CN1406005A - Safety-alliance (SA) generation method for safety communication between nodes of network area - Google Patents


Info

Publication number: CN1406005A
Authority: CN (China)
Prior art keywords: network node, network, KAC, KMC, security association
Legal status: Granted (status as listed by Google Patents, not a legal conclusion)
Application number: CN01141735A
Other languages: Chinese (zh)
Other versions: CN1138367C (en)
Inventor: 李继红
Current Assignee: Huawei Technologies Co Ltd
Original Assignee: Huawei Technologies Co Ltd
Priority date / Filing date: 2001-09-17
Publication date: 2003-03-26 (CN1406005A); granted 2004-02-11 (CN1138367C)

Events:
Application filed by Huawei Technologies Co Ltd
Priority to CNB011417358A / CN1138367C
Publication of CN1406005A
Application granted; publication of CN1138367C
Anticipated expiration
Current status: Expired - Fee Related
Abstract

The invention comprises the following processing steps. A Key Administration Center (KAC) is set up in the network area of each operator and is connected to every network node in that area. When a network node in one operator's area requests secure communication with a network node in another operator's area, the KACs of the two areas negotiate a Security Association (SA) as agents for the two nodes, and the negotiated SA is distributed to the respective node in each area. The two nodes then use the received SA for end-to-end secure communication. An entity with a monitoring function can also be set up; it obtains the SA from a KAC in order to decrypt and monitor the communication between the sending-side and target-side network nodes.

Description

Security Association (SA) generation method for secure communication between nodes of network areas
Technical field
The present invention relates to Wideband Code Division Multiple Access (WCDMA) mobile communication system technology, and specifically to a method of generating the Security Association (SA) used for end-to-end protection when realising network domain security in a third-generation (3G) mobile communication system; more precisely, it is a key management and distribution method.
Background technology
The Universal Mobile Telecommunications System (UMTS) is the third-generation (3G) mobile communication system that adopts the WCDMA air interface. The UMTS system has three network architecture releases: R99, R4 and R5. Because the R4 and R5 architectures can adopt IP technology and can carry traffic over public networks, protective measures must be adopted to guarantee the security of network signalling. In the 3G R5 architecture, for example, the MAP (Mobile Application Part) protocol is protected by encrypting it with the MAPSec (MAP security) mechanism, and an IP-based network domain security mechanism (NDS/IP) is additionally required to protect the IP-based signalling protocols.
At present, the 3G network domain security (NDS/IP) standard provides no end-to-end protection mechanism.
Fig. 1 shows the MAP SA negotiation model. Security domain A is the network area of operator A and security domain B is the network area of operator B. The MAPSec protocol (see TS 33.200 v4.0.0) introduces a new network function entity, the Key Administration Center (KAC), which is separate from the nodes (NEs, network elements). In the figure KAC_A is the KAC of security domain A and KAC_B the KAC of security domain B; NE_A1 and NE_A2 are two nodes of security domain A and NE_B is a node of security domain B. Dotted lines are IKE connections, double lines are ESP tunnels with confidentiality and integrity protection, and heavy solid lines are secure MAP operations. Zd is the connection between the two KACs, KAC_A and KAC_B; Ze is the connection between a KAC and each node of the same security domain; Zf is the connection between nodes of different security domains. If operator A's node NE_A needs MAPSec communication with operator B's node NE_B, NE_A must request KAC_A and KAC_B to help establish the MAP Security Association (SA) between NE_A and NE_B. The essence of MAPSec key management is therefore to use the KACs as agents to negotiate the SA with which NE_A and NE_B communicate securely.
IPsec ESP is the protocol used to realise NDS/IP: data packets transmitted between network entities are encrypted with IPsec ESP, which protects the network and guarantees the secure transmission of signalling and data. However, this use of IPsec ESP is hop-by-hop, encrypting and decrypting each segment separately, and in each segment the SA between two network nodes is negotiated directly with the Internet Key Exchange (IKE) protocol (see RFC 2409).
It is generally desired that the network domain security mechanism (NDS/IP) be provided directly in end-to-end protection mode, since that is simple to realise and need not consider the security of the intermediate nodes. In practical encryption deployments, however, the key between each pair of nodes is negotiated separately, so unified control and management are poor and the Lawful Interception function is not easy to realise. How to negotiate and distribute the Security Association (the key parameters) between network elements (NEs) has therefore become the difficult problem in realising end-to-end network security protection.
From the above analysis, although the IKE mechanism can serve as the automatic negotiation mechanism for the IPsec Security Association (SA) between the NEs of different operators, it has the following critical defects:
(1) every NE must implement the complex IKE protocol, including the slow PKI mechanism and a complicated certificate verification process;
(2) each key negotiation is independent and cannot be managed centrally, so overall security cannot be guaranteed;
(3) because key negotiation is end-to-end, the key needed to decrypt for interception must be extracted separately from each NE, so the interception function is quite complicated to realise.
Summary of the invention
The object of the present invention is to design a Security Association (SA) generation method for secure communication between nodes of network areas. Addressing the three critical defects above, it proposes a centralised key management and distribution method for the end-to-end encryption mode of NDS/IP, which solves the problems of key control and management and thereby makes the Lawful Interception function easy to realise.
The technical scheme that realises the object of the invention is as follows. A Security Association (SA) generation method for secure communication between nodes of network areas is characterised by comprising the following processing steps:
A. a Key Administration Center (KAC) is set up for the network area of each operator, and each KAC is connected to each network node in its own network area;
B. when a network node in one operator's network area requires secure communication with a network node in another operator's network area, the two KACs of the two operators' network areas negotiate the Security Association (SA) between the two network nodes as agents, and each distributes the negotiated SA to the network node in its own area;
C. the two network nodes of the two operators' network areas use the received SA to communicate securely.
Step B further comprises:
a. the sending-side network node sends to the KAC of its own network area a request to communicate securely with the target-side network node;
b. the KAC of the sending-side network node uses the Internet Key Exchange (IKE) protocol with the KAC of the target-side network node to negotiate the SA between the sending-side and target-side network nodes;
c. the KAC of the sending-side network node and the KAC of the target-side network node each store the negotiated SA and distribute it to the sending-side and target-side network nodes respectively.
In steps a and c, communication between the sending-side network node and its KAC is further protected by the internal security mechanism defined by the sending-side network area, and communication between the target-side network node and its KAC by the internal security mechanism defined by the target-side network area.
The internal security mechanism defined by the sending-side or target-side network area may be a physical circuit set up between the network node and its KAC.
The method further comprises setting up a monitoring function entity which, by obtaining the SA used for secure communication between the sending-side and target-side network nodes, monitors the communication between them.
The obtaining process further comprises:
a. the monitoring function entity queries the KAC of the sending-side network node or the KAC of the target-side network node and obtains the SA used for secure communication between the sending-side and target-side network nodes;
b. the monitoring function entity uses the obtained SA to decrypt and monitor the secure communication between the sending-side and target-side network nodes.
The monitoring function entity is a computer or a server.
The 3G R4 and R5 architectures require that network security preferably be provided in end-to-end protection mode, and that a lawful interception function still be available when communication between network nodes is encrypted. The SA generation method of the present invention adopts an agent-based (proxy) IPsec SA generation method, providing key management and distribution for end-to-end encryption.
The present invention applies the MAPSec key management model to the network domain security (NDS/IP) mechanism; that is, a Key Administration Center (KAC) is provided to negotiate the IPsec SA between two nodes of the network areas. The beneficial effects of the method are:
(1) implementation of the Internet Key Exchange (IKE) protocol is concentrated in the KAC; since the complex IKE protocol is no longer implemented on the network nodes (NEs), the IPsec implementation of the NEs is greatly simplified;
(2) because the IPsec SA is negotiated uniformly by the KACs, centralised security management of SAs is easy to realise;
(3) lawful interception becomes easier: the department performing interception can directly query the negotiated SA stored in the KAC and then decrypt and monitor the current communication on the line.
Description of drawings
Fig. 1 is a schematic diagram of the background-art model in which network nodes of two security domains negotiate a MAP SA.
Fig. 2 is a schematic diagram of the model of the present invention in which network nodes of two security domains negotiate an IPsec SA.
Fig. 3 is a schematic flow diagram of the realisation of lawful interception in the present invention.
Embodiment
Fig. 2 shows the structure and flow for negotiating an IPsec SA when the method of the present invention is used for secure communication between network nodes of two security domains.
Security domain A is the network area of operator A and security domain B the network area of operator B; KAC_A is the KAC of security domain A and KAC_B the KAC of security domain B; NE_A is a node of security domain A (which also has other nodes NE) and NE_B a node of security domain B (which also has other nodes NE).
Suppose operator A's network node NE_A needs IPsec ESP communication with operator B's network node NE_B. It must first obtain an IPsec SA, and the acquisition flow comprises:
Step 1: network node NE_A sends to operator A's KAC_A a request for IPsec communication with network node NE_B;
Step 2: KAC_A uses the IKE protocol with operator B's KAC_B to negotiate the IPsec SA between NE_A and NE_B;
Step 3: after the IPsec SA negotiation completes, KAC_A and KAC_B store the SA and distribute it to NE_A and NE_B respectively;
Step 4: NE_A and NE_B use this IPsec SA to carry out IPsec ESP secure communication through encryption and decryption operations.
In steps 1 and 3, protection between KAC_A and NE_A and between KAC_B and NE_B can be realised by the security mechanism the operator defines for the interior of its own network area, for example a physical circuit or some other security method.
Fig. 3 shows, on the basis of the structure and flow of Fig. 2, the further structure and flow for realising lawful interception.
A monitoring function entity is set up, such as an ordinary computer or server. Its flow for lawful interception is:
Step 1: the monitoring function entity queries KAC_A or KAC_B, from which the IPsec SA currently used for secure communication between NE_A and NE_B can easily be obtained; that is, the monitoring function entity does not need to obtain the IPsec SA separately from each network node NE_A or NE_B;
Step 2: the monitoring function entity uses this IPsec SA to decrypt the secure communication between NE_A and NE_B, realising monitoring.
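The four-step SA acquisition flow and the two-step interception flow above, modelled in Python as an added example (not code from the patent or from Huawei). The KAC and NE classes, the DIRECTORY lookup, the message shapes, the intercept function and the HMAC-based stand-in for the ESP cipher are assumptions of this example; the Diffie-Hellman modulus is the 1024-bit MODP group of RFC 2409 (Oakley group 2), transcribed here for illustration. What the model makes visible is the claim the patent rests on: the NE code contains no Diffie-Hellman, certificate or IKE logic at all, only a request to its KAC and the ESP data path, while both KACs end up holding identical SA entries that a monitoring entity can read back from either one.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Assumed DH group: the 1024-bit MODP group of RFC 2409 (Oakley group 2),
# transcribed for illustration; verify against the RFC and prefer a larger group.
P = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
        "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
        "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
        "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2
DIRECTORY = {}  # assumed lookup: NE name -> the KAC of its network area


@dataclass(frozen=True)
class IPsecSA:
    spi: int
    src: str
    dst: str
    enc_key: bytes
    auth_key: bytes


def derive_sa(secret, spi, src, dst):
    """Both KACs derive identical keys from the DH secret; the NEs never see it."""
    def kdf(label):
        info = label + spi.to_bytes(4, "big") + src.encode() + dst.encode()
        return hmac.new(secret.to_bytes(128, "big"), info, hashlib.sha256).digest()
    return IPsecSA(spi, src, dst, kdf(b"enc"), kdf(b"auth"))


class KAC:
    """Key Administration Center of one operator's area; holds the SA database."""
    def __init__(self, name):
        self.name, self.nodes, self.sa_db = name, {}, {}
    def attach(self, ne):  # the Ze link to a node of this area
        self.nodes[ne.name], ne.kac, DIRECTORY[ne.name] = ne, self, self
    def request_sa(self, src, dst):
        """Step 1 lands here; Step 2 is the IKE-style DH exchange over Zd."""
        peer, a = DIRECTORY[dst], int.from_bytes(os.urandom(32), "big")
        yb, spi = peer.ike_respond(pow(G, a, P), src, dst)
        return self.install(derive_sa(pow(yb, a, P), spi, src, dst))
    def ike_respond(self, ya, src, dst):
        b = int.from_bytes(os.urandom(32), "big")
        spi = int.from_bytes(os.urandom(4), "big") | 0x100  # responder picks SPI
        self.install(derive_sa(pow(ya, b, P), spi, src, dst))
        return pow(G, b, P), spi
    def install(self, sa):
        """Step 3: store the SA and push it to the local endpoint over Ze."""
        self.sa_db[(sa.src, sa.dst)] = sa
        for ne in self.nodes.values():
            if ne.name in (sa.src, sa.dst):
                ne.sa_db[(sa.src, sa.dst)] = sa
        return sa


def _keystream(sa, header, n):
    # Stand-in for the ESP cipher: HMAC-SHA256 in counter mode under enc_key.
    blocks = (hmac.new(sa.enc_key, header + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def esp_encrypt(sa, seq, plaintext):
    header = sa.spi.to_bytes(4, "big") + seq.to_bytes(4, "big")  # SPI || sequence
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(sa, header, len(plaintext))))
    icv = hmac.new(sa.auth_key, header + body, hashlib.sha256).digest()[:12]
    return header + body + icv


def esp_decrypt(sa, packet):
    header, body, icv = packet[:8], packet[8:-12], packet[-12:]
    want = hmac.new(sa.auth_key, header + body, hashlib.sha256).digest()[:12]
    if not hmac.compare_digest(icv, want):  # integrity check before decryption
        raise ValueError("ESP ICV check failed")
    return bytes(c ^ k for c, k in zip(body, _keystream(sa, header, len(body))))


class NE:
    """Network element: no IKE, no PKI; it only asks its KAC and runs ESP (Step 4)."""
    def __init__(self, name):
        self.name, self.kac, self.sa_db, self.seq = name, None, {}, 0
    def esp_send(self, dst, plaintext):
        if (self.name, dst) not in self.sa_db:
            self.kac.request_sa(self.name, dst)  # Step 1, sent over Ze
        self.seq += 1
        return esp_encrypt(self.sa_db[(self.name, dst)], self.seq, plaintext)
    def esp_recv(self, src, packet):
        return esp_decrypt(self.sa_db[(src, self.name)], packet)


def intercept(kac, src, dst, packet):
    """LI Step 1: read the SA from either KAC; LI Step 2: decrypt the traffic."""
    return esp_decrypt(kac.sa_db[(src, dst)], packet)


def demo(payload=b"MAP UpdateLocation (constructed sample signalling)"):
    kac_a, kac_b, ne_a, ne_b = KAC("KAC_A"), KAC("KAC_B"), NE("NE_A"), NE("NE_B")
    kac_a.attach(ne_a)
    kac_b.attach(ne_b)
    packet = ne_a.esp_send("NE_B", payload)
    same_sa = kac_a.sa_db[("NE_A", "NE_B")] == kac_b.sa_db[("NE_A", "NE_B")]
    return ne_b.esp_recv("NE_A", packet), intercept(kac_b, "NE_A", "NE_B", packet), same_sa
```

`demo()` returns the plaintext recovered by NE_B, the plaintext the monitor recovers using only KAC_B's SA database, and whether the two KACs hold the same SA. Two caveats a practitioner would attach: every KAC becomes a plaintext store of all live keys, so the KAC and its Ze links (a physical circuit in the patent's example) are the trust boundary of the whole domain; and the toy ESP here is unidirectional and unpadded, whereas a real deployment negotiates one SA per direction and uses a standard cipher suite.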
The method of the present invention sets up a KAC for each network area and negotiates the IPsec SA between network nodes of different operators through the KACs acting as agents, realising secure communication between the nodes of the areas; the method also makes the lawful interception function convenient to realise.
The method separates key negotiation from key use: the complex IKE negotiation process originally performed by the nodes (NEs) is handed over entirely to the KAC agent, and the NE performs only a simple request and the IPsec SA encryption process, which makes the IPsec implementation between nodes (NEs) of two areas simpler; the KAC uniformly audits and distributes the Security Associations (SAs), making centralised security management of IPsec SAs convenient; and because the IPsec SA can be obtained directly from the KAC, lawful interception becomes easier.
The technical scheme of the present invention can be applied in the 3G core network.

Claims (7)

1. A Security Association (SA) generation method for secure communication between nodes of network areas, characterised by comprising the following processing steps:
A. a Key Administration Center (KAC) is set up for the network area of each operator, and each KAC is connected to each network node in its own network area;
B. when a network node in one operator's network area requires secure communication with a network node in another operator's network area, the two KACs of the two operators' network areas negotiate the Security Association (SA) between the two network nodes as agents, and each distributes the negotiated SA to the network node in its own area;
C. the two network nodes of the two operators' network areas use the received SA to communicate securely.
2. The Security Association (SA) generation method for secure communication between nodes of network areas according to claim 1, characterised in that step B further comprises:
a. the sending-side network node sends to the KAC of its own network area a request to communicate securely with the target-side network node;
b. the KAC of the sending-side network node uses the Internet Key Exchange (IKE) protocol with the KAC of the target-side network node to negotiate the SA between the sending-side and target-side network nodes;
c. the KAC of the sending-side network node and the KAC of the target-side network node each store the negotiated SA and distribute it to the sending-side and target-side network nodes respectively.
3. The Security Association (SA) generation method for secure communication between nodes of network areas according to claim 2, characterised in that, in steps a and c, communication between the sending-side network node and its KAC is further protected by the internal security mechanism defined by the sending-side network area, and communication between the target-side network node and its KAC by the internal security mechanism defined by the target-side network area.
4. The Security Association (SA) generation method for secure communication between nodes of network areas according to claim 3, characterised in that the internal security mechanism defined by the sending-side network area or the target-side network area is a physical circuit set up between the network node and its KAC.
5. The Security Association (SA) generation method for secure communication between nodes of network areas according to claim 1, characterised by further comprising setting up a monitoring function entity which, by obtaining the SA used for secure communication between the sending-side and target-side network nodes, monitors the communication between the sending-side and target-side network nodes.
6. The Security Association (SA) generation method for secure communication between nodes of network areas according to claim 5, characterised in that the obtaining process further comprises:
a. the monitoring function entity queries the KAC of the sending-side network node or the KAC of the target-side network node and obtains the SA used for secure communication between the sending-side and target-side network nodes;
b. the monitoring function entity uses the obtained SA to decrypt and monitor the secure communication between the sending-side and target-side network nodes.
7. The Security Association (SA) generation method for secure communication between nodes of network areas according to claim 5 or 6, characterised in that the monitoring function entity is a computer or a server.

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CNB011417358A (CN1138367C) | 2001-09-17 | 2001-09-17 | Safety-alliance (SA) generation method for safety communication between nodes of network area

Applications Claiming Priority (1)

Application Number | Priority Date | Filing Date | Title
CNB011417358A (CN1138367C) | 2001-09-17 | 2001-09-17 | Safety-alliance (SA) generation method for safety communication between nodes of network area

Publications (2)

Publication Number | Publication Date
CN1406005A | 2003-03-26
CN1138367C | 2004-02-11

Family

ID=4676371

Family Applications (1)

Application Number | Title | Priority Date | Filing Date
CNB011417358A (CN1138367C, Expired - Fee Related) | Safety-alliance (SA) generation method for safety communication between nodes of network area | 2001-09-17 | 2001-09-17

Country Status (1)

Country | Link
CN | CN1138367C

Cited By (16)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN100450000C * | 2003-08-20 | 2009-01-07 | Huawei Technologies Co., Ltd. | Method for realizing share of group safety alliance
CN1753348B * | 2004-09-22 | 2010-07-28 | Huawei Technologies Co., Ltd. | Method of realizing changing open talk to secret talk
US9167422B2 | 2005-01-07 | 2015-10-20 | Inventergy, Inc. | Method for ensuring media stream security in IP multimedia sub-system
US9537837B2 | 2005-01-07 | 2017-01-03 | Inventergy, Inc. | Method for ensuring media stream security in IP multimedia sub-system
US8582766B2 | 2005-01-07 | 2013-11-12 | Inventergy, Inc. | Method for ensuring media stream security in IP multimedia sub-system
CN1855806B * | 2005-04-27 | 2010-09-01 | Toshiba Corporation | Communication device and communication method
CN1874343B * | 2005-06-03 | 2010-04-21 | Huawei Technologies Co., Ltd. | Method for creating IPSec safety alliance
CN101227494B * | 2008-01-09 | 2013-06-12 | ZTE Corporation | Method for establishing Internet safety protocol safe alliance when accessing multi grouping data network
CN101309273B * | 2008-07-16 | 2011-06-01 | Hangzhou H3C Technologies Co., Ltd. | Method and device for generating safety alliance
CN101917272A * | 2010-08-12 | 2010-12-15 | China IWNCOMM Co., Ltd. | Secret communication method and system among neighboring user terminals
CN103188228A * | 2011-12-29 | 2013-07-03 | ZTE Corporation | Method for achieving safety protection from end to end, security gateway and system
CN103188228B * | 2011-12-29 | 2018-05-01 | ZTE Corporation | Method, security gateway and system for realizing end-to-end security protection
CN103546442A * | 2012-07-17 | 2014-01-29 | ZTE Corporation | Communication monitoring method and communication monitoring device for browsers
CN103546442B * | 2012-07-17 | 2018-10-23 | ZTE Corporation | Communication monitoring method and device for browsers
WO2021196987A1 * | 2020-03-30 | 2021-10-07 | Huawei Technologies Co., Ltd. | Method and device for transmitting service in network
CN113872845A * | 2020-06-30 | 2021-12-31 | Huawei Technologies Co., Ltd. | Method for establishing VXLAN tunnel and related equipment

Also Published As

Publication number Publication date
CN1138367C (en) 2004-02-11

Similar Documents

Publication Publication Date Title
US7181012B2 (en) Secured map messages for telecommunications networks
US8976968B2 (en) Intercepting a communication session in a telecommunication network
US20060031936A1 (en) Encryption security in a network system
DE60201522T2 (en) ENABLE LEGAL CAPTURE OF IP CONNECTIONS
US20080187137A1 (en) Method and Apparatus for Ensuring Privacy in Communications Between Parties
US20090182668A1 (en) Method and apparatus to enable lawful intercept of encrypted traffic
CN1138367C (en) Safety-alliance (SA) generation method for safety communication between nodes of network area
JPH03210847A (en) Communication circuit netz
AU2001255191A1 (en) Security link management in dynamic networks
CN1592193A (en) System and method for secure remote access
CA2540590C (en) System and method for secure access
CN101079738A (en) Secured communication channel using network management software as the basis to manage networks
KR20030056700A (en) Method for controlling internet information security system in ip packet level
CN100571133C (en) The implementation method of media flow security transmission
US20050204160A1 (en) Method for establishing directed circuits between parties with limited mutual trust
US20040044910A1 (en) Method and system for access in open service architecture
JP3700671B2 (en) Security management system
US20030154408A1 (en) Method and apparatus for secured unified public communication network based on IP and common channel signaling
CN1581869A (en) Dual-status-based multi-party communication method
US7116786B2 (en) Interception of secure data in a mobile network
Hatefi et al. A new framework for secure network management
CN116248302A (en) SSL VPN communication tunnel module, application monitoring module and mobile terminal safety access system
CN113473470A (en) Charging pile networking communication system based on 5G and bidirectional communication method
杨博 et al. Mobile agent security facility for network management
Qu et al. Secure service management in virtual service networks

Legal Events

Code | Title | Description
C06 | Publication |
PB01 | Publication |
C10 | Entry into substantive examination |
SE01 | Entry into force of request for substantive examination |
C14 | Grant of patent or utility model |
GR01 | Patent grant |
CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 2004-02-11; Termination date: 2016-09-17