CN116980127B

CN116980127B - Session key negotiation method, device and equipment

Info

Publication number: CN116980127B
Application number: CN202311219503.3A
Authority: CN
Inventors: 朱云; 李元骅; 赵亚新; 张国庆
Original assignee: Beijing Shudun Information Technology Co ltd
Current assignee: Beijing Shudun Information Technology Co ltd
Priority date: 2023-09-21
Filing date: 2023-09-21
Publication date: 2023-12-19
Anticipated expiration: 2043-09-21
Also published as: CN116980127A

Abstract

The invention provides a session key negotiation method, a device and equipment, wherein the method comprises the following steps: acquiring first random number information and first identification information of a first satellite and second identification information of a second satellite; obtaining a first session key negotiation request message according to the first random number information, the first identification information and the second identification information; transmitting the first session key negotiation request message to a second satellite; receiving a second session key negotiation request message sent by the second satellite; analyzing the second session key negotiation request message to obtain second random number information of the second satellite; and obtaining a session key according to the first random number information and the second random number information. The scheme of the invention can increase communication efficiency, reduce delay, lower satellite cost and reduce power consumption.

Description

Session key negotiation method, device and equipment

Technical Field

The present invention relates to the technical field of satellite communications, and in particular, to a session key negotiation method, apparatus and device.

Background

Satellite communication has the advantages of space crossing, remote communication, broadcasting and the like which are not influenced by ground environment, and is an important way for data information interactive transmission.

With the continuous expansion of satellite usage scenarios, in some usage scenarios, there is a high requirement for satellite timeliness, and a large number of satellites with low cost and low power consumption in distributed deployment are effective ways to meet this scenario requirement. How to effectively reduce the power consumption of the satellite-borne equipment, reduce the cost and reduce the communication delay is the primary problem to be solved.

Disclosure of Invention

The invention aims to solve the technical problem of providing a session key negotiation method, a session key negotiation device and session key negotiation equipment, which can increase communication efficiency, reduce delay, reduce satellite cost and reduce power consumption.

In order to solve the technical problems, the technical scheme of the invention is as follows:

a session key negotiation method, applied to a first satellite, comprising:

acquiring first random number information and first identification information of a first satellite and second identification information of a second satellite;

obtaining a first session key negotiation request message according to the first random number information, the first identification information and the second identification information;

transmitting the first session key negotiation request message to a second satellite;

receiving a second session key negotiation request message sent by the second satellite;

analyzing the second session key negotiation request message to obtain second random number information of the second satellite;

and obtaining a session key according to the first random number information and the second random number information.

Optionally, according to the first random number information, the first identification information and the second identification information, a first session key negotiation request message is obtained, including:

splicing the first random number information, the first identification information and the second identification information to obtain a first session key negotiation request plaintext;

acquiring a first current key of the first satellite;

carrying out hash calculation on a plaintext of a first session key negotiation request through the first current key to obtain a check value;

and obtaining a first session key negotiation request message according to the check value and the first session key negotiation request plaintext.

Optionally, according to the check value and the first session key negotiation request plaintext, a first session key negotiation request message is obtained, including:

acquiring a second current key of a second satellite;

and encrypting the check value and the first session key negotiation request plaintext through the second current key to obtain the first session key negotiation request message.

Optionally, acquiring the first current key includes:

acquiring a first effective key index of the first satellite;

inquiring a preset first key group according to the first effective key index to obtain a first current key;

obtaining a second current key for a second satellite, comprising:

acquiring a second effective key index of the second satellite;

and inquiring a preset second key group according to the second effective key index to obtain a second current key.

Optionally, the second session key negotiation request message is obtained by the second satellite through the following method:

analyzing the first session key negotiation request message according to a second current key, and carrying out identity verification and integrity verification according to an analysis result;

acquiring second random number information of a second satellite under the condition that verification is passed;

splicing the second random number information, the first identification information and the second identification information to obtain a second session key negotiation request plaintext;

obtaining a second current key of a second satellite, and carrying out hash calculation on a plaintext of the second session key negotiation request according to the second current key to obtain a check value;

and obtaining a first current key of the first satellite, and encrypting the check value and a second session key negotiation request plaintext through the first current key to obtain a second session key negotiation request message.

Optionally, the parsing the first session key negotiation request message according to the second current key, and performing identity verification and integrity verification according to the parsing result, including:

acquiring a second current key;

analyzing the first session key negotiation request message according to the second current key to obtain a check value and a first session key negotiation request plaintext;

carrying out hash calculation on the plaintext of the first session key negotiation request according to a first current key, comparing a calculation result with a check value, and carrying out integrity verification;

under the condition that the integrity verification is passed, analyzing the first session key negotiation request plaintext to obtain first identification information, second identification information and first random number information;

and carrying out identity verification on the first satellite according to the first identification information.

Optionally, parsing the second session key negotiation request message to obtain second random number information of the second satellite includes:

analyzing the second session key negotiation request message through the first current key to obtain second identification information, check value information and second random number information of a second satellite;

integrity verification is carried out according to the verification value, and the second satellite identity is verified according to the second identification information;

and confirming to obtain the second random number information when the verification is passed.

The invention also provides a session key negotiation device, which comprises:

the acquisition module is used for acquiring first random number information and first identification information of the first satellite and second identification information of the second satellite;

the processing module is used for obtaining a first session key negotiation request message according to the first random number information, the first identification information and the second identification information; the first session key negotiation request message is sent to a second satellite, and the second session key negotiation request message sent by the second satellite is received; analyzing the second session key negotiation request message to obtain second random number information of the second satellite; and obtaining a session key according to the first random number information and the second random number information.

The present invention also provides a computing device comprising: a processor, a memory storing a computer program which, when executed by the processor, performs the method as described above.

The invention also provides a computer readable storage medium storing instructions that, when executed on a computer, cause the computer to perform a method as described above.

The scheme of the invention at least comprises the following beneficial effects:

according to the scheme, the first random number information and the first identification information of the first satellite and the second identification information of the second satellite are obtained; obtaining a first session key negotiation request message according to the first random number information, the first identification information and the second identification information; transmitting the first session key negotiation request message to a second satellite; receiving a second session key negotiation request message sent by the second satellite; analyzing the second session key negotiation request message to obtain second random number information of the second satellite; and obtaining a session key according to the first random number information and the second random number information. The communication efficiency can be increased, the time delay can be reduced, the satellite cost can be reduced, and the power consumption can be reduced. The method is suitable for a session key negotiation scene in low-cost and low-power consumption satellite communication.

Drawings

Fig. 1 is a flow chart of a session key negotiation method according to an embodiment of the present invention;

FIG. 2 is a schematic diagram of a typical topology of satellite Internet communications in accordance with an embodiment of the present invention;

FIG. 3 is a session key negotiation flow diagram of an embodiment of the present invention;

FIG. 4 is a diagram of a device unique identification and preset random number and key relationship in accordance with an embodiment of the present invention;

FIG. 5 is a diagram of a session key negotiation request message format according to an embodiment of the present invention;

FIG. 6 is a diagram of a relationship between information of a pair of parties according to an embodiment of the present invention;

fig. 7 is a block diagram of a session key negotiation apparatus according to an embodiment of the present invention.

Detailed Description

Exemplary embodiments of the present invention will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present invention are shown in the drawings, it should be understood that the present invention may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the invention to those skilled in the art.

As shown in fig. 1, an embodiment of the present invention proposes a session key negotiation method applied to a first satellite, including:

step 11, acquiring first random number information and first identification information of a first satellite and second identification information of a second satellite;

step 12, obtaining a first session key negotiation request message according to the first random number information, the first identification information and the second identification information;

step 13, the first session key negotiation request message is sent to a second satellite;

step 14, receiving a second session key negotiation request message sent by the second satellite;

step 15, analyzing the second session key negotiation request message to obtain second random number information of the second satellite;

and step 16, obtaining a session key according to the first random number information and the second random number information.

As shown in fig. 2, in the present embodiment, the satellite internet is a communication technology for realizing internet connection on a global scale by deploying communication satellites in earth orbit. In some application scenarios, satellite communications are required to provide low-latency services. However, two main problems faced by the existing satellite communication technology are high power consumption and high cost caused by the satellite carrying on-board equipment, and high delay. The application provides a session key negotiation method, which realizes the technical effect of reducing communication delay in a satellite communication session with low cost and low power consumption based on the technical characteristics of key prefabrication, random number prefabrication (generated by ground equipment) and identity authentication and key negotiation.

Specifically, to realize communication between satellites, the first satellite and the second satellite which need to communicate need to confirm the identities of the two parties, confirm the identities without errors and confirm the session key, and the communication between satellites can be realized after the process is completed. The method and the device integrate the identity confirmation process and the key negotiation process into one session process, confirm the identities of the two parties in the message through the identification information of the satellite and confirm the session key through the random number, thereby reducing communication delay.

As shown in fig. 3, a first satellite firstly transmits a first session key negotiation request message to a second satellite, the second satellite analyzes the message to verify the integrity of the message and the identity of the satellite, then assembles the second session key negotiation request message and transmits the message to the first satellite, and the first satellite determines a session key according to random number information in the message after analyzing the message. The session key is preferably obtained by exclusive-or of the first random number and the second random number.

In an alternative embodiment of the present invention, step 12 may include:

step 121, splicing the first random number information, the first identification information and the second identification information to obtain a first session key negotiation request plaintext;

step 122, obtaining a first current key of the first satellite;

step 123, hash calculation is performed on the plaintext of the first session key negotiation request through the first current key, so as to obtain a check value;

and step 124, obtaining a first session key negotiation request message according to the check value and the first session key negotiation request plaintext.

In this embodiment, in order to ensure security and confidentiality of inter-satellite communication, a key is required to encrypt a message, and in order to reduce communication delay, a symmetric encryption method is used to encrypt the message. In order to reduce the power consumption of the satellite-borne device, a key used for session encryption and a random number used for generating the session key are prefabricated in the satellite device, namely, the satellite itself is not provided with a random number generator or a key generator, and the key and the random number are prefabricated on the ground and are imported into the satellite.

As shown in fig. 4, the satellite device in the present application is pre-configured with a random array and a key set, where the random array is used to generate a session key, and the key set is used for session key negotiation and identity authentication between satellites. The key group and the random array are generated when equipment is initialized on the ground, the generation rule accords with the requirements of related specifications, the key group and the random array are transmitted and imported into the satellite through the password key, and related operations accord with the requirements of key management.

Specifically, each satellite device corresponds to a unique identification information ID, and the identification is generated according to a relevant specification when the device is registered, so that the unique identification information ID has uniqueness and can identify the device identity. Each satellite ID corresponds to a plurality of random numbers and a plurality of keys, the number of the random numbers and the number of the keys are related to the service life of satellite design and the valid period of the keys, and the random numbers and the number of the keys are calculated for specific equipment according to a related calculation formula. In addition, the relationship between the unique device identifier and the preset random number is similar to the relationship between the unique device identifier and the preset secret key, the formula of the preset random number is the same as the formula of the preset secret key number, and the strategy of the preset secret key and the strategy of the preset random number are mutually independent. In an alternative embodiment, the number of pre-keys is calculated asWherein y represents the preset service life of the satellite, unit year and c represent the validity period of the key, unit year and r represent redundancy, and the formula calculation is rounded up. For example, when the service life of the satellite is y=7 years, the update period c=0.5 years (6 months) of the key, and the redundancy is r=0, thenThe total number of keys sum=14, i.e. 14 keys, is required to meet the preset key requirement under the existing key policy. For another example, if the service life of the satellite is y=7 years, the update period c=0.5 years (6 months), and the redundancy is r=0.3I.e. 19 keys can meet the preset key requirements under the current key policy. It should be noted that, the above calculation method is a preset session encryption key number calculation method in the key negotiation process. In the satellite device, a key encryption key is also preset for encrypting key information of other satellites stored in the satellite device. Thus, in one satellite, the number of keys stored in the satellite is。

In addition, as shown in fig. 4, the satellite also stores therein validation random number index information and validation key index information, the index information indicating a random number or key currently validated in the random array or key set. Specifically, the index updating mode includes two modes of sequential updating and random updating, and the preferred use of sequential updating in the application is that the random number and the secret key are sequentially effective.

The sequential update means that the index value is initialized to 0 and then sequentially increased. Taking the key validation index as an example, key usage may begin with a key index of 0 in order, with the validation index sequentially increasing. When the key is used up, the method has two strategies, namely, recycling, and when the last key is used up, re-using the index 0 as an effective index; and the other is supplement, when the supplement condition is met, an early warning notice is returned through a remote sensing interface, and a ground key management system adds or updates a key through a management and control interface, so that static and dynamic combined satellite-borne key management is realized, and the flexibility is high.

The random update refers to that the index value is 0 during initialization, and the next index value is calculated randomly. Taking the key index as an example, when the key is used for the first time, the key with the index of 0 is used, the key index used next time is calculated randomly and stored (simultaneously synchronized to other networking satellites) after the key negotiation is completed, the key with the designated index is directly obtained when the session negotiation is performed for the second time, the key index used next time is calculated and stored (simultaneously synchronized to other networking satellites) after the key negotiation is completed, and each negotiation is performed according to the flow.

As shown in fig. 5, based on the preset content, the first satellite first assembles a first session key negotiation request plaintext according to a first random number, first identification information of the first satellite and second identification information of a second satellite requesting a session, where the first random number, the first identification information and the second identification information are spliced according to a specified rule to obtain a character string X. And then acquiring a first current key which is currently effective in a preset key group according to the key index, carrying out hash calculation on the plaintext of the first session key negotiation request through the first current key to obtain a check value M, and then obtaining a first session key negotiation request message according to the check value M and the plaintext of the first session key negotiation request.

In an alternative embodiment of the present invention, step 124 may include:

step 1241, obtaining a second current key of a second satellite;

step 1242, encrypt, by using the second current key, the check value and the plaintext of the first session key negotiation request, to obtain the first session key negotiation request packet.

As shown in fig. 6, in this embodiment, in addition to the key set and the random array of the present star, unique identification information and key information of the other party are stored in advance in the satellite device. Each unique identification information of each satellite corresponds to a specific satellite, each unique identification information corresponds to a group of keys, the keys are prefabricated keys of the satellites, and the key index of each satellite which is currently effective is recorded. The information of the other party can be preset when the equipment registration is initialized, and the information can be dynamically updated through a satellite-ground control interface, so that dynamic and static combination is realized, and the information is updated timely according to a networking strategy.

If the key effective strategy adopts a key order effective mode, the satellite maintains the information association relation of the satellite, and the satellite key index are determined without depending on a ground management system. If the key used is randomly determined, after the next key index used is determined, the ground management system is informed of the information, and the ground management system resynchronizes to the associated satellite of the network. The information needs to be synchronized to each networked satellite through the ground management system when the satellite's key is added or updated, or when an active key index is specified.

The calculation formula of the key number of the satellites stored in the satellites in the embodiment is thatWherein sum represents the total amount of the counter keys to be stored, < >>The number of keys representing the ith satellite and n representing a total of n satellites; wherein->Equal to->Under the condition that the strategies of preset keys of all stars are consistent, the calculation formula of the number of keys of the other stars to be stored is +.>。

In this embodiment, after obtaining the check value and the plaintext of the first session key negotiation request, the current effective key of the opposite party (the second satellite), that is, the second current key, is queried, and the check value and the plaintext of the first session key negotiation request are encrypted by the second current key, so as to obtain the first session key negotiation request message C.

In an optional embodiment of the present invention, obtaining the first current key includes:

acquiring a first effective key index of the first satellite;

obtaining a second current key for a second satellite, comprising:

acquiring a second effective key index of the second satellite;

In this embodiment, the first current key is obtained according to a first valid key index of the first satellite, and the second current key is obtained according to a second valid key index of the second satellite.

In an optional embodiment of the present invention, the second session key negotiation request message is obtained by the second satellite through the following method:

step 21, analyzing the first session key negotiation request message according to the second current key, and performing identity verification and integrity verification according to the analysis result;

step 22, obtaining second random number information of a second satellite under the condition that verification is passed;

step 23, splicing the second random number information, the first identification information and the second identification information to obtain a second session key negotiation request plaintext;

step 24, obtaining a second current key of a second satellite, and performing hash computation on a plaintext of the second session key negotiation request according to the second current key to obtain a check value;

and step 25, obtaining a first current key of the first satellite, and encrypting the check value and the second session key negotiation request plaintext through the first current key to obtain a second session key negotiation request message.

In an alternative embodiment of the present invention, step 21 may include:

step 211, obtaining a second current key;

step 212, resolving the first session key negotiation request message according to the second current key to obtain a check value and a first session key negotiation request plaintext;

step 213, hash calculation is performed on the plaintext of the first session key negotiation request according to the first current key, and the calculation result is compared with the check value to perform integrity verification;

step 214, in the case that the integrity verification passes, resolving the plaintext of the first session key negotiation request to obtain first identification information, second identification information and first random number information;

and step 215, performing identity verification on the first satellite according to the first identification information.

In this embodiment, as shown in fig. 5, after receiving a first session key negotiation request message from a first satellite, a second satellite first obtains a second current key through a key index, and parses the message through the second current key to obtain a check value and a first session key negotiation request plaintext. The second satellite inquires a first current key of the first satellite, carries out hash calculation on a plaintext through negotiation request of the first current key and the first session key to obtain a calculation result, compares the calculation result with a check value obtained through analysis, and confirms message integrity under the same condition. And then resolving the plaintext according to the first session key negotiation request to obtain a first random number, first identification information and second identification information of the first satellite. The second satellite compares the second identification information obtained by analysis with the local ID stored by the second satellite to confirm whether the second satellite is the target satellite. And then comparing the analyzed first identification information with the other party information stored in the second satellite, inquiring whether the first satellite is prestored, and judging whether the first satellite is in the networking range of the second satellite or not, so as to verify the identity of the first satellite.

And under the condition that the identity verification and the integrity verification pass, the second satellite assembles a second key negotiation request message. Based on the method similar to the method for assembling the first key negotiation request message, the second satellite firstly obtains second random number information according to the random number effective index, then inquires the first identification information and the second identification information, and splices the second random number information, the first identification information and the second identification information to obtain a second session key negotiation request plaintext. And then carrying out hash calculation on the plaintext of the second session key negotiation request through the second current key to obtain a check value. Inquiring a first current key of the first satellite, and encrypting the plaintext and the check value through the first current key to obtain a second session key negotiation request message. It should be noted that, as shown in fig. 5, the session key negotiation request message further includes other information for recording a software version, a time stamp, an algorithm (an algorithm of HMAC), and the like.

In an alternative embodiment of the present invention, step 15 may include:

step 151, analyzing the second session key negotiation request message through the first current key to obtain second identification information, check value information and second random number information of the second satellite;

step 152, performing integrity verification according to the verification value, and verifying the second satellite identity according to the second identification information;

and step 153, confirming that the second random number information is obtained when the verification is passed.

In this embodiment, based on a method similar to the method for parsing the first key negotiation request message by the second satellite, the first satellite parses the second key negotiation request message, where the parsing method includes obtaining a first current key of the first satellite, parsing to obtain plaintext information and check value information, and then performing hash computation by using the second current key to verify the integrity of the message. And then obtaining second random number information, first identification information and second identification information. And verifying whether the satellite is a target satellite or not and whether the second satellite is within the networking range of the satellite or not, thereby verifying the identity of the second satellite and confirming the second random number information. And obtaining a session key according to the second random number information and the first random number information. Preferably, in the present application, the session key is obtained by xoring the first random number and the second random number.

The session key negotiation mechanism based on the symmetric key can complete identity authentication and key negotiation in one request, simplifies the negotiation flow, has high processing speed in the session key negotiation process based on the symmetric key, simplifies the key negotiation flow and accelerates the key negotiation speed. Inter-satellite session key negotiation can be realized rapidly, inter-satellite communication is realized, and signal delay is reduced; and the hardware performance requirement is reduced, the power consumption is reduced, and the mass deployment of low-cost satellites is facilitated.

The present invention also provides a session key negotiation apparatus 70 comprising:

an acquisition module 71, configured to acquire first random number information and first identification information of a first satellite, and second identification information of a second satellite;

a processing module 72, configured to obtain a first session key negotiation request packet according to the first random number information, the first identification information, and the second identification information; the first session key negotiation request message is sent to a second satellite, and the second session key negotiation request message sent by the second satellite is received; analyzing the second session key negotiation request message to obtain second random number information of the second satellite; and obtaining a session key according to the first random number information and the second random number information.

acquiring a first current key of the first satellite;

acquiring a second current key of a second satellite;

Optionally, acquiring the first current key includes:

acquiring a first effective key index of the first satellite;

obtaining a second current key for a second satellite, comprising:

acquiring a second effective key index of the second satellite;

acquiring a second current key;

It should be noted that, the device is a device corresponding to the above method, and all implementation manners in the above method embodiments are applicable to the embodiment of the device, so that the same technical effects can be achieved.

Embodiments of the present invention also provide a computing device comprising: a processor, a memory storing a computer program which, when executed by the processor, performs the method as described above. All the implementation manners in the method embodiment are applicable to the embodiment, and the same technical effect can be achieved.

Embodiments of the present invention also provide a computer-readable storage medium storing instructions that, when executed on a computer, cause the computer to perform a method as described above. All the implementation manners in the method embodiment are applicable to the embodiment, and the same technical effect can be achieved.

Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.

It will be clear to those skilled in the art that, for convenience and brevity of description, specific working procedures of the above-described systems, apparatuses and units may refer to corresponding procedures in the foregoing method embodiments, and are not repeated herein.

In the embodiments provided in the present invention, it should be understood that the disclosed apparatus and method may be implemented in other manners. For example, the apparatus embodiments described above are merely illustrative, e.g., the division of the units is merely a logical function division, and there may be additional divisions when actually implemented, e.g., multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices or units, which may be in electrical, mechanical or other form.

The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.

In addition, each functional unit in the embodiments of the present invention may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit.

The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention may be embodied essentially or in a part contributing to the prior art or in a part of the technical solution, in the form of a software product stored in a storage medium, comprising several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a usb disk, a removable hard disk, a ROM, a RAM, a magnetic disk, or an optical disk, etc.

Furthermore, it should be noted that in the apparatus and method of the present invention, it is apparent that the components or steps may be disassembled and/or assembled. Such decomposition and/or recombination should be considered as equivalent aspects of the present invention. Also, the steps of performing the series of processes described above may naturally be performed in chronological order in the order of description, but are not necessarily performed in chronological order, and some steps may be performed in parallel or independently of each other. It will be appreciated by those of ordinary skill in the art that all or any of the steps or components of the methods and apparatus of the present invention may be implemented in hardware, firmware, software, or a combination thereof in any computing device (including processors, storage media, etc.) or network of computing devices, as would be apparent to one of ordinary skill in the art after reading this description of the invention.

The object of the invention can thus also be achieved by running a program or a set of programs on any computing device. The computing device may be a well-known general purpose device. The object of the invention can thus also be achieved by merely providing a program product containing program code for implementing said method or apparatus. That is, such a program product also constitutes the present invention, and a storage medium storing such a program product also constitutes the present invention. It is apparent that the storage medium may be any known storage medium or any storage medium developed in the future. It should also be noted that in the apparatus and method of the present invention, it is apparent that the components or steps may be disassembled and/or assembled. Such decomposition and/or recombination should be considered as equivalent aspects of the present invention. The steps of executing the series of processes may naturally be executed in chronological order in the order described, but are not necessarily executed in chronological order. Some steps may be performed in parallel or independently of each other.

While the foregoing is directed to the preferred embodiments of the present invention, it will be appreciated by those skilled in the art that various modifications and adaptations can be made without departing from the principles of the present invention, and such modifications and adaptations are intended to be comprehended within the scope of the present invention.

Claims

1. A session key negotiation method, applied to a first satellite, comprising:

2. The session key negotiation method according to claim 1, wherein obtaining a first session key negotiation request message according to the first random number information, the first identification information and the second identification information comprises:

acquiring a first current key of the first satellite;

3. The session key negotiation method according to claim 2, wherein obtaining a first session key negotiation request message according to the check value and a first session key negotiation request plaintext comprises:

acquiring a second current key of a second satellite;

4. The session key negotiation method according to claim 3,

acquiring the first current key, including:

acquiring a first effective key index of the first satellite;

obtaining a second current key for a second satellite, comprising:

acquiring a second effective key index of the second satellite;

5. The session key negotiation method according to claim 1, wherein the second session key negotiation request message is obtained by the second satellite through the following method:

6. The session key negotiation method according to claim 5, wherein parsing the first session key negotiation request message according to a second current key, and performing identity verification and integrity verification according to a parsing result, comprises:

acquiring a second current key;

7. The session key negotiation method according to claim 1, wherein parsing the second session key negotiation request message to obtain second random number information of the second satellite comprises:

8. A session key agreement device, comprising:

9. A computing device, comprising: a processor, a memory storing a computer program which, when executed by the processor, performs the method of any one of claims 1 to 7.

10. A computer readable storage medium storing instructions which, when run on a computer, cause the computer to perform the method of any one of claims 1 to 7.