according to the equipment information of the terminal equipment and the public key;
the transceiver module is further configured to send a second message to the terminal device, where the second message includes the registration certificate.
18. The apparatus of claim 17,
the processing module is further configured to encrypt the second message according to a first shared key to obtain an encrypted second message, where the first shared key is a key shared between the terminal device and the first network device;
correspondingly, the transceiver module is configured to send the encrypted second message to the terminal device.
19. The apparatus of claim 17,
the transceiver module is specifically configured to send the first information to an anchor point network element, and request the anchor point network element to send device information of the terminal device corresponding to the first information;
the transceiver module is further configured to receive the device information of the terminal device sent by the anchor point network element.
20. The apparatus of claim 17,
the transceiver module is specifically configured to send the first information to an anchor point network element, so that the anchor point network element determines a permanent identifier of the terminal device according to the first information;
the transceiver module is further configured to receive a permanent identifier of the terminal device sent by the anchor point network element;
the processing module is further configured to determine device information of the terminal device according to the permanent identifier of the terminal device.
21. The apparatus according to any one of claims 17 to 20, wherein the device information of the terminal device comprises one or more of: license plate, electronic license plate, vehicle identification number VIN, equipment number.
22. A certificate issuing apparatus characterized by comprising:
the terminal equipment comprises a transceiving module, a receiving module and a sending module, wherein the transceiving module is used for receiving first information sent by first network equipment, and the first information is used for determining equipment information of the terminal equipment or a permanent identifier of the terminal equipment;
the processing module is used for determining the equipment information of the terminal equipment according to the first information, and the equipment information of the terminal equipment and the public key are used for generating a registration certificate of the terminal equipment;
the transceiver module is further configured to send device information of the terminal device to the terminal device;
the processing module is further configured to determine a permanent identifier of the terminal device according to the first information;
the transceiver module is further configured to send a permanent identifier of the terminal device to the first network device, where the permanent identifier of the terminal device is used to determine device information of the terminal device.
23. The apparatus of claim 22,
the processing module is specifically configured to determine the permanent identifier of the terminal device according to the first information;
the processing module is further configured to determine device information of the terminal device according to the permanent identifier of the terminal device.
24. The apparatus according to any one of claims 22 or 23, wherein the device information of the terminal device comprises one or more of: license plate, electronic license plate, vehicle identification number VIN, equipment number.
25. A certificate issuing apparatus characterized by comprising: a memory and a processor;
the memory for storing program code;
the processor, invoking the program code, when executed, is configured to perform the certificate issuing method of any one of claims 1 to 4 or 5 to 9 or 10 to 12.
26. A computer-readable storage medium storing a computer program comprising at least one code section executable by a computer to control the computer to perform the certificate issuing method according to any one of claims 1 to 4 or 5 to 9 or 10 to 12.
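The three-party exchange of method claims 1 to 12 (and the transceiver/processor designs for the terminal device, the first network device and the anchor network element described above), as an added worked example in Go. This is not code from the patent or from Huawei. It assumes an Ed25519 issuer signature for the registration certificate, AES-256-GCM for the shared-key encryption of the second message, a 32-byte first shared key already established between terminal and first network device, and a temporary identifier as the first information; the names and sample values (btid-0001@example.invalid, VIN-CONSTRUCTED-01, and so on) are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// RegistrationCertificate binds device information to the terminal's public key; the Ed25519 issuer signature is this example's choice.
type RegistrationCertificate struct {
	DeviceInfo map[string]string // licence plate, electronic licence plate, VIN, equipment number
	PublicKey  ed25519.PublicKey
	Signature  []byte
}

// tbs is the to-be-signed encoding: signature blanked; encoding/json sorts map keys, so it is deterministic.
func (c RegistrationCertificate) tbs() []byte { c.Signature = nil; b, _ := json.Marshal(c); return b }

// AnchorNetworkElement (claims 10, 11): first information -> permanent identifier -> device information.
type AnchorNetworkElement struct {
	TempToPermanent map[string]string
	PermanentToInfo map[string]map[string]string
}

func (a *AnchorNetworkElement) DeviceInfo(firstInfo string) (map[string]string, error) {
	permID, ok := a.TempToPermanent[firstInfo] // step 1: resolve the permanent identifier
	if !ok { return nil, errors.New("anchor: unknown first information") }
	info, ok := a.PermanentToInfo[permID] // step 2: device information keyed by permanent identifier
	if !ok { return nil, errors.New("anchor: no device information for " + permID) }
	return info, nil
}

// FirstNetworkDevice (claims 5 to 7): resolves device information via the anchor, signs the certificate, encrypts the second message (claim 6).
type FirstNetworkDevice struct {
	SignKey   ed25519.PrivateKey
	Anchor    *AnchorNetworkElement
	SharedKey []byte // first shared key, assumed pre-established with the terminal (e.g. via GBA)
}

// HandleFirstMessage takes the first message's two fields (claim 1): the public key and first information.
func (d *FirstNetworkDevice) HandleFirstMessage(pub ed25519.PublicKey, firstInfo string) ([]byte, error) {
	if len(pub) != ed25519.PublicKeySize { return nil, errors.New("first message: malformed public key") }
	info, err := d.Anchor.DeviceInfo(firstInfo)
	if err != nil { return nil, err }
	cert := RegistrationCertificate{DeviceInfo: info, PublicKey: pub}
	cert.Signature = ed25519.Sign(d.SignKey, cert.tbs())
	plain, _ := json.Marshal(cert)
	return seal(d.SharedKey, plain)
}

// seal/open: AES-256-GCM with the nonce prefixed to the ciphertext (this example's cipher choice; the patent names none).
func seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// open rejects a truncated, tampered or wrong-key second message.
func open(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	aead, _ := cipher.NewGCM(block)
	if len(sealed) < aead.NonceSize() { return nil, errors.New("second message too short") }
	return aead.Open(nil, sealed[:aead.NonceSize()], sealed[aead.NonceSize():], nil)
}

// TerminalAccept (terminal side of claims 1, 2): decrypt with the shared key, then check the certificate names this terminal's key and verifies under the issuer key.
func TerminalAccept(sharedKey []byte, own, issuer ed25519.PublicKey, sealed []byte) (*RegistrationCertificate, error) {
	plain, err := open(sharedKey, sealed)
	if err != nil { return nil, err }
	var cert RegistrationCertificate
	if err := json.Unmarshal(plain, &cert); err != nil { return nil, err }
	if !cert.PublicKey.Equal(own) { return nil, errors.New("certificate is not for this terminal's key") }
	if !ed25519.Verify(issuer, cert.tbs(), cert.Signature) { return nil, errors.New("issuer signature invalid") }
	return &cert, nil
}

// RunEnrolment runs the whole exchange on constructed sample data and returns the accepted certificate.
func RunEnrolment(firstInfo string) (*RegistrationCertificate, error) {
	shared := sha256.Sum256([]byte("constructed first shared key")) // stand-in for a real derived key
	anchor := &AnchorNetworkElement{TempToPermanent: map[string]string{"btid-0001@example.invalid": "permid-0001"}, // constructed
		PermanentToInfo: map[string]map[string]string{"permid-0001": {"license_plate": "PLATE-CONSTRUCTED-1", "vin": "VIN-CONSTRUCTED-01", "equipment_number": "OBU-0001"}}}
	issuerPub, issuerPriv, _ := ed25519.GenerateKey(rand.Reader)
	termPub, _, _ := ed25519.GenerateKey(rand.Reader) // claim 3: the terminal generates its own key pair
	fnd := &FirstNetworkDevice{SignKey: issuerPriv, Anchor: anchor, SharedKey: shared[:]}
	second, err := fnd.HandleFirstMessage(termPub, firstInfo)
	if err != nil { return nil, err }
	return TerminalAccept(shared[:], termPub, issuerPub, second)
}

func main() { fmt.Println(RunEnrolment("btid-0001@example.invalid")) }
```

Two points the claims leave implicit are made explicit here: the terminal only accepts a certificate whose public key is its own (otherwise a reflected or mis-delivered second message would be taken as a valid enrolment), and only the temporary first information crosses the air interface, while the permanent identifier is resolved between the anchor network element and the first network device. A real deployment would replace the map lookups with the anchor's subscriber database and the shared key with the key actually derived between terminal and network.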
Application CN201910913345.9A, filed 2019-09-25 (priority date 2019-09-25): Certificate issuing method and device. Status: Active, granted as CN112654013B (en).

Priority Applications (2)

Application Number | Priority Date | Filing Date | Title
CN201910913345.9A (CN112654013B, en) | 2019-09-25 | 2019-09-25 | Certificate issuing method and device
CN202210659360.7A (CN115379414A, en; divisional child application) | 2019-09-25 | 2019-09-25 | Certificate issuing method and device
Publications (2)

Publication Number | Publication Date
CN112654013A (en) | 2021-04-13
CN112654013B (en) | 2022-06-14

Family ID: 75342306

Citations (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1614903A (en) * 2003-11-07 2005-05-11 华为技术有限公司 Method for authenticating users
CN1691584A (en) * 2004-04-22 2005-11-02 华为技术有限公司 A method for deleting session transaction ID and related information
CN1697370A (en) * 2004-05-14 2005-11-16 华为技术有限公司 Method for mobile terminal in WLAN to apply for certificate
CN1770685A (en) * 2004-11-05 2006-05-10 华为技术有限公司 Method for ensuring user identity mark secret
CN1838593A (en) * 2005-03-07 2006-09-27 富士施乐株式会社 Certificate acquisition system, certificate acquisition method, management communication apparatus and certification authority
CN101043328A (en) * 2006-03-24 2007-09-26 华为技术有限公司 Cipher key updating method of universal leading frame
CN102299797A (en) * 2010-06-23 2011-12-28 财团法人工业技术研究院 Authentication method, key distribution method and authentication and key distribution method
CN102740286A (en) * 2012-05-23 2012-10-17 杨涛 Floating vehicle-based traceability vehicle self-networking communication privacy protection method
CN104394000A (en) * 2014-12-11 2015-03-04 江苏大学 Batched certification method based on pseudonym verification public key in vehicle-mounted network
CN104780141A (en) * 2014-01-10 2015-07-15 电信科学技术研究院 Method and equipment for acquiring message certificate in Internet-of-vehicles system
US20150257003A1 (en) * 2012-10-29 2015-09-10 Telefonaktiebolaget L M Ericsson (Publ) Protecting a payload sent in a communications network
US20160234683A1 (en) * 2013-09-13 2016-08-11 Vodafone Ip Licensing Limited Methods and systems for operating a secure mobile device
CN106921496A (en) * 2015-12-25 2017-07-04 卓望数码技术(深圳)有限公司 A kind of digital signature method and system
CN107360002A (en) * 2017-08-15 2017-11-17 武汉信安珞珈科技有限公司 A kind of application method of digital certificate
CN108390885A (en) * 2018-03-01 2018-08-10 北京华为数字技术有限公司 A kind of method and device obtaining device identification
CN108650220A (en) * 2018-03-27 2018-10-12 北京安御道合科技有限公司 Provide, obtain method, the equipment of mobile terminal certificate and automobile end chip certificate
CN109196817A (en) * 2016-04-05 2019-01-11 株式会社自动网络技术研究所 Communication system and vehicular communication unit
US20190036896A1 (en) * 2017-07-27 2019-01-31 Cisco Technology, Inc. Generic Bootstrapping Architecture (GBA) Based Security Over Constrained Application Protocol (CoAP) for IoT Devices
US20190156019A1 (en) * 2017-11-22 2019-05-23 Aeris Communications, Inc. Secure authentication of devices for internet of things

Patent Citations (20)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1614903A (en) * 2003-11-07 2005-05-11 华为技术有限公司 Method for authenticating users
CN1691584A (en) * 2004-04-22 2005-11-02 华为技术有限公司 A method for deleting session transaction ID and related information
CN1697370A (en) * 2004-05-14 2005-11-16 华为技术有限公司 Method for mobile terminal in WLAN to apply for certificate
CN1770685A (en) * 2004-11-05 2006-05-10 华为技术有限公司 Method for ensuring user identity mark secret
CN1838593A (en) * 2005-03-07 2006-09-27 富士施乐株式会社 Certificate acquisition system, certificate acquisition method, management communication apparatus and certification authority
CN101043328A (en) * 2006-03-24 2007-09-26 华为技术有限公司 Cipher key updating method of universal leading frame
CN102299797A (en) * 2010-06-23 2011-12-28 财团法人工业技术研究院 Authentication method, key distribution method and authentication and key distribution method
US20110320802A1 (en) * 2010-06-23 2011-12-29 Industrial Technology Research Institute Authentication method, key distribution method and authentication and key distribution method
CN102740286A (en) * 2012-05-23 2012-10-17 杨涛 Floating vehicle-based traceability vehicle self-networking communication privacy protection method
US20150257003A1 (en) * 2012-10-29 2015-09-10 Telefonaktiebolaget L M Ericsson (Publ) Protecting a payload sent in a communications network
US20160234683A1 (en) * 2013-09-13 2016-08-11 Vodafone Ip Licensing Limited Methods and systems for operating a secure mobile device
CN104780141A (en) * 2014-01-10 2015-07-15 电信科学技术研究院 Method and equipment for acquiring message certificate in Internet-of-vehicles system
CN104394000A (en) * 2014-12-11 2015-03-04 江苏大学 Batched certification method based on pseudonym verification public key in vehicle-mounted network
CN106921496A (en) * 2015-12-25 2017-07-04 卓望数码技术(深圳)有限公司 A kind of digital signature method and system
CN109196817A (en) * 2016-04-05 2019-01-11 株式会社自动网络技术研究所 Communication system and vehicular communication unit
US20190036896A1 (en) * 2017-07-27 2019-01-31 Cisco Technology, Inc. Generic Bootstrapping Architecture (GBA) Based Security Over Constrained Application Protocol (CoAP) for IoT Devices
CN107360002A (en) * 2017-08-15 2017-11-17 武汉信安珞珈科技有限公司 A kind of application method of digital certificate
US20190156019A1 (en) * 2017-11-22 2019-05-23 Aeris Communications, Inc. Secure authentication of devices for internet of things
CN108390885A (en) * 2018-03-01 2018-08-10 北京华为数字技术有限公司 A kind of method and device obtaining device identification
CN108650220A (en) * 2018-03-27 2018-10-12 北京安御道合科技有限公司 Provide, obtain method, the equipment of mobile terminal certificate and automobile end chip certificate

Non-Patent Citations (5)

* Cited by examiner, † Cited by third party
Title
3rd Generation Partnership Project (3GPP): "Security aspect for LTE support of Vehicle-to-Everything (V2X) services", 3GPP TS 33.185 *
3rd Generation Partnership Project (3GPP): "Zh and Zn Interfaces based on the Diameter protocol", 3GPP TS 29.109 *
Ericsson: "Bootstrapping security", Ericsson White Paper *
Huawei: "Security of UE to V2X Control Function interface", 3GPP TSG SA WG3 (Security) Meeting #84, S3-161023 *
Huawei: "Security of UE to V2X Control Function interface", 3GPP TSG SA WG3 (Security) Meeting #84, S3-161176 *

Also Published As

Publication number Publication date
CN112654013B (en) 2022-06-14
CN115379414A (en) 2022-11-22

Similar Documents

Publication Title
CN110474875B (en) Discovery method and device based on service architecture
CN109428874B (en) Registration method and device based on service architecture
US9923721B2 (en) Key agreement and authentication for wireless communication
CN108347417B (en) Network authentication method, user equipment, network authentication node and system
US10924268B2 (en) Key distribution method, and related device and system
US8001584B2 (en) Method for secure device discovery and introduction
AU2016247689A1 (en) Technique for managing profile in communication system
CN107689864B (en) Authentication method, server, terminal and gateway
CN113518348B (en) Service processing method, device, system and storage medium
US20100023768A1 (en) Method and system for security key agreement
CN112491533B (en) Key generation method and device
CN103988480A (en) Systems and methods for authentication
CN112994873B (en) Certificate application method and equipment
JP2016519873A (en) Establishing secure voice communication using a generic bootstrapping architecture
EP4247027A1 (en) Communication method and apparatus
CN112602290B (en) Identity authentication method and device and readable storage medium
EP4327505A2 (en) Methods and apparatus for provisioning, authentication, authorization, and user equipment (ue) key generation and distribution in an on-demand network
CN108882233B (en) IMSI encryption method, core network and user terminal
WO2023279283A1 (en) Method for establishing secure vehicle communication, and vehicle, terminal and system
CN113365243B (en) Communication method, device, equipment and system
CN112654013B (en) Certificate issuing method and device
CN113098830A (en) Communication method and related product
WO2009004590A2 (en) Method, apparatus, system and computer program for key parameter provisioning
CN114915942A (en) Communication key configuration method and device
CN114978556A (en) Slice authentication method, device and system

Legal Events

Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant