CN1921378B - Method and system for negotiating new discrimination key - Google Patents
Method and system for negotiating new discrimination key Download PDFInfo
- Publication number
- CN1921378B CN1921378B CN2006101523651A CN200610152365A CN1921378B CN 1921378 B CN1921378 B CN 1921378B CN 2006101523651 A CN2006101523651 A CN 2006101523651A CN 200610152365 A CN200610152365 A CN 200610152365A CN 1921378 B CN1921378 B CN 1921378B
- Authority
- CN
- China
- Prior art keywords
- authentication
- key
- module
- new
- rand
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Abstract
The invention relates to a method for consulting identification key, which comprises: the first module sends identification parameter to the identification proxy, carried with refresh key request message; the identification proxy sends the identification parameters with refresh key request to the second module; the second module based on the identification program identifies the identification parameters, to generate second new key; then sending the special identification response generated by second new key to the identification proxy; the proxy judges if the special identification response and the special respected response are same, if they are, the identification is succeed, and sending success message to the first module; the first module will confirm the second module responses the refresh key request successfully, to refresh the first key. The invention also discloses a relative system.
Description
Technical field
The present invention relates to the communication security technology, particularly a kind of method and system of consulting new authentication secret key.
Background technology
Along with popularizing rapidly of communication system and growing with each passing day of type of service, the particularly demand of data service such as ecommerce, electronic trade, the information security status in the communication system is remarkable day by day.Two of information security key problems are authentication and encryption in communication system.Wherein, authentication is the main means of the identification communication participant identity true and false, and the safe and effective negotiation of key is the important prerequisite that ensures communication safety.
In the existing method for authenticating, the AKA among the 3GPP (authentication and key agreement) for example, employing be the anchor root key mechanism, promptly root key remains constant.This mode realizes and manages simply, but has following potential safety hazard:
One, root key leaks
Key leaks and may have a mind to, and also may be unintentionally, comprising:
1, root key is write by the card vendor, and card vendor's staff has been leaked root key;
Write when 2, root key is runed by operator, the staff of operator has been leaked root key.
3, the attendant of attaching position register/AUC (HLR/AUC) has been leaked the association key data.For example, by the mode of bribing or coercing, directly obtain root key from the attendant there of HLR/AUC.
4, assault HLR/AUC obtains root key.
5, from air interface intercept and capture the authentication parameter that the network of some issues (AUTN, RAND) and terminal return Authentication Response (RES), calculate root key by attack to algorithm.
Two, there is not effective remedial measure
After giving away secrets, root key do not have effective remedial measure! Unless change the data of associated user among subscriber card and the HLR/AUC simultaneously, for example, the user changes card to the business hall, does not have other remedial measure.Be problematic in that the user is basic, and the root key of just can't finding is divulged a secret!
In sum, how solving the potential safety hazard of anchor root key, is a problem that is worth solution.
Summary of the invention
In view of this, the invention provides a kind of method and system of consulting new authentication secret key, realize efficient consulting new authentication secret key.
For achieving the above object, the present invention adopts following technical scheme:
A kind of method of consulting new authentication secret key is preserved first key and second key corresponding with first key respectively in first module that intercoms mutually and second module, this method comprises:
A, first module are obtained the authentication parameter that comprises key refresh request information, and the authentication parameter that obtains is sent to authentication agent;
The described authentication parameter that obtains comprises: the random number RA ND of generation, message authentication coding MAC-A, special Expected Response SXRES;
B, authentication agent send authentication request to second module, and carry the part authentication parameter that comprises key refresh request, carry RAND and MAC-A at least in this part authentication parameter;
C, second module receive authentication request, and after the first module authentication is passed through, generate special Authentication Response SRES according to second new key that produces, and SRES is sent to authentication agent;
D, authentication agent transmit the authentication successful information to first module after the second module authentication is passed through;
After E, first module receive the authentication successful information, upgrade first key.
Preferably, first module produces first new key according to the RAND and first key in the steps A;
First key according to RAND and preservation in the steps A generates SXRES, perhaps generates SXRES according to first new key that produces.
Preferably, first module produces first new key according to the RAND and first key in the step e;
First key according to RAND and preservation in the steps A generates SXRES.
Preferably, upgrading first key described in the step e is meant with alternative first key of first new key.
Preferably, second module described in the step C is carried out authentication to first module and is: second module produces expectation message authentication coding XMAC-A, and judges the consistency of MAC-A and XMAC-A, when the two is consistent, determines that authentication passes through;
Authentication agent described in the step D carries out authentication to second module: the consistency of SRES and SXRES relatively, when the two unanimity, determine that authentication passes through.
Preferably, producing second new key described in the step C is: second module generates according to second key of RAND that receives and preservation;
The generation of described second new key is to finish after second module receives authentication request, before producing XMAC-A, perhaps after producing XMAC-A and the consistency checking of MAC-A and XMAC-A by after finish.
Preferably, described key refresh request information is for to carry by the specific bit position among MAC-A or the described RAND.
Preferably, first key according to RAND and preservation directly generates described MAC-A in the steps A;
Directly generate described XMAC-A according to the RAND and second key among the step C.
Preferably, produce first new key according to the RAND and first key in the steps A, generate described MAC-A according to first new key again;
Produce second new key according to the RAND and second key among the step C, generate described XMAC-A according to second new key again.
Preferably, produce first new key according to the RAND and first key in the steps A, generate described MAC-A according to first new key and RAND again;
Produce second new key according to the RAND and second key among the step C, generate described XMAC-A according to second new key and RAND again.
Preferably, first module is further preserved the first sequence number SQN1, and second module is further preserved the second sequence number SQN2;
The authentication parameter that obtains described in the steps A further comprises SQN1;
The authentication parameter of part described in the step B further comprises SQN1.
Preferably, described key refresh request information is for to carry by specific bit position any among MAC-A, RAND or the SQN1.
Preferably, the SQN1 and first key according to RAND, preservation produces MAC-A in the steps A;
Second key according to the RAND, the SQN1 that receive and preservation among the step C produces XMAC-A.
Preferably,
After determining MAC-A described in the step C and XMAC-A is consistent, further comprise: judge according to the SQN2 that preserves whether the SQN1 that receives can accept, if unacceptable, then finishes this key agreement flow process, if can accept, then definite authentication is passed through.
Preferably, the authentication parameter that obtains described in the steps A further comprises authentication management field AMF, and the authentication parameter of part described in the step B further comprises AMF.
Preferably, described key refresh request information is for to carry by specific bit position any among MAC-A, RAND, SQN1 or the AMF.
Preferably, first key according to RAND, SQN1, AMF and preservation produces MAC-A in the steps A;
Produce XMAC-A according to SQN1, AMF, RAND and second key among the step C.
Preferably, authentication agent further carries the partial information of the authentication parameter information that is obtained from first module when first module transmits the authentication successful information;
Before first module is upgraded first key, further judge the consistency of the partial information of the authentication parameter information that authentication agent transmits,, then upgrade first key if consistent according to the partial information of the corresponding authentication parameter information of oneself preserving, otherwise, finish the consulting new authentication secret key flow process.
Preferably, the partial information of described authentication parameter information is: a kind of or combination in any among RAND, SQN1, SXRES and the XMAC-A.
Preferably, authentication successful information described in the step C transmits by the failed authentication report.
A kind of agreement new authorization key system, this system comprise first module, authentication agent and second module;
Described first module, be used to store first key, obtain the authentication parameter that comprises key refresh request information, and the authentication parameter that obtains is sent to described authentication agent, authentication parameter comprises random number RA ND, message authentication coding MAC-A, the special Expected Response SXRES of generation; Also be used for behind the authentication success message that receives described authentication agent transmission, more new key;
Described authentication agent, be used to receive the authentication parameter that described first module sends, and authentication request sent to described second module, in this request, carry the part authentication parameter that comprises key refresh request information, and receive the special Authentication Response SRES that described second module is returned; Also be used for described second module is carried out authentication, and after authentication is passed through, send the authentication success message to described first module;
Described second module, be used to store second key, receive the part authentication parameter that described authentication agent sends, finish authentication described first module, and after authentication is passed through, generate special Authentication Response SRES according to second new key that produces and send to described authentication agent.
Preferably, described first module comprises first key storing unit, the first new key generation unit, authentication parameter generation unit and interface unit;
Described first key storing unit is used to preserve first key;
The described first new key generation unit, be used to produce random number, and, produce first new key, and the random number and first new key that produces sent to described authentication parameter generation unit according to this random number and first key that from described first key storing unit, reads;
Described authentication parameter generation unit is used to receive the random number and first new key that the described first new key generation unit sends, and obtains authentication parameter, and authentication parameter is sent to described interface unit;
Described interface unit is used to receive the authentication parameter that described authentication parameter generation unit sends, and this parameter is sent to described authentication agent; Also be used to receive the authenticating result that described authentication agent returns, and after the authentication success, first new key that the described first new key generation unit is produced writes in described first key preservation unit.
Preferably, described authentication agent comprises the first module interface unit, authenticating unit and the second module interface unit;
The described first module interface unit is used to receive the authentication request that described first module sends, and part authentication parameter is wherein sent to the described second module interface unit; Also be used to receive the authenticating result that described authenticating unit sends, and it is transmitted to described first module;
The described second module interface unit is used for the authentication parameter that the described first module interface unit sends is sent to described second module, and the special Authentication Response SRES that will be received from described second module is transmitted to described authenticating unit;
Described authenticating unit, be used to receive the authentication parameter of described first module interface unit transmission and the special Authentication Response SRES that the described second module interface unit sends, carry out the authentication of first module, and authenticating result is sent to the described first module interface unit second module.
Preferably, described second module comprises second key storing unit, the second new key generation unit, authenticating unit and interface unit,
Described second key storing unit is used to preserve second key;
The described second new key generation unit, be used for the random number RA ND that described reception interface unit sends, and, produce second new key, and the random number and first new key that produces sent to described authenticating unit according to this random number and second key that from described second key storing unit, reads;
Described interface unit is used to receive the authentication parameter that described authentication agent sends, and this parameter is sent to described authenticating unit, and random number is sent to the described second new key generation unit; Also be used to receive the special Authentication Response SRES that described authenticating unit sends;
Described authenticating unit is used to receive the authentication parameter that described interface unit sends, and carries out the authentication of second module to first module, and produces special Authentication Response SRES and send to described interface unit.
Preferably, described first module is the HLR/AUC of attaching position register AUC, and described authentication agent is VLR Visitor Location Register service universal grouping wireless business supporting node VLR/SGSN, and described second module is Subscriber Identity Module USIM.
As seen from the above technical solution, the present invention is in authentication process, and first module has been carried key refresh request information when authentication agent sends authentication parameter in authentication parameter, and also promptly first module is sent key refresh request simultaneously when sending authentication parameter; Authentication agent will comprise that the part authentication parameter of key refresh request information sends to second module, notifies more new key of second module; After second module is received authentication parameter, according to authentication procedure authentication parameter is carried out consistency checking, and after this checking is passed through, generate second new key, the special Authentication Response that will utilize second new key to produce then sends to authentication agent, when also promptly having responded the authentication request of authentication agent, also responded the first module key refresh request; Authentication agent judges whether special Authentication Response is consistent with special Expected Response, if unanimity then shows the authentication success, so send the authentication successful information to first module; After first module receives this authentication successful information, can confirm that second module has successfully produced new key, so, just can be relievedly new key more, because, in follow-up authentication process, second module can be judged first module and whether upgraded key by attempt using new key to carry out authentication, thereby reaches the mutual affirmation of both sides to key updating.As seen, method of the present invention can be implemented in the negotiation of finishing new authentication secret key in the authentication process, so KI can be implemented to upgrade in authentication process as required at any time, has solved the existing potential safety hazard of anchor root key.
Description of drawings
Fig. 1 is the method overview flow chart of consulting new authentication secret key of the present invention.
Fig. 2 is an agreement new authorization key system overall construction drawing of the present invention.
Fig. 3 is the method flow diagram of consulting new authentication secret key in the embodiment of the invention one.
Fig. 4 is an agreement new authorization key system structure chart in the embodiment of the invention one.
Fig. 5 is the method flow diagram of consulting new authentication secret key in the embodiment of the invention two.
Fig. 6 is the method flow diagram of consulting new authentication secret key in the embodiment of the invention three.
Fig. 7 is a method flow diagram of using first example of the present invention in the AKA of 3GPP.
Fig. 8 is a method flow diagram of using second example of the present invention in the AKA of 3GPP.
Fig. 9 is a method flow diagram of using the 3rd example of the present invention in the AKA of 3GPP.
Embodiment
For making purpose of the present invention, technological means and advantage clearer,, the specific embodiment of the present invention is described below in conjunction with the accompanying drawing embodiment that develops simultaneously.
Basic thought of the present invention is: first module has been carried key refresh request information when authentication agent sends authentication parameter in authentication parameter; Authentication agent will comprise that the part authentication parameter of key refresh request information sends to second module; After second module is received authentication parameter, according to authentication procedure authentication parameter is carried out generating second new key after consistency checking passes through, the special Authentication Response that will utilize second new key to produce then sends to authentication agent; Authentication agent judges whether special Authentication Response is consistent with special Expected Response, if unanimity then shows the authentication success, so send the authentication success message to first module; After first module receives this message, the key refresh request of oneself of can having confirmed the second module success response, promptly successful real estate has been given birth to second new key, so, can upgrade oneself first key relievedly.
Fig. 1 is the method overview flow chart of consulting new authentication secret key of the present invention.Wherein, in first module that intercoms mutually and second module, preserve first key and second key respectively, and second key is corresponding with first key.As shown in Figure 1, this method comprises:
In this step, the authentication parameter that obtains comprises: the random number of generation (RAND), message authentication coding (MAC-A) and special Expected Response (SXRES).
Step 12, authentication agent sends authentication request to second module, and carries and comprise the more part authentication parameter of new key authentication request information.
In this step, in this part authentication parameter, carry RAND and MAC-A at least.
Step 13, second module receives authentication request, and after the first module authentication is passed through, produces special Authentication Response (SRES) according to second new key that produces, and SRES is sent to authentication agent.
Fig. 2 is an agreement new authorization key system overall construction drawing of the present invention.Method shown in Figure 1 can be implemented in this system.As shown in Figure 2, this system comprises: first module 21, authentication agent 22 and second module 23.
In this system, first module 21 is used to store first key, obtains the authentication parameter that comprises key refresh request information, and the authentication parameter that obtains is sent to authentication agent 22, and authentication parameter comprises RAND, MAC-A, the SXRES of generation; Also be used for behind the authentication success message that receives authentication agent 22 transmissions, more new key.
By as seen above-mentioned, utilize method and system of the present invention, can in the process of authentication, finish the process that new authentication secret key is consulted, make it possible to realize as required the renewal of KI, solved the potential safety hazard that the anchor root key exists.
In order to show spirit of the present invention more fully, come further the present invention to be explained in detail below by specific embodiment.
Embodiment one:
Fig. 3 is the method flow diagram of consulting new authentication secret key in the embodiment of the invention one.As shown in Figure 3, this flow process comprises:
Step 302 generates first new key (NewAK1) and authentication parameter according to the random number RA ND of generation and first key (AK1) of preservation, and authentication parameter is sent to authentication agent.
In this step, can generate NewAK1 according to RAND and AK1; And comprise RAND, MAC-A and SXRES in the authentication parameter that generates, and key refresh request information.
Wherein, MAC-A generates according to the AK1 that preserves in the RAND and first module in the present embodiment, and SXRES produces according to NewAK1;
Key refresh request information can be represented by a bit among the RAND, perhaps can also represent by a bit among the MAC-A.When a bit in utilizing RAND was represented, being provided with of this bit can be carried out before generating MAC-A; When a bit in utilizing MAC-A was represented, being provided with of this bit can be carried out after generating MAC-A.
In this step, carry the mode of key refresh request information according to authentication parameter in the step 302, second module is taken out corresponding RAND or MAC-A from authentication parameter, according to the wherein setting of specific bit position, determines to carry out key updating.
Step 305 judges whether second module is passed through the authentication of first module, if pass through, and then execution in step 306 and subsequent step thereof, otherwise execution in step 311.
In this step, second module to the authentication of first module can for: second module produces the message authentication coding (XMAC-A) of expectation according to RAND and second key (AK2), and relatively whether XMAC-A is consistent with the MAC-A that receives, if it is consistent, then second module is passed through the authentication of first module, otherwise second module is not passed through the authentication of first module.
In this step, first module can judge whether the SXRES that first module sends is consistent with the SRES of second module transmission for: authentication agent to the authentication of second module, if unanimity then authenticating result is the authentication success, and because SRES and SXRES all produce according to new key, so new authentication secret key is consulted successfully; If inconsistent, then authenticating result is a failed authentication, and new authentication secret key is consulted failure.
In this step, after first module is received the information of authentication success, determine that promptly second module has correctly generated new authentication secret key, so upgrade the KI of self.Wherein, more new authentication secret key can for: substitute AK1 with NewAK1.
So far, new authentication secret key is consulted the flow process end.
When producing SXRES according to NewAK1 in the step 302, can further be to produce described SXRES according to RAND and NewAK1; Accordingly, when producing SRES according to NewAK2 in the step 307, can further produce described SRES according to RAND and NewAK2.
Authentication agent can further carry the partial information of the authentication parameter information that is obtained from first module when first module transmits the authentication successful information, for example carry described random number RA ND when sending the authentication successful information; Before first module is upgraded first key, further judge the consistency of the RAND that authentication agent transmits,, upgrade first password again if consistent according to the partial information of the corresponding authentication parameter information of oneself preserving, otherwise, the consulting new authentication secret key flow process finished.Certainly, the partial information of described authentication parameter information also can be SXRES etc.
In the present embodiment, SXRES produces according to first new key.In fact, in actual applications, first module produces the algorithm of special Expected Response and algorithm that second module produces special Authentication Response can be inconsistent, and second module can be after producing second new key, to produce special Authentication Response according to second new key again; And first module can not produce first new key earlier, but directly produces special Expected Response according to first key and random number, and behind the authentication success message that receives the authentication agent transmission, just produces first new key.
In the present embodiment, produced first new authentication secret key in first module, and in step 302, be used for second module MAC-A of the first module authentication is generated according to original first key, when therefore second module was to the first module authentication in step 305, the XMAC-A of second module also generated according to original second key.In actual applications, can also carry out according to first new key when generating MAC-A in the step 302, corresponding, step 305 and 306 execution sequence are changed mutually, and also generate according to second new key when generating XMAC-A in the step 305.Further, can also carry out according to the random number and first new key when generating MAC-A in the step 302, corresponding, step 305 and 306 execution sequence are changed mutually, and also generate according to the random number and second new key when generating XMAC-A in the step 305.
By above-mentioned flow process as can be seen, in authentication process, finished the flow process that new authentication secret key is consulted simultaneously.On behalf of new authentication secret key, first module then consult successfully to the success of the second module authentication.Therefore, realize the renewal of KI, solved the potential safety hazard of anchor root key.
More than the method flow of the consulting new authentication secret key that provides in the present embodiment is provided, in addition, present embodiment also provides agreement new authorization key system, the method for above-mentioned consulting new authentication secret key can be implemented in this system.Fig. 4 is an agreement new authorization key system structure chart among the embodiment one.As shown in Figure 4, this system comprises:
In first module 410 of this system, first key storing unit 411 is used to preserve first key;
The first new key generation unit 412, be used to produce random number, and, produce first new key, and the random number and first new key that produces sent to authentication parameter generation unit 413 according to this random number and first key that from first key storing unit 411, reads;
Authentication parameter generation unit 413 is used to receive the random number and first new key that the first new key generation unit 412 sends, and produces authentication parameter, and authentication parameter is sent to interface unit 414;
In authentication agent 420, the first module interface unit 421 is used for receiving the authentication request that the interface unit 414 of first module 410 sends, and part authentication parameter is wherein sent to the second module interface unit 422; Also be used to receive the authenticating result that authenticating unit sends, and it is transmitted to interface unit 414 in first module 410;
The second module interface unit 423 be used for the authentication parameter that the first module interface unit 421 sends is sent to the interface unit 431 of second module 430, and the SRES that will be received from the interface unit 431 is transmitted to authenticating unit 424;
Authenticating unit 424 is used to receive the authentication parameter of the first module interface unit, 421 transmissions and the SRES that the second module interface unit 423 sends, and carries out the authentication of first module to second module, and authenticating result is sent to the first module interface unit 421.
In second module 430, second key storing unit 431 is used to preserve second key;
The second new key generation unit 432, be used for the random number RA ND that reception interface unit 431 sends, and, produce second new key, and the random number and first new key that produces sent to authenticating unit 433 according to this random number and second key that from second key storing unit 431, reads;
Authenticating unit 433 is used for the authentication parameter that reception interface unit 434 sends, and carries out the authentication of second module to first module, and generation SRES sends to interface unit 434.
The above-mentioned structure of consulting the new key system in the present embodiment that is.As can be seen, in this system, can use the method flow of consulting new authentication secret key shown in Figure 3, thereby in authentication process, realize the flow process of consulting new authentication secret key, the efficient and the fail safe that improve authentication protocol.
Embodiment two:
In the present embodiment, first module is further preserved the first sequence number SQN1, and second module is further preserved the second sequence number SQN2; The described authentication parameter that first module sends authentication agent to further comprises the first sequence number SQN1, and first module has been utilized the sequence number in first module when producing authentication parameter.Authentication agent further carries SQN1 when second module sends authentication request, promptly carry RAND, MAC-A and SQN1.
The method flow diagram of consulting new authentication secret key in Fig. 5 embodiment of the invention two.As shown in Figure 5, this flow process comprises:
Step 502 generates first new key (NewAK1) and authentication parameter according to the random number RA ND of generation and first key (AK1), the sequence number (SQN1) of preservation, and authentication parameter is sent to authentication agent.
In this step, can generate NewAK1 according to RAND and AK1; And comprise RAND, MAC-A and the SXRES that has generated in the authentication parameter that generates, and key refresh request information.
Wherein, MAC-A generates according to AK1 that preserves in random number RA ND, first module and SQN1 in the present embodiment, and SXRES produces according to NewAK1;
Key refresh request information can represent that being provided with of this bit can be carried out by a bit among the SQN1 before generating MAC-A.
In this step, carry the mode of key refresh request information according to authentication parameter in the step 502, second module is taken out corresponding SQN1 from authentication parameter, according to the wherein setting of specific bit position, determines to carry out key updating.
Whether step 505, second module judge authentication parameter by consistency checking, if pass through, then execution in step 506 and subsequent step thereof are consulted flow process otherwise finish this new authentication secret key.
In this step, second module judge authentication parameter whether by consistency checking can for: second module produces XMAC-A according to RAND, AK2 and SQN1, and relatively whether XMAC-A is consistent with the MAC-A that receives, if it is consistent, then execution in step 506, otherwise, finish this new authentication secret key and consult flow process.
In this step, whether second module can be accepted according to SQN2 checking SQN1, can be to judge that the difference of SQN2 and SQN1 is whether in certain scope, for example, whether (SQN1-SQN2) is greater than 0, and perhaps whether (SQN1-SQN2) is greater than 0 and less than 65536, or the like.If difference in described scope, is then judged SQN2 and can be accepted, otherwise, judge that SQN2 cannot accept.
In this step, authentication agent just repeats no more here to identical among the mode of the authentication of second module and the embodiment one.
Whether step 510, first module are judged the second module authentication successful, if then execution in step 511, otherwise execution in step 512.
Step 511 after first module receives the authentication successful information, is upgraded first key, and finishes this new authentication secret key and consult flow process.
In this step, after first module is received the message of authentication success, determine that promptly second module has correctly generated i.e. second new key of new authentication secret key, so upgrade the KI of self, i.e. first key.Wherein, upgrade first key can for: substitute AK1 with NewAK1.
So far, new authentication secret key is consulted the flow process end.
When producing SXRES according to NewAK1 in the step 502, can further be to produce described SXRES according to RAND and NewAK1; Accordingly, when producing SRES according to NewAK2 in the step 508, can further produce described SRES according to RAND and NewAK2.
For key refresh request information, can represent by a bit among RAND or the MAC-A equally in the present embodiment, and when a bit in utilizing RAND was represented, being provided with of this bit can be carried out before generating MAC-A; When a bit in utilizing MAC-A was represented, being provided with of this bit can be carried out after generating MAC-A.
In the present embodiment, produced first new authentication secret key in first module, and in step 502, be used for second module MAC-A of the first module authentication is generated according to original first key, when therefore second module was to the first module authentication in step 305, the XMAC-A of second module also generated according to original second key.In actual applications, can also carry out according to first new key when generating MAC-A in the step 502, corresponding, step 505~506 are changed mutually with the execution sequence of step 507, and also generate according to second new key when generating XMAC-A in the step 505.Further, can also carry out according to any one or two among first new key and random number and the SQN1 when generating MAC-A in the step 502, accordingly, the execution sequence of step 505~506 and step 507 is changed mutually, and when generating XMAC-A in the step 505 also according to any one or two generations among second new key and random number and the SQN1.
The difference of present embodiment and embodiment one is, in the present embodiment, utilized sequence number SQN1 when first module generates MAC-A in the step 502, so it is corresponding, also used sequence number SQN1 when second module generates XMAC-A in step 505, and key refresh request information also can be to carry by sequence number SQN1 in the step 502.When second module is carried out authentication to first module, also increased the process that step 506 is promptly verified sequence number SQN1, the fail safe that has improved authentication.The operation of other step two embodiment is roughly the same.Two embodiment all can be implemented in and carry out the purpose that new authentication secret key is consulted in the authentication process, have solved the potential safety hazard that the anchor root key exists.
Implement in the agreement new authorization key system (Fig. 4) that method in the present embodiment also can provide in embodiment one.And in this system, first key in first module 410 is preserved unit 411, is further used for preserving SQN1; Second key in second module 430 is preserved unit 431, is further used for preserving SQN2; Authenticating unit 433 in second module 430 is further used for preserving the SQN2 that reads in the unit 431 according to second key, and whether the SQN1 that checking receives can accept.
As seen, the method and system in the present embodiment can be realized the negotiation of new authentication secret key, solves the potential safety hazard that the anchor root key exists.
The described authentication parameter that sends authentication agent in the step 302 to is authentication management field (AMF) further.Authentication agent further carries AMF in the step 303 when second module sends authentication request, promptly carries RAND, MAC-A and AMF.Below in conjunction with implementing two, the situation that further comprises AMF in the authentication parameter is set forth.
Embodiment three:
In the present embodiment, the authentication parameter of generation has further comprised authentication management field AMF.
The method flow diagram of consulting new authentication secret key in Fig. 6 embodiment of the invention three.As shown in Figure 6, this flow process comprises:
Step 601, first module produces a random number RA ND.
Step 602 generates first new key (NewAK1) and authentication parameter according to first key (AK1), the sequence number (SQN1) of random number RA ND that produces and preservation and the AMF that is provided with, and authentication parameter is sent to authentication agent.
In this step, can generate NewAK1 according to RAND and AK1; And comprise RAND, MAC-A and SXRES in the authentication parameter that generates, and key refresh request information.
Wherein, MAC-A generates according to the AMF of the AK1, the SQN1 that preserve in random number RA ND, first module and setting in the present embodiment, and SXRES produces according to NewAK1;
Key refresh request information can represent that being provided with of this bit can be carried out by a bit among the AMF before generating MAC-A.
Step 603, authentication agent will comprise that the part authentication parameter of RAND, MAC-A, AMF and SQN1 sends to second module.
Step 604, second module receives authentication parameter, determines to carry out key updating.
In this step, carry the mode of key refresh request information according to authentication parameter in the step 602, second module is taken out corresponding AMF from authentication parameter, according to the wherein setting of specific bit position, determines to carry out key updating.
Whether step 605, second module judge authentication parameter by consistency checking, if pass through, then execution in step 606 and subsequent step thereof are consulted flow process otherwise finish this new authentication secret key.
In this step, second module judge authentication parameter whether by consistency checking can for: second module produces XMAC-A according to RAND, AK2, AMF and SQN1, and relatively whether XMAC-A is consistent with the MAC-A that receives, if it is consistent, then execution in step 606, otherwise, finish this new authentication secret key and consult flow process.
Step 606, second module judges according to SQN2 whether SQN1 can accept, if unacceptable, then finish this new authentication secret key and consults flow process, otherwise judge that second module passes through execution in step 607 to the authentication of first module.
In this step, whether second module can be accepted according to SQN2 checking SQN1, can be to judge that the difference of SQN2 and SQN1 is whether in certain scope, for example, whether (SQN1-SQN2) is greater than 0, and perhaps whether (SQN1-SQN2) is greater than 0 and less than 65536, or the like.If difference in described scope, is then judged SQN2 and can be accepted, otherwise, judge that SQN2 cannot accept.
Step 607, second module generates second new key (NewAK2) according to the second key A K2 of the RAND that receives and self preservation.
Step 608, second module produces SRES according to the NewAK2 that generates, and this SRES is sent to authentication agent.
Step 609, authentication agent be to the authentication of second module, and authenticating result is sent to first module.
In this step, authentication agent just repeats no more here to identical among the mode of the authentication of second module and embodiment one and the embodiment two.
Whether step 610, first module are judged the second module authentication successful, if success, then execution in step 610, otherwise execution in step 612.
Step 611, first module is upgraded first key, and finishes this new authentication secret key and consult flow process.
Step 612, first module abandon first new key of generation, and finish this new authentication secret key and consult flow process.
In this step, after first module is received the message of authentication success, determine that promptly second module has correctly generated new authentication secret key, i.e. second new key is so upgrade the KI of self, i.e. first key.Wherein, upgrade first key can for: substitute AK1 with NewAK1.
So far, new authentication secret key is consulted the flow process end.
When producing SXRES according to NewAK1 in the step 602, can further be to produce described SXRES according to RAND and NewAK1; Accordingly, when producing SRES according to NewAK2 in the step 608, can further produce described SRES according to RAND and NewAK2.
For key refresh request information, can represent by a bit among RAND, AMF or the MAC-A equally in the present embodiment, and when a bit in utilizing RAND or AMF was represented, being provided with of this bit can be carried out before generating MAC-A; When a bit in utilizing MAC-A was represented, being provided with of this bit can be carried out after generating MAC-A.
In the present embodiment, produced first new authentication secret key in first module, and in step 602, be used for second module MAC-A of the first module authentication is generated according to original first key, when therefore second module was to the first module authentication in step 605, the XMAC-A of second module also generated according to original second key.In actual applications, can also carry out according to first new key when generating MAC-A in the step 602, corresponding, step 605~606 are changed mutually with the execution sequence of step 607, and also generate according to second new key when generating XMAC-A in the step 605.Further, can also be when generating MAC-A in the step 602 according to any one or a plurality of carrying out among first new key and random number, AMF and the SQN1, accordingly, the execution sequence of step 605~606 and step 607 is changed mutually, and when generating XMAC-A in the step 605 also according to any one or a plurality of generation among second new key and random number, AMF and the SQN1.
By as seen above-mentioned, the difference of present embodiment and embodiment two is, utilized authentication management field AMF when first module generates MAC-A in step 602, and this AMF sent to second module by authentication agent, so it is corresponding, also used AMF when second module generates XMAC-A in step 605, and key refresh request information also can be to carry by sequence number AMF in the step 602.In addition, the operation of other steps and embodiment two are roughly the same.As can be seen, the execution mode in the present embodiment can be realized the purpose of consulting new authentication secret key equally, improves the fail safe of right discriminating system.
Implement in the agreement new authorization key system (Fig. 4) that method in the present embodiment also can provide in embodiment one.
Among above-mentioned execution mode and each embodiment, preserving first key in second key of preserving in second module and first module can be symmetric key, and for example, described second key is identical with first key.
The mode of described generation second new key can be consistent with the mode of the mode of described generation first new key, the mode that generates SRES and generation SXRES.The mode that generates SRES can be consistent with the mode that generates SXRES, also can be inconsistent.This generating mode can be more known algorithms in certain digest algorithm, computations or safe calculating field, just repeats no more here.
With three concrete examples the application mode of the present invention in 3GPP authentication and key agreement AKA is described below.In 3GPP authentication and key agreement AKA, in portable terminal (MS), preserve IMSI International Mobile Subscriber Identity (IMSI), KI (KI) and sequence number (SQNMS).Preserve IMSI, KI and sequence number SQNHE at this portable terminal correspondence among the HLR/AUC of network side, to be used for portable terminal and network mutual authentication.When HLR/AUC produces the authentication tuple, produce random number (RAND, Random Challenge) earlier, produce Expected Response (XRES according to random number and KI, Expected Response), encryption key (CK, Cipher Key), Integrity Key (IK, IntegrityKey); Produce message authentication coding (MAC-A) according to random number, sequence number, KI and authentication management field (AMF), according to MAC-A, SQNHE, AK and AMF obtain authentication signature AUTN (Authentication Token).Form the authentication five-tuple by RAND and XRES, CK, IK and AUTN.
Please participate in related specifications about existing authentication of 3GPP and key agreement flow process, repeat no more here.
When in 3GPP authentication and key agreement AKA, using embodiment of the present invention, first module promptly is embodied as HLR/AUC, authentication agent promptly is embodied as VLR Visitor Location Register/service universal packet wireless business affair (GPRS) support node (VLR/SGSN), and second module promptly is embodied as USIM.
In first example, HLR/AUC utilizes the new key that produces to replace original key to generate the authentication five-tuple, and utilizes AMF to carry the renewal key information, if long two bytes of AMF, i.e. 16 bits, the SXRES of generation is the XRES among the AKA, and SRES is the RES among the AKA.The method flow of consulting new authentication secret key specifically comprises as shown in Figure 7 in first example:
Step 704, usim card extracts the AMF that carries among the AUTN, is 1 according to its lowest order byte, determines to carry out key updating.
Step 705, USIM produces new authentication secret key NewKi according to the key K i that preserves, and according to NewKi network is carried out authentication, and after authentication is passed through, produces Authentication Response RES according to NewKi; Authentication Response is sent to VLR/SGSN.
In step 706, VLR/SGSN compares the consistency of RES and Expected Response XRES, and when unanimity, judges that network passes through the usim card authentication, sends the authentication success message to HLR/AUC simultaneously.
Step 707 after HLR/AUC receives the authentication success message that VLR/SGSN returns, confirms that usim card has produced new key NewKi, so according to the own NewKi renewal Ki that produces, for example, Ki is set to equal NewKi.
So far, the method flow of consulting new authentication secret key finishes in this example.
In second example, HLR/AUC utilizes original key to generate other parameter item except that XRES in the authentication five-tuple, and utilizes AMF to carry the renewal key information, establishes AMF long two bytes, i.e. 16 bits.The method flow of consulting new authentication secret key specifically comprises as shown in Figure 8 in second example:
Step 805, USIM produces new authentication secret key NewKi according to Ki, according to Ki network is carried out authentication, and after authentication is passed through, produces Authentication Response RES according to NewKi; Described Authentication Response is sent to VLR/SGSN.
Step 807 after HLR/AUC receives the authentication success message that VLR/SGSN returns, confirms that usim card has produced new key NewKi, so according to the own NewKi renewal Ki that produces, for example, Ki is set to equal NewKi.
So far, the method flow of consulting new authentication secret key finishes in this example.
In the step 806 of above-mentioned flow process, VLR/SGSN sends the authentication successful information to HLR/AUC and can transmit by failed authentication report, wherein failure reason value is the cause value of " authentication success " in the failed authentication report, then HLR/AUC is after receiving this report, and promptly the decidable authentication is successful.
By Fig. 7 and method flow shown in Figure 8 as can be seen, the difference of these two flow processs is, in first example shown in Figure 7, when step 701 generates the authentication five-tuple, be to utilize newly-generated key NewKi to replace original key K i, the authentication five-tuple of generation, corresponding with it, when in step 405, carrying out usim card, utilize newly-generated key NewKi to replace original key K i too, carry out authentication the authentication of network; And in second example, when step 801 generates the authentication five-tuple, utilize original key K i, RAND, AMF and SQN generation other authentication parameter except that XRES, when at this moment usim card is to network authentication in the Dui Ying step 805, also utilize original key K i to carry out authentication, and when the authentication success, use new key to produce Authentication Response.In a word, the mode of generation relevant parameter generally is consistent among HLR/AUC and the USIM.
In the step 806 of last example, VLR/SGSN sends the authentication success message to HLR/AUC and can transmit by failed authentication report, wherein failure reason value is the cause value of " authentication success " in the failed authentication report, after HLR/AUC receives the failed authentication report of failure reason value for " authentication success " cause value in the step 807 like this, can determine the authentication success.
In the 3rd example, HLR/AUC utilizes original key to generate other parameter item except that XRES in the authentication five-tuple, and utilizes AMF to carry the renewal key information, establishes AMF long two bytes, i.e. 16 bits.The method flow of consulting new authentication secret key specifically comprises as shown in Figure 9 in the 3rd example:
Step 901, HLR/AUC produces a random number RA ND, and the lowest order byte of AMF is set to 1 expression needs more new key; HLR/AUC produces new authentication secret key NewKi according to Ki, and Ki, RAND, SQNHE, AMF etc. produce other parameter item except XRES in the authentication five-tuple together, produces XRES according to NewKi, RAND.
Step 902, HLR/AUC sends to VLR/SGSN with the authentication five-tuple that produces;
Step 903, AUTN and RAND that VLR/SGSN will be received from the authentication tuple of HLR/AUC send to usim card;
Step 904, usim card extracts the AMF that carries among the AUTN, is 1 according to its lowest order byte, determines to carry out key updating.
Step 905, USIM produces new authentication secret key NewKi according to Ki, according to Ki network is carried out authentication, and after authentication is passed through, produces Authentication Response RES according to NewKi; Described Authentication Response is sent to VLR/SGSN.
Step 906, VLR/SGSN compares the consistency of RES and Expected Response XRES, and when unanimity, judgement is passed through the usim card authentication, produce a failed authentication report simultaneously, the failure reason value of failed authentication report is set to authentication success cause value, sends described failed authentication report to HLR/AUC, carries described RAND.
Step 907 after HLR/AUC receives the failed authentication report of VLR/SGSN transmission, after the affirmation usim card has correctly produced NewKi, is upgraded first key.
In this step, after HLR/AUC receives the failed authentication report of VLR/SGSN transmission, when judging failure reason value and be authentication success cause value, confirm that usim card has produced new key NewKi, so, judge whether the RAND that the RAND in the authentication identification report preserves in advance with oneself is consistent, if consistent, think that then new key consults successfully, according to the NewKi renewal Ki of oneself generation, for example, Ki is set to equal NewKi; Otherwise, finish new authentication secret key and consult flow process.
So far, the method flow of consulting new authentication secret key finishes in this example.
Different with the method flow in first and second examples, in the 3rd example, HLR/AUC can preserve the RAND in the corresponding authentication tuple, before new authentication secret key more, by the affirmation of RAND, improves accuracy and fail safe that KI upgrades.Certainly in actual applications, also can preserve other authentication parameter, before new authentication secret key more, the parameter of preserving be confirmed.
Above-mentionedly be in 3GPP authentication and key agreement AKA application mode of the present invention.As can be seen, the present invention can be implemented in the negotiation of finishing new authentication secret key in the authentication process, so KI can upgrade in authentication process at any time, has solved the existing potential safety hazard of anchor root key.
Reference diagram provided by the present invention only is used for helping to understand the present invention, when reference diagram and text text description are inconsistent, is as the criterion with the text text description.
Being preferred embodiment of the present invention only below, is not to be used to limit protection scope of the present invention.Within the spirit and principles in the present invention all, any modification of being done, be equal to replacement, improvement etc., all should be included within protection scope of the present invention.
Claims (25)
1. the method for a consulting new authentication secret key is characterized in that, preserves first key and second key corresponding with first key respectively in first module that intercoms mutually and second module, and this method comprises:
A, first module are obtained the authentication parameter that comprises key refresh request information, and the authentication parameter that obtains is sent to authentication agent;
The described authentication parameter that obtains comprises: the random number RA ND of generation, message authentication coding MAC-A, special Expected Response SXRES;
B, authentication agent send authentication request to second module, and carry the part authentication parameter that comprises key refresh request information, carry RAND and MAC-A at least in this part authentication parameter;
C, second module receive authentication request, and after the first module authentication is passed through, generate special Authentication Response SRES according to second new key that produces, and SRES is sent to authentication agent;
D, authentication agent transmit the authentication successful information to first module after the second module authentication is passed through;
After E, first module receive the authentication successful information, upgrade first key.
2. method according to claim 1 is characterized in that, first module produces first new key according to the RAND and first key in the steps A;
First key according to RAND and preservation in the steps A generates SXRES, perhaps generates SXRES according to first new key that produces.
3. method according to claim 1 is characterized in that, first module produces first new key according to the RAND and first key in the step e;
First key according to RAND and preservation in the steps A generates SXRES.
4. method according to claim 1 is characterized in that, upgrades first key described in the step e and is meant with alternative first key of first new key.
5. method according to claim 1 is characterized in that,
Second module described in the step C is carried out authentication to first module: second module produces expectation message authentication coding XMAC-A, and judges the consistency of MAC-A and XMAC-A, when the two is consistent, determines that authentication passes through;
Authentication agent described in the step D carries out authentication to second module: the consistency of SRES and SXRES relatively, when the two unanimity, determine that authentication passes through.
6. method according to claim 5 is characterized in that,
Producing second new key described in the step C is: second module generates according to second key of RAND that receives and preservation;
The generation of described second new key is to finish after second module receives authentication request, before producing XMAC-A, perhaps after producing XMAC-A and the consistency checking of MAC-A and XMAC-A by after finish.
7. method according to claim 5 is characterized in that, described key refresh request information is for to carry by the specific bit position among MAC-A or the described RAND.
8. method according to claim 5 is characterized in that, first key according to RAND and preservation in the steps A directly generates described MAC-A;
Directly generate described XMAC-A according to the RAND and second key among the step C.
9. method according to claim 5 is characterized in that, produces first new key according to the RAND and first key in the steps A, generates described MAC-A according to first new key again;
Produce second new key according to the RAND and second key among the step C, generate described XMAC-A according to second new key again.
10. method according to claim 5 is characterized in that, produces first new key according to the RAND and first key in the steps A, generates described MAC-A according to first new key and RAND again;
Produce second new key according to the RAND and second key among the step C, generate described XMAC-A according to second new key and RAND again.
11. method according to claim 5 is characterized in that, first module is further preserved the first sequence number SQN1, and second module is further preserved the second sequence number SQN2;
The authentication parameter that obtains described in the steps A further comprises SQN1;
The authentication parameter of part described in the step B further comprises SQN1.
12. method according to claim 11 is characterized in that, described key refresh request information is for to carry by specific bit position any among MAC-A, RAND or the SQN1.
13. method according to claim 11 is characterized in that, the SQN1 and first key according to RAND, preservation in the steps A produce MAC-A;
Second key according to the RAND, the SQN1 that receive and preservation among the step C produces XMAC-A.
14. method according to claim 11 is characterized in that,
After determining MAC-A described in the step C and XMAC-A is consistent, further comprise: judge according to the SQN2 that preserves whether the SQN1 that receives can accept, if unacceptable, then finishes this key agreement flow process, if can accept, then definite authentication is passed through.
15. method according to claim 11 is characterized in that, the authentication parameter that obtains described in the steps A further comprises authentication management field AMF, and the authentication parameter of part described in the step B further comprises AMF.
16. method according to claim 15 is characterized in that, described key refresh request information is for to carry by specific bit position any among MAC-A, RAND, SQN1 or the AMF.
17. method according to claim 15 is characterized in that, first key according to RAND, SQN1, AMF and preservation in the steps A produces MAC-A;
Produce XMAC-A according to SQN1, AMF, RAND and second key among the step C.
18., it is characterized in that authentication agent further carries the partial information of the authentication parameter information that is obtained from first module according to claim 5,11 or 15 described methods when first module transmits the authentication successful information;
Before first module is upgraded first key, further judge the consistency of the partial information of the authentication parameter information that authentication agent transmits,, then upgrade first key if consistent according to the partial information of the corresponding authentication parameter information of oneself preserving, otherwise, finish the consulting new authentication secret key flow process.
19. method according to claim 18 is characterized in that, the partial information of described authentication parameter information is: a kind of or combination in any among RAND, SQN1, SXRES and the XMAC-A.
20., it is characterized in that the successful information of authentication described in the step C transmits by the failed authentication report according to claim 5,11 or 15 described methods.
21. an agreement new authorization key system is characterized in that, this system comprises first module, authentication agent and second module;
Described first module, be used to store first key, obtain the authentication parameter that comprises key refresh request information, and the authentication parameter that obtains is sent to described authentication agent, authentication parameter comprises random number RA ND, message authentication coding MAC-A, the special Expected Response SXRES of generation; Also be used for behind the authentication success message that receives described authentication agent transmission, upgrading first key;
Described authentication agent, be used to receive the authentication parameter that described first module sends, and authentication request sent to described second module, in this request, carry the part authentication parameter that comprises key refresh request information, and receive the special Authentication Response SRES that described second module is returned; Also be used for described second module is carried out authentication, and after authentication is passed through, send the authentication success message to described first module;
Described second module, be used to store second key, receive the part authentication parameter that described authentication agent sends, finish authentication described first module, and after authentication is passed through, generate special Authentication Response SRES according to second new key that produces and send to described authentication agent.
22. system according to claim 21 is characterized in that, described first module comprises first key storing unit, the first new key generation unit, authentication parameter generation unit and interface unit;
Described first key storing unit is used to preserve first key;
The described first new key generation unit, be used to produce random number, and, produce first new key, and the random number and first new key that produces sent to described authentication parameter generation unit according to this random number and first key that from described first key storing unit, reads;
Described authentication parameter generation unit is used to receive the random number and first new key that the described first new key generation unit sends, and obtains authentication parameter, and authentication parameter is sent to described interface unit;
Described interface unit is used to receive the authentication parameter that described authentication parameter generation unit sends, and sends to described authentication agent after forming authentication request; Also be used to receive the authenticating result that described authentication agent returns, and after the authentication success, first new key that the described first new key generation unit is produced writes in described first key preservation unit.
23. system according to claim 22 is characterized in that, described authentication agent comprises the first module interface unit, authenticating unit and the second module interface unit;
The described first module interface unit is used to receive the authentication request that described first module sends, and part authentication parameter is wherein sent to the described second module interface unit; Also be used to receive the authenticating result that described authenticating unit sends, and it is transmitted to described first module;
The described second module interface unit is used for the authentication parameter that the described first module interface unit sends is sent to described second module, and the special Authentication Response SRES that will be received from described second module is transmitted to described authenticating unit;
Described authenticating unit, be used to receive the authentication parameter of described first module interface unit transmission and the special Authentication Response SRES that the described second module interface unit sends, carry out the authentication of first module, and authenticating result is sent to the described first module interface unit second module.
24. system according to claim 21 is characterized in that, described second module comprises second key storing unit, the second new key generation unit, authenticating unit and interface unit,
Described second key storing unit is used to preserve second key;
The described second new key generation unit, be used to receive the random number RA ND that described interface unit sends, and, produce second new key, and the random number and second new key that produces sent to described authenticating unit according to this random number and second key that from described second key storing unit, reads;
Described interface unit is used to receive the authentication parameter that described authentication agent sends, and this parameter is sent to described authenticating unit, and random number is sent to the described second new key generation unit; Also be used to receive the special Authentication Response SRES that described authenticating unit sends;
Described authenticating unit is used to receive the authentication parameter that described interface unit sends, and carries out the authentication of second module to first module, and produces special Authentication Response SRES and send to described interface unit.
25. according to any described system in the claim 21 to 24, it is characterized in that, described first module is the HLR/AUC of attaching position register AUC, described authentication agent is VLR Visitor Location Register service universal grouping wireless business supporting node VLR/SGSN, and described second module is Subscriber Identity Module USIM.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN2006101523651A CN1921378B (en) | 2006-09-28 | 2006-09-28 | Method and system for negotiating new discrimination key |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN2006101523651A CN1921378B (en) | 2006-09-28 | 2006-09-28 | Method and system for negotiating new discrimination key |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN1921378A CN1921378A (en) | 2007-02-28 |
| CN1921378B true CN1921378B (en) | 2010-07-28 |
Family
ID=37778965
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN2006101523651A Active CN1921378B (en) | 2006-09-28 | 2006-09-28 | Method and system for negotiating new discrimination key |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN1921378B (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104917753A (en) * | 2015-05-04 | 2015-09-16 | 北京奇艺世纪科技有限公司 | Method and system for communication based on symmetric keys |
Families Citing this family (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101355425A (en) * | 2007-07-24 | 2009-01-28 | 华为技术有限公司 | Method, apparatus and system for implementing new member register of group key management |
| CN102045210B (en) * | 2009-10-10 | 2014-05-28 | 中兴通讯股份有限公司 | End-to-end session key consultation method and system for supporting lawful interception |
| CN101807236B (en) * | 2010-02-08 | 2012-11-28 | 深圳市同洲电子股份有限公司 | Authentication method, authentication system and corresponding terminal and headend equipment |
| CN101854630A (en) * | 2010-05-25 | 2010-10-06 | 中兴通讯股份有限公司 | Method, system and user equipment for realizing card authentication |
Citations (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1596000A (en) * | 2003-09-08 | 2005-03-16 | 华为技术有限公司 | A method for dynamically updating group information in cluster service |
-
2006
- 2006-09-28 CN CN2006101523651A patent/CN1921378B/en active Active
Patent Citations (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1596000A (en) * | 2003-09-08 | 2005-03-16 | 华为技术有限公司 | A method for dynamically updating group information in cluster service |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104917753A (en) * | 2015-05-04 | 2015-09-16 | 北京奇艺世纪科技有限公司 | Method and system for communication based on symmetric keys |
| CN104917753B (en) * | 2015-05-04 | 2018-07-10 | 北京奇艺世纪科技有限公司 | A kind of method and system to be communicated based on symmetric key |
Also Published As
| Publication number | Publication date |
|---|---|
| CN1921378A (en) | 2007-02-28 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN106302502B (en) | A kind of secure access authentication method, user terminal and server-side | |
| CN101005359B (en) | Method and device for realizing safety communication between terminal devices | |
| CN101547095B (en) | Application service management system and management method based on digital certificate | |
| JP5579872B2 (en) | Secure multiple UIM authentication and key exchange | |
| CN100488280C (en) | Authentifying method and relative information transfer method | |
| CN101189827B (en) | Method for inclusive authentication and management of service provider, terminal and user identity module, and system and terminal device using the method | |
| CN101828357B (en) | Credential provisioning method and device | |
| CN100512201C (en) | Method for dealing inserted-requested message of business in groups | |
| CN102201915A (en) | Terminal authentication method and device based on single sign-on | |
| KR101706117B1 (en) | Apparatus and method for other portable terminal authentication in portable terminal | |
| BRPI0212814B1 (en) | METHOD FOR AUTHENTICING THE USER OF A TERMINAL, AUTHENTICATION SYSTEM, USER RIGHTS VERIFICATION DEVICE, AND | |
| KR101765917B1 (en) | Method for authenticating personal network entity | |
| CN106713279A (en) | Video terminal identity authentication system | |
| CN105187369B (en) | A kind of data access method and device | |
| CN108024243A (en) | A kind of eSIM is caught in Network Communication method and its system | |
| CN102143492B (en) | Method for establishing virtual private network (VPN) connection, mobile terminal and server | |
| CN105323754A (en) | Distributed authentication method based on pre-shared key | |
| CN1921378B (en) | Method and system for negotiating new discrimination key | |
| CN106027250A (en) | Identity card information safety transmission method and system | |
| CN106789024A (en) | A kind of remote de-locking method, device and system | |
| CN102892102A (en) | Method, system and device for binding mobile terminal and smart card in mobile network | |
| CN107786978B (en) | NFC authentication system based on quantum encryption | |
| CN108352982B (en) | Communication device, communication method, and recording medium | |
| CN103313244A (en) | Authentication method and device based on generic bootstrapping architecture (GBA) | |
| CN106789076B (en) | Interaction method and device for server and intelligent equipment |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant |