CN113872755A - Key exchange method and device - Google Patents

Key exchange method and device

Info

Publication number
CN113872755A
Authority
CN
China
Prior art keywords
key
ciphertext
parameter
terminal
message
Prior art date
Legal status
Pending
Application number
CN202010622317.4A
Other languages
Chinese (zh)
Inventor
江伟玉
刘冰洋
王闯
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L 9/0838 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • H04L 9/0841 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving Diffie-Hellman or related key agreement protocols
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L 63/061 Network architectures or network communication protocols for network security for supporting key management in a packet data network for key exchange, e.g. in peer-to-peer networks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L 9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L 9/0822 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using key encryption key
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/0891 Revocation or update of secret information, e.g. encryption key update or rekeying

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The embodiment of the application discloses a key exchange method and device, relating to the field of communications. The method comprises: encrypting a first temporary key according to a first terminal key, a second terminal identifier and a first key update parameter to obtain a first ciphertext; encrypting a first challenge parameter according to the first temporary key to obtain a second ciphertext; generating a first message comprising the first ciphertext, the second ciphertext and the first key update parameter; and sending the first message to an intermediate device. The method solves the problem of securely exchanging an authenticatable key between two devices that do not know each other, and completes the authenticatable key exchange without the two communicating entities sharing a key in advance.

Description

Key exchange method and device
Technical Field
The present application relates to the field of communications, and in particular, to a method and an apparatus for exchanging a key.
Background
Secure communication between two entities on the Internet typically relies on establishing a secure channel over which data is transferred with confidentiality and integrity. Establishing a secure channel typically requires authenticatable keys to be securely exchanged in advance. Existing authenticatable key exchange techniques lack forward security and a key update mechanism, and cannot cope with the risk of key leakage: an attacker who obtains an old leaked key can mount an identity forgery attack.
Therefore, in view of these problems in the prior art, how to securely exchange authenticatable keys between two devices that do not know each other is an urgent problem to be solved.
Disclosure of Invention
The application provides a key exchange method and a key exchange device, which solve the problem of the secure exchange of authenticatable keys when two devices which are not mutually acquainted communicate with each other, and complete the exchange of the authenticatable keys under the condition that two communication entities do not share the keys.
The authenticatable key exchange between two mutually unidentified devices according to the embodiment of the present application may be communication between a terminal device and the terminal device, communication between the terminal device and a network device, or communication between the network device and the network device, that is, the method of the embodiment of the present application may be used as long as the authenticatable key exchange is required for the communication between the mutually unidentified devices. In the embodiment of the application, the first terminal may be a terminal device or a network device; the second terminal may be a terminal device or a network device.
In order to achieve the purpose, the technical means are as follows: in a first aspect, the present application provides a key exchange method, which may be applied to a terminal, or may be applied to a communication apparatus that may support the terminal and an access device of the terminal to implement the method, for example, the communication apparatus includes a chip system; the method may also be applied to a network device, or the method may be applied to a communication apparatus that may support the network device to implement the method, for example, the communication apparatus includes a system-on-chip, and the method includes:
encrypting the first temporary key according to the first terminal key, the second terminal identifier and the first key update parameter to obtain a first ciphertext; encrypting the first challenge parameter according to the first temporary key to obtain a second ciphertext; generating a first message, wherein the first message comprises the first ciphertext, the second ciphertext and the first key update parameter; and sending the first message to the intermediate device.
By this method, the problem of securely exchanging an authenticatable key between two devices that do not know each other is solved, and the authenticatable key exchange is completed without the two communicating entities sharing a key in advance. Because the first temporary key is encrypted under the first key update parameter, the temporary key can be updated flexibly: the key update parameter used to encrypt the temporary key differs each time, which reduces both the harm caused by key leakage and the complexity of key updating.
In a possible implementation manner, encrypting the first temporary key according to the first terminal key, the second terminal identifier, and the first key update parameter to obtain a first ciphertext includes: obtaining a first identity encryption key according to the first terminal key, the second terminal identifier and the first key updating parameter; and encrypting the first temporary key according to the first identity encryption key to obtain a first ciphertext.
Because the first key update parameter is introduced, a different key update parameter is used in the next data packet transmission even if a single key has leaked, which effectively ensures the security of the key.
In another possible implementation, encrypting the first challenge parameter according to the first temporary key to obtain a second ciphertext includes: obtaining a first encryption authentication key according to the first terminal identifier, the second terminal identifier and the first temporary key, wherein the first encryption authentication key comprises a first confidentiality key and a first integrity verification key; and encrypting the first challenge parameter according to the first confidentiality key to obtain a second ciphertext.
The first confidentiality key is a symmetric key used to encrypt information related to the challenge parameter; it provides confidentiality for the challenge parameter and related information and prevents an illegal entity from eavesdropping on the link. The first integrity key is the input key of a keyed hash function and generates a verification code over the key information in a data message (such as the identity identifiers and the ciphertext of the challenge parameter), so that an illegal entity cannot tamper with that information.
Obtaining the second ciphertext through the first temporary key means the first terminal and the second terminal need not share a key in advance, which reduces signaling interaction between the devices.
In another possible implementation, the first challenge parameter includes a first Diffie-Hellman key agreement parameter.
Even when an attack is encountered, the use of the first Diffie-Hellman key agreement parameter effectively ensures the security of the key.
In another possible embodiment, the first message further comprises a first message authentication code.
In another possible implementation, the first message authentication code is generated based on the first session identifier, the first terminal identification, the second ciphertext, and the first key update parameter.
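The first-aspect steps above (identity encryption key derived from the terminal key, peer identifier and key update parameter; temporary key encrypted into the first ciphertext; challenge parameter encrypted under the confidentiality key into the second ciphertext; message authentication code under the integrity key) as an added Python example that is not the patent's own code. The patent fixes no KDF, cipher or wire format, so HMAC-SHA256 derivation, the toy XOR stream cipher and the field layout are assumptions, and the intermediate device's proxy re-encryption is not modelled: the second terminal is simply handed the temporary key it would recover from the third ciphertext.

```python
import hmac
import hashlib
import secrets

# Added example (not the patent's code). KDF, cipher and message layout are
# assumed stand-ins; proxy re-encryption by the intermediate device is omitted.


def kdf(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed context parts; returns a 32-byte key."""
    ctx = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, ctx, hashlib.sha256).digest()


def xor_cipher(key: bytes, data: bytes) -> bytes:
    """Toy single-use stream cipher: XOR with an HMAC keystream. Symmetric, so
    the same call decrypts. Every key used with it below is fresh per message,
    which is the only reason a counter-only keystream is acceptable here."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def identity_encryption_key(terminal_key: bytes, peer_id: bytes, update_param: bytes) -> bytes:
    """First identity encryption key. Mixing in the key update parameter makes
    the key different for every message, which is the patent's rekeying point."""
    return kdf(terminal_key, b"identity-enc", peer_id, update_param)


def encryption_authentication_keys(id1: bytes, id2: bytes, temp_key: bytes):
    """First encryption-authentication key: (confidentiality key, integrity key)."""
    return kdf(temp_key, b"conf", id1, id2), kdf(temp_key, b"int", id1, id2)


def first_mac(k_int: bytes, sid: bytes, id1: bytes, id2: bytes, c2: bytes, update_param: bytes) -> bytes:
    # The page lists the MAC inputs slightly differently for the sender and the
    # verifier; this example uses the union of both lists on both sides.
    return hmac.new(k_int, b"".join([sid, id1, id2, c2, update_param]), hashlib.sha256).digest()


def build_first_message(terminal_key, id1, id2, sid, challenge, update_param=None, temp_key=None):
    """First terminal: produce {c1, c2, update_param, mac} and keep the temporary key."""
    update_param = update_param or secrets.token_bytes(16)   # first key update parameter
    temp_key = temp_key or secrets.token_bytes(32)            # first temporary key
    iek = identity_encryption_key(terminal_key, id2, update_param)
    c1 = xor_cipher(iek, temp_key)                            # first ciphertext
    k_conf, k_int = encryption_authentication_keys(id1, id2, temp_key)
    c2 = xor_cipher(k_conf, challenge)                        # second ciphertext
    mac = first_mac(k_int, sid, id1, id2, c2, update_param)   # first message authentication code
    return {"c1": c1, "c2": c2, "update_param": update_param, "mac": mac}, temp_key


def open_second_ciphertext(msg, temp_key, id1, id2, sid):
    """Second terminal: given the recovered temporary key, verify the MAC and
    return the first challenge parameter, or None if the message was altered."""
    k_conf, k_int = encryption_authentication_keys(id1, id2, temp_key)
    expected = first_mac(k_int, sid, id1, id2, msg["c2"], msg["update_param"])
    if not hmac.compare_digest(expected, msg["mac"]):
        return None
    return xor_cipher(k_conf, msg["c2"])


def leaked_identity_key_opens_next_message(terminal_key, id1, id2, sid) -> bool:
    """Does the identity encryption key of message 1, once leaked, also open the
    first ciphertext of message 2? Expected False: message 2 carries a fresh
    key update parameter, so its identity encryption key is different."""
    msg1, tk1 = build_first_message(terminal_key, id1, id2, sid, b"chal-1")
    msg2, tk2 = build_first_message(terminal_key, id1, id2, sid, b"chal-2")
    leaked = identity_encryption_key(terminal_key, id2, msg1["update_param"])
    if xor_cipher(leaked, msg1["c1"]) != tk1:     # the leaked key does open message 1
        raise RuntimeError("leaked key should open its own message")
    return xor_cipher(leaked, msg2["c1"]) == tk2  # ... but not the next one
```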
In a second aspect, the present application provides a key exchange method, which is applicable to a terminal, or a communication apparatus that can support the terminal and an access device of the terminal to implement the method, for example, the communication apparatus includes a chip system; the method may also be applied to a network device, or the method may be applied to a communication apparatus that may support the network device to implement the method, for example, the communication apparatus includes a system-on-chip, and the method includes:
receiving a fourth message from the intermediate device, wherein the fourth message comprises a fifth ciphertext, a sixth ciphertext and a second key update parameter, the fifth ciphertext is obtained by the second terminal encrypting the first challenge parameter and the second challenge parameter according to the second temporary key, and the sixth ciphertext is obtained by encrypting the second temporary key with the second identity encryption key.
By this method, the problem of securely exchanging an authenticatable key between two devices that do not know each other is solved, and the authenticatable key exchange is completed without the two communicating entities sharing a key in advance.
In another possible implementation manner, the first challenge parameter and the second challenge parameter are obtained according to the first terminal key, the second terminal identifier, the second key update parameter, and the fifth ciphertext.
In another possible embodiment, the first identity decryption key is obtained from the first terminal key, the second terminal identity and the second key update parameter.
The temporary key can be flexibly updated by introducing the second key updating parameter, so that the key updating parameters for encrypting the temporary key at each time are different, and further, the harm and the key updating complexity caused by key leakage are reduced.
In another possible implementation, the sixth ciphertext is decrypted based on the first identity decryption key to obtain the second temporary key.
In another possible implementation, the fifth ciphertext is decrypted according to the second temporary key, so as to obtain the first challenge parameter and the second challenge parameter.
In another possible embodiment, the first challenge parameter comprises a first Diffie-Hellman key agreement parameter; the second challenge parameter comprises a third Diffie-Hellman key agreement parameter.
By combining proxy re-encryption with Diffie-Hellman key agreement parameters, the forward security problem existing in the key exchange process is solved.
In another possible implementation, if the first challenge parameter obtained by decrypting the fifth ciphertext matches the first challenge parameter that was encrypted into the second ciphertext, the first session shared key and the first session key confirmation message A are generated, and the second terminal is accessed.
In another possible implementation, the first session shared key is obtained according to the first challenge parameter and the second challenge parameter; the first session shared key is a channel key that protects the security of session messages and prevents an illegal entity from eavesdropping on or tampering with session information.
Optionally, the first terminal generates a random number x and determines the key agreement parameter g^x from x. It receives g^y, which the second terminal determined from its own random number y, and performs an exponentiation using x and g^y to obtain the session shared key g^{xy}.
Because of this exponentiation, even if an attacker obtains g^x and g^y, there is no way to obtain the session shared key g^{xy}. Therefore, the security of the session key is effectively ensured.
Optionally, a second encryption key and a second integrity key are obtained according to the first session shared key; a first session key confirmation message A is obtained according to the second integrity key and the second challenge parameter; and the first session key confirmation message A is sent to the second terminal.
The methods of the first and second aspects described above may be implemented individually or in combination with each other.
In a third aspect, the present application provides a key exchange method, where the method is applicable to a terminal, or the method is applicable to a communication apparatus that can support the terminal and an access device of the terminal to implement the method, for example, the communication apparatus includes a chip system; the method may also be applied to a network device, or the method may be applied to a communication apparatus that may support the network device to implement the method, for example, the communication apparatus includes a system-on-chip, and the method includes: receiving a second message of the intermediate device, wherein the second message comprises a second ciphertext, a third ciphertext and a first key update parameter, and the third ciphertext is obtained by the first ciphertext through proxy re-encryption of the intermediate device; and decrypting the second ciphertext according to the second terminal key, the first terminal identifier, the first key updating parameter and the third ciphertext to obtain the first challenge parameter.
By this method, the problem of securely exchanging an authenticatable key between two devices that do not know each other is solved, and the authenticatable key exchange is completed without the two communicating entities sharing a key in advance.
In another possible implementation manner, decrypting the second ciphertext according to the second terminal key, the first terminal identifier, the first key update parameter, and the third ciphertext to obtain the first challenge parameter includes: obtaining a first decryption key according to the second terminal key, the first terminal identifier and the first key update parameter; decrypting the third ciphertext according to the first decryption key to obtain a first temporary key; and decrypting the second ciphertext according to the first temporary key to obtain the first challenge parameter.
In another possible implementation, decrypting the second ciphertext according to the first temporary key to obtain the first challenge parameter includes: obtaining a first encryption authentication key according to the first terminal identifier, the second terminal identifier and the first temporary key, wherein the first encryption authentication key comprises a first confidentiality key and a first integrity verification key; and decrypting the second ciphertext according to the first confidentiality key to obtain a first challenge parameter.
In another possible implementation, the fourth ciphertext is obtained according to the second terminal key, the first terminal identifier, the second key update parameter, and the second temporary key.
The temporary key can be flexibly updated by introducing the second key updating parameter, so that the key updating parameters for encrypting the temporary key at each time are different, and further, the harm and the key updating complexity caused by key leakage are reduced.
In another possible implementation, the first challenge parameter and the second challenge parameter are encrypted according to the second temporary key to obtain a fifth ciphertext.
In another possible implementation, encrypting the first challenge parameter and the second challenge parameter according to the second temporary key to obtain a fifth ciphertext includes: obtaining a second encryption authentication key according to the first terminal identifier, the second terminal identifier and the second key updating parameter, wherein the second encryption authentication key comprises a second confidentiality key and a second integrity verification key; and encrypting the first challenge parameter and the second challenge parameter according to the second confidentiality key to obtain a fifth ciphertext.
In another possible implementation, the second challenge parameter includes a second Diffie-Hellman key agreement parameter.
By combining proxy re-encryption with Diffie-Hellman key agreement parameters, the forward security problem existing in the key exchange process is solved.
In another possible embodiment, the second message further comprises the first message authentication code.
In another possible implementation, a third message is sent to the intermediate device, where the third message includes the fourth ciphertext, the fifth ciphertext, and the second key update parameter.
In another possible embodiment, the third message further comprises a second message authentication code.
In another possible implementation, the second message authentication code is generated according to the first session identifier, the first terminal identifier, the second terminal identifier, the fifth ciphertext, and the first key update parameter.
In another possible implementation, the first message authentication code is verified according to the first session identifier, the first terminal identifier, the second terminal identifier, the first key update parameter, the second ciphertext, and the first integrity key; if the recomputed code matches the first message authentication code carried in the second message, the verification succeeds.
In a fourth aspect, the present application provides a key exchange method, which is applicable to a terminal, or to a communication apparatus that can support the terminal and an access device of the terminal to implement the method, for example, a communication apparatus including a chip system; the method may also be applied to a network device, or to a communication apparatus that can support the network device to implement the method, for example, a communication apparatus including a system-on-chip. The method includes: receiving the first session key confirmation message code A from the first terminal; obtaining a first session shared key according to the first challenge parameter and the second challenge parameter; obtaining a second confidentiality key and a second integrity key according to the first terminal identifier, the second terminal identifier and the first session shared key; obtaining a second confirmation message code B according to the second integrity key; and, if the second confirmation message code B is the same as the first confirmation message code A, the verification succeeds.
By this method, the problem of securely exchanging an authenticatable key between two devices that do not know each other is solved, and the authenticatable key exchange is completed without the two communicating entities sharing a key in advance. Through bidirectional challenge verification, security problems such as replay attacks and identity forgery are effectively addressed.
The methods of the third and fourth aspects may be implemented individually or in combination, or may be implemented in combination with the methods of the first and second aspects.
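The second- and fourth-aspect steps above (Diffie-Hellman challenge parameters g^x and g^y, the session shared key g^{xy}, the second confidentiality and integrity keys derived with both terminal identifiers, confirmation code A produced by the first terminal and code B recomputed by the second terminal, plus the first terminal's check that the echoed first challenge parameter is the one it sent) as an added Python example that is not the patent's own code. The patent fixes neither a DH group nor a KDF or MAC construction, so the toy group and the HMAC-SHA256 choices are assumptions; transport of the fifth ciphertext and of the confirmation message is left out, and each function takes the values its side has already recovered.

```python
import hmac
import hashlib
import secrets

# Added example (not the patent's code). Toy DH group and HMAC-based derivation
# are assumptions; the fifth ciphertext and the confirmation message transport
# are not modelled, only the values each side ends up holding.

P = 2 ** 127 - 1   # toy Mersenne-prime modulus, illustration only (a real deployment uses a standard group)
G = 3


def dh_public(private: int) -> int:
    """Challenge parameter g^x mod p (or g^y for the second terminal)."""
    return pow(G, private, P)


def session_shared_key(private: int, peer_public: int) -> bytes:
    """g^xy mod p: exponentiate the peer's parameter with one's own exponent."""
    return pow(peer_public, private, P).to_bytes(16, "big")


def session_keys(id1: bytes, id2: bytes, shared: bytes):
    """Second confidentiality key and second integrity key, bound to both identifiers."""
    ctx = id1 + b"|" + id2
    return (hmac.new(shared, b"enc|" + ctx, hashlib.sha256).digest(),
            hmac.new(shared, b"int|" + ctx, hashlib.sha256).digest())


def confirmation_code(k_int: bytes, second_challenge: int) -> bytes:
    """Session key confirmation code over the second challenge parameter (A on
    the first terminal, B when recomputed by the second terminal)."""
    return hmac.new(k_int, second_challenge.to_bytes(16, "big"), hashlib.sha256).digest()


def first_terminal_confirm(x: int, gx_sent: int, id1: bytes, id2: bytes, echoed_gx: int, gy: int):
    """First terminal, after opening the fifth ciphertext: check that the echoed
    first challenge parameter is the one it sent, then derive the session keys
    and produce confirmation code A. Returns (shared_key, A) or None."""
    if echoed_gx != gx_sent:          # bidirectional challenge check: a replayed
        return None                   # or forged reply echoes the wrong g^x
    shared = session_shared_key(x, gy)
    _k_enc, k_int = session_keys(id1, id2, shared)
    return shared, confirmation_code(k_int, gy)


def second_terminal_verify(y: int, gx: int, gy: int, id1: bytes, id2: bytes, code_a: bytes) -> bool:
    """Second terminal: recompute code B from its own view and compare with A."""
    shared = session_shared_key(y, gx)
    _k_enc, k_int = session_keys(id1, id2, shared)
    return hmac.compare_digest(code_a, confirmation_code(k_int, gy))


def run_exchange(id1: bytes = b"terminal-1", id2: bytes = b"terminal-2", stale_echo: bool = False) -> bool:
    """Drive both sides once. With stale_echo=True the reply echoes some other
    first challenge parameter, as a replayed response would, and is rejected."""
    x = secrets.randbelow(P - 2) + 2
    gx = dh_public(x)
    y = secrets.randbelow(P - 2) + 2
    gy = dh_public(y)
    echoed = dh_public(secrets.randbelow(P - 2) + 2) if stale_echo else gx
    result = first_terminal_confirm(x, gx, id1, id2, echoed, gy)
    if result is None:
        return False
    shared, code_a = result
    if shared != session_shared_key(y, gx):   # both sides must hold the same g^xy
        raise RuntimeError("shared key mismatch")
    return second_terminal_verify(y, gx, gy, id1, id2, code_a)
```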
In a fifth aspect, the present application further provides a communication device for implementing the method described in the first aspect and/or the second aspect. The communication apparatus is a terminal device or an access device of the terminal, such as an access point AP, a router, or the like, or a communication apparatus supporting the terminal or the access device of the terminal, and implements the method described in the first aspect and/or the second aspect, for example, the communication apparatus includes a chip system. For example, the communication apparatus includes: a processing unit and a transceiving unit. The processing unit is used for encrypting the first temporary key according to the first terminal key, the second terminal identifier and the first key updating parameter to obtain a first ciphertext, and encrypting the first challenge parameter according to the first temporary key to obtain a second ciphertext; and the transceiving unit is used for sending the first message to the intermediate device.
Optionally, the transceiving unit is configured to receive a fourth message from the intermediate device, where the fourth message includes a fifth ciphertext, a sixth ciphertext, and a second key update parameter, the fifth ciphertext is obtained by the second terminal encrypting the first challenge parameter and the second challenge parameter according to the second temporary key, and the sixth ciphertext is obtained by encrypting the second temporary key with the second identity encryption key.
In a sixth aspect, the present application further provides a communication device for implementing the method described in the first aspect and/or the second aspect. The communication apparatus is a network device or a communication apparatus supporting a network device in implementing the method described in the first aspect and/or the second aspect, for example, a communication apparatus including a chip system. For example, the communication apparatus includes a transceiving unit and a processing unit. The processing unit is used for encrypting the first temporary key according to the first terminal key, the second terminal identifier and the first key update parameter to obtain a first ciphertext, and for encrypting the first challenge parameter according to the first temporary key to obtain a second ciphertext; the transceiving unit is used for sending the first message to the intermediate device.
Optionally, the transceiving unit is configured to receive a fourth message from the intermediate device, where the fourth message includes a fifth ciphertext, a sixth ciphertext, and a second key update parameter, the fifth ciphertext is obtained by the second terminal encrypting the first challenge parameter and the second challenge parameter according to the second temporary key, and the sixth ciphertext is obtained by encrypting the second temporary key with the second identity encryption key.
In a seventh aspect, the present application further provides a communication apparatus for implementing the method described in the third aspect and/or the fourth aspect. The communication apparatus is a terminal device or an access device of the terminal, such as an access point AP, a router, or the like, or a communication apparatus supporting the terminal or the access device of the terminal in implementing the method described in the third aspect and/or the fourth aspect, for example, a communication apparatus including a chip system. For example, the communication apparatus includes a transceiving unit and a processing unit. The transceiving unit is used for receiving a second message from the intermediate device, where the second message comprises a second ciphertext, a third ciphertext and a first key update parameter, and the third ciphertext is obtained from the first ciphertext through proxy re-encryption by the intermediate device; the processing unit is used for decrypting the second ciphertext according to the second terminal key, the first terminal identifier, the first key update parameter and the third ciphertext to obtain the first challenge parameter. The processing unit is further used for obtaining a fourth ciphertext according to the second terminal key, the first terminal identifier, the second key update parameter and the second temporary key, and for encrypting the first challenge parameter and the second challenge parameter according to the second temporary key to obtain a fifth ciphertext.
Optionally, the transceiving unit is configured to receive the first session key confirmation message code A from the first terminal; the processing unit is used for obtaining a first session shared key according to the first challenge parameter and the second challenge parameter, for obtaining a second confidentiality key and a second integrity key according to the first terminal identifier, the second terminal identifier and the first session shared key, for obtaining a second confirmation message code B according to the second integrity key, and for determining that verification succeeds if the second confirmation message code B is the same as the first confirmation message code A. The detailed method is the same as that described in the third aspect and/or the fourth aspect, and is not described herein again.
In an eighth aspect, the present application further provides a communication apparatus for implementing the method described in the third aspect and/or the fourth aspect. The communication apparatus is a network device or a communication apparatus supporting a network device in implementing the method described in the third aspect and/or the fourth aspect, for example, a communication apparatus including a chip system. For example, the communication apparatus includes a transceiving unit and a processing unit. The transceiving unit is used for receiving a second message from the intermediate device, where the second message comprises a second ciphertext, a third ciphertext and a first key update parameter, and the third ciphertext is obtained from the first ciphertext through proxy re-encryption by the intermediate device; the processing unit is used for decrypting the second ciphertext according to the second terminal key, the first terminal identifier, the first key update parameter and the third ciphertext to obtain the first challenge parameter. The processing unit is further used for obtaining a fourth ciphertext according to the second terminal key, the first terminal identifier, the second key update parameter and the second temporary key, and for encrypting the first challenge parameter and the second challenge parameter according to the second temporary key to obtain a fifth ciphertext.
Optionally, the transceiving unit is configured to receive the first session key confirmation message code A from the first terminal; the processing unit is used for obtaining a first session shared key according to the first challenge parameter and the second challenge parameter, for obtaining a second confidentiality key and a second integrity key according to the first terminal identifier, the second terminal identifier and the first session shared key, for obtaining a second confirmation message code B according to the second integrity key, and for determining that verification succeeds if the second confirmation message code B is the same as the first confirmation message code A. The detailed method is the same as that described in the third aspect and/or the fourth aspect, and is not described herein again.
In a ninth aspect, the present application further provides a communication device for implementing the method described in the first aspect and/or the second aspect. The communication apparatus is a terminal or an access device of the terminal, such as an access point AP, a router, or the like, or a communication apparatus supporting the terminal to implement the method described in the first aspect and/or the second aspect, for example, the communication apparatus includes a chip system. The communication apparatus is a network device or a communication apparatus supporting a network device implementing the method described in the first aspect and/or the second aspect, for example, the communication apparatus includes a chip system. For example, the communication device comprises a processor for implementing the functionality of the method described in the first aspect and/or the second aspect. The communication device may also include a memory for storing program instructions and data. The memory is coupled to the processor, and the processor may call and execute the program instructions stored in the memory for implementing the functions in the methods described in the first and/or second aspects. The communication means may also comprise a communication interface for the communication means to communicate with other devices. Exemplarily, if the communication device is a terminal device, the other device is a network device; if the communication device is a network device, the other device is a terminal device.
In one possible arrangement, the communication device comprises: a transceiver and a processor. The processor is used for encrypting the first temporary key according to the first terminal key, the second terminal identifier and the first key updating parameter to obtain a first ciphertext; the processor is further used for encrypting the first challenge parameter according to the first temporary secret key to obtain a second ciphertext; the processor is further used for generating a first message, wherein the first message comprises a first ciphertext, a second ciphertext and a first key update parameter; a transceiver to transmit a first message to an intermediary device. The detailed method is the same as that described in the first aspect and/or the second aspect, and is not described herein again.
In a tenth aspect, the present application further provides a communication apparatus for implementing the method described in the third and/or fourth aspect. The communication apparatus is a terminal or an access device of the terminal, such as an access point AP, a router, or the like, or a communication apparatus supporting the terminal to implement the method described in the third aspect and/or the fourth aspect, for example, the communication apparatus includes a chip system. The communication apparatus is a network device or a communication apparatus supporting a network device to implement the method described in the third aspect and/or the fourth aspect, for example, the communication apparatus includes a chip system. For example, the communication device comprises a processor for implementing the functionality of the method described in the third and/or fourth aspect. The communication device may also include a memory for storing program instructions and data. The memory is coupled to the processor, and the processor may call and execute the program instructions stored in the memory to implement the functions in the method described in the third aspect and/or the fourth aspect. The communication means may also comprise a communication interface for the communication means to communicate with other devices. Exemplarily, if the communication device is a terminal device, the other device is a network device; if the communication device is a network device, the other device is a terminal device.
In one possible arrangement, the communication device comprises: a transceiver and a processor. The transceiver receives a second message of the intermediate device, wherein the second message comprises a second ciphertext, a third ciphertext and a first key update parameter, and the third ciphertext is obtained by the first ciphertext through proxy re-encryption of the intermediate device; and the processor decrypts the second ciphertext according to the second terminal key, the first terminal identifier, the first key updating parameter and the third ciphertext to obtain the first challenge parameter. The detailed method is the same as that described in the third aspect and/or the fourth aspect, and is not described herein again.
In an eleventh aspect, the present application further provides a computer-readable storage medium comprising: computer software instructions; the computer software instructions, when executed in the communication device, cause the communication device to perform the method of any of the first to fourth aspects described above.
In a twelfth aspect, the present application also provides a computer program product comprising instructions that, when run in a communication apparatus, cause the communication apparatus to perform the method of any of the first to fourth aspects described above.
In a thirteenth aspect, the present application provides a chip system, which includes a processor and may further include a memory, and is configured to implement the functions of the network device, the terminal, or the application server in the foregoing method. The chip system may be formed by a chip, and may also include a chip and other discrete devices.
In a fourteenth aspect, the present application further provides a communication system, where the communication system includes a terminal or an access device of the terminal, and a communication apparatus supporting the terminal to implement the method described in any of the first to fourth aspects.
In the present application, the names of the first terminal, the second terminal and the communication apparatus do not constitute a limitation on the devices themselves, which may appear under other names in practical implementations. Provided that the function of each device is similar to that described in the present application, the devices fall within the scope of the claims of the present application and their equivalents.
Drawings
Fig. 1 is a diagram illustrating an architecture of a communication system according to an embodiment of the present application;
fig. 2 is a flowchart of a key exchange method according to an embodiment of the present application;
fig. 3 is a flowchart of another key exchange method provided in an embodiment of the present application;
fig. 4 is a schematic diagram illustrating a communication device according to an embodiment of the present disclosure;
fig. 5 is a schematic composition diagram of another communication device according to an embodiment of the present application;
fig. 6 is a schematic structural diagram of a possible implementation manner of a terminal device according to an embodiment of the present application;
fig. 7 is a schematic structural diagram of a possible implementation manner of a network device according to an embodiment of the present application;
Detailed Description
The network device in the technical solutions of the embodiments of the present application may be any device with a wireless or wired transceiving function, or a chip that can be disposed in such a device. The device includes but is not limited to: an evolved Node B (eNB), a Radio Network Controller (RNC), a Node B (NB), a Base Station Controller (BSC), a Base Transceiver Station (BTS), a home base station (for example, a Home evolved NodeB or Home Node B, HNB), a BaseBand Unit (BBU), an Access Point (AP) in a Wireless Fidelity (WIFI) system, a wireless relay node, a wireless backhaul node, a Transmission Point (TP), a Transmission Reception Point (TRP), a router, and the like. It may also be a gNB or a transmission reception point (TRP or TP) in a 5G system such as NR; one or a group of base stations in the 5G system may include multiple antennas; or it may also be a network panel, such as a baseband unit (BBU) or a Distributed Unit (DU).
In some deployments, the gNB may include a Centralized Unit (CU) and a DU. The gNB may also include a Radio Unit (RU). The CU implements part of the functions of the gNB and the DU implements another part; for example, the CU implements the Radio Resource Control (RRC) and Packet Data Convergence Protocol (PDCP) layers, and the DU implements the Radio Link Control (RLC), Medium Access Control (MAC) and Physical (PHY) layers. Since the information of the RRC layer eventually becomes, or is converted from, information of the PHY layer, higher layer signaling such as RRC layer signaling or PDCP layer signaling may also be considered to be transmitted by the DU, or by the DU + RU, under this architecture. It is to be understood that the network device may be a CU node, or a DU node, or a device including a CU node and a DU node. In addition, the CU may be classified as a network device in the access network RAN, or as a network device in the core network CN, which is not limited herein.
It should also be understood that the terminal device in the embodiments of the present application may be a terminal device or an access device of a terminal. A terminal device may also be referred to as a User Equipment (UE), an access terminal, a subscriber unit, a subscriber station, a mobile station, a remote terminal, a mobile device, a user terminal, a wireless communication device, a user agent, or user equipment. It may be a wireless terminal device capable of receiving scheduling and indication information from a base station, and may be a device providing voice and/or data connectivity to a user, a handheld device having wireless connection capability, or another processing device connected to a wireless modem. Wireless terminal devices, which may be mobile terminal devices such as mobile telephones (or "cellular" telephones), computers, and data cards, for example portable, pocket, hand-held, computer-embedded, or vehicle-mounted mobile devices, may communicate with one or more core networks or the internet via a radio access network (e.g., a RAN). Examples of such devices include Personal Communication Service (PCS) phones, cordless phones, Session Initiation Protocol (SIP) phones, Wireless Local Loop (WLL) stations, Personal Digital Assistants (PDAs), tablet computers (pads), and computers with wireless transceiving functions. A wireless terminal device may also be referred to as a system, a subscriber unit (subscriber unit), a subscriber station (subscriber station), a mobile station (mobile station), a Mobile Station (MS), a remote station (remote station), an Access Point (AP), a remote terminal device (remote terminal), an access terminal device (access terminal), a user terminal device (user terminal), a user agent (user agent), a Subscriber Station (SS), a user terminal device (CPE), a terminal (terminal), a User Equipment (UE), a Mobile Terminal (MT), etc.
For URLLC application scenarios, the terminal device may be a wireless terminal in industrial control (industrial control), a wireless terminal in self driving (self driving), a wireless terminal in remote surgery (remote medical supply), a wireless terminal in smart grid (smart grid), a wireless terminal in transportation safety (transportation safety), a wireless terminal in smart city (smart city), a wireless terminal in smart home (smart home), and so on. The access device of the terminal may be an access point AP, a router, etc. The embodiments of the present application do not limit the application scenarios.
To facilitate understanding of the embodiments of the present application, a brief description of several terms referred to in the present application will be given first.
First terminal key: the long-term key of the first terminal. The first terminal carries an initial key when it leaves the factory, namely the long-term key corresponding to the first terminal. Alternatively, it is a permanent key distributed by an authority server after the device accesses the network, such as a key in a SIM card, or a key that is initially configured. The embodiments of the present application do not limit the manner of obtaining the first terminal key. The second terminal key is defined in the same way.
A first terminal identifier: any quantity that can identify the first terminal, such that the corresponding first terminal can be found through the first terminal identifier. For example, it may be the ID of the first terminal, the ID of the user, the IP address, an identifier assigned by another device, and the like. The first terminal identifier is not specifically limited in the embodiments of the application; any value that uniquely identifies the first terminal may serve as the first terminal identifier.
In the embodiment of the present application, other identifiers, such as the second terminal identifier, also have a wide interpretation space, and as long as the second terminal can be uniquely identified, the other identifiers may be corresponding second terminal identifiers.
The first temporary key: generated by means of a random number. For example, the first terminal may generate a random number through a generation algorithm and derive the first temporary key from that random number. Optionally, the first terminal may also generate the first temporary key directly through a random number generation algorithm. Because it is generated from a random number, the first temporary key is temporary, i.e. random.
First key update parameter: a constantly changing parameter, such as, but not limited to, a time parameter, or a value generated from a random number. Illustratively, the first key update parameter is a parameter that is continuously and dynamically updated over time. Optionally, the first terminal may generate a random number through a generation algorithm and derive the first key update parameter from that random number. Optionally, the first terminal may also generate the first key update parameter directly through a random number generation algorithm. The first key update parameter is used for generating a key at the local terminal so as to obtain a ciphertext. Through the key update parameter, dynamic updating of the key used for identity authentication is supported without updating the permanent key, which addresses the risk of key leakage.
The first challenge parameter: the first challenge parameter comprises a Diffie-Hellman key agreement parameter. The Diffie-Hellman key agreement parameter allows both parties to create a key over an insecure channel without any prior knowledge of each other. Illustratively, assume that the first terminal generates a random number x and the second terminal generates a random number y; there are then two Diffie-Hellman key agreement parameters, denoted as the first Diffie-Hellman key agreement parameter g^x and the second Diffie-Hellman key agreement parameter g^y. In the key exchange between the first terminal and the second terminal, the complete g^x and g^y are obtained by decrypting the ciphertexts; the first terminal, based on its generated x and the received g^y, can obtain g^{xy}, and the second terminal, based on its generated y and the received g^x, can obtain g^{xy}. That is, x and y themselves cannot be obtained by decryption. Even if g^x and g^y leak, an attacker cannot obtain g^{xy} from g^x and g^y, so the security of the session key is effectively ensured.
Alternatively, the Diffie-Hellman key parameter calculation may be implemented on an elliptic curve. The first terminal and the second terminal generate a key based on the elliptic curve discrete logarithm problem using shared elliptic curve parameters: the elliptic curve E, the order N and the base point G. An example is the Elliptic Curve Diffie-Hellman key agreement protocol (ECDH). Suppose that the first terminal generates a random number x and the second terminal generates a random number y; there are then two Diffie-Hellman key agreement parameters: the first Diffie-Hellman key agreement parameter X, where X = [x]G and [·]G denotes point multiplication on the elliptic curve, and the second Diffie-Hellman key agreement parameter Y, where Y = [y]G. The first terminal calculates [xy]G from x and the received Y, and the second terminal calculates [xy]G from y and the received X. An attacker cannot obtain [xy]G from X and Y, so the security of the session key is effectively ensured.
Optionally, assume that the first terminal generates a random number x and the second terminal generates a random number y; there are then two Diffie-Hellman key agreement parameters: the first Diffie-Hellman key agreement parameter X, where X = g^x mod P, and the second Diffie-Hellman key agreement parameter Y, where Y = g^y mod P, with P a predefined modulus. The first terminal calculates g^{xy} mod P from x and the received Y; the second terminal calculates g^{xy} mod P from y and the received X.
Optionally, the first challenge parameter further includes a random number key M. When an attacker performs a replay attack, M in the replayed data packet is stale because M is randomly generated, so the replayed data packet cannot reach the destination terminal, and the security of the session is effectively ensured.
The random numbers x and y may be the private keys corresponding to temporary Diffie-Hellman keys, and g^x and g^y may be the corresponding public keys of the temporary Diffie-Hellman keys.
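The modular and elliptic-curve forms of the Diffie-Hellman key agreement parameter described above, together with the random number M that accompanies it in the first challenge parameter, as an added example in Python (this is not the patent's own code). It uses the text's symbols (x, y, X = g^x mod P, Y = g^y mod P, [x]G, [xy]G) and adds the receiver-side replay check on M that the text implies. The parameters are assumptions chosen for a toy: the Mersenne prime p = 2^61 - 1 serves both as the modulus P (with g = 3) and as the field of the toy curve y^2 = x^3 + 7; a real deployment would use a standard group such as a 2048-bit MODP group or the P-256 curve.

```python
# Added example, not part of the patent. Toy parameters (assumption): p = 2^61 - 1 is
# both the DH modulus P (g = 3) and the field of the toy curve y^2 = x^3 + 7 over GF(p).
import secrets

p = (1 << 61) - 1
g = 3
A, B = 0, 7                      # toy curve y^2 = x^3 + A*x + B over GF(p)

def dh_modular(x, y):
    """First terminal holds x, second holds y; X = g^x mod P and Y = g^y mod P are exchanged."""
    X, Y = pow(g, x, p), pow(g, y, p)
    k_first = pow(Y, x, p)       # first terminal: its own x and the received Y
    k_second = pow(X, y, p)      # second terminal: its own y and the received X
    return X, Y, k_first, k_second

def ec_add(P1, P2):
    """Affine point addition on the toy curve; None is the point at infinity."""
    if P1 is None:
        return P2
    if P2 is None:
        return P1
    x1, y1 = P1
    x2, y2 = P2
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    if P1 == P2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def ec_mul(k, pt):
    """[k]pt by double-and-add: the point multiplication written [x]G in the text."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def base_point():
    """Find a point on the curve: p = 3 mod 4, so sqrt(a) = a^((p+1)/4) whenever a is a square."""
    for x in range(1, 100):
        rhs = (x * x * x + A * x + B) % p
        y = pow(rhs, (p + 1) // 4, p)
        if y * y % p == rhs:
            return (x, y)
    raise RuntimeError("no base point found on the toy curve")

G = base_point()

def dh_elliptic(x, y):
    """X = [x]G and Y = [y]G are exchanged; both sides compute [xy]G."""
    X, Y = ec_mul(x, G), ec_mul(y, G)
    return X, Y, ec_mul(x, Y), ec_mul(y, X)

def new_challenge(dh_param):
    """First challenge parameter: the DH parameter plus a fresh random number M."""
    return (dh_param, secrets.token_bytes(16))

class ReplayFilter:
    """Receiver-side check: a challenge whose M has already been seen is a replay and is rejected."""
    def __init__(self):
        self.seen = set()

    def accept(self, challenge):
        _, M = challenge
        if M in self.seen:
            return False
        self.seen.add(M)
        return True

if __name__ == "__main__":
    x, y = secrets.randbelow(p - 2) + 1, secrets.randbelow(p - 2) + 1
    X, Y, k1, k2 = dh_modular(x, y)
    _, _, e1, e2 = dh_elliptic(x, y)
    assert k1 == k2 and e1 == e2
    print("shared g^xy mod P:", hex(k1))
```

Both `dh_modular` and `dh_elliptic` return the two public parameters and the value each side derives, so the equality of the last two entries is the agreement property; the replay filter only ever needs M, which is why the text can pair a fresh M with an otherwise reusable DH parameter.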
First encryption authentication key: the first encryption authentication key includes a first confidentiality key and a first integrity verification key. The first confidentiality key is a symmetric key used for encrypting information related to the challenge parameter; it provides confidentiality of the challenge parameter and related information, so that an illegal entity on the link is prevented from eavesdropping. The first integrity key is the input key of a keyed hash function and generates a verification code over the key information in a data message (such as the identity identifiers and the ciphertext of the challenge parameter), so that the key information is prevented from being tampered with by an illegal entity.
First session shared key: the channel key for protecting the security of the session message prevents an illegal entity from eavesdropping and tampering the session message.
In addition, in order to facilitate understanding of the embodiments of the present application, the following description is made.
First, in the embodiments of the present application, the terms "first", "second" and the various numerals used in the embodiments shown below are merely for convenience of description, for example to distinguish between different network devices, and are not intended to limit the scope of the embodiments of the present application.
Second, in the embodiments of the present application, words such as "exemplary" or "for example" are used to mean serving as an example, instance, or illustration. Any embodiment or design described herein as "exemplary" or "e.g.," is not necessarily to be construed as preferred or advantageous over other embodiments or designs. Rather, use of the word "exemplary" or "such as" is intended to present concepts related in a concrete fashion.
Third, "at least one" means one or more, "a plurality" means two or more. "and/or" describes the association relationship of the associated objects, meaning that there may be three relationships, e.g., a and/or B, which may mean: a exists alone, A and B exist simultaneously, and B exists alone, wherein A and B can be singular or plural. The character "/" generally indicates that the former and latter associated objects are in an "or" relationship. "at least one of the following" or similar expressions refer to any combination of these items, including any combination of the singular or plural items. For example, at least one (one) of a, b, and c, may represent: a, or, b, or, c, or, a and b, or, a and c, or, b and c, or, a, b and c. Wherein a, b and c may be single or plural respectively.
The implementations of the embodiments of the present application will be described in detail below with reference to the accompanying drawings.
For the convenience of understanding the embodiments of the present application, the communication system shown in fig. 1 is used as a communication system suitable for the data transmission method provided in the embodiments of the present application. Fig. 1 shows an exemplary architecture 100 of a communication system that can be applied to embodiments of the present application. As shown in fig. 1, the communication system includes at least one terminal 101 and an Internet Service Provider (ISP) network. An ISP may be a telecommunications operator that provides a comprehensive set of internet access services, information services and value added services to a large number of users. The ISP network may include network devices 102 and 103 (e.g., border routers and switches), etc. The servers may include at least one server 104. The plurality of servers may be independent and different physical devices, the functions of the plurality of servers may be integrated on the same physical device (for example, a plurality of servers under the jurisdiction of a cloud service provider), or the functions of some of the servers may be integrated on one physical device. One or more services (e.g., gaming services) may run on each server. Services may also be referred to as applications. Each service may be deployed on, and its operation supported by, multiple servers. The terminal 101 is connected to the network device 102 or the network device 103 by wireless or wired means. The network device 102 and the network device 103 are connected to each other by wireless or wired means. The network device 102 or the network device 103 is connected to the control center server 104 by wireless or wired means. The terminal 101 is connected to another terminal 105 by wired or wireless means. The terminal equipment may be fixed or mobile. Fig. 1 is a schematic diagram; other devices, such as a wireless relay device and a wireless backhaul device, may also be included in the communication system but are not shown in fig. 1.
The embodiments of the present application do not limit the number of terminals, network devices, and servers included in the communication system.
In the embodiments of the present application, the two mutually unknown terminals may be the terminal 101 and the terminal 105 shown in fig. 1, or the terminal 101 and the network device 102, or the network device 102 and the network device 103. For example, the present application may be applied to an end-to-end secure communication scenario between two entities in an enterprise network or a campus network. An enterprise network or campus network has a large number of terminal devices (including many IoT devices) and some non-resource-constrained servers, PCs and other devices, and has its own network access and packet forwarding devices, such as WIFI access points, switches, routers and other network devices. Before a terminal device can communicate securely with other devices on the campus or enterprise network, it usually needs to perform an authenticatable key exchange and negotiate a secure key to establish a secure channel. Security protocols such as TLS, DTLS, QUIC and IPsec all have an authenticatable key exchange process. When a client accesses a server of an open internet service, one-way authentication that authenticates only the identity of the server may be employed. In a campus network scenario, a server in an enterprise or campus usually needs to authenticate the client to prevent illegal devices from accessing it, so bidirectional authentication needs to be performed. The interactive messages between two terminal devices need to be forwarded by network devices such as an AP, WIFI equipment and a switch, so all messages transmitted end to end pass through the network devices. The application does not limit the communication to terminals that are not mutually acquainted.
Secure communication between two mutually unrelated end entities on the internet typically relies on establishing a secure channel over which data is transferred with confidentiality and integrity. Establishing a secure channel typically requires a secure, authenticatable key exchange in advance. Existing authenticatable key exchange technologies have problems with forward security, lack a key update mechanism, and cannot cope with the risk of key leakage: an attacker who obtains an old leaked key can mount an identity forgery attack.
Therefore, to solve the problems existing in the prior art, an embodiment of the present application provides a key exchange method, including: the first terminal encrypts the first temporary secret key according to the first terminal secret key, the second terminal identification and the first secret key updating parameter to obtain a first ciphertext; encrypting the first challenge parameter according to the first temporary key to obtain a second ciphertext; generating a first message, wherein the first message comprises a first ciphertext, a second ciphertext and a first key update parameter; and the first terminal sends the generated first message to the intermediate equipment. The second terminal receives a second message of the intermediate device, wherein the second message comprises a second ciphertext, a third ciphertext and a first key update parameter, and the third ciphertext is obtained by the first ciphertext through proxy re-encryption of the intermediate device; and decrypting the second ciphertext according to the second terminal key, the first terminal identifier, the first key updating parameter and the third ciphertext to obtain the first challenge parameter.
By this method, the embodiments of the application solve the security problems existing in key exchange between two communicating entities, provide support for end-to-end communication security, and can prevent man-in-the-middle attacks during the key exchange. By introducing proxy re-encryption, an authenticatable key exchange can be accomplished without the two communicating entities sharing a secret key.
Fig. 2 is a schematic flow chart of a data processing method 200 provided by the embodiment of the present application, which is illustrated from the perspective of device interaction. As shown, the method 200 may include steps S201 to S224. The steps in method 200 are described in detail below.
In step S201, the first terminal encrypts the first temporary key according to the first terminal key, the second terminal identifier, and the first key update parameter, to obtain a first ciphertext.
Optionally, encrypting the first temporary key according to the first terminal key, the second terminal identifier, and the first key update parameter to obtain a first ciphertext, where the encrypting the first temporary key includes: obtaining a first identity encryption key according to the first terminal key, the second terminal identifier and the first key updating parameter; and encrypting the first temporary key according to the first identity encryption key to obtain a first ciphertext.
The temporary secret key can be flexibly updated by encrypting the first temporary secret key through the first secret key updating parameter, so that the secret key updating parameters for encrypting the temporary secret key at each time are different, and further, the harm and the secret key updating complexity caused by secret key leakage are reduced.
In step S202, the first challenge parameter is encrypted according to the first temporary key, and a second ciphertext is obtained.
Optionally, encrypting the first challenge parameter according to the first temporary key to obtain a second ciphertext, including: obtaining a first encryption authentication key according to the first terminal identifier, the second terminal identifier and the first temporary key, wherein the first encryption authentication key comprises a first confidentiality key and a first integrity verification key; and encrypting the first challenge parameter according to the first confidentiality key to obtain a second ciphertext.
Optionally, the first challenge parameter comprises a first Diffie-Hellman key agreement parameter.
Even when the exchange is under attack, using the first Diffie-Hellman key agreement parameter effectively ensures the security of the key.
In step S203, a first message is generated, where the first message includes the first ciphertext, the second ciphertext, and the first key update parameter.
Optionally, the first message further comprises a first message authentication code.
In one possible implementation, the first message authentication code is generated based on the first session identifier, the first terminal identifier, the second ciphertext, and the first key update parameter. The first terminal may generate the first message authentication code from the first session identifier, the first terminal identifier, the second ciphertext, and the first key update parameter using the keyed hash algorithm HMAC. The hash algorithm may also be referred to as a hash function. A hash algorithm is a function that maps an input message of arbitrary length to an output string of fixed length.
In step S204, the first terminal sends the first message to the intermediate device.
In step S205, the intermediate device proxy re-encrypts the first ciphertext to obtain a third ciphertext.
Optionally, the proxy re-encryption key of the intermediary device is obtained by local storage, or by requesting a remote server.
In one possible embodiment, the proxy re-encryption key is obtained through local storage, that is, the intermediate device stores and maintains the proxy re-encryption key in which the first terminal identifier and the second terminal identifier are paired.
In another possible embodiment, the proxy re-encryption key is obtained by requesting the remote server, that is, the intermediate device requests to obtain the proxy re-encryption key paired with the first terminal identifier and the second terminal identifier by sending a request message to the first network device.
Fig. 3 shows a method for obtaining the proxy re-encryption key by requesting a remote server, illustrated from the perspective of device interaction; the method 300 may include step S2051, step S2052 and step S2053.
In step S2051, the intermediate device transmits a first request message to the first network device.
The first request message comprises a first terminal identification and a second terminal identification.
In step S2052, the first network device receives the first request message.
In step S2053, the first network device obtains the proxy re-encryption key according to the first terminal identifier, the first terminal key, the second terminal identifier, and the second terminal key.
The first network device is a trusted network device that stores the first terminal key and the second terminal key and is used for generating the proxy re-encryption key.
For example, the first network device may be an authoritative server, and after receiving the message of the intermediate device, the authoritative server queries the first terminal key in the key database according to the first terminal identifier, queries the second terminal key according to the second terminal identifier, calculates to obtain the proxy re-encryption key, and sends the proxy re-encryption key to the intermediate device.
In step S206, the intermediate device sends a second message to the second terminal.
In step S207, the second terminal receives the second message of the intermediate device. The second message comprises a second ciphertext, a third ciphertext and a first key update parameter, and the third ciphertext is obtained by the first ciphertext through proxy re-encryption of the intermediate device.
Optionally, the second message further comprises the first message authentication code.
In step S208, the second ciphertext is decrypted according to the second terminal key, the first terminal identifier, the first key update parameter, and the third ciphertext to obtain the first challenge parameter.
Optionally, the second terminal checks whether the first key update parameter has expired. If the first key update parameter has expired, the second terminal determines that the key exchange authentication has failed and terminates the protocol; if the first key update parameter has not expired, execution continues.
Optionally, decrypting the second ciphertext according to the second terminal key, the first terminal identifier, the first key update parameter, and the third ciphertext to obtain the first challenge parameter, including: obtaining a first decryption key according to the second terminal key, the first terminal identifier and the first key update parameter; decrypting the third ciphertext according to the first decryption key to obtain a first temporary key; and decrypting the second ciphertext according to the first temporary key to obtain the first challenge parameter.
Optionally, decrypting the second ciphertext according to the first temporary key to obtain the first challenge parameter includes: obtaining a first encryption authentication key according to the first terminal identifier, the second terminal identifier and the first temporary key, wherein the first encryption authentication key comprises a first confidentiality key and a first integrity verification key; and decrypting the second ciphertext according to the first confidentiality key to obtain a first challenge parameter.
In step S209, the second terminal obtains a fourth ciphertext according to the second terminal key, the first terminal identifier, the second key update parameter and the second temporary key.
In step S210, the second terminal encrypts the first challenge parameter and the second challenge parameter according to the second temporary key to obtain a fifth ciphertext.
Optionally, encrypting the first challenge parameter and the second challenge parameter according to the second temporary key to obtain the fifth ciphertext includes: obtaining a second encryption authentication key according to the first terminal identifier, the second terminal identifier and the second key update parameter, the second encryption authentication key comprising a second confidentiality key and a second integrity verification key; and encrypting the first challenge parameter and the second challenge parameter with the second confidentiality key to obtain the fifth ciphertext.
Optionally, the second challenge parameter comprises a second Diffie-Hellman key agreement parameter.
Using a Diffie-Hellman key agreement parameter as the second challenge parameter effectively protects the security of the key if an attack occurs.
In step S211, the second terminal sends a third message to the intermediate device. The third message comprises the fourth ciphertext, the fifth ciphertext and the second key update parameter.
Optionally, the third message further comprises a second message authentication code.
Optionally, the second terminal verifies the first message authentication code: it computes a message authentication code over the first session identifier, the first terminal identifier, the second terminal identifier, the first key update parameter and the second ciphertext with the first integrity key, and verification succeeds if the result matches the first message authentication code carried in the second message.
In step S212, the intermediate device performs proxy re-encryption on the fourth ciphertext to obtain a sixth ciphertext.
In step S213, the intermediate device sends a fourth message to the first terminal, and the first terminal receives it. The fourth message comprises the fifth ciphertext, the sixth ciphertext and the second key update parameter; the fifth ciphertext is obtained by the second terminal encrypting the first challenge parameter and the second challenge parameter according to the second temporary key, and the sixth ciphertext is obtained by encrypting the second temporary key with the second identity encryption key.
In step S214, the first terminal obtains a first challenge parameter and a second challenge parameter according to the first terminal key, the second terminal identifier, the second key update parameter, and the fifth ciphertext.
Optionally, the first identity decryption key is obtained according to the first terminal key, the second terminal identifier and the second key update parameter.
Optionally, the sixth ciphertext is decrypted according to the first identity decryption key, so as to obtain a second temporary key.
Optionally, the fifth ciphertext is decrypted according to the second temporary key, so as to obtain the first challenge parameter and the second challenge parameter.
Optionally, the first challenge parameter comprises a first Diffie-Hellman key agreement parameter; the second challenge parameter comprises a second Diffie-Hellman key agreement parameter.
In step S215, if the first challenge parameter obtained by decrypting the fifth ciphertext matches the first challenge parameter that was encrypted into the second ciphertext, the second terminal is authenticated.
In step S216, the first terminal obtains a first session shared key according to the first challenge parameter and the second challenge parameter.
In step S217, the first terminal obtains a second encryption key and a second integrity key from the first session shared key.
In step S218, the first terminal processes the second challenge parameter with the second integrity key to obtain a first key confirmation message code A.
In step S219, the first terminal sends a fifth message to the intermediate device, the fifth message being the first key confirmation message code A.
In step S220, the second terminal receives the fifth message from the intermediate device, the fifth message being the first key confirmation message code A.
In step S221, the second terminal obtains the first session shared key according to the first challenge parameter and the second challenge parameter.
In step S222, the second terminal obtains the second encryption key and the second integrity key according to the first terminal identifier, the second terminal identifier and the first session shared key.
In step S223, the second terminal obtains a second confirmation message code B according to the second integrity key.
In step S224, if the second confirmation message code B is identical to the first key confirmation message code A, the verification succeeds.
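The second half of the exchange (steps S207 to S224), written out as an added example. This is illustrative code, not the patent's or Huawei's implementation, and because the patent does not fix the primitives several choices here are assumptions: the challenge parameters are X25519 public values (a pure-Python RFC 7748 ladder is included so the block runs offline), the confidentiality and integrity keys are derived with an HMAC-SHA256 expand step labelled with both terminal identifiers, the "cipher" is a random nonce plus an HMAC-derived keystream standing in for a real AEAD, and the key update parameter is an epoch label whose expiry the terminal can look up in a constructed table (`KEY_UPDATE_NOT_AFTER`). The proxy re-encryption path (third, fourth and sixth ciphertexts) is not modelled: both terminals are simply handed the first and second temporary keys, and, following S210 and S213, the second encryption authentication key is derived from the second temporary key. All function names, identifiers and the session identifier are invented for the example.

```python
"""Steps S207-S224 modelled end to end (added example, not the patent's code). Both
terminals are assumed to already hold the first temporary key; ct3/ct4/ct6 not modelled."""
import hashlib, hmac, os

P, A24 = 2**255 - 19, 121665
BASEPOINT = (9).to_bytes(32, "little")

def x25519(k: bytes, u: bytes) -> bytes:
    """RFC 7748 Montgomery ladder in pure Python so the example runs offline."""
    kb, ub = bytearray(k), bytearray(u)
    kb[0] &= 248; kb[31] &= 127; kb[31] |= 64; ub[31] &= 127   # clamp scalar, mask u
    n, x1 = int.from_bytes(kb, "little"), int.from_bytes(ub, "little") % P
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        bit = (n >> t) & 1; swap ^= bit
        if swap: x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb, e = a * a % P, b * b % P, (a * a - b * b) % P
        da, cb = (x3 - z3) * a % P, (x3 + z3) * b % P
        x3, z3 = pow(da + cb, 2, P), x1 * pow(da - cb, 2, P) % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap: x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def kdf(key: bytes, *labels: bytes, n: int = 32) -> bytes:
    """HKDF-Expand style HMAC-SHA256 derivation over length-prefixed labels."""
    info = b"".join(len(l).to_bytes(2, "big") + l for l in labels)
    out, block, ctr = b"", b"", 1
    while len(out) < n:
        block = hmac.new(key, block + info + bytes([ctr]), hashlib.sha256).digest()
        out, ctr = out + block, ctr + 1
    return out[:n]

mac = lambda key, *fields: kdf(key, b"mac", *fields)   # one PRF block = 32-byte MAC

def encrypt(key: bytes, data: bytes) -> bytes:
    """Stand-in for a real cipher: 16-byte nonce plus an HMAC-derived keystream XOR."""
    nonce = os.urandom(16)
    return nonce + bytes(x ^ y for x, y in zip(data, kdf(key, b"ks", nonce, n=len(data))))

def decrypt(key: bytes, ct: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(ct[16:], kdf(key, b"ks", ct[:16], n=len(ct) - 16)))

def two_keys(material: bytes, id1: bytes, id2: bytes, label: bytes):
    k = kdf(material, label, id1, id2, n=64)
    return k[:32], k[32:]           # (confidentiality key, integrity key), identifier-bound

class ProtocolError(Exception): ...
# Constructed table: not-after time (unix seconds) for each key update parameter.
KEY_UPDATE_NOT_AFTER = {b"epoch-41": 1_600_000_000, b"epoch-42": 1_800_000_000}

def second_terminal_msg3(msg2, temp1, kup2, now):
    """S207-S211: expiry check, verify MAC1, recover chal1, reply with chal1 || chal2."""
    sid, id1, id2, kup1, ct2, mac1 = msg2
    if now > KEY_UPDATE_NOT_AFTER.get(kup1, -1):          # S208 optional check
        raise ProtocolError("first key update parameter expired or unknown")
    conf1, int1 = two_keys(temp1, id1, id2, b"enc-auth")
    if not hmac.compare_digest(mac1, mac(int1, sid, id1, id2, kup1, ct2)):
        raise ProtocolError("first message authentication code mismatch")
    chal1 = decrypt(conf1, ct2)
    b_priv, temp2 = os.urandom(32), os.urandom(32)        # temp2 would travel in ct4
    chal2 = x25519(b_priv, BASEPOINT)                     # second DH challenge parameter
    conf2, int2 = two_keys(temp2, id1, id2, b"enc-auth")
    ct5 = encrypt(conf2, chal1 + chal2)
    return (b_priv, chal1, chal2), temp2, (sid, id1, id2, kup2, ct5, mac(int2, sid, id1, id2, kup2, ct5))

def first_terminal_msg5(a_priv, chal1, temp2, msg4):
    """S214-S219: verify MAC2, echo check (S215), session keys, confirmation code A."""
    sid, id1, id2, kup2, ct5, mac2 = msg4
    conf2, int2 = two_keys(temp2, id1, id2, b"enc-auth")
    if not hmac.compare_digest(mac2, mac(int2, sid, id1, id2, kup2, ct5)):
        raise ProtocolError("second message authentication code mismatch")
    plain = decrypt(conf2, ct5)
    if not hmac.compare_digest(plain[:32], chal1):
        raise ProtocolError("echoed first challenge parameter does not match")
    keys = two_keys(x25519(a_priv, plain[32:]), id1, id2, b"session")
    return keys, mac(keys[1], plain[32:])

def second_terminal_confirm(state, id1, id2, code_a):
    """S221-S224: recompute the session keys; code B must equal code A."""
    b_priv, chal1, chal2 = state
    keys = two_keys(x25519(b_priv, chal1), id1, id2, b"session")
    if not hmac.compare_digest(code_a, mac(keys[1], chal2)):
        raise ProtocolError("key confirmation failed")
    return keys

def run_exchange(now=1_700_000_000, kup1=b"epoch-42"):
    """Drive the second half; the intermediate device only forwards here."""
    sid, id1, id2, temp1 = b"session-1", b"terminal-A", b"terminal-B", os.urandom(32)
    a_priv = os.urandom(32)
    chal1 = x25519(a_priv, BASEPOINT)                     # first DH challenge parameter
    conf1, int1 = two_keys(temp1, id1, id2, b"enc-auth")  # first terminal's part of msg2
    ct2 = encrypt(conf1, chal1)
    msg2 = (sid, id1, id2, kup1, ct2, mac(int1, sid, id1, id2, kup1, ct2))
    state, temp2, msg3 = second_terminal_msg3(msg2, temp1, b"epoch-42", now)
    keys_a, code_a = first_terminal_msg5(a_priv, chal1, temp2, msg3)
    return keys_a, second_terminal_confirm(state, id1, id2, code_a)
```

`run_exchange()` returns the session key pair as derived by each terminal; the two agree only if every check passes. Two details are worth noticing. The expiry check on the first key update parameter runs before any decryption, so an expired or unknown parameter terminates the protocol without the second terminal deriving or using any key. And the echo comparison of S215 covers only the first challenge parameter, so a modified second challenge parameter in the fifth ciphertext is caught by the second message authentication code rather than by S215, which is a reason not to drop that optional code in practice.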
In the foregoing embodiments, the method provided in the embodiments of the present application is described from the perspective of the interaction between the first terminal, the intermediate device and the second terminal. It is understood that, in order to implement each function in the method, each network element, for example the first terminal, the intermediate device and the second terminal, includes corresponding hardware structures and/or software modules for executing that function. Those skilled in the art will readily appreciate that the illustrative algorithm steps described in connection with the embodiments disclosed herein can be implemented in hardware or in a combination of hardware and computer software. Whether a function is performed by hardware or by computer software driving hardware depends on the particular application and the design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
In the embodiment of the present application, the first terminal, the intermediate device, and the second terminal may be divided into the functional modules according to the above method example, for example, each functional module may be divided corresponding to each function, or two or more functions may be integrated into one processing module. The integrated module can be realized in a hardware mode, and can also be realized in a software functional module mode. It should be noted that, in the embodiment of the present application, the division of the module is schematic, and is only one logic function division, and there may be another division manner in actual implementation.
Fig. 4 shows a possible composition of the communication device 600 referred to in the above embodiments, which is capable of performing the steps performed by the first terminal and the second terminal in any of the method embodiments of the present application, in the case where the functional modules are divided so that each corresponds to one function. As shown in fig. 4, the communication apparatus may include a transceiver 601 and a processing unit 602.
When the communication device is the first terminal or a communication device supporting the first terminal to implement the method provided in the embodiments, the communication device may be a system-on-chip, for example.
The transceiver 601 is configured to support a communication device to perform the method described in the embodiments of the present application.
For example, the transceiver 601 is configured to execute or support the communication device to execute S204, S206, and S207 in the data processing method shown in fig. 2.
The processing unit 602 is configured to support a communication device to execute the method described in the embodiments of the present application.
For example, the processing unit 602 is configured to execute or support the communication device to execute S201, S202, and S203 in the data processing method illustrated in fig. 3.
It should be understood that the specific processes of the units for executing the corresponding steps are already described in detail in the above method embodiments, and therefore, for brevity, detailed descriptions thereof are omitted.
It should also be understood that when the first terminal and/or the second terminal is a terminal device and the communication apparatus 600 is a terminal device, the transceiver 601 in the communication apparatus 600 may correspond to the transceiver 2020 in the terminal device 2000 shown in fig. 6, and the processing unit 602 in the communication apparatus 600 may correspond to the processor 2010 in the terminal device 2000 shown in fig. 6.
It should also be understood that when the communication device 600 is a chip configured in the first terminal, the transceiver 601 in the communication device 600 may be an input/output interface.
When the communication apparatus is a network device or a communication apparatus supporting the network device to implement the method provided in the embodiment, for example, the communication apparatus may be a system on a chip.
The transceiver 601 is configured to support a communication device to perform the method described in the embodiments of the present application.
For example, the transceiver 601 is configured to execute or support the communication device to execute S204, S206, and S207 in the data processing method shown in fig. 2, and S2051 and S2052 in the data processing method shown in fig. 3.
For example, the processing unit 602 is configured to execute or support the communication device to execute S201, S202, and S203 in the data processing method shown in fig. 2, and S2053 in the data processing method shown in fig. 4.
It should also be understood that when the communication apparatus 600 is a network device, the transceiver 601 in the communication apparatus 600 may correspond to the transceiver 3200 in the network device 3000 shown in fig. 7, and the processing unit 602 in the communication apparatus 600 may correspond to the processor 3100 in the network device 3000 shown in fig. 7.
It should also be understood that when the communication device 600 is a chip configured in a network device, the transceiver 601 in the communication device 600 may be an input/output interface.
It should be noted that all relevant contents of each step related to the above method embodiment may be referred to the functional description of the corresponding functional module, and are not described herein again.
The communication device provided by the embodiment of the application is used for executing the method of any embodiment, so that the same effects as the method of the embodiment can be achieved.
Fig. 5 shows a communication apparatus 700 provided in an embodiment of the present application, for implementing the functions of the first terminal and/or the second terminal in the above-described method. The communication apparatus 700 may be a network device or an apparatus in a network device. The communication device 700 may be a chip system. In the embodiment of the present application, the chip system may be composed of a chip, and may also include a chip and other discrete devices. Alternatively, the communication device 700 is used to implement the functions of the terminal in the above-described method. The communication apparatus 700 may be a terminal device, or an apparatus in a terminal access device. The communication device 700 may be a chip system. In the embodiment of the present application, the chip system may be composed of a chip, and may also include a chip and other discrete devices. Alternatively, the communication apparatus 700 is configured to implement the function of the first network device in the above method. The communication device 700 may be an application server or a device in an application server. The communication device 700 may be a chip system. In the embodiment of the present application, the chip system may be composed of a chip, and may also include a chip and other discrete devices.
The communication apparatus 700 includes at least one processor 701, configured to implement the functions of the terminal device and the network device in the method provided in the embodiment of the present application. Illustratively, the processor 701 may be configured to encrypt the first temporary key based on the first terminal key, the second terminal identification and the first key update parameter. For details, reference is made to the detailed description in the method example, and details are not repeated here.
The communications apparatus 700 can also include at least one memory 702 for storing program instructions and/or data. A memory 702 is coupled to the processor 701. The coupling in the embodiments of the present application is an indirect coupling or a communication connection between devices, units or modules, and may be an electrical, mechanical or other form for information interaction between the devices, units or modules. The processor 701 may cooperate with the memory 702. The processor 701 may execute program instructions stored in the memory 702. At least one of the at least one memory may be included in the processor.
The communications apparatus 700 can also include a communication interface 703 for communicating with other devices over a transmission medium such that the apparatus used in the communications apparatus 700 can communicate with other devices. Illustratively, if the communication device is a network device, the other device is a terminal. If the communication device is a terminal, the other equipment is network equipment. If the communication device is a terminal, the other equipment is an application server. The processor 701 is configured to send and receive data by using the communication interface 703, and is configured to implement the method performed by the first terminal, the second terminal, and the first network device in the embodiments corresponding to fig. 2 and fig. 3.
In the embodiment of the present application, a specific connection medium among the communication interface 703, the processor 701, and the memory 702 is not limited. In the embodiment of the present application, the communication interface 703, the processor 701, and the memory 702 are connected by a bus 704 in fig. 7, the bus is represented by a thick line in fig. 7, and the connection manner between other components is merely schematic illustration and is not limited thereto. The bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown in FIG. 7, but this is not intended to represent only one bus or type of bus.
In the embodiments of the present application, the processor may be a general-purpose processor, a digital signal processor, an application specific integrated circuit, a field programmable gate array or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component, and may implement or execute the methods, steps, and logic blocks disclosed in the embodiments of the present application. A general purpose processor may be a microprocessor or any conventional processor or the like. The steps of a method disclosed in connection with the embodiments of the present application may be directly implemented by a hardware processor, or may be implemented by a combination of hardware and software modules in a processor.
In the embodiment of the present application, the memory may be a nonvolatile memory, such as a hard disk drive (HDD) or a solid-state drive (SSD), or a volatile memory, for example a random-access memory (RAM). The memory may also be any other medium that can carry or store desired program code in the form of instructions or data structures and can be accessed by a computer, without being limited thereto. The memory in the embodiments of the present application may also be circuitry or any other device capable of performing a storage function, for storing program instructions and/or data.
Fig. 6 is a schematic structural diagram of a terminal device 2000 according to an embodiment of the present application. The terminal device 2000 can be applied to the system shown in fig. 1, and performs the functions of the terminal device in the above method embodiment.
As shown, the terminal device 2000 includes a processor 2010 and a transceiver 2020. Optionally, the terminal device 2000 further comprises a memory 2030. Wherein the processor 2010, the transceiver 2020, and the memory 2030 are interconnected via the interconnection path for communicating control and/or data signals, the memory 2030 is used for storing a computer program, and the processor 2010 is used for retrieving and executing the computer program from the memory 2030 to control the transceiver 2020 to transmit and receive signals. Optionally, the terminal device 2000 may further include an antenna 2040, configured to transmit uplink data or uplink control signaling output by the transceiver 2020 by using a wireless signal.
The processor 2010 and the memory 2030 may be combined into a processing device, and the processor 2010 is configured to execute the program codes stored in the memory 2030 to achieve the above functions. In particular, the memory 2030 may be integrated with the processor 2010 or may be separate from the processor 2010. The processor 2010 may correspond to the processing unit in fig. 4.
The transceiver 2020 may correspond to the transceiver 601 in fig. 4, and may also be referred to as a transceiver unit. The transceiver 2020 may include a receiver (also called a receiving circuit) and a transmitter (also called a transmitting circuit), where the receiver is used to receive signals and the transmitter is used to send signals.
It should be understood that, for example, when the first terminal and/or the second terminal are terminal devices, the terminal device 2000 shown in fig. 6 can implement various processes in the implementation manner related to one possible terminal device in the embodiments of the method 200 shown in fig. 2 and/or the method 300 shown in fig. 3. The operations and/or functions of the modules in the terminal device 2000 are respectively to implement the corresponding flows in the above-described method embodiments. Specifically, reference may be made to the description of the above method embodiments, and the detailed description is appropriately omitted herein to avoid redundancy.
The processor 2010 may be configured to perform the actions described in the preceding method embodiments that are implemented within the terminal device, and the transceiver 2020 may be configured to perform the actions described in the preceding method embodiments that the terminal device transmits to or receives from the network device. Please refer to the description of the previous embodiment of the method, which is not repeated herein.
Optionally, the terminal device 2000 may further include a power supply 2050 for supplying power to various devices or circuits in the terminal device.
In addition, in order to further improve the functions of the terminal device, the terminal device 2000 may further include one or more of an input unit 2060, a display unit 2070, an audio circuit 2080, a camera 2090, a sensor 2100, and the like, and the audio circuit may further include a speaker 2082, a microphone 2084, and the like.
It should be understood that, when the first terminal and/or the second terminal is a network device, for example, fig. 7 is a schematic structural diagram in a possible implementation manner of the network device provided in the embodiment of the present application, and for example, the schematic structural diagram may be a structural diagram of a base station. The base station 3000 can be applied to the system shown in fig. 1, and performs the functions of the network device in the above method embodiment.
As shown, the base station 3000 may include one or more radio frequency units, such as a Remote Radio Unit (RRU) 3100, and one or more baseband units (BBUs) (also referred to as digital units, DUs) 3200. The RRU 3100 may be referred to as a transceiver unit and corresponds to the transceiver unit 601 in fig. 4. Alternatively, the transceiving unit 3100 may also be referred to as a transceiver, a transceiving circuit or a transceiver unit, and may comprise at least one antenna 3101 and a radio frequency unit 3102. Alternatively, the transceiving unit 3100 may include a receiving unit and a transmitting unit, the receiving unit corresponding to a receiver (or receiving circuit) and the transmitting unit corresponding to a transmitter (or transmitting circuit). The RRU 3100 is mainly used for transceiving radio frequency signals and converting them to and from baseband signals, for example for sending indication information to a terminal device. The BBU 3200 is mainly used for baseband processing, controlling the base station, and the like. The RRU 3100 and the BBU 3200 may be physically located together or physically separated, the latter being a distributed base station.
The BBU 3200 is a control center of the base station, and may also be referred to as a processing unit, and may correspond to the processing unit 602 in fig. 4, and is mainly used for completing baseband processing functions, such as channel coding, multiplexing, modulating, spreading, and the like. For example, the BBU (processing unit) may be configured to control the base station to perform an operation procedure related to the network device in the foregoing method embodiment, for example, to generate the foregoing indication information.
In an example, the BBU 3200 may be formed by one or more boards, and the boards may collectively support a radio access network of a single access system (e.g., an LTE network), or may respectively support radio access networks of different access systems (e.g., an LTE network, a 5G network, or other networks). The BBU 3200 also includes a memory 3201 and a processor 3202. The memory 3201 is used to store necessary instructions and data. The processor 3202 is used for controlling the base station to perform necessary actions, for example, for controlling the base station to execute the operation flow related to the network device in the above method embodiment. The memory 3201 and processor 3202 may serve one or more boards. That is, the memory and processor may be provided separately on each board. Multiple boards may share the same memory and processor. In addition, each single board can be provided with necessary circuits.
It should be appreciated that the base station 3000 shown in fig. 7 is capable of implementing the processes of the method 200 of fig. 2 and/or the method 300 embodiment of fig. 3 involving the intermediary device and the first network device. The operations and/or functions of the respective modules in the base station 3000 are respectively for implementing the corresponding flows in the above-described method embodiments. Specifically, reference may be made to the description of the above method embodiments, and the detailed description is appropriately omitted herein to avoid redundancy.
BBU 3200 as described above can be used to perform actions described in previous method embodiments as being implemented internally by a network device, while RRU 3100 can be used to perform actions described in previous method embodiments as being sent by or received from a terminal device by a network device. Please refer to the description of the previous embodiment of the method, which is not repeated herein.
The embodiment of the application also provides a processing device, which comprises a processor and an interface; the processor is used for executing the communication method in the method embodiment.
It should be understood that the processing means may be a chip. For example, the processing device may be a Field Programmable Gate Array (FPGA), an Application Specific Integrated Circuit (ASIC), a system on chip (SoC), a Central Processing Unit (CPU), a Network Processor (NP), a digital signal processing circuit (DSP), a Microcontroller (MCU), a Programmable Logic Device (PLD), or other integrated chips.
In implementation, the steps of the above method may be performed by integrated logic circuits of hardware in a processor or by instructions in the form of software. The steps of a method disclosed in connection with the embodiments of the present application may be directly implemented by a hardware processor, or by a combination of hardware and software modules in a processor. The software module may be located in a storage medium well known in the art, such as RAM, flash memory, ROM, PROM, EPROM, EEPROM or registers. The storage medium is located in a memory, and the processor reads the information in the memory and completes the steps of the method in combination with its hardware. To avoid repetition, this is not described in detail here.
It should be noted that the processor in the embodiments of the present application may be an integrated circuit chip having signal processing capability. In implementation, the steps of the above method embodiments may be performed by integrated logic circuits of hardware in a processor or by instructions in the form of software. The processor may be a general purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, discrete gate or transistor logic, or discrete hardware components, and may implement or perform the methods, steps and logic blocks disclosed in the embodiments of the present application. A general purpose processor may be a microprocessor or any conventional processor or the like. The steps of the method disclosed in connection with the embodiments of the present application may be directly implemented by a hardware decoding processor, or by a combination of hardware and software modules in the decoding processor. The software module may be located in a storage medium well known in the art, such as RAM, flash memory, ROM, PROM, EPROM, EEPROM or registers. The storage medium is located in a memory, and the processor reads the information in the memory and completes the steps of the method in combination with its hardware.
It will be appreciated that the memory in the embodiments of the present application can be volatile memory or nonvolatile memory, or can include both. The nonvolatile memory may be a read-only memory (ROM), a programmable ROM (PROM), an erasable PROM (EPROM), an electrically erasable PROM (EEPROM) or a flash memory. The volatile memory may be a random access memory (RAM), which acts as an external cache. By way of example and not limitation, many forms of RAM are available, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), synchlink DRAM (SLDRAM) and direct rambus RAM (DR RAM). It should be noted that the memory of the systems and methods described herein is intended to comprise, without being limited to, these and any other suitable types of memory.
According to the method provided by the embodiment of the present application, the present application further provides a computer program product, which includes: computer program code which, when run on a computer, causes the computer to perform the method of any of the embodiments shown in figures 2 and 3.
According to the method provided by the embodiment of the present application, the present application also provides a computer readable medium storing program code, which when run on a computer causes the computer to execute the method of any one of the embodiments shown in fig. 2 and 3.
According to the method provided by the embodiment of the present application, the present application further provides a system, which includes the foregoing one or more terminal devices and one or more network devices.
In the above embodiments, the implementation may be wholly or partially realized by software, hardware, firmware or any combination thereof. When implemented in software, the embodiments may be realized in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer instructions are loaded and executed on a computer, the processes or functions described in accordance with the embodiments of the application are produced in whole or in part. The computer may be a general purpose computer, a special purpose computer, a network of computers or another programmable device. The computer instructions may be stored on a computer readable storage medium or transmitted from one computer readable storage medium to another, for example from one website, computer, server or data center to another website, computer, server or data center by wire (e.g., coaxial cable, optical fiber, Digital Subscriber Line (DSL)) or wirelessly (e.g., infrared, radio, microwave). The computer-readable storage medium can be any available medium that can be accessed by a computer, or a data storage device such as a server or data center that incorporates one or more available media. The usable medium may be a magnetic medium (e.g., a floppy disk, a hard disk, a magnetic tape), an optical medium (e.g., a Digital Video Disk (DVD)) or a semiconductor medium (e.g., a Solid State Disk (SSD)), among others.
The network device or terminal device in the foregoing apparatus embodiments corresponds to the network device or terminal device in the method embodiments, and the corresponding module or unit executes the corresponding steps; for example, the communication unit (transceiver) executes the receiving or transmitting steps in the method embodiments, and steps other than transmitting and receiving may be executed by the processing unit (processor). For the functions of the specific units, refer to the respective method embodiments. There may be one or more processors.
As used in this specification, the terms "component," "module," "system," and the like are intended to refer to a computer-related entity, either hardware, firmware, a combination of hardware and software, or software in execution. For example, a component may be, but is not limited to being, a process running on a processor, an object, an executable, a thread of execution, a program, and/or a computer. By way of illustration, both an application running on a computing device and the computing device itself can be a component. One or more components can reside within a process and/or thread of execution, and a component can be localized on one computer and/or distributed between two or more computers. In addition, these components can execute from various computer readable media having various data structures stored thereon. The components may communicate by way of local and/or remote processes based on a signal having one or more data packets (e.g., data from one component interacting with another component in a local system, in a distributed system, and/or across a network such as the internet with other systems by way of the signal).
Those of ordinary skill in the art will appreciate that the various illustrative logical blocks and steps (step) described in connection with the embodiments disclosed herein may be implemented as electronic hardware or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
In the above embodiments, the functions of the functional units may be fully or partially implemented by software, hardware, firmware, or any combination thereof. When implemented in software, they may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions (programs). The procedures or functions described in accordance with the embodiments of the present application are generated in whole or in part when the computer program instructions (programs) are loaded and executed on a computer. The computer may be a general purpose computer, a special purpose computer, a network of computers, or another programmable device. The computer instructions may be stored in a computer readable storage medium or transmitted from one computer readable storage medium to another, for example, from one website, computer, server, or data center to another website, computer, server, or data center over a wired (e.g., coaxial cable, optical fiber, Digital Subscriber Line (DSL)) or wireless (e.g., infrared, radio, microwave) link. The computer-readable storage medium can be any available medium that can be accessed by a computer, or a data storage device, such as a server or a data center, that incorporates one or more available media. The usable medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., Solid State Disk (SSD)), among others.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application, or the portions thereof that substantially contribute over the prior art, may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. The aforementioned storage medium includes any medium capable of storing program code, such as a USB disk, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disk.
The above description covers only specific embodiments of the present application, but the scope of the present application is not limited thereto; any change or substitution that a person skilled in the art can readily conceive within the technical scope disclosed in the present application shall be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (56)

1. A method of key exchange, comprising:
encrypting the first temporary key according to the first terminal key, the second terminal identifier and the first key updating parameter to obtain a first ciphertext;
encrypting the first challenge parameter according to the first temporary key to obtain a second ciphertext;
generating a first message, wherein the first message comprises the first ciphertext, the second ciphertext, and the first key update parameter;
and sending the first message to an intermediate device.
2. The method of claim 1, wherein the encrypting the first temporary key according to the first terminal key, the second terminal identifier and the first key update parameter to obtain the first ciphertext comprises:
obtaining the first identity encryption key according to the first terminal key, the second terminal identifier and the first key update parameter;
and encrypting the first temporary key according to the first identity encryption key to obtain the first ciphertext.
3. The method of claim 1, wherein the encrypting the first challenge parameter according to the first temporary key to obtain the second ciphertext comprises:
obtaining a first encryption authentication key according to the first terminal identifier, the second terminal identifier and the first temporary key, wherein the first encryption authentication key comprises a first confidentiality key and a first integrity verification key;
and encrypting the first challenge parameter according to the first confidentiality key to obtain the second ciphertext.
4. The method of claim 1 or 3, wherein:
the first challenge parameter comprises a first Diffie-Hellman key agreement parameter.
5. The method of claim 1, wherein the first message further comprises a first message authentication code.
6. The method of claim 5, further comprising:
generating the first message authentication code according to the first session identifier, the first terminal identifier, the second ciphertext and the first key update parameter.
7. The method of claim 1, further comprising:
receiving a fourth message from the intermediate device, wherein the fourth message comprises a fifth ciphertext, a sixth ciphertext and a second key update parameter, the fifth ciphertext is obtained by the second terminal encrypting the first challenge parameter and the second challenge parameter according to a second temporary key, and the sixth ciphertext is obtained by encrypting the second temporary key with a second identity encryption key.
8. The method of claim 7, further comprising:
obtaining a first challenge parameter and a second challenge parameter according to the first terminal key, the second terminal identifier, the second key update parameter and the fifth ciphertext.
9. The method of claim 8, further comprising:
obtaining a first identity decryption key according to the first terminal key, the second terminal identifier and the second key update parameter.
10. The method of claim 9, further comprising:
decrypting the sixth ciphertext according to the first identity decryption key to obtain a second temporary key.
11. The method of claim 10, further comprising:
decrypting the fifth ciphertext according to the second temporary key to obtain a first challenge parameter and a second challenge parameter.
12. The method of claim 8 or 11, wherein:
the first challenge parameter comprises a first Diffie-Hellman key agreement parameter;
the second challenge parameter comprises a second Diffie-Hellman key agreement parameter.
13. The method of claim 12, further comprising:
if the first challenge parameter obtained by decrypting the fifth ciphertext matches the first challenge parameter used for encrypting the second ciphertext, generating a first shared session key and a first session key confirmation message A, and accessing the second terminal.
14. The method of claim 13, further comprising:
obtaining the first session shared key according to the first challenge parameter and the second challenge parameter;
obtaining a second encryption key and a second integrity key according to the first session shared key;
obtaining the first session key confirmation message A according to the second integrity key and the second challenge parameter;
and sending the first session key confirmation message A to the second terminal.
15. A method of key exchange, comprising:
receiving a second message from an intermediate device, wherein the second message comprises a second ciphertext, a third ciphertext and a first key update parameter, and the third ciphertext is obtained from the first ciphertext through proxy re-encryption by the intermediate device;
and decrypting the second ciphertext according to the second terminal key, the first terminal identifier, the first key update parameter and the third ciphertext to obtain a first challenge parameter.
16. The method of claim 15, wherein the decrypting the second ciphertext according to the second terminal key, the first terminal identifier, the first key update parameter, and the third ciphertext to obtain the first challenge parameter comprises:
obtaining a first decryption key according to the second terminal key, the first terminal identifier and the first key update parameter;
decrypting the third ciphertext according to the first decryption key to obtain a first temporary key;
and decrypting the second ciphertext according to the first temporary key to obtain the first challenge parameter.
17. The method of claim 16, wherein the decrypting the second ciphertext according to the first temporary key to obtain the first challenge parameter comprises:
obtaining a first encryption authentication key according to the first terminal identifier, the second terminal identifier and the first temporary key, wherein the first encryption authentication key comprises a first confidentiality key and a first integrity verification key;
and decrypting the second ciphertext according to the first confidentiality key to obtain the first challenge parameter.
18. The method according to any one of claims 15-17, further comprising: obtaining a fourth ciphertext according to the second terminal key, the first terminal identifier, the second key update parameter and the second temporary key.
19. The method according to any one of claims 15-18, further comprising: encrypting the first challenge parameter and the second challenge parameter according to the second temporary key to obtain a fifth ciphertext.
20. The method of claim 19, wherein the encrypting the first challenge parameter and the second challenge parameter according to the second temporary key to obtain the fifth ciphertext comprises:
obtaining a second encryption authentication key according to the first terminal identifier, the second terminal identifier and the second key update parameter, wherein the second encryption authentication key comprises a second confidentiality key and a second integrity verification key;
and encrypting the first challenge parameter and the second challenge parameter according to the second confidentiality key to obtain the fifth ciphertext.
21. The method of claim 19 or 20, wherein:
the second challenge parameter comprises a second Diffie-Hellman key agreement parameter.
22. The method of claim 15, wherein the second message further comprises a first message authentication code.
23. The method according to any one of claims 15-21, further comprising: sending a third message to the intermediate device, the third message including the fourth ciphertext, the fifth ciphertext, and the second key update parameter.
24. The method of claim 23, wherein the third message further comprises a second message authentication code.
25. The method of claim 24, further comprising:
generating the second message authentication code according to the first session identifier, the first terminal identifier, the second terminal identifier, the fifth ciphertext and the first key update parameter.
26. The method according to any one of claims 15-25, further comprising:
verifying the first message authentication code according to a first session identifier, the first terminal identifier, the second terminal identifier, the first key update parameter, the second ciphertext, and the first integrity key;
and if the first message authentication code is matched with the first message authentication code carried in the second message, the verification is successful.
27. The method of claim 15, further comprising:
receiving a first session key confirmation message code A from the first terminal;
obtaining a first session shared key according to the first challenge parameter and the second challenge parameter;
obtaining a second confidentiality key and a second integrity key according to the first terminal identifier, the second terminal identifier and the first session shared key;
obtaining a second confirmation message code B according to the second integrity key;
and if the second confirmation message code B is the same as the first confirmation message code A, the verification is successful.
28. A communications apparatus, comprising:
a processing unit, configured to encrypt the first temporary key according to the first terminal key, the second terminal identifier and the first key update parameter to obtain a first ciphertext;
the processing unit is further configured to encrypt the first challenge parameter according to the first temporary key to obtain a second ciphertext;
the processing unit is further configured to generate a first message, where the first message includes the first ciphertext, the second ciphertext, and the first key update parameter;
a transceiver unit, configured to send the first message to an intermediate device.
29. The apparatus of claim 28, wherein the processing unit is further configured to:
obtain the first identity encryption key according to the first terminal key, the second terminal identifier and the first key update parameter;
and encrypt the first temporary key according to the first identity encryption key to obtain the first ciphertext.
30. The apparatus of claim 28, wherein the processing unit is further configured to:
obtain a first encryption authentication key according to the first terminal identifier, the second terminal identifier and the first temporary key, wherein the first encryption authentication key comprises a first confidentiality key and a first integrity verification key;
and encrypt the first challenge parameter according to the first confidentiality key to obtain the second ciphertext.
31. The apparatus of claim 28 or 30, wherein:
the first challenge parameter comprises a first Diffie-Hellman key agreement parameter.
32. The apparatus of claim 28, wherein the first message further comprises a first message authentication code.
33. The apparatus of claim 32, wherein the processing unit is further configured to:
generate the first message authentication code according to the first session identifier, the first terminal identifier, the second ciphertext and the first key update parameter.
34. The apparatus of claim 28, wherein the transceiver unit is further configured to:
receive a fourth message from the intermediate device, wherein the fourth message comprises a fifth ciphertext, a sixth ciphertext and a second key update parameter, the fifth ciphertext is obtained by the second terminal encrypting the first challenge parameter and the second challenge parameter according to a second temporary key, and the sixth ciphertext is obtained by encrypting the second temporary key with a second identity encryption key.
35. The apparatus of claim 34, wherein the processing unit is further configured to:
obtain a first challenge parameter and a second challenge parameter according to the first terminal key, the second terminal identifier, the second key update parameter and the fifth ciphertext.
36. The apparatus of claim 35, wherein the processing unit is further configured to:
obtain a first identity decryption key according to the first terminal key, the second terminal identifier and the second key update parameter.
37. The apparatus of claim 36, wherein the processing unit is further configured to:
decrypt the sixth ciphertext according to the first identity decryption key to obtain a second temporary key.
38. The apparatus of claim 37, wherein the processing unit is further configured to:
decrypt the fifth ciphertext according to the second temporary key to obtain a first challenge parameter and a second challenge parameter.
39. The apparatus of claim 35 or 38, wherein:
the first challenge parameter comprises a first Diffie-Hellman key agreement parameter;
the second challenge parameter comprises a second Diffie-Hellman key agreement parameter.
40. The apparatus of claim 38, wherein the processing unit is further configured to:
if the first challenge parameter obtained by decrypting the fifth ciphertext matches the first challenge parameter used for encrypting the second ciphertext, generate a first shared session key and a first session key confirmation message A, and access the second terminal.
41. The apparatus of claim 40, wherein the processing unit is further configured to:
obtain the first session shared key according to the first challenge parameter and the second challenge parameter;
obtain a second encryption key and a second integrity key according to the first session shared key;
obtain the first session key confirmation message A according to the second integrity key and the second challenge parameter;
and send the first session key confirmation message A to the second terminal.
42. A communications apparatus, comprising:
a transceiver unit, configured to receive a second message from an intermediate device, wherein the second message comprises a second ciphertext, a third ciphertext and a first key update parameter, and the third ciphertext is obtained from the first ciphertext through proxy re-encryption by the intermediate device;
and a processing unit, configured to decrypt the second ciphertext according to the second terminal key, the first terminal identifier, the first key update parameter and the third ciphertext to obtain a first challenge parameter.
43. The apparatus of claim 42, wherein the processing unit is further configured to:
obtain a first decryption key according to the second terminal key, the first terminal identifier and the first key update parameter;
decrypt the third ciphertext according to the first decryption key to obtain a first temporary key;
and decrypt the second ciphertext according to the first temporary key to obtain the first challenge parameter.
44. The apparatus of claim 43, wherein the processing unit is further configured to:
obtain a first encryption authentication key according to the first terminal identifier, the second terminal identifier and the first temporary key, wherein the first encryption authentication key comprises a first confidentiality key and a first integrity verification key;
and decrypt the second ciphertext according to the first confidentiality key to obtain the first challenge parameter.
45. The apparatus of any one of claims 42-44, wherein the processing unit is further configured to:
obtain a fourth ciphertext according to the second terminal key, the first terminal identifier, the second key update parameter and the second temporary key.
46. The apparatus of any one of claims 42-45, wherein the processing unit is further configured to:
encrypt the first challenge parameter and the second challenge parameter according to the second temporary key to obtain a fifth ciphertext.
47. The apparatus of claim 46, wherein the processing unit is further configured to:
obtain a second encryption authentication key according to the first terminal identifier, the second terminal identifier and a second key update parameter, wherein the second encryption authentication key comprises a second confidentiality key and a second integrity verification key;
and encrypt the first challenge parameter and the second challenge parameter according to the second confidentiality key to obtain the fifth ciphertext.
48. The apparatus of claim 46 or 47, wherein:
the second challenge parameter comprises a second Diffie-Hellman key agreement parameter.
49. The apparatus of claim 42, wherein the second message further comprises a first message authentication code.
50. The apparatus of any one of claims 42-48, wherein the transceiver unit is further configured to:
send a third message to the intermediate device, the third message including the fourth ciphertext, the fifth ciphertext, and the second key update parameter.
51. The apparatus of claim 50, wherein the third message further comprises a second message authentication code.
52. The apparatus of claim 51, further comprising:
generating the second message authentication code according to the first session identifier, the first terminal identifier, the second terminal identifier, the fifth ciphertext and the first key update parameter.
53. The apparatus of any one of claims 42-52, wherein the processing unit is further configured to:
verify the first message authentication code according to a first session identifier, the first terminal identifier, the second terminal identifier, the first key update parameter, the second ciphertext, and the first integrity key;
and determine that the verification is successful if the first message authentication code matches the first message authentication code carried in the second message.
54. The apparatus of claim 42, wherein:
the transceiver unit is further configured to receive a first session key confirmation message code A from the first terminal;
the processing unit is further configured to obtain a first session shared key according to the first challenge parameter and the second challenge parameter;
the processing unit is further configured to obtain a second confidentiality key and a second integrity key according to the first terminal identifier, the second terminal identifier, and the first session shared key;
the processing unit is further configured to obtain a second confirmation message code B according to the second integrity key;
and the processing unit is further configured to determine that the verification is successful if the second confirmation message code B is the same as the first confirmation message code A.
55. A communications apparatus, comprising: at least one processor, a memory, and a bus, wherein the memory is configured to store a computer program which, when executed by the at least one processor, implements the key exchange method of any one of claims 1-14 or the key exchange method of any one of claims 15-27.
56. A computer-readable storage medium, comprising: computer software instructions;
the computer software instructions, when run in a computer device or a chip built into a computer device, cause the computer device to perform the key exchange method of any one of claims 1-14, or the key exchange method of any one of claims 15-27.
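The method claims above (claims 1-27) describe a four-hop exchange: the first terminal wraps a temporary key under an identity key and the challenge under that temporary key, the intermediate device proxy re-encrypts the wrapped key for the second terminal, the second terminal answers in the same shape, and both sides finish with a Diffie-Hellman derived session key and a confirmation code. The following is an added, runnable toy model of that message flow; it is not code from the patent or from Huawei, and every primitive in it is an assumption: identity keys are HMAC-SHA256 over (terminal key, peer identifier, key update parameter), the "cipher" is an HMAC-SHA256 keystream XOR for illustration only, proxy re-encryption is modelled as XORing a re-encryption key (derived by a key authority holding both terminal keys) into the ciphertext so the proxy itself never sees the temporary key, the MAC inputs follow claim 26 on both sides, and the Diffie-Hellman group is a toy Mersenne-prime group. All key and identifier values in the example are constructed.

```python
"""Toy walk-through of the claimed four-hop flow. Constructed example, not the
patent's or Huawei's code. Assumptions not stated on the page: identity keys are
HMAC-SHA256 over (terminal key, peer identifier, key update parameter); the
cipher is an HMAC-SHA256 keystream XOR (illustration only, not a vetted AEAD);
proxy re-encryption is modelled as XORing a re-encryption key into the
ciphertext; the DH group is a toy Mersenne-prime group, unusable for real use."""
import hashlib
import hmac
import os

P = 2**127 - 1  # toy DH modulus (constructed, far too small for real use)
G = 3

def prf(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts; every derivation goes through it."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        h.update(len(part).to_bytes(2, "big") + part)
    return h.digest()

def keystream(key: bytes, label: bytes, n: int) -> bytes:
    blocks = [prf(key, b"ks", label, i.to_bytes(4, "big")) for i in range((n + 31) // 32)]
    return b"".join(blocks)[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def enc(key: bytes, label: bytes, data: bytes) -> bytes:
    """Keystream XOR; calling it again with the same key and label decrypts."""
    return xor(data, keystream(key, label, len(data)))

def identity_key(terminal_key: bytes, peer_id: bytes, kup: bytes) -> bytes:
    """Claims 2, 9, 16: identity encryption/decryption key from terminal key, peer id, kup."""
    return prf(terminal_key, b"id", peer_id, kup)

def auth_keys(id1: bytes, id2: bytes, temp_key: bytes):
    """Claims 3, 17: (confidentiality key, integrity key) from both ids and a temporary key."""
    return prf(temp_key, b"conf", id1, id2), prf(temp_key, b"int", id1, id2)

def reencryption_key(src_key: bytes, dst_key: bytes, kup: bytes) -> bytes:
    """Assumed PRE model: rk = ks(src) XOR ks(dst); the proxy is handed only rk."""
    return xor(keystream(src_key, kup, 32), keystream(dst_key, kup, 32))

def session_keys(dh_secret: bytes, chal1: bytes, chal2: bytes, id1: bytes, id2: bytes):
    """Claims 14, 27: session shared key, then a confidentiality and an integrity key."""
    ssk = prf(dh_secret, b"ssk", chal1, chal2)
    return ssk, prf(ssk, b"enc", id1, id2), prf(ssk, b"int", id1, id2)

def run_exchange(tk1, tk2, id1, id2, sid, tamper=False):
    """Runs all hops; returns (ssk at first terminal, ssk at second) or None on a failed check."""
    # --- first terminal builds message 1 (claims 1-6) ---
    a = int.from_bytes(os.urandom(16), "big") % (P - 3) + 2
    chal1 = pow(G, a, P).to_bytes(16, "big")
    kup1, k1 = os.urandom(8), os.urandom(32)
    iek1 = identity_key(tk1, id2, kup1)
    c1 = enc(iek1, kup1, k1)                               # first ciphertext
    ck1, ik1 = auth_keys(id1, id2, k1)
    c2 = enc(ck1, b"c2", chal1)                            # second ciphertext
    mac1 = prf(ik1, sid, id1, id2, kup1, c2)               # first MAC, claim 26 inputs
    # --- intermediate device re-encrypts C1 into C3 (claim 15); rk is assumed to come
    #     from a key authority holding both terminal keys, the proxy holds neither ---
    c3 = xor(c1, reencryption_key(iek1, identity_key(tk2, id1, kup1), kup1))
    if tamper:                                             # simulate in-flight modification
        c2 = bytes([c2[0] ^ 1]) + c2[1:]
    # --- second terminal processes message 2 (claims 15-26) ---
    k1_b = enc(identity_key(tk2, id1, kup1), kup1, c3)     # first decryption key recovers K1
    ck1_b, ik1_b = auth_keys(id1, id2, k1_b)
    if not hmac.compare_digest(mac1, prf(ik1_b, sid, id1, id2, kup1, c2)):
        return None                                        # MAC mismatch: reject before decrypting
    chal1_b = enc(ck1_b, b"c2", c2)
    b = int.from_bytes(os.urandom(16), "big") % (P - 3) + 2
    chal2 = pow(G, b, P).to_bytes(16, "big")
    kup2, k2 = os.urandom(8), os.urandom(32)
    iek2 = identity_key(tk2, id1, kup2)
    c4 = enc(iek2, kup2, k2)                               # fourth ciphertext
    ck2, _ = auth_keys(id1, id2, k2)
    c5 = enc(ck2, b"c5", chal1_b + chal2)                  # fifth ciphertext: both challenges
    # --- intermediate device re-encrypts C4 into C6 ---
    c6 = xor(c4, reencryption_key(iek2, identity_key(tk1, id2, kup2), kup2))
    # --- first terminal processes message 4 (claims 7-14) ---
    k2_a = enc(identity_key(tk1, id2, kup2), kup2, c6)
    ck2_a, _ = auth_keys(id1, id2, k2_a)
    plain = enc(ck2_a, b"c5", c5)
    if plain[:16] != chal1:                                # claim 13: echoed challenge must match
        return None
    chal2_a = plain[16:]
    dh_a = pow(int.from_bytes(chal2_a, "big"), a, P).to_bytes(16, "big")
    ssk_a, _, int_a = session_keys(dh_a, chal1, chal2_a, id1, id2)
    confirm_a = prf(int_a, b"confirm", chal2_a)            # session key confirmation message A
    # --- second terminal checks confirmation A against its own code B (claim 27) ---
    dh_b = pow(int.from_bytes(chal1_b, "big"), b, P).to_bytes(16, "big")
    ssk_b, _, int_b = session_keys(dh_b, chal1_b, chal2, id1, id2)
    if not hmac.compare_digest(confirm_a, prf(int_b, b"confirm", chal2)):
        return None
    return ssk_a, ssk_b
```

The point the model makes visible is the separation of trust: the intermediate device transforms the first ciphertext into the third without ever holding a terminal key or the temporary key, the second terminal checks the message authentication code before it decrypts anything, and the first terminal refuses the session unless the challenge echoed back in the fifth ciphertext equals the one it sent. Running `run_exchange(..., tamper=True)` shows that a single flipped bit in the second ciphertext is caught by the MAC check and the exchange returns None rather than a key.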
CN202010622317.4A 2020-06-30 2020-06-30 Key exchange method and device Pending CN113872755A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010622317.4A CN113872755A (en) 2020-06-30 2020-06-30 Key exchange method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010622317.4A CN113872755A (en) 2020-06-30 2020-06-30 Key exchange method and device

Publications (1)

Publication Number Publication Date
CN113872755A true CN113872755A (en) 2021-12-31

Family

ID=78981903

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010622317.4A Pending CN113872755A (en) 2020-06-30 2020-06-30 Key exchange method and device

Country Status (1)

Country Link
CN (1) CN113872755A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114666173A (en) * 2022-05-26 2022-06-24 广州万协通信息技术有限公司 Internet of things information transmission method and device based on intermediate equipment
CN114679314A (en) * 2022-03-23 2022-06-28 腾讯科技(深圳)有限公司 Data decryption method, device, equipment and storage medium
WO2023130980A1 (en) * 2022-01-05 2023-07-13 西安西电捷通无线网络通信股份有限公司 Secure channel sleep wake-up method, apparatus and device

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2023130980A1 (en) * 2022-01-05 2023-07-13 西安西电捷通无线网络通信股份有限公司 Secure channel sleep wake-up method, apparatus and device
CN114679314A (en) * 2022-03-23 2022-06-28 腾讯科技(深圳)有限公司 Data decryption method, device, equipment and storage medium
CN114679314B (en) * 2022-03-23 2023-01-31 腾讯科技(深圳)有限公司 Data decryption method, device, equipment and storage medium
CN114666173A (en) * 2022-05-26 2022-06-24 广州万协通信息技术有限公司 Internet of things information transmission method and device based on intermediate equipment

Similar Documents

Publication Publication Date Title
US20240214223A1 (en) System and method for secure relayed communications from an implantable medical device
EP3493502B1 (en) Supplying an iot-device with an authentication key
US10943005B2 (en) Secure authentication of devices for internet of things
US8838972B2 (en) Exchange of key material
US9554270B2 (en) Enhanced security for direct link communications
US10129031B2 (en) End-to-end service layer authentication
KR100832893B1 (en) A method for the access of the mobile terminal to the WLAN and for the data communication via the wireless link securely
JP2014180062A (en) Secure session key generation
CN108012264A (en) The scheme based on encrypted IMSI for 802.1x carriers hot spot and Wi-Fi call authorizations
CN113872755A (en) Key exchange method and device
WO2023283789A1 (en) Secure communication method and apparatus, terminal device, and network device
CN109076086A (en) Execute the security signaling before Authentication and Key Agreement
JP2016519873A (en) Establishing secure voice communication using a generic bootstrapping architecture
Maccari et al. Security analysis of IEEE 802.16
CN109756324A (en) Cryptographic key negotiation method, terminal and gateway in a kind of Mesh network
CN113765861A (en) Data processing method and device
CN113938286A (en) Data processing method and device
CN117203935A (en) Method and apparatus for setup, authentication, authorization, and User Equipment (UE) key generation and distribution in an on-demand network

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination