CN1835633A - Updating protocal method of secret keys - Google Patents

Updating protocal method of secret keys Download PDF

Info

Publication number
CN1835633A
CN1835633A CN 200510113030 CN200510113030A CN1835633A CN 1835633 A CN1835633 A CN 1835633A CN 200510113030 CN200510113030 CN 200510113030 CN 200510113030 A CN200510113030 A CN 200510113030A CN 1835633 A CN1835633 A CN 1835633A
Authority
CN
China
Prior art keywords
terminal
key
random number
authentication key
step
Prior art date
Application number
CN 200510113030
Other languages
Chinese (zh)
Other versions
CN100346668C (en
Inventor
王正伟
Original Assignee
华为技术有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority to CN200510037046 priority Critical
Application filed by 华为技术有限公司 filed Critical 华为技术有限公司
Priority to CN 200510113030 priority patent/CN100346668C/en
Publication of CN1835633A publication Critical patent/CN1835633A/en
Application granted granted Critical
Publication of CN100346668C publication Critical patent/CN100346668C/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communication
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0891Revocation or update of secret information, e.g. encryption key update or rekeying
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network

Abstract

The method features setting the control parameters for controlling the updating of authentication key at the network side and comprises: a) the terminal sends the request message of renewing key to the network side, which carries relevant information of control parameters for controlling the renewing of authentication key; b) after receiving the request message for renewing key, according to the control parameters saved by itself the network side decides if the relevant information of control parameters in the request message of updating key is legal; if yes, then renewing key; otherwise, ending the process of updating key.

Description

一种密钥更新协商方法 A SECRET KEY negotiation method update

技术领域 FIELD

本发明涉及通信安全技术,具体涉及一种鉴权密钥更新协商方法。 The present invention relates to security communication technology, particularly to a method for negotiating authentication key updating.

背景技术 Background technique

GSM通信系统中,在移动终端中保存国际移动用户标识IMSI、鉴权密钥KI和HLR/AUC中针对该移动终端对应保存IMSI和KI,以用于移动终端和网络相互鉴权。 GSM communication system, the mobile terminal stored in the international mobile subscriber identity IMSI, authentication key KI and HLR / AUC, and KI corresponding stored IMSI for the mobile terminal, the mobile terminal and a network for mutual authentication. 其中,IMSI和KI在用户卡的整个生命周期内是保持不变的。 Which, IMSI and KI throughout the life cycle of user cards remain the same. 关于GSM通信系统的鉴权知识,较WCDMA简单很多,3GPP相关规范有明确的阐述,在此不再赘述。 Authentication knowledge about GSM communication system is much simpler than WCDMA, 3GPP related specifications are stated clearly, it is not repeated here.

现有的第三代移动通信系统中的鉴权流程,在移动终端中保存国际移动用户标识IMSI、鉴权密钥KI和序列号SQNMS,HLR/AUC中针对该移动终端对应保存IMSI、KI和序列号SQNHE,以用于移动终端和网络相互鉴权。 Authentication process prior to the third generation mobile communication systems, international mobile subscriber identity IMSI stored in the mobile terminal, the authentication key KI and the sequence number SQNMS, HLR / AUC stored corresponding IMSI for the mobile terminal, and KI sequence number SQNHE, the mobile terminal and a network for mutual authentication. 其中,IMSI和KI在用户卡的整个生命周期内是保持不变的。 Which, IMSI and KI throughout the life cycle of user cards remain the same.

3G通信系统的现有鉴权流程主要为:HLR/AUC产生随机数RAND,根据随机数RAND和KI产生期望响应XRES、加密密钥CK、完整性密钥IK;根据随机数RAND、序列号SQNHE、鉴权密钥KI和鉴权管理域AMF产生出MAC-A,根据MAC-A,SQNHE、AK和AMF得到鉴权标记AUTN(Authentication Token)。 3G communication systems existing authentication process mainly: HLR / AUC generates a random number RAND, an expected response XRES is generated based on the random number RAND and KI, cipher key CK, an integrity key the IK; random number RAND, the sequence number SQNHE , authentication key KI and the authentication management field AMF to generate a MAC-A, according to MAC-A, SQNHE, AK AMF and obtain authentication token AUTN (authentication Token). 由RAND和XRES、CK、IK和AUTN组成鉴权五元组,将该五元组发送给MSC/VLR保存。 RAND and the XRES, CK, IK and AUTN authentication quintuple composition, the quintuple to a MSC / VLR saved. 当然,实际当中,HLR/AUC是应MSC/VLR的请求才将产生的相应的一个或多个五元组发送给MSC/VLR的。 Of course, the actual them, HLR / AUC is a corresponding request of the MSC / VLR or only produced to a plurality quintuple the MSC / VLR. 鉴权时,MSC/VLR将对应五元组中RAND和AUTN发送给终端,终端根据自己保存的KI验证AUTN的一致性,如果一致性验证不通过,则向MSC/VLR返回鉴权失败信息;若一致性验证通过,则判断SQNHE是否属于可接受的范围:若属于,则终端判断出对网络鉴权通过,终端向MSC/VLR返回自己产生的鉴权响应,并根据AUTN中的SQNHE更新SQNMS,MSC/VLR比较终端返回的鉴权响应和对应五元组中的XRES是否一致来判断终端的合法性;若判断出SQNHE不属于可接受范围,则终端根据SQNMS产生再同步标记AUTS(Resynchronisation Token),对MSC/VLR返回再同步请求或同步失败(Synchronisation failure)消息,同时附上产生的再同步标记AUTS,也即消息中包含AUTS。 When authentication, MSC / VLR to the corresponding terminal quintuple RAND and AUTN are sent to the terminal to verify the consistency of the AUTN based on their stored KI, if the consistency verification is not passed, then the MSC / VLR returns the authentication failure information; if consistency verification is passed, it is determined whether SQNHE acceptable range: if it is a, the terminal determines that the authentication is passed to the network, the terminal returns the authentication response generated by itself to MSC / VLR, and updating SQNHE according to the SQNMS AUTN, MSC / VLR compare the authentication response returned by the terminal and the corresponding five-tuple in the XRES to determine the legitimacy of the terminal are consistent; if judged SQNHE not acceptable, then the terminal synchronization flag AUTS (resynchronisation Token) produced according SQNMS of MSC / VLR returns a synchronization failure or resynchronization request (Synchronisation failure) message, together with the AUTS generated resynchronization markers, i.e. the message contained AUTS. MSC/VLR接收到再同步标记AUTS时,将AUTS和对应五元组中的RAND发送给HLR/AUC,HLR/AUC根据对应保存的KI和接收到的RAND,判断AUTS的合法性,如果不合法,则HLR/AUC向MSC/VLR返回AUTS不合法信息;如果判断出AUTS合法,则HLR/AUC根据AUTS中的SQNMS更新SQNHE,并产生一个新的鉴权五元组发送给MSC/VLR,MSC/VLR接收到新的五元组后,删除对应的旧的五元组并利用新五元组重新对终端鉴权。 MSC / VLR receives the resynchronization marker AUTS, the AUTS and the corresponding five-tuple in the RAND transmitted to the HLR / AUC, HLR / AUC according to the stored correspondence KI and the received RAND, judging the legitimacy of the AUTS, if not legal , the HLR / AUC returned AUTS illegal information to MSC / VLR; AUTS is judged if valid, the HLR / AUC according to the SQNMS AUTS updated SQNHE, and generates a new authentication quintuple sent to the MSC / VLR, MSC / VLR receives the new five-tuple, remove the corresponding old pentad pentad using a new re-authentication terminal.

终端通过比较自己保存的SQNMS和AUTN中的SQNHE是否满足预定的条件来判断SQNHE是否可以接受,该预定条件可以是SQNHE和SQNMS的差值在一个预定范围内,例如,是否(SQNHE-SQNMS)大于0,或者是否(SQNHE-SQNMS)大于0且小于256。 Terminal predetermined condition by comparing their SQNMS stored in SQNHE and AUTN meets acceptable to determine whether the SQNHE, the predetermined condition may be the difference SQNHE and SQNMS within a predetermined range, e.g., whether (SQNHE-SQNMS) is greater than 0, or if (SQNHE-SQNMS) is greater than 0 and less than 256. 如果SQNHE和SQNMS的差值在所述预定范围内,则判断出SQNHE是可接受的;否则判断出SQNHE是不可接受的。 If the difference SQNHE and SQNMS within the predetermined range, it is determined to be acceptable SQNHE; SQNHE otherwise judged unacceptable.

关于3G鉴权流程的详细内容,可以参照3GPP规范,为了突出本发明重点,本文不对其进行详细阐述。 For details on the 3G authentication process, reference can 3GPP specification, in order to focus the present invention, not described in detail herein set forth.

不论是二代的GSM系统,还是三代的WCDMA系统,都可能存在用户卡克隆现象。 Whether the second generation GSM system, or three generations of WCDMA system, the user card cloning phenomenon may exist. 在GSM系统应用中用户卡克隆已是普遍存在的问题,而且操作起来很容易;WCDMA系统中增强了协议的安全性,使得用户卡中的鉴权密钥更加安全。 In the GSM system application user card cloning already is a common problem, and it is easy to operate; WCDMA system enhances the security agreement, making the user authentication key cards more secure. 但是,本领域技术人员都知道,克隆用户卡的关键是要攻破用户卡的鉴权密钥,因此,和GSM系统一样,WCDMA系统中,由于用户卡中的鉴权密钥的不变性,使得WCDMA系统的这种安全也是暂时的,难以保证用户卡中的鉴权密钥在将来的应用中不被攻破,因此,WCDMA系统中仍然无法从根本上解决用户卡被克隆的问题。 However, those skilled in the art will know that the key card is to clone the user key of the user authentication card break, therefore, and as the GSM system, WCDMA system, since the user authentication key invariance card, so that this security WCDMA system is temporary, it is difficult to ensure that the card user authentication key is not compromised in future applications, therefore, WCDMA system still does not solve the problem user card is cloned fundamentally.

克隆用户卡的这种现象不但给合法用户带来损失,还会影响到运营商的服务质量。 This phenomenon is not only user card cloning cause losses to legitimate users, but also affect the quality of service operators. 后来有人发现,反用户卡克隆的最有效手段之一,是不断地更新用户卡的鉴权密钥,通过更新鉴权密钥,可以达到防止非法用户卡继续使用的目的。 Later it was discovered that one of the most effective means of anti-user card cloning, and is constantly updated user card authentication key, by updating the authentication key, you can achieve the purpose of preventing unauthorized users continue to use the card. 例如,通过不断地更新用户卡的鉴权密钥,可以避免或发现合法用户卡被克隆。 For example, a legitimate user card is cloned by constantly updating user authentication key cards, can be avoided or discovered. 根据这种方法,通过鉴权密钥更新,可以有效地防止合法用户卡和克隆用户卡同时使用的情况出现。 According to this method, the authentication key updating can be effectively prevented valid user card and the user card clones appear simultaneously. 例如,合法用户卡通过更新鉴权密钥,可以使得克隆用户卡无法通过鉴权,从而不能继续使用。 For example, legitimate users by updating the card authentication key, the user can make cloned card can not pass authentication, and thus can not continue to use. 但是,只要合法用户卡能够更新鉴权密钥,就不能避免非法用户卡利用同样的方法更新鉴权密钥,例如,克隆用户卡在合法用户卡更新鉴权密钥之前,即克隆用户卡与合法用户卡所持有的鉴权密钥还是相同的时候,克隆用户卡抢先发起了更新鉴权密钥的协商流程,这样,保存在HLR/AUC中的鉴权密钥与克隆用户卡中的鉴权密钥得到同步更新,合法用户卡里的鉴权密钥由于没有跟着更新,反而变成无效鉴权密钥了,从而,使得合法用户卡不能使用。 However, as long as the card is the legitimate user can update the authentication key, it can not avoid the illegal card by the same method of updating the authentication key, for example, before the user card cloning legitimate authentication key updating user card, i.e. the card user Cloning legitimate user authentication key or card held by the same time, the first to clone the card user authentication key update launched the negotiation process, so, save in the HLR / AUC in user authentication key and card cloning authentication keys get updated simultaneously, legitimate card user authentication key because there is no follow updates have become invalid authentication key, and so that legitimate users can not use the card. 虽然,这个时候,合法用户发现自己的用户卡不能用时,可意思到用户卡被人克隆了,并可以到营业厅通过更改HLR/AUC中的鉴权密钥,同时刷新自己用户卡的鉴权密钥使得HLR/AUC中的鉴权密钥和自己用户卡的鉴权密钥再次保持一致,从而使得合法用户卡可以继续使用,非法克隆用户卡无法再继续使用,但是,这个处理过程还是会给用户带来麻烦,同时也会增加营业厅工作人员的工作量。 Although, this time, when legitimate users find their user cards can not be used, meaning the user can card was cloned, and can go to the operating room by changing the authentication key HLR / AUC in, and refresh their own user authentication card so that the authentication key key authentication key HLR / AUC and its own user card consistent again, so that legitimate users can continue to use the card, the card can no longer illegal clone users continue to use, however, this process will still bring trouble to the user, but also increase the workload of the operating room staff.

因此,如何有效地协商鉴权密钥的更新,使得克隆用户卡无法执行有效的鉴权密钥更新操作,是一个值得研究的问题。 Therefore, how to effectively negotiate update authentication key, making clone cards can not perform effective user authentication key update is a problem worthy of study.

发明内容 SUMMARY

有鉴于此,本发明要解决技术问题是提供一种密钥更新协商方法,通过该方法可以限制非法用户使用非法克隆的用户卡更新鉴权密钥,进而防止非法用户通过克隆用户卡更新了鉴权密钥而导致合法用户卡不能继续使用的情况出现。 Accordingly, the present invention is to solve the technical problem is to provide a key update method of negotiation, by which the user can limit the use of the illegal user card illegally cloned update authentication key, thereby preventing illegal user updates the user card by cloning discriminator right keys and lead to legitimate users can not continue to use the card appears.

本发明提供的解决上述问题的技术方案为:a.终端向网络侧发送密钥更新请求消息,并携带用于控制鉴权密钥更新的控制参数的相关信息;b.网络侧接收到所述密钥更新请求消息后,根据自己保存的所述控制参数判断密钥更新请求消息中的控制参数的相关信息是否合法,如果合法,则执行密钥更新,否则,结束密钥更新流程。 Solve the above problems the present invention provides a technical solution as follows: a terminal transmits a key update request message to the network side, and to carry related control information of the authentication key updating control parameters; b. The network side is received. after the key update request message, according to the control parameters stored their information determines control parameters in the key update request message is legitimate, if valid, the key update is executed, otherwise, the key update process ends.

优选地,步骤a中所述携带的用于控制鉴权密钥更新的控制参数的相关信息是该控制参数本身,步骤b中所述根据自己保存的所述控制参数判断密钥更新请求消息中的控制参数相关信息是否合法进一步是,网络侧比较自己保存的所述控制参数和密钥更新请求消息中的控制参数是否一致,如果一致,则认为所述相关信息合法,否则,认为所述相关请求信息非法。 Related information is preferably, a step for controlling said carrying authentication key updated control parameter is the control parameter itself, step b according to their stored in the control parameter determines the key update request message control parameters related to the legality of further information, the network side of the control comparing yourself to save the parameters and parameter control key update request is consistent message, if agreed, the relevant information is considered legitimate, otherwise considered the relevant request information illegally.

优选地,步骤a中所述携带的用于控制鉴权密钥更新的控制参数的相关信息是根据该控制参数计算得到,步骤b中所述根据自己保存的所述控制参数判断密钥更新请求消息中的控制参数相关信息是否合法进一步是,网络侧根据自己保存的所述控制参数进行相应的计算,得到一个计算结果,比较自己计算得到的计算结果和密钥更新请求消息中的控制参数的相关信息是否一致,如果一致,则认为所述相关信息合法,否则,认为所述相关信息非法。 Related information is preferably, a step for controlling said carrying authentication key updated control parameter is the control parameter calculated according to step b according to their stored in the control parameter determines the key update request whether the message is valid control parameters further information, the network side according to the control parameters stored in their corresponding calculation, the calculation result, the calculation result obtained by comparing their calculated control parameters and the key update request message is whether the information is consistent, if agreed, the relevant information is considered legitimate, otherwise considered the relevant information illegally.

优选地,步骤a中所述计算还根据鉴权密钥进行的,即终端根据用于控制鉴权密钥更新的控制参数和鉴权密钥进行计算得到所述相关信息;相应地,步骤b中,网络侧根据自己保存的所述控制参数进行相应的计算,得到一个计算结果是指根据自己保存的所述控制参数和对应终端用户的鉴权密钥进行相应的计算,得到一个计算结果。 Preferably, the step a further calculation according to the authentication key, i.e. authentication key for controlling the terminal according to the updated control parameters and said calculated key authentication information; accordingly, step b , the network-side control parameter calculation according to the their respective stored, a calculation result is obtained according to the means controlling its own stored authentication key parameter corresponding to the end user and the corresponding calculation, the calculation result.

优选地,步骤a中所述计算还根据随机数进行的,即终端根据用于控制鉴权密钥更新的控制参数和随机数进行计算得到所述相关信息;相应地,步骤b中,网络侧根据自己保存的所述控制参数进行相应的计算,得到一个计算结果是指根据自己保存的所述控制参数和所述随机数进行相应的计算,得到一个计算结果;所述随机数由终端保存或产生并发送给网络侧,或者由网络侧产生并发送给终端。 Preferably, the step a further calculation according to the random number, i.e., the terminal according to the control parameter for controlling an authentication key and a random number calculated by the update-related information; accordingly, step b, the network side said stored according to their respective control parameter calculation means to obtain a calculation result in accordance with the control parameters stored in its own random number and the corresponding calculation to obtain a calculation result; the random number stored by the terminal or generated and sent to the network side or the network side is generated and sent to the terminal.

优选地,步骤a中所述计算还根据鉴权密钥和随机数进行的,即终端根据用于控制鉴权密钥更新的控制参数和鉴权密钥以及随机数进行计算得到所述相关信息;相应地,步骤b中,网络侧根据自己保存的所述控制参数进行相应的计算,得到一个计算结果是指根据自己保存的所述控制参数和鉴权密钥以及所述随机数进行相应的计算,得到一个计算结果;所述随机数由终端保存或产生并发送给网络侧,或者由网络侧产生并发送给终端。 Preferably, the step a further calculation performed according to the random number and authentication key, i.e. authentication key for controlling the terminal according to the updated control parameters and an authentication key and a random number is calculated to obtain the related information ; accordingly, step b, the network side according to their respective calculations of the control parameter stored, to obtain a control parameter calculation means and the random number and authentication key held by itself according to the corresponding calculated to obtain a calculation result; or generate the random number stored by the terminal and sent to the network side, the network side is generated or sent to the terminal.

优选地,在步骤a之前,终端产生第一随机数,向网络侧HLR/AUC发送密钥更新请求消息,并携带该随机数;网络侧接收到终端发送的密钥更新请求消息后,产生第二随机数,根据对应终端用户的鉴权密钥和第一随机数进行计算得到第二计算结果,然后将第二随机数和第二计算结果发送给终端;终端接收到HLR/AUC发送的第二随机数和第二计算结果后,根据终端保存的鉴权密钥和第一随机数进行计算得到第一计算结果,终端比较第二计算结果和第一计算结果是否一致,如果不一致,则认为网络侧非法,然后接收密钥更新流程,否则,终端在步骤a根据获取的控制参数、保存的鉴权密钥和第二随机数进行计算得到获取的控制参数的相关信息,并将该相关信息发送给HLR/AUC;对应地,在步骤b,网络侧接收到所述相关信息后,根据自己保存的所述控制参数、对应终 Preferably, before step a, the terminal generates a first random number, / AUC transmits a key update request message to the network side HLR and carries the random number; after the network side receives the key update request message sent by the terminal, generates a first two random numbers, corresponding to the end user in accordance with the authentication key and the first random number to obtain a second calculation result is calculated, and then a second random number and sends the calculation result to the second terminal; terminal receives the HLR / AUC transmission of after two random number and the second calculation result, the terminal according to the stored authentication key and the first random number is calculated to obtain a first calculation result, the terminal and the first calculation result of the second comparison results are the same, if not, that illegal network side, and then receives the key update procedure, otherwise, according to the control terminal of the acquired parameters, stored authentication key and the second random number information calculated by the control parameter obtained in step a, and the related information sent to the HLR / AUC; after correspondingly, in step B, the network side receives the related information according to the stored control parameters themselves, the corresponding final 用户的鉴权密钥和第二随机数进行计算得到第四计算结果,网络侧比较自己计算得到的第四计算结果和所述相关信息是否一致,如果不一致,则认为所述相关信息非法,然后结束密钥更新流程,否则,网络侧根据对应终端用户的鉴权密钥和第一随机数与第二随机数中的任意一个随机数进行计算产生新鉴权密钥。 User authentication key and the second random number calculated by the fourth calculation result, whether or not the fourth network side comparing their results calculated and the related information, and if not, the information is considered illegal, and key update process ends, otherwise, the network generates a random number calculated in accordance with any new authentication key corresponding to the end-user authentication key and the first random number and second random numbers.

优选地,在步骤a还包括终端产生新鉴权密钥的步骤。 Preferably, the step a further comprises the step of generating a new terminal authentication key.

优选地,在步骤a还包括终端产生新鉴权密钥的步骤,终端和网络侧执行密钥更新是指,终端和网络侧分别根据鉴权密钥和所述随机数采用一致的算法进行计算产生新鉴权密钥。 Preferably, the step a further comprises the step of generating a new authentication key terminal, the terminal and the network refers to a key update, the terminal and the network side respectively according to the same algorithm to calculate the authentication key and the random number a new authentication key.

优选地,所述终端包括用户设备和用户卡,所述自己保存的控制参数是指设置于用户设备中的控制参数或者设置于用户卡中的控制参数。 Preferably, the terminal comprises a user equipment and a user card, the control parameter refers to its own stored control parameter settings in the user equipment or the user card is provided in the control parameters.

优选地,所述控制参数可以是密码,或终端的身份标识,或用户自定义的任意值。 Preferably, the control parameter value may be any identity code, or a terminal, or user-defined.

本发明提供的上述技术方案中,终端在发送密钥更新请求时,要求携带一个控制参数的相关信息,网络侧通过对该控制参数的相关信息的合法性进行验证,从而判断出所述密钥更新请求消息是否合法,这样网络侧就避免了错误响应非法克隆用户卡的密钥更新请求以及所导致的正常用户卡无法使用的问题。 The above technical solutions provided by the present invention, when the terminal transmits a key update request, the relevant information required to carry a control parameter, the network side of the legitimacy of the related information to authenticate the control parameters, and judges that the key update request message is legitimate, so that the network side to avoid the problem of illegal clone user error response card key update request and the normal user can not use the card as a result of. 由此,非法用户即使克隆了用户卡也无法通过克隆的用户卡更新鉴权密钥,进而达到防止非法用户通过非法克隆的用户卡更新鉴权密钥的目的。 Accordingly, even if the illegal user can not be cloned by cloning the user card of the card user authentication key update, and then to prevent the illegal user authentication to update the user card illegally key cloning purposes. 由于合法用户卡可以通过身份标识到营业厅设置或获得相应的用于控制鉴权密钥更新的控制参数,因此,该方法可以保证合法用户有效执行鉴权密钥的协商操作。 Since the card can identify legitimate users to the operating room setting or to obtain the corresponding control parameters for controlling the authentication key update, therefore, this method can ensure the effective implementation of negotiation operation legitimate user authentication key by identity 这样,合法用户卡通过不断或定期地更新鉴权密钥,不但提高了鉴权密钥的安全性,也防止了克隆用户卡正常使用。 In this way, the legitimate user card by continuously or periodically update the authentication key, not only improves the security of the authentication key, but also prevents the user card cloning normal use.

附图说明 BRIEF DESCRIPTION

图1为本发明具体实施方式的流程图。 DETAILED DESCRIPTION FIG. 1 is a flowchart of the embodiment of the invention.

图2是本发明的具体实施方式的第一实施例流程图。 FIG 2 is a flowchart illustrating a first example of specific embodiments of the present invention.

图3是本发明的具体实施方式的第二实施例流程图。 FIG 3 is a flowchart of a second embodiment of the specific embodiments of the present invention.

图4是本发明的具体实施方式的第三实施例流程图。 FIG 4 is a flowchart illustrating a third embodiment of the specific embodiments of the present invention.

具体实施方式 Detailed ways

本发明密钥更新协商方法通过在网络侧HLR/AUC设置密钥更新控制参数,终端在请求密钥更新时,要想HLR/AUC传送该控制参数的相关信息,使得网络侧HLR/AUC通过终端传送的所述相关信息,可以区分请求密钥更新的用户卡是否为一个合法用户卡,从而保证HLR/AUC不会错误地响应一个非法克隆用户卡发起的密钥更新请求,进而保证克隆用户卡不能长期正常使用。 The present invention is a method for negotiating a key update through the network HLR / AUC provided key update control parameters, when the terminal requests a key update, to HLR / AUC transmitting information about the control parameter, the network side so that the HLR / AUC by the terminal the information transmitted can distinguish a key update request to a valid user card whether the card user, thus ensuring the HLR / AUC is not a key update request in response to user card illegally clone initiated erroneously, thus ensuring the user card cloning not long-term normal use.

首先,在HLR/AUC终端用户的签约数据里设置用于控制鉴权密钥更新的控制参数。 First, the subscription data in HLR / AUC end user's authentication key control parameter for controlling the update is provided. 当终端需要和HLR/AUC协商更新鉴权密钥时,向和HLR/AUC发送密钥更新请求消息,并携带用于控制鉴权密钥更新的控制参数的相关信息,网络侧根据自己保存的用于控制鉴权密钥更新的控制参数来验证终端的请求密钥更新消息中携带的用于控制鉴权密钥更新的控制参数的相关信息是否合法,从而决定是否执行密钥更新操作。 And when the terminal needs to HLR / AUC negotiated authentication key updating, and the HLR / AUC transmitting key update request message, and carries the information for controlling authentication keys updated control parameter, the network side according to their stored a request to update the control parameter of the authentication key to authenticate a terminal for controlling the key update message carries the authentication key of the control parameter update information is legitimate, to determine whether a key update operation. 当终端保存的或终端用户输入的控制参数和HLR/AUC设置的控制参数一致时,HLR/AUC会判断出终端的请求密钥更新消息中携带的用于控制鉴权密钥更新的控制参数的相关信息合法,这样,由于克隆用户卡并不知道HLR/AUC中对应合法用户卡设置的所述控制参数信息,因此,克隆用户卡在与HLR/AUC协商更新鉴权密钥时,其请求鉴权密钥更新的请求消息中就无法携带正确的用于控制鉴权密钥更新的控制参数的相关信息,因此,HLR/AUC会判断出其请求密钥更新消息中携带的用于控制鉴权密钥更新的控制参数的相关信息不合法,这样,克隆用户卡也即无法与HLR/AUC有效地协商鉴权密钥的更新。 When the same control parameters stored in the terminal or end user inputs and control parameters HLR / AUC provided, HLR / AUC judges that the terminal key update request message carries a control parameter for controlling the update of the authentication key legal information, so that, since the card user does not know cloning HLR / AUC corresponding to the legitimate card user control setting parameter information, therefore, the card user when updating cloned authentication and key agreement HLR / AUC, which requested the authentication right key update request message can not carry the information for controlling the correct authentication key updating of the control parameters, thus, HLR / AUC will determine its authentication request for controlling a key update message carries the the key control parameter update the relevant information is not legal, so, that is not user card cloning / AUC effectively negotiate update the authentication keys and HLR.

本发明中,终端和HLR/AUC之间协商密钥更新的消息传送可以通过未结构化补充(附加)业务数据USSD来实现,也可以通过短消息来实现,也可以通过增加特别的信令消息来实现。 In the present invention, negotiation between the terminal and the HLR / AUC key update message may be supplemented by unstructured (additional) service data USSD achieved, may be realized by a short message, or by adding a special signaling message to fulfill.

本发明用于控制密钥更新的所述控制参数可以是一个密码,例如是一个用户PIN码(SPIN:Subscriber Personal Identification Number),也可以一个终端的身份标识,例如是终端的国际移动台设备标识(IMEI:InternationalMobile Station Equipment Identity),当然,也可以用户自定义的一个任意值,例如,用户的别名,用户的头像信息,或者是用户的头像数据的摘要信息,等等。 The present invention is for controlling the key update control parameter may be a password, for example, a user PIN code (SPIN: Subscriber Personal Identification Number), the identity may be a terminal, for example, international mobile station identifier of the terminal device (IMEI: InternationalMobile Station Equipment Identity), of course, an arbitrary value may be user-defined, for example, the user's alias, the user's avatar information or summary information of the avatar of the user data, and the like.

下面结合附图对本发明的具体实施方式进行详细的说明:首先,在HLR/AUC中对应终端用户的签约数据里设置用于控制鉴权密钥更新的控制参数。 The following drawings of specific embodiments of the present invention will be described in detail in conjunction with: First, in the corresponding HLR / AUC the end-user's subscription data provided for controlling authentication key updated control parameter. 用户可以通过营业厅,或者通过营业厅提供的服务电话接口或服务网站,在HLR/AUC中自己的签约数据里保存所述控制参数,当然,也可以由HLR/AUC随机产生该控制参数,并将该控制参数提供给相应的终端用户。 Users can through the operating room, or telephone service interface or service website provided by the operating room, the HLR / AUC in its subscription data stored in the control parameters, of course, can also randomly generate the control parameters by the HLR / AUC, and the control parameters corresponding to the end-user. 所述终端包括用户设备UE和用户卡。 The terminal includes a user card and a user equipment UE.

在需要更新鉴权密钥时,执行如下流程:请参阅图1,图1为本发明具体实施方式的流程图。 When the authentication key needs to be updated, performing the following process: Referring to FIG. 1, a flowchart of a particular embodiment of the present invention, FIG.

在步骤100,HLR/AUC预先保存对应终端用户的用于控制鉴权密钥更新的控制参数。 In step 100, HLR / AUC corresponding to the end user pre-stored control parameters for controlling the authentication key updating.

步骤101,终端获取控制参数,根据该控制参数得到该控制参数的相关信息。 Step 101, the terminal acquires a control parameter, to obtain information about the control parameter based on the control parameter.

步骤103,终端向网络侧发送密钥更新请求消息,该请求消息中携带用于控制鉴权密钥更新的控制参数的相关信息。 Step 103, the terminal transmits a key update request message to the network, the request message carries information for controlling authentication keys updated control parameter.

步骤105,网络侧接收到所述密钥更新请求消息后,根据自己保存的所述控制参数判断密钥更新请求消息中的控制参数的相关信息是否合法,如果合法,则执行步骤107,否则,结束密钥更新流程。 Step 105, the network side receives the key update request message, the control parameter is determined based on the information it maintains the control parameters in the key update request message is legitimate, if valid, step 107 is executed, otherwise, end key update process.

步骤107,HLR/AUC产生新鉴权密钥。 Step 107, HLR / AUC generates a new authentication key.

HLR/AUC产生了新鉴权密钥后,用新鉴权密钥替代原来的鉴权密钥执行与终端的鉴权。 After the HLR / AUC generates a new authentication key, the authentication key to replace the original authentication performed with the terminal with the new authentication key. 也即,HLR/AUC用新鉴权密钥产生鉴权元组。 I.e., HLR / AUC generates the authentication tuple with the new authentication key. 所述鉴权元组包括随机数RAND、期望响应XRES、加密密钥CK、完整性密钥IK和鉴权标记AUTN(Authentication Token)。 The authentication tuple comprises a random number RAND, an expected response XRES, an encryption key CK, the integrity key IK and the authentication token AUTN (Authentication Token). 产生鉴权元组时,HLR/AUC用随机数发生器产生的RAND和自身保存的鉴权密钥KI分别计算出XRES、CK、IK。 Authentication tuple is generated, RAND HLR / AUC generates the random number generator and stored by the authentication key KI were calculated XRES, CK, IK. 还根据RAND、KI、序列号SQNHE、鉴权管理域AMF产生AUTN。 The AMF is also generated AUTN RAND, KI, a serial number SQNHE, the authentication management field. 具体可以参见3GPP相关协议规定。 Specific can be found in the relevant 3GPP agreement.

步骤101或步骤103中,还可以包括终端产生新鉴权密钥的步骤。 Step 101 or step 103, the terminal may further comprise the step of generating the new authentication key. 只有当终端和HLR/AUC都相应地产生了新鉴权密钥时,双方在利用新鉴权密钥进行相互鉴权时才能够通过鉴权。 Only when the terminal and the HLR / AUC are accordingly when a new authentication key is generated, when the two sides in mutual authentication with the new authentication key through an authentication. 实际当中,可能会出现终端更新了鉴权密钥,但HLR/AUC没有更新鉴权密钥的情况发生,比如,由于某种原因,导致HLR/AUC判断终端更新密钥的请求消息非法,这时,HLR/AUC就不会更新鉴权密钥,此时,终端利用新产生的鉴权密钥对网络鉴权时将不会通过,这时,终端还可以退回到使用原来的鉴权密钥来对网络进行鉴权。 Practice, the terminal updates may occur authentication key, but HLR / AUC no authentication key updates occur, for example, for some reason, resulting in HLR / AUC determines the key update request message to the terminal illegally, this when, HLR / AUC authentication key is not updated, this time, a terminal authentication key using the newly generated on the network will not pass the authentication, then, the terminal can also be used to return to the original authentication key to the network for authentication. 因此,终端在更新密钥后,在没有利用新鉴权密钥对网络鉴权通过之前,还应该保存老的鉴权密钥,并在利用新鉴权密钥对网络鉴权通过时,再将老的鉴权密钥删去。 Therefore, the terminal after the update key, when not in use before the new authentication key to the network through authentication, you should also save the old authentication key, and take advantage of new authentication key to the network through authentication, and then the old authentication key deleted.

所述终端包括用户设备UE和用户卡。 The terminal includes a user card and a user equipment UE.

在步骤101中,所述终端获取控制参数可以是,终端的UE对应保存控制参数,终端直接获取UE保存的控制参数;也可以时用卡保存了控制参数,终端直接获取用户卡保存的控制参数;也可以是终端提示用户输入控制参数,终端根据用户输入获取所述控制参数。 In step 101, the terminal obtains the control parameters may be, the UE corresponding to the control parameters stored in the terminal, the terminal direct access to the control parameters stored in the UE; or when the card can be used to save the control parameters, the terminal direct access to the control parameters stored in the user card ; may also prompt the user to input the control parameters of the terminal, the terminal acquires the control parameter according to a user input.

当UE和用户卡都不保存控制参数时,可以是在需要更新鉴权密钥,也即,需要根据控制参数产生所述相关信息时,由UE提示用户输入控制参数,UE根据用户输入得到所述控制参数。 When the UE is not the card user and saving control parameter may be a need to update the authentication key, i.e., when the related information needs to be generated according to the control parameters by the UE to prompt the user to control parameters, to obtain the UE according to a user input said control parameters. 将控制参数保存在终端的UE或者用卡里的好处是,不需要在每次更新鉴权密钥时,都让用户输入控制参数,这样会具有更好的用户体验。 The control parameters are stored in the UE terminal or with a benefit card that does not require each update authentication key, let the user input control parameters, it will have a better user experience.

步骤101中,所述根据控制参数得到的控制参数的相关信息可以是该控制参数本身,对应的步骤105中根据自己保存的所述控制参数判断密钥更新请求消息中的控制参数的相关信息是否合法是指,网络侧比较自己保存的所述控制参数和密钥更新请求消息中的控制参数是否一致,如果一致,则认为所述相关信息合法,否则,认为所述相关请求信息非法。 In step 101, the control-related information according to the control parameters can be obtained for the control parameter itself, in step 105 the control parameters corresponding to the key update request information determines control parameters based on the message whether it maintains legal means to save their own network-side comparison of the control parameters and key control parameter update request if the message is consistent, if agreed, the relevant information is considered legitimate, otherwise considered the relevant information on illegal request.

步骤101中,所述根据控制参数得到控制参数的相关信息可以是,根据该控制参数计算得到所述相关信息,对应的步骤105中根据自己保存的所述控制参数判断密钥更新请求消息中的控制参数的相关信息是否合法是指,网络侧HLR/AUC根据自己保存的所述控制参数进行相应的计算,得到一个计算结果,比较自己计算得到的计算结果和密钥更新请求消息中的控制参数的相关信息是否一致,如果一致,则认为所述相关信息合法,否则,认为所述相关信息非法。 In step 101, the control parameter obtained according to the control parameter may be related information, the control parameter calculated according to the relevant information, in step 105 the corresponding control parameters stored in their own determination of the key update request message whether legitimate information refers to control parameter, the network side HLR / AUC according to the control parameters stored in their respective calculation, the calculation result, comparing their results calculated control parameters and key update request message the information is consistent, if agreed, the relevant information is considered legitimate, otherwise considered the relevant information illegally.

为了更好地展现本发明的思想和意义,以下将通过具体实施例来对本发明进行详细阐述。 In order to better show the idea and sense of the present invention, the following will be made in detail to specific embodiments of the present invention.

请参阅图2,图2所示为本发明具体实施方式的第一实施例,本实施例中终端在计算所述相关信息时还根据鉴权密钥进行计算,即终端根据获取的控制参数和鉴权密钥进行计算得到所述相关信息;相应地,步骤b中,网络侧HLR/AUC根据自己保存的所述控制参数和对应终端用户的鉴权密钥进行相应的计算,得到一个计算结果,HLR/AUC通过比较自己计算得到的计算结果和密钥更新请求消息中的所述相关信息是否一致来判断该请求消息是否合法。 Please refer to FIG. 2, FIG. 2 of the first embodiment illustrated specific embodiments of the present disclosure, embodiments of the present embodiment is calculated according to the terminal authentication key in the calculation of the correlation Shihai information, i.e. the control terminal according to the acquired parameters and calculate the authentication key information; accordingly, step b, the network side HLR / AUC and the control parameters corresponding to the end-user authentication key corresponding to their calculated according to the stored, a calculation result obtained , HLR / AUC calculated by comparing own results of calculations and the key update message related information agree to determine whether the request message is legitimate requests.

在步骤200,HLR/AUC预先保存对应终端用户的用于控制鉴权密钥更新的控制参数。 In step 200, HLR / AUC corresponding to the end user pre-stored control parameters for controlling the authentication key updating.

在步骤201,终端获取控制参数,根据控制参数和鉴权密钥进行计算得到该控制参数的相关信息。 In step 201, the terminal acquires the control parameters, the relevant information the control parameter calculated according to the control parameters and authentication key.

步骤203,终端向网络侧发送密钥更新请求消息,该请求消息中携带用于控制鉴权密钥更新的控制参数的相关信息。 Step 203, the terminal transmits a key update request message to the network, the request message carries information for controlling authentication keys updated control parameter.

步骤205,网络侧HLR/AUC接收到所述密钥更新请求消息后,根据自己保存的所述控制参数和对应终端用户的鉴权密钥进行计算得到一个计算结果。 Step 205, the network side HLR / AUC receives a key update request computing the message, the authentication key is calculated according to the control parameter stored in their corresponding result of the end user.

步骤207,HLR/AUC比较自己计算得到的计算结果和密钥更新请求消息中的控制参数的相关信息是否一致,如果一致,则认为合法,并则执行步骤209,否则,结束密钥更新流程。 Step 207, HLR / AUC comparing the calculated results and key update themselves whether to get information request message control parameters of the agreement, if the agreement is considered legitimate, and execute step 209, otherwise, the end of the key update process.

步骤209,HLR/AUC产生新鉴权密钥。 Step 209, HLR / AUC generates a new authentication key.

实际当中,由于按照现有3GPP规范,鉴权密钥保存在用户卡中,因此,如果控制参数在用户设备UE中设置时,在用户卡需要根据控制参数计算所述相关信息时,UE需要将控制参数传送给用户卡;如果控制参数在用户卡中设置时,在用户卡需要根据控制参数计算所述相关信息时,可以直接获取自己保存的控制参数,UE就不需要将控制参数传送给用户卡。 Practice, since in accordance with the existing 3GPP specifications, the user authentication key stored in the card, and therefore, if the control parameters are set in the user equipment UE, when a user card is required to calculate the control parameters according to the relevant information, the UE needs transmit a control parameter to the user card; If the control parameter settings in the user card, the user card is required to calculate the correlation parameters based on the control information, the control parameters may be obtained directly held by itself, the UE will not require the user to control the transmission parameters to the card.

本实施例中,在步骤201中,终端可以利用一个随机数来替代所述鉴权密钥来产生所述相关信息。 In this embodiment, at step 201, the terminal may use a random number instead of the authentication key to generate the related information. 相应地,在步骤205中,HLR/AUC可以根据自己保存的所述控制参数和所述随机数进行计算得到所述计算结果,以用于在步骤207中和密钥更新请求消息中的控制参数的相关信息进行一致性比较。 Accordingly, in step 205, HLR / AUC, and the parameters may be controlled based on the own stored random number is calculated to obtain the calculation result, the control parameters for the request in step 207 and the key update message related compares information for consistency. 这里的随机数可以由终端保存或产生并发送个HLR/AUC,也可以由HLR/AUC产生并发送给终端。 Where the random number can be saved or generated and transmitted a HLR / AUC by the terminal, may be generated concurrently by the HLR / AUC to the terminal. 所述终端保存,可以是终端保存了上次鉴权时,由网络侧下发的随机数。 Saved by the terminal, the terminal may be saved last authentication issued by the network side of the random number. 关于鉴权时,网络侧向终端下发的参数信息可以参见3GPP相关规范说明。 When the authentication on the network side to the terminal may send the parameter information related see 3GPP specification. 终端可以在发送所述请求密钥更新消息给HLR/AUC之前,先向HLR/AUC发送一个请求随机数的请求消息,HLR/AUC将产生的随机数通过该消息响应发送给终端。 The terminal may send the request before the key update message to the HLR / AUC, transmission Xianxiang HLR / AUC request message requesting a random number, the random number HLR / AUC transmits the generated response message to the terminal through. 或者终端在发送所述请求密钥更新消息给HLR/AUC之前,先向HLR/AUC发送一个更新密钥准备消息,并在消息中携带自己保存或产生的随机数,HLR/AUC接收到该消息后,保存该随机数,以用于后面的对密钥更新请求消息的处理。 Or the terminal transmitting the request message before the key update HLR / AUC to, Xianxiang HLR / AUC sending a key update message to prepare and carry save himself or the generated random number in the message, HLR / AUC receives the message after saving the random number, for processing of the key update request message is presented later.

为了密钥更新请求消息的安全,以及新产生的鉴权密钥的安全,产生所述控制参数的相关信息时,还应该采用随机数和鉴权密钥来进行,同时,产生鉴权密钥时,也应该根据一个随机数来进行。 In order to secure key update request message, and a security authentication key newly generated, generating information when the control parameter, and the random number should also be used to the authentication key, and generates an authentication key when, also should be performed according to a random number.

请参阅图3,图3所示为本发明具体实施方式的第二实施例,本实施例中终端在根据获取的控制参数产生所述相关信息时,不但根据了鉴权密钥,还根据了随机数来进行,即终端根据获取的控制参数和鉴权密钥以及随机数进行计算得到所述相关信息;相应地,网络侧HLR/AUC根据自己保存的所述控制参数和对应终端用户的鉴权密钥以及所述随机数进行相应的计算,得到一个计算结果,HLR/AUC通过比较自己计算得到的计算结果和密钥更新请求消息中携带的所述相关信息是否一致来判断该请求消息是否合法,以决定是否执行密钥更新操作。 Refer to FIG. 3, a second embodiment of the present invention, FIG particular embodiment shown in Figure 3, the present embodiment when generating the terminal-related information according to the acquired control parameters, not only according to the authentication key, according to a further a random number, i.e. terminal to calculate the control parameters and related information according to an authentication key and a random number obtained; accordingly, the network side HLR / AUC control parameter corresponding to the end-user according to its own stored discriminator the right key and the corresponding random number calculation, the calculation result, HLR / AUC calculated by comparing own results of calculations and the key update message carries the same information to determine whether the request message is a request legal, to decide whether a key update operations. 所述随机数由终端保存或产生并发送给网络侧,或者由网络侧产生并发送给终端。 Saving the random number generated by the terminal or sent to the network side or the terminal generates and sends the network side. 本实施例中,所述随机数由网络侧产生并发送给终端。 In this embodiment, the random number is generated and sent to the terminal by the network side.

在步骤300,HLR/AUC预先保存对应终端用户的用于控制鉴权密钥更新的控制参数。 In step 300, HLR / AUC corresponding to the end user pre-stored control parameters for controlling the authentication key updating.

在步骤301,终端向网络侧HLR/AUC发送密钥更新请求消息。 In step 301, the terminal / AUC transmits a key update request message to the network side HLR.

步骤303,HLR/AUC接收到终端发送的密钥更新请求消息后,产生一个随机数发送给终端。 Step 303, HLR / AUC receives the key update request message sent by the terminal, the terminal generates a random number to send.

步骤305,终端根据获取的控制参数、鉴权密钥和所述随机数进行计算得到控制参数的相关信息,根据所述随机数和鉴权密钥进行计算产生新鉴权密钥。 Step 305, terminal information control parameters calculated in accordance with the control parameter acquired authentication key and the random number, calculates a new authentication key according to the random number and the authentication key.

在这里,所述终端获取控制参数可以是,终端的UE对应保存控制参数,终端直接获取UE保存的控制参数;也可以时用卡保存了控制参数,终端直接获取用户卡保存的控制参数;也可以是终端提示用户输入控制参数,终端根据用户输入获取所述控制参数。 Here, the terminal obtains the control parameters may be, the UE corresponding to the control parameters stored in the terminal, the terminal direct access to the control parameters stored in the UE; or when the card can be used to save the control parameters, the terminal direct access to the control parameters stored in the user card; also a terminal may prompt the user for the control parameters, the terminal acquires the control parameter according to a user input.

当UE和用户卡都不保存控制参数时,可以是在需要更新鉴权密钥,也即,需要根据控制参数产生所述相关信息时,由UE提示用户输入控制参数,UE根据用户输入得到所述控制参数。 When the UE is not the card user and saving control parameter may be a need to update the authentication key, i.e., when the related information needs to be generated according to the control parameters by the UE to prompt the user to control parameters, to obtain the UE according to a user input said control parameters. 将控制参数保存在终端的UE或者用卡里的好处是,不需要在每次更新鉴权密钥时,都让用户输入控制参数,这样会具有更好的用户体验。 The control parameters are stored in the UE terminal or with a benefit card that does not require each update authentication key, let the user input control parameters, it will have a better user experience.

步骤307,终端向网络侧发送所述相关信息。 Step 307, the terminal transmits the correlation information to the network side.

步骤309,网络侧HLR/AUC接收到所述密钥更新请求消息后,根据自己保存的所述控制参数和对应终端用户的鉴权密钥以及所述随机数进行计算得到一个计算结果。 Step 309, the network side HLR / AUC receives a calculation result of the key update request message, according to their calculated to obtain the control parameter stored in the corresponding end-user and an authentication key and the random number.

步骤311,HLR/AUC比较自己计算得到的计算结果和所述相关信息是否一致,如果一致,则认为合法,并则执行步骤313,否则,结束密钥更新流程。 Step 311, HLR / AUC obtained by comparing the calculated own calculations and the related information is consistent, if the agreement is considered legitimate, and execute step 313, otherwise, the end of the key update process.

步骤313,HLR/AUC根据对应终端用户的鉴权密钥和所述随机数采用和终端计算新鉴权密钥一致的算法进行计算产生新鉴权密钥。 Step 313, HLR / AUC generates a new authentication key is calculated according to the corresponding end user authentication key and the random number using the same algorithm and the terminal calculates the new authentication key.

实际当中,由于按照现有3GPP规范,鉴权密钥保存在用户卡中,因此,如果控制参数在用户设备UE中设置时,在用户卡需要根据控制参数计算所述相关信息时,UE需要将控制参数传送给用户卡;如果控制参数在用户卡中设置时,在用户卡需要根据控制参数计算所述相关信息时,可以直接获取自己保存的控制参数,UE就不需要将控制参数传送给用户卡。 Practice, since in accordance with the existing 3GPP specifications, the user authentication key stored in the card, and therefore, if the control parameters are set in the user equipment UE, when a user card is required to calculate the control parameters according to the relevant information, the UE needs transmit a control parameter to the user card; If the control parameter settings in the user card, the user card is required to calculate the correlation parameters based on the control information, the control parameters may be obtained directly held by itself, the UE will not require the user to control the transmission parameters to the card.

为了增强用户卡的安全性,针对第二实施例,还增加了终端产生随机数,并用该随机数参与所述相关信息的计算,以及新鉴权密钥的计算,同时还增加终端对HLR/AUC的认证。 To enhance the security the user's card, for the second embodiment, also increased the terminal generates a random number, and to participate in the calculation of the correlation information, and calculates a new authentication key using the random number, while also increasing the terminal HLR / AUC certification.

请参阅图4,图4所示为本发明具体实施方式的第三实施例,本实施例中终端在根据获取的控制参数产生所述相关信息时,不但根据了鉴权密钥,还根据了两个随机数来进行,其中第一随机数由终端产生,并发送给HLR/AUC,第二随机数由HLR/AUC产生并发送给终端;即终端根据获取的控制参数、鉴权密钥、第一随机数和第二随机数进行计算得到所述相关信息;相应地,网络侧HLR/AUC根据自己保存的所述控制参数、对应终端用户的鉴权密钥、第一随机数和第二随机数进行相应的计算,得到一个计算结果,HLR/AUC通过比较自己计算得到的计算结果和密钥更新请求消息中携带的所述相关信息是否一致来判断该请求消息是否合法,以决定是否执行密钥更新操作。 Please refer to FIG. 4, which illustrates a third embodiment of the present invention specific embodiments, the present embodiment when generating the terminal-related information according to the acquired control parameters, not only according to the authentication key, according to a further random number to two, wherein a first random number generated by the terminal, and sends the HLR / AUC, the second random number is generated and sent to the terminal by the HLR / AUC; i.e., a control terminal according to the parameter acquired authentication key, the first random number and the second random number is calculated to obtain the relevant information; accordingly, the network side HLR / AUC according to the control parameters stored in its own, the authentication key corresponding to the end user, the first and second random numbers the corresponding random number calculation, the calculation result, HLR / AUC calculated by comparing own results of calculations and the key update message carries the same information to determine whether the request is legitimate request message to decide whether to perform key update operations. 执行密钥更新操作时,终端和HLR/AUC都根据了第一随机数和第二随机数来进行计算。 When a key update operation, the terminal and HLR / AUC are in accordance with the first random number and second random number to be calculated. 本实施例中,所述随机数由网络侧产生并发送给终端。 In this embodiment, the random number is generated and sent to the terminal by the network side.

在步骤400,HLR/AUC预先保存对应终端用户的用于控制鉴权密钥更新的控制参数。 In step 400, HLR / AUC corresponding to the end user pre-stored control parameters for controlling the authentication key updating.

在步骤401,终端产生第一随机数,向网络侧HLR/AUC发送密钥更新请求消息,并携带该随机数。 In step 401, the terminal generates a first random number, / AUC transmits a key update request message to the network side HLR and carries the random number.

步骤403,HLR/AUC接收到终端发送的密钥更新请求消息后,产生第二随机数,根据对应终端用户的鉴权密钥、自己预先保存的控制参数、第一随机数和第二随机数按照第一算法进行计算得到第二计算结果,然后将第二随机数和第二计算结果发送给终端。 Step 403, HLR / AUC receives the key update request message sent by a terminal, generating a second random number, according to the authentication key corresponding to the end user, pre-stored control parameters themselves, the first random number and second random number calculating a second calculation result obtained in accordance with a first algorithm and a second random number and sends the calculation result to the second terminal.

步骤405,终端接收到HLR/AUC发送的第二随机数和第二计算结果后,根据终端保存的鉴权密钥、获取的控制参数、第一随机数和第二随机数按照第一算法进行计算得到第一计算结果。 Step 405, After receiving the second random number and the second calculation result HLR / AUC transmitted, the terminal authentication key according to the stored control parameters acquired first random number and the second random number in accordance with a first algorithm first calculation result calculated.

步骤407,终端比较第二计算结果和第一计算结果是否一致,如果一致,则,认为HLR/AUC合法,并执行步骤409,否则,认为HLR/AUC非法,并结束密钥更新流程。 In step 407, the terminal compares the first and second calculation results are consistent, if agreed, then, that the HLR / AUC legal and step 409, otherwise, that the HLR / AUC illegal, and end key update process.

步骤409,终端根据获取的控制参数、保存的鉴权密钥、第一随机数和第二随机数按照第二算法进行计算得到控制参数的相关信息,并根据所述第一随机数、第二随机数和鉴权密钥进行计算产生新鉴权密钥,终端将产生的所述相关信息发送给HLR/AUC。 In step 409, the terminal according to the acquired control parameters, stored authentication key, the first random number and the second random number information calculated in accordance with a second algorithm of the control parameter, and according to the first random number, the second random number and the authentication key to generate a new authentication key is calculated, the transmitting terminal generates information to HLR / AUC.

在这里,所述终端获取控制参数可以是,终端的UE对应保存控制参数,终端直接获取UE保存的控制参数;也可以是用户卡保存了控制参数,终端直接获取用户卡保存的控制参数;也可以是终端提示用户输入控制参数,终端根据用户输入获取所述控制参数。 Here, the terminal obtains control parameters may be, the UE corresponding to the control parameters stored in the terminal, the terminal direct access to the control parameters stored in the UE; user card may be stored control parameters, the terminal direct access to the control parameters stored in the user card; also a terminal may prompt the user for the control parameters, the terminal acquires the control parameter according to a user input.

当UE和用户卡都不保存控制参数时,可以是在需要更新鉴权密钥,也即,需要根据控制参数产生所述相关信息时,由UE提示用户输入控制参数,UE根据用户输入得到所述控制参数。 When the UE is not the card user and saving control parameter may be a need to update the authentication key, i.e., when the related information needs to be generated according to the control parameters by the UE to prompt the user to control parameters, to obtain the UE according to a user input said control parameters. 将控制参数保存在终端的UE或者用卡里的好处是,不需要在每次更新鉴权密钥时,都让用户输入控制参数,这样会具有更好的用户体验。 The control parameters are stored in the UE terminal or with a benefit card that does not require each update authentication key, let the user input control parameters, it will have a better user experience.

步骤411,网络侧HLR/AUC接收到发自终端的所述相关信息后,根据自己保存的所述控制参数、对应终端用户的鉴权密钥、第一随机数和第二随机数按照第二算法进行计算得到第四计算结果。 Step 411, the network side HLR / AUC upon receiving the information sent from the terminal, according to the stored control parameters themselves, the authentication key corresponding to the end user, the first random number and second random number in accordance with a second algorithm to calculate the fourth calculation results.

步骤413,HLR/AUC比较自己计算得到的第四计算结果和所述接收自终端的相关信息是否一致,如果一致,则认为所述相关信息合法,并则执行步骤415,否则,结束密钥更新流程。 Step 413, HLR / AUC compares its own calculation result calculated by the fourth and the information received from the terminal are the same, if they are consistent, the information is considered valid, and step 415 is executed, otherwise, the end of the key update Process.

步骤415,HLR/AUC根据对应终端用户的鉴权密钥、第一随机数和第二随机数采用和终端计算新鉴权密钥一致的算法进行计算产生新鉴权密钥。 Step 415, HLR / AUC according to an authentication key corresponding to the end user, the first random number and second random number and using the same terminal calculates the new authentication key generation algorithm calculates a new authentication key.

终端在步骤409和HLR/AUC在步骤415计算新鉴权密钥时,可以仅根据对应的鉴权密钥和两个随机数中的任意一个进行计算得到。 Terminal at step 409 and HLR / AUC new authentication key is calculated in step 415, it may be any according to the corresponding two authentication key and a random number is performed only calculated. 在仅根据对应鉴权密钥和第一随机数计算新鉴权密钥的情况下,终端产生新鉴权密钥的操作也可以不在步骤409执行,而是在步骤401执行,这种情况属于该劣,因为,在步骤407,终端可能对网络侧HLR/AUC验证不通过。 In the case where only the calculation according to the new authentication key corresponding to the authentication key and the first random number, the terminal generates a new authentication key operation can not be performed in step 409, but is performed at step 401, this case belongs to the inferior, because, at step 407, the network-side terminal may HLR / AUC authentication fails. 本领域技术人员根据该实施例和本简化指示可以得到对应的简化应用,因此,本发明不再赘述该简化实施例。 Those skilled in the art may be simplified according to this embodiment corresponding to the application of the present embodiment and a simplified indication, therefore, no further description of the simplified embodiment.

作为简化的处理,HLR/AUC在步骤403中计算第二计算结果时,可以只根据对应鉴权密钥、自己保存的控制参数和第一随机数来进行,而不让所述第二随机数参与计算;对应地,终端在步骤405中,计算第一计算结果时,可以只根据保存的鉴权密钥、获取的控制参数和第一随机数来进行,而不让所述第二随机数参与计算。 As simplified processing, HLR / AUC second calculation result calculated in step 403 may be based on only a corresponding authentication key, the control parameters and their storage to a first random number, the second random number without giving participate in the calculation; correspondingly, the terminal in step 405, the calculation result of the first calculation may be performed only according to the stored authentication key, and the control parameter acquired first random number, the second random number without giving involved in the calculation. 本领域技术人员根据该实施例和本简化指示可以得到对应的简化应用,因此,本发明不再赘述该简化实施例。 Those skilled in the art may be simplified according to this embodiment corresponding to the application of the present embodiment and a simplified indication, therefore, no further description of the simplified embodiment.

当然,作为进一步简化处理,HLR/AUC在步骤403中计算第二计算结果时,可以只根据对应鉴权密钥和第一随机数来进行,而不让所述保存的控制参数和第二随机数参与计算;对应地,终端在步骤405中,计算第一计算结果时,可以只根据保存的鉴权密钥和第一随机数来进行,而不让所述获取的控制参数和第二随机数参与计算。 Of course, as a further simplified, the second calculation result when the HLR / AUC calculated in step 403 may be performed only according to the corresponding first random number and the authentication key, without letting the control parameter and the stored second random calculating the number of participation; correspondingly, the terminal in step 405, the calculation result of the first calculation may be performed only according to the stored first random number and the authentication key, without letting the control parameter and the acquired second random the number involved in the calculation. 本领域技术人员根据该实施例和本简化指示可以得到对应的简化应用,因此,本发明不再赘述该简化实施例。 Those skilled in the art may be simplified according to this embodiment corresponding to the application of the present embodiment and a simplified indication, therefore, no further description of the simplified embodiment.

作为简化的处理,终端在步骤409产生所述相关信息时,可以只根据获取的控制参数、保存的鉴权密钥和第二随机数进行计算得到所述控制参数的相关信息,而不再让所述第一随机数参与计算;对应地,HLR/AUC在步骤411计算第四计算结果时,只根据自己保存的所述控制参数、对应终端用户的鉴权密钥和第二随机数进行计算来得到第四计算结果,而不再让所述第一随机数参与计算。 As a simplified process, the terminal-related information generating step 409, the control parameters can be obtained according to the stored authentication key and the second random number calculated only get information of said control parameter, not let involved in the calculation of the first random number; correspondingly, HLR / AUC the fourth calculation result of the calculation at step 411, only the control parameters stored in their corresponding end-user authentication key and the second random number calculated fourth calculation result obtained without let the first random number computation. 本领域技术人员根据该实施例和本简化指示可以得到对应的简化应用,因此,本发明不再赘述该简化实施例。 Those skilled in the art may be simplified according to this embodiment corresponding to the application of the present embodiment and a simplified indication, therefore, no further description of the simplified embodiment.

本领域技术任意很容易理解,步骤411计算第四计算结果的操作也可以在步骤403完成。 Technical any of the art will readily appreciate, the results of the fourth calculation step 411 operation may be completed in step 403.

所述第一算法和第二算法可以相同,实际当中,可以通过调整参数顺序来改变计算结果。 Said first and second algorithms may be the same practice, the results may be varied by adjusting the parameter order. 例如,在计算所述第一计算结果和第二计算结果时,可以先根据鉴权密钥与第一随机数进行,而后再结合其它运算参数进行计算;在计算所述相关信息与第四计算结果时,先根据鉴权密钥与所述控制参数进行,而后再结合其它运算参数进行计算。 For example, in the calculation of the first calculation result and second calculation result, in accordance with the first authentication key and the first random numbers, but then in conjunction with other operational parameters are calculated; in the fourth calculating the correlation information calculation As a result, according to the authentication key and the first control parameter, and then in connection with other operation parameters are calculated. 算法设计将保证在调整参数顺序后,将得到不同的输出结果。 Algorithm design will ensure that after the parameter adjustment sequence, will get a different output.

上述MSC/VLR为电路域设备,对于分组域的网络,对应的MSC/VLR设备为SGSN,因此本发明可以等同应用于分组域。 Above MSC / VLR is a CS domain device, the network packet domain, the corresponding MSC / VLR to the SGSN device, thus the present invention can be equally applied to the packet domain.

上述各个具体实施方式或实施例中,终端和HLR/AUC产生新鉴权密钥,以及计算第一计算结果、第二计算结果,计算所述控制参数的相关信息,计算第四计算结果等等的计算,可以是使用成熟的摘要算法,相应摘要算法可以参见《应用密码学》一书或相关的算法论文或报告;特别地,对于第二、第三实施例,产生新密钥时,也可以使用3GPP协议中提到的由随机数RAND和鉴权密钥KI产生加密密钥CK或完整性密钥IK的算法来进行。 Various embodiments or the above-described embodiments, the terminal and the HLR / AUC generates a new authentication key, and calculates a first calculation result and second calculation results, the calculated information of said control parameter, the fourth calculation results and the like calculation may use sophisticated digest algorithm, corresponding digest algorithm can be found in "applied cryptography" book or paper or algorithms associated report; in particular, when the second, the third embodiment, generating a new key, also algorithm may be used to produce the encrypted key CK or integrity key IK of a random number RAND and the authentication key KI 3GPP protocol referred to.

本发明用于控制密钥更新的所述控制参数可以是一个密码,例如是一个用户PIN码SPIN;也可以一个终端的身份标识,例如是终端的IMEI;当然,也可以用户自定义的一个任意值,例如,用户的别名,用户的头像信息,或者是用户的头像数据的摘要信息,等等。 The present invention is for controlling the key update control parameter may be a password, for example, a user PIN code SPIN; identity may be a terminal, for example terminal IMEI; of course, may be a user-defined arbitrary values, e.g., the user's alias, the user's avatar information or digest information, the user's picture data and the like.

可以理解,以上所述仅为本发明的较佳实施例,并不用以限制本发明,凡在本发明的精神和原则之内所作的任何修改、等同替换、改进等,均应包含在本发明的保护范围之内。 It will be appreciated, the above embodiments are merely preferred embodiments of the present invention, not intended to limit the present invention, any modifications within the spirit and principle of the present invention, equivalent substitutions, improvements, etc., are all included in the present invention, within the scope of protection.

Claims (11)

1.一种密钥更新协商方法,应用于通信网络中,其特征在于,所述方法包括,在网络侧设置用于控制鉴权密钥更新的控制参数:a.终端向网络侧发送密钥更新请求消息,并携带用于控制鉴权密钥更新的控制参数的相关信息;b.网络侧接收到所述密钥更新请求消息后,根据自己保存的所述控制参数判断密钥更新请求消息中的控制参数的相关信息是否合法,如果合法,则执行密钥更新,否则,结束密钥更新流程。 A negotiation key update method applied to a communication network, wherein the method comprises, at the network side is provided for the control parameter update authentication key:. A terminal transmits a key to the network side update request message, and carries the information for controlling a control parameter of the authentication key updating;. b after the network side receives the key update request message, in accordance with their control parameter stored in the key update request message determines Related information control parameter is legitimate, if valid, the key update, otherwise, the key update process.
2.根据权利要求1所述的方法,其特征在于:步骤a中所述携带的用于控制鉴权密钥更新的控制参数的相关信息是该控制参数本身,步骤b中所述根据自己保存的所述控制参数判断密钥更新请求消息中的控制参数相关信息是否合法进一步是,网络侧比较自己保存的所述控制参数和密钥更新请求消息中的控制参数是否一致,如果一致,则认为所述相关信息合法,否则,认为所述相关请求信息非法。 2. The method according to claim 1, wherein: the information carried in a step for controlling authentication key updated control parameter is the control parameter itself, the step (b) according to their storage the control parameter is determined whether the key update request message control parameter is further related to legal information, the network side compares its own stored in the control parameter and the control parameter whether the key update request message is consistent, if yes, that the relevant legal information, otherwise, considered the request for information related to illegal.
3.根据权利要求1所述的方法,其特征在于:步骤a中所述携带的用于控制鉴权密钥更新的控制参数的相关信息是根据该控制参数计算得到,步骤b中所述根据自己保存的所述控制参数判断密钥更新请求消息中的控制参数相关信息是否合法进一步是,网络侧根据自己保存的所述控制参数进行相应的计算,得到一个计算结果,比较自己计算得到的计算结果和密钥更新请求消息中的控制参数的相关信息是否一致,如果一致,则认为所述相关信息合法,否则,认为所述相关信息非法。 3. The method according to claim 1, wherein: the information carried in a step for controlling the authentication key updating control parameters are calculated in accordance with the control parameter, according to said step b it maintains the control parameter is determined whether the key update request message control parameter is further related to legal information, the network side according to their respective calculations of the control parameter stored, to obtain a calculation result calculated by comparing own calculation whether the results of relevant information and key control parameter update request message is consistent, if agreed, the relevant information is considered legitimate, otherwise considered the relevant information illegally.
4.根据权利要求3所述的方法,其特征在于:步骤a中所述计算还根据鉴权密钥进行的,即终端根据用于控制鉴权密钥更新的控制参数和鉴权密钥进行计算得到所述相关信息;相应地,步骤b中,网络侧根据自己保存的所述控制参数进行相应的计算,得到一个计算结果是指根据自己保存的所述控制参数和对应终端用户的鉴权密钥进行相应的计算,得到一个计算结果。 4. The method according to claim 3, wherein: said step a further calculation according to the authentication key, i.e., for controlling the terminal according to the updated control parameters authentication key and authentication key the calculated correlation information; accordingly, step b, the network side according to their respective calculations of the control parameters stored, a calculation result obtained is the authentication means corresponding to the control parameters and their end users based on the stored key corresponding calculation, a calculation result obtained.
5.根据权利要求3所述的方法,其特征在于:步骤a中所述计算还根据随机数进行的,即终端根据用于控制鉴权密钥更新的控制参数和随机数进行计算得到所述相关信息;相应地,步骤b中,网络侧根据自己保存的所述控制参数进行相应的计算,得到一个计算结果是指根据自己保存的所述控制参数和所述随机数进行相应的计算,得到一个计算结果;所述随机数由终端保存或产生并发送给网络侧,或者由网络侧产生并发送给终端。 The method according to claim 3, wherein: said step of calculating further be a random number, i.e., calculated with the terminal authentication key for controlling a control parameter and update the nonce related information; accordingly, step b, the network side according to the control parameters stored in their respective calculated to obtain a control parameter calculation means and the random number is calculated based on the their respective stored, to give a calculation result; or generating the random number stored by the terminal and sent to the network side, the network side is generated or sent to the terminal.
6.根据权利要求3所述的方法,其特征在于:步骤a中所述计算还根据鉴权密钥和随机数进行的,即终端根据用于控制鉴权密钥更新的控制参数和鉴权密钥以及随机数进行计算得到所述相关信息;相应地,步骤b中,网络侧根据自己保存的所述控制参数进行相应的计算,得到一个计算结果是指根据自己保存的所述控制参数和鉴权密钥以及所述随机数进行相应的计算,得到一个计算结果;所述随机数由终端保存或产生并发送给网络侧,或者由网络侧产生并发送给终端。 6. The method according to claim 3, wherein: said step of calculating a further authentication key and performed according to the random number, i.e., the terminal key update control parameters for controlling authentication and authentication according to key and a random number is calculated to obtain the relevant information; accordingly, step b, the network side corresponding to the calculated control parameters stored in its own, to obtain a control parameter calculation means based on said stored and their authentication key and the random number corresponding calculated to obtain a calculation result; or generate the random number stored by the terminal and sent to the network side, the network side is generated or sent to the terminal.
7.根据权利要求3所述的方法,其特征在于:在步骤a之前,终端产生第一随机数,向网络侧HLR/AUC发送密钥更新请求消息,并携带该随机数;网络侧接收到终端发送的密钥更新请求消息后,产生第二随机数,根据对应终端用户的鉴权密钥和第一随机数进行计算得到第二计算结果,然后将第二随机数和第二计算结果发送给终端;终端接收到HLR/AUC发送的第二随机数和第二计算结果后,根据终端保存的鉴权密钥和第一随机数进行计算得到第一计算结果,终端比较第二计算结果和第一计算结果是否一致,如果不一致,则认为网络侧非法,然后接收密钥更新流程,否则,终端在步骤a根据获取的控制参数、保存的鉴权密钥和第二随机数进行计算得到获取的控制参数的相关信息,并将该相关信息发送给HLR/AUC;对应地,在步骤b,网络侧接收到所述相关信息后,根据 7. The method according to claim 3, wherein: before step a, the terminal generates a first random number, / AUC transmits a key update request message to the network side HLR and carries the random number; the network side receives the key update request message sent by a terminal, generating a second random number to obtain a second calculation result calculated according to the corresponding terminal user authentication key and the first random number, and then transmits the second random number and the second calculation result to the terminal; after receiving the second random number and the second calculation result HLR / AUC transmitted, the terminal according to the stored authentication key and the first random number is calculated to obtain a first calculation result and second calculation result comparison terminal if the first calculation result, and if not, the network side is considered illegal, and then receives the key update procedure, otherwise, according to the control terminal of the acquired parameters, stored authentication key and a second random number obtained in step a calculated acquiring control parameters related information and transmits the related information to the HLR / AUC; after correspondingly, in step B, the network side receives the relevant information, in accordance with 己保存的所述控制参数、对应终端用户的鉴权密钥和第二随机数进行计算得到第四计算结果,网络侧比较自己计算得到的第四计算结果和所述相关信息是否一致,如果不一致,则认为所述相关信息非法,然后结束密钥更新流程,否则,网络侧根据对应终端用户的鉴权密钥和第一随机数与第二随机数中的任意一个随机数进行计算产生新鉴权密钥。 The already stored control parameters corresponding to the end-user authentication key and the second random number calculated by the fourth calculation result, whether or not the fourth network side comparing their results calculated and the related information, and if not , the relevant information is considered illegal, then the key update procedure ends, otherwise, the network-side is calculated to generate a new random number corresponding to the end-user discriminator according to any of the authentication key and the first random number and the second random numbers right keys.
8.根据权利要求1到7中任一所述的方法,其特征在于:在步骤a还包括终端产生新鉴权密钥的步骤。 8. The method according to any of claims 1 to 7, wherein: in step a further comprises the step of generating a new terminal authentication key.
9.根据权利要求5或6或7所述的方法,其特征在于:在步骤a还包括终端产生新鉴权密钥的步骤,终端和网络侧执行密钥更新是指,终端和网络侧分别根据鉴权密钥和所述随机数采用一致的算法进行计算产生新鉴权密钥。 9. The method of claim 5 or 6 or according to claim 7, wherein: in step a further comprises the step of generating a new authentication key terminal, the terminal and the network refers to a key update, the terminal and the network side, respectively, generating a new authentication key according to the authentication key and the random number is calculated using the same algorithm.
10.根据权利要求1所述的方法,其特征在于:所述终端包括用户设备和用户卡,所述自己保存的控制参数是指设置于用户设备中的控制参数或者设置于用户卡中的控制参数。 Controlling said terminal device comprises a user card and a user, the control parameter refers to its own stored control parameter settings in the user equipment or the user card is provided: 10. A method according to claim 1, characterized in that parameter.
11.根据权利要求1所述的方法,其特征在于:所述控制参数可以是密码,或终端的身份标识,或用户自定义的任意值。 11. The method according to claim 1, wherein: the control parameter may be a password, or the identity of the terminal, or any user-defined value.
CN 200510113030 2005-09-02 2005-09-29 Updating protocal method of secret keys CN100346668C (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN200510037046 2005-09-02
CN 200510113030 CN100346668C (en) 2005-09-02 2005-09-29 Updating protocal method of secret keys

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
CN 200510113030 CN100346668C (en) 2005-09-02 2005-09-29 Updating protocal method of secret keys
PCT/CN2006/002257 WO2007025484A1 (en) 2005-09-02 2006-09-01 Updating negotiation method for authorization key and device thereof
CN 200680012329 CN101160784B (en) 2005-09-02 2006-09-01 Cipher key updating negotiation method and apparatus

Publications (2)

Publication Number Publication Date
CN1835633A true CN1835633A (en) 2006-09-20
CN100346668C CN100346668C (en) 2007-10-31

Family

ID=37003199

Family Applications (2)

Application Number Title Priority Date Filing Date
CN 200510113030 CN100346668C (en) 2005-09-02 2005-09-29 Updating protocal method of secret keys
CN 200680012329 CN101160784B (en) 2005-09-02 2006-09-01 Cipher key updating negotiation method and apparatus

Family Applications After (1)

Application Number Title Priority Date Filing Date
CN 200680012329 CN101160784B (en) 2005-09-02 2006-09-01 Cipher key updating negotiation method and apparatus

Country Status (2)

Country Link
CN (2) CN100346668C (en)
WO (1) WO2007025484A1 (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2009043294A1 (en) * 2007-09-28 2009-04-09 Huawei Technologies Co., Ltd. The method and device for updating the key in the active state
CN103442012A (en) * 2013-09-02 2013-12-11 中国联合网络通信集团有限公司 Method and device for realizing subscription information transfer between devices of Internet of things
CN103607277A (en) * 2013-11-18 2014-02-26 中国联合网络通信集团有限公司 Secret key updating processing method, device and system
US8737616B2 (en) 2008-11-13 2014-05-27 Huawei Technologies Co., Ltd. Method and apparatus for identifying CGA public key, and method, apparatus, and system for determining CGA public key

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
FI102235B1 (en) * 1996-01-24 1998-10-30 Nokia Telecommunications Oy Authentication keys control mobile communication system
FI108977B (en) 1999-11-22 2002-04-30 Nokia Corp Telecommunications services billing
CN1457173A (en) 2002-05-08 2003-11-19 英华达股份有限公司 Updating network encrypted pins method

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2009043294A1 (en) * 2007-09-28 2009-04-09 Huawei Technologies Co., Ltd. The method and device for updating the key in the active state
CN101400059B (en) 2007-09-28 2010-12-08 华为技术有限公司 Cipher key updating method and device under active state
US8023658B2 (en) 2007-09-28 2011-09-20 Huawei Technologies Co., Ltd. Method and apparatus for updating a key in an active state
US8144877B2 (en) 2007-09-28 2012-03-27 Huawei Technologies Co., Ltd. Method and apparatus for updating a key in an active state
US8300827B2 (en) 2007-09-28 2012-10-30 Huawei Technologies Co., Ltd. Method and apparatus for updating key in an active state
US10057769B2 (en) 2007-09-28 2018-08-21 Huawei Technologies Co., Ltd. Method and apparatus for updating a key in an active state
US9031240B2 (en) 2007-09-28 2015-05-12 Huawei Technologies Co., Ltd. Method and apparatus for updating a key in an active state
US8737616B2 (en) 2008-11-13 2014-05-27 Huawei Technologies Co., Ltd. Method and apparatus for identifying CGA public key, and method, apparatus, and system for determining CGA public key
CN103442012B (en) * 2013-09-02 2016-06-22 中国联合网络通信集团有限公司 Method and device that CAMEL-Subscription-Information migrates is realized between internet of things equipment
CN103442012A (en) * 2013-09-02 2013-12-11 中国联合网络通信集团有限公司 Method and device for realizing subscription information transfer between devices of Internet of things
CN103607277A (en) * 2013-11-18 2014-02-26 中国联合网络通信集团有限公司 Secret key updating processing method, device and system
CN103607277B (en) * 2013-11-18 2016-08-03 中国联合网络通信集团有限公司 The processing method of key updating, system and key management platform

Also Published As

Publication number Publication date
CN101160784B (en) 2010-10-27
WO2007025484A1 (en) 2007-03-08
CN101160784A (en) 2008-04-09
CN100346668C (en) 2007-10-31

Similar Documents

Publication Publication Date Title
JP3742772B2 (en) Integrity check in communication systems
ES2604579T3 (en) Method and system for delegating security procedures to a visited domain
RU2446606C1 (en) Method of access with authentication and access system with authentication in wireless multi-hop network
ES2367692T3 (en) Improved security design for cryptopraphy in mobile communication systems.
US8122250B2 (en) Authentication in data communication
KR101376700B1 (en) Method and apparatus for security protection of an original user identity in an initial signaling message
RU2424634C2 (en) Method and apparatus for base station self-configuration
KR101350538B1 (en) Enhanced security for direct link communications
CN100454808C (en) Authentication method
RU2414086C2 (en) Application authentication
US7370350B1 (en) Method and apparatus for re-authenticating computing devices
CN101371491B (en) Method and arrangement for the creation of a wireless mesh network
JP4772959B2 (en) Secure processing for authentication of wireless communication devices
KR101084938B1 (en) Techniques for secure channelization between uicc and a terminal
US8738898B2 (en) Provision of secure communications connection using third party authentication
JP5123209B2 (en) Method, system, and authentication center for authentication in end-to-end communication based on a mobile network
US8245039B2 (en) Extensible authentication protocol authentication and key agreement (EAP-AKA) optimization
ES2706540T3 (en) User equipment credentials system
US20020197979A1 (en) Authentication system for mobile entities
US7596225B2 (en) Method for refreshing a pairwise master key
US20060079205A1 (en) Mutual authentication with modified message authentication code
US20090019284A1 (en) Authentication method and key generating method in wireless portable internet system
JP2011254512A (en) Cryptographic key generation
US20060059344A1 (en) Service authentication
RU2406251C2 (en) Method and device for establishing security association

Legal Events

Date Code Title Description
C06 Publication
C10 Request of examination as to substance
C14 Granted