KR20100047099A - Method of generating and updating a encryption key - Google Patents

Publication number: KR20100047099A
Authority: KR (South Korea)
Prior art keywords: gtek, mbs, key, counter, nonce
Application number: KR1020080128828A
Other languages: Korean (ko)
Inventor: 한진백
Original Assignee: 엘지전자 주식회사
Application filed by: 엘지전자 주식회사

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/083 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP]
    • H04L9/0833 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP] involving conference or group key
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0866 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving user or device identifiers, e.g. serial number, physical or biometrical information, DNA, hand-signature or measurable physical characteristics
    • H04L9/0891 Revocation or update of secret information, e.g. encryption key update or rekeying
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority

Abstract

The present invention relates to an efficient method for generating and updating encryption keys for multicast broadcast services. In one embodiment of the present invention, a method for generating an encryption key for a multicast and broadcast service (MBS) may include: transmitting to a base station a request message requesting encryption key information for the MBS; receiving from the base station a response message including an MBS authentication key (MAK), a group traffic encryption key (GTEK) nonce and a GTEK counter for generating a first GTEK; and generating the first GTEK using the MAK, the GTEK nonce and the GTEK counter.

Description

Method of generating and updating a Encryption Key

The present invention relates to security in wireless access systems, and in particular to an efficient key generation and update method for a multicast broadcast service.

The security problem for multimedia applications is briefly described below.

As network technologies have improved, many technical improvements have been made in the multimedia streaming area for wireless networks. While providing multimedia services to multiple terminals, security issues for multimedia applications have become an important issue. There are a number of issues in the multimedia application layer, including client authentication, secure data transmission, and key management. The question is how to incorporate security mechanisms into multimedia streaming.

Multicast Broadcast Service (MBS) refers to a service flow that delivers MBS information to a plurality of terminals. The MBS service flow has a set of quality of service (QoS) parameters and security through a set of encryption keys is required. In addition, the service flow for transferring the MBS data may be activated by individual terminals performing a normal operation. While the MBS service is active, the terminal can recognize parameters related to the service.

A multicast / broadcast protocol delivers data from the source only to specific recipients. Multicast and broadcast protocols require access control mechanisms that allow only authorized members to access group communications. In general, access control is achieved by encrypting multimedia data using an encryption key. This encryption key is defined as a session key shared by all authorized members.

Authorized members perform the Group Key Agreement (GKA) protocol to generate a common encryption key. The GKA protocol is intended to prevent unauthorized illegal subscribers impersonating members and obtaining a shared session key. That is, only members with a shared session key can be authorized and can decrypt multimedia data transmitted from a source. In addition, only authorized members can be guaranteed the confidentiality of the data.

In this specification, various wireless access systems will be described. In particular, MBS (Multicast / Broadcast Service) security defined in the IEEE 802.16 system uses PKMv2 (Privacy and Key Management Sublayer version 2) to transmit multimedia broadcast information.

PKMv2 is used to encrypt a broadcast connection between a base station (BS) and a subscriber station (SS). Thus, using PKMv2 can provide strong protection for services over broadband wireless networks. For MBS security, MBS requires MBS Group Security Association (GSA). The MBS GSA refers to security information shared by a plurality of base stations and one or more terminals in order to support secure MBS contents.

Each terminal may establish the MBS security association in the initialization procedure. The information shared by one MBS GSA includes key information such as the cryptographic suite, MBS Authorization Keys (MAKs), and MBS Group Traffic Encryption Keys (MGTEKs) used within each GSA. MBS GSAs are identified through 16-bit Security Association Identifiers (SAIDs). Each terminal may configure one or more MBS GSAs with its serving base station. The terminal may receive and set key information (e.g., keying material) of the MBS GSA through the PKMv2 protocol. In one security association (SA), key information has a limited period, and when the base station delivers SA key information of the MBS to the terminal, the remaining period of the corresponding key information may be provided together.

The IEEE 802.16 system, one of the broadband wireless access systems, defines MBRA (Multicast and Broadcast Rekeying Algorithm) for key renewal for MBS.

MBRA is used to renew traffic keys for multicast and broadcast services or MBS rather than unicast services. However, in a general communication system, MBRA wastes radio resources and incurs large overhead in key management (generation, renewal, and distribution of GTEKs) and in utilization of the air interface. In addition, the general communication system does not update the GTEK securely and flexibly when a subscriber subscribes to or terminates the MBS.

In addition, a typical communication system must redistribute a new GTEK to specific group subscribers each time a GTEK is updated. However, how the GTEK is updated when a specific UE newly joins the MBS group (or MBS area) to receive the MBS, or when a UE leaves the MBS group to terminate the MBS, is not considered. Therefore, the MBRA generally used does not sufficiently consider the efficiency of key distribution and the security of key management.

SUMMARY OF THE INVENTION

The present invention has been made to solve the problems of general technology as described above, and an object of the present invention is to provide efficient data communication and an MBS whose security and reliability are guaranteed.

Another object of the present invention is to provide an efficient key distribution method and a key management method considering security.

Still another object of the present invention is to provide a method for generating and updating GTEKs using information shared between the terminal and the base station. In addition, by safely and efficiently generating and updating the GTEK, the terminal and the base station enhance the safety of the MBS and the use efficiency of network resources, and provide the MBS service without affecting the quality of service.

Still another object of the present invention is to provide an MBS of which confidentiality is secured by allocating and distributing a temporary encryption key for a newly subscribed terminal or a leaving terminal.

Another object of the present invention is to provide an optimized key management method for improving the security of key management and increasing the efficiency of network resources. Accordingly, a method of minimizing the overhead of messages transmitted and received for key management can be provided.

In order to solve the above technical problem, the present invention provides an efficient key generation and renewal method for a multicast broadcast service, addressing security in wireless access systems.

According to an aspect of the present invention, a method for generating an encryption key for a multicast and broadcast service (MBS) may comprise: transmitting to a base station a request message requesting encryption key information for the MBS; receiving from the base station a response message including an MBS authentication key (MAK), a group traffic encryption key (GTEK) nonce and a GTEK counter for generating a first GTEK; and generating the first GTEK using the MAK, the GTEK nonce and the GTEK counter.

One aspect of the present invention may further comprise receiving a group key update command message for updating the first GTEK from the base station. At this time, the group key update command message may include an updated GTEK counter. In addition, the group key update command message may be transmitted whenever the first GTEK is updated. In addition, the group key update command message may be transmitted with a predetermined time period.

In generating the first GTEK of the aspect of the present invention, the first GTEK may be generated using one or more of a group security association identifier and a non-once push counter.

In an aspect of the present invention, the request message may be a PKM key request message, and the response message may be a PKM key response message.

In another aspect of the present invention, a method for generating an encryption key for a multicast and broadcast service (MBS) may comprise: receiving from a first terminal a message requesting encryption key information for the MBS; transmitting to the first terminal a response message comprising a first group traffic encryption key nonce (first GTEK nonce) and a first GTEK counter for generating a first group traffic encryption key (GTEK); and generating the first GTEK using the first GTEK nonce and the first GTEK counter.

Another aspect of the present invention may further include transmitting a group key update command message for updating the first GTEK from the base station to the first terminal. At this time, the group key update command message may include an updated first GTEK counter. In addition, the group key update command message may be transmitted whenever the first GTEK is updated.

In the step of generating the first GTEK of another aspect of the present invention, the first GTEK may be generated further using one or more of a group security association identifier and a non-push counter.

In another aspect of the present invention, when a second terminal joins the MBS, the method may further include receiving a message requesting encryption key information from the second terminal, transmitting to the second terminal a response message including the first GTEK nonce and a second GTEK counter, and generating a second GTEK using the first GTEK nonce and the second GTEK counter. At this time, the second GTEK may be updated together with the first GTEK when the first GTEK is updated.

In another aspect of the present invention, the second GTEK may be generated even when the second terminal releases the MBS. In addition, the first GTEK and the second GTEK may have different durations.

According to another aspect of the present invention, when a second terminal joins the MBS, the method may further include the base station transmitting to the second terminal a group key update command message including one or more of an MBS authentication key, a second GTEK nonce, and a second GTEK counter, and generating a second GTEK using at least one of the MBS authentication key, the second GTEK nonce, and the second GTEK counter. At this time, the second GTEK may be updated together with the first GTEK when the first GTEK is updated. In addition, the first GTEK and the second GTEK may have different durations.
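
The derivation and update flow described in the aspects above, as an added example that is not code from the patent or from IEEE 802.16. The patent names the inputs (MAK, GTEK nonce, GTEK counter, group security association identifier) but not the derivation function, so HMAC-SHA256 stands in for it here; the `KeyResponse`, `GroupKeyUpdate` and `GtekState` names, the field encoding and all sample values are assumptions, and protection of the messages in transit is left out.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

GTEK_LEN = 16  # bytes; the 128-bit key size is an assumption of this sketch


def derive_gtek(mak: bytes, gtek_nonce: bytes, gtek_counter: int, gsaid: int) -> bytes:
    """Derive a GTEK from the MAK, GTEK nonce, GTEK counter and GSAID.

    Assumed KDF: HMAC-SHA256 keyed with the MAK, truncated to GTEK_LEN bytes.
    The page names the inputs but not the function.
    """
    if not 0 <= gsaid <= 0xFFFF:
        raise ValueError("GSAID is a 16-bit identifier")
    # Length-prefixed nonce and fixed-width integers keep the encoding unambiguous.
    data = (b"GTEK" + bytes([len(gtek_nonce)]) + gtek_nonce
            + gtek_counter.to_bytes(4, "big") + gsaid.to_bytes(2, "big"))
    return hmac.new(mak, data, hashlib.sha256).digest()[:GTEK_LEN]


@dataclass(frozen=True)
class KeyResponse:
    """Stand-in for the PKM key response: key material, never the GTEK itself."""
    mak: bytes
    gtek_nonce: bytes
    gtek_counter: int


@dataclass(frozen=True)
class GroupKeyUpdate:
    """Stand-in for the group key update command: the updated counter and,
    in the second-nonce variant, a new GTEK nonce."""
    gtek_counter: int
    gtek_nonce: Optional[bytes] = None


class GtekState:
    """Key material one side (base station or terminal) holds for one GSAID."""

    def __init__(self, gsaid: int, rsp: KeyResponse):
        self.gsaid = gsaid
        self.mak, self.gtek_nonce, self.gtek_counter = rsp.mak, rsp.gtek_nonce, rsp.gtek_counter

    def gtek(self) -> bytes:
        return derive_gtek(self.mak, self.gtek_nonce, self.gtek_counter, self.gsaid)

    def key_response(self) -> KeyResponse:  # base-station side
        return KeyResponse(self.mak, self.gtek_nonce, self.gtek_counter)

    def apply(self, cmd: GroupKeyUpdate) -> None:
        if cmd.gtek_counter <= self.gtek_counter:
            raise ValueError("stale GTEK counter")  # never step back to an older key
        self.gtek_counter = cmd.gtek_counter
        if cmd.gtek_nonce is not None:
            self.gtek_nonce = cmd.gtek_nonce

    def next_update(self, fresh_nonce: Optional[bytes] = None) -> GroupKeyUpdate:
        """Base-station side: advance the counter, optionally replace the nonce."""
        cmd = GroupKeyUpdate(self.gtek_counter + 1, fresh_nonce)
        self.apply(cmd)
        return cmd


def run_demo() -> dict:
    # Constructed sample values, not real key material.
    gsaid = 0x0101
    bs = GtekState(gsaid, KeyResponse(bytes(range(20)), b"\xaa" * 16, 1))

    t1 = GtekState(gsaid, bs.key_response())   # request/response exchange
    first_gtek = t1.gtek()
    sync_initial = first_gtek == bs.gtek()

    t1.apply(bs.next_update())                 # periodic update: counter only
    updated_gtek = t1.gtek()
    sync_update = updated_gtek == bs.gtek()

    bs.next_update()                           # second terminal joins:
    t2 = GtekState(gsaid, bs.key_response())   # first nonce, second counter
    join_gtek = t2.gtek()
    sync_join = join_gtek == bs.gtek()

    cmd = bs.next_update(fresh_nonce=b"\xbb" * 16)  # variant with a second nonce
    t1.apply(cmd)                              # both terminals are updated together
    t2.apply(cmd)
    fresh_gtek = t2.gtek()
    sync_fresh = fresh_gtek == t1.gtek() == bs.gtek()

    return {"keys": [first_gtek, updated_gtek, join_gtek, fresh_gtek],
            "in_sync": [sync_initial, sync_update, sync_join, sync_fresh]}
```

Only counters and nonces cross the link after the initial exchange; each side computes the GTEK locally, which is why an update command can stay small.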

Embodiments of the present invention have the following effects.

First, embodiments of the present invention make it possible to provide or receive efficient data communication and an MBS whose security and reliability are guaranteed.

Secondly, in the present invention, an encryption key for MBS can be efficiently and reliably distributed using information shared between the terminal and the base station.

Third, by generating and updating GTEKs respectively using encryption key materials shared by the terminal and the base station, the confidentiality and the security can be improved.

Fourth, the confidentiality of the MBS can be provided by allocating and distributing a temporary encryption key for a newly subscribing terminal or a leaving terminal.

Fifth, by using the encryption key management method disclosed in the present invention, it is possible to reduce the overhead in terms of encryption key management and to provide a security-guaranteed service.

In still another aspect of the present invention, a method of generating an encryption key for a multicast and broadcast service (MBS) may include: transmitting to a base station a request message requesting encryption key information for the MBS; receiving from the base station a response message including a group traffic encryption key (GTEK) nonce and a GTEK counter for generating a first GTEK; and generating the first GTEK using the GTEK nonce and the GTEK counter.

The present invention relates to security in wireless access systems, and in particular to an efficient key generation and update method for a multicast broadcast service.

The following embodiments are a combination of elements and features of the present invention in a predetermined form. Each component or feature may be considered to be optional unless otherwise stated. Each component or feature may be embodied in a form that is not combined with other components or features. In addition, some components and / or features may be combined to form an embodiment of the present invention. The order of the operations described in the embodiments of the present invention may be changed. Some components or features of one embodiment may be included in another embodiment or may be replaced with corresponding components or features of another embodiment.

In the description of the drawings, procedures or steps, which may obscure the gist of the present invention, are not described, and procedures or steps that can be understood by those skilled in the art are not described.

In the present specification, embodiments of the present invention have been described based on data transmission / reception relations between a base station and a terminal. Here, the base station has a meaning as a terminal node of a network that directly communicates with the terminal. The specific operation described as performed by the base station in this document may be performed by an upper node of the base station in some cases.

That is, various operations performed for communication with a terminal in a network composed of a plurality of network nodes including a base station may be performed by the base station or by network nodes other than the base station. In this case, the 'base station' may be replaced by terms such as a fixed station, a Node B, an eNode B (eNB), and an access point. In addition, a 'mobile station' may be replaced by terms such as user equipment (UE), subscriber station (SS), mobile subscriber station (MSS), or mobile terminal.

In addition, the transmitting end refers to a node transmitting data or voice service, and the receiving end refers to a node receiving data or voice service. Therefore, in uplink, a terminal may be a transmitting end and a base station may be a receiving end. Similarly, in downlink, a terminal may be a receiving end and a base station may be a transmitting end.

Meanwhile, a PDA (Personal Digital Assistant), cellular phone, PCS (Personal Communication Service) phone, GSM (Global System for Mobile) phone, WCDMA (Wideband CDMA) phone, MBS (Mobile Broadband System) phone and the like can be used as the mobile terminal of the present invention.

Embodiments of the invention may be implemented through various means. For example, embodiments of the present invention may be implemented by hardware, firmware, software, or a combination thereof.

In the case of a hardware implementation, the method according to embodiments of the present invention may be implemented by one or more application specific integrated circuits (ASICs), digital signal processors (DSPs), digital signal processing devices (DSPDs), programmable logic devices (PLDs), field programmable gate arrays (FPGAs), processors, controllers, microcontrollers, microprocessors, and the like.

In the case of an implementation by firmware or software, the method according to the embodiments of the present invention may be implemented in the form of a module, a procedure, or a function that performs the functions or operations described above. The software code may be stored in a memory unit and driven by a processor. The memory unit may be located inside or outside the processor, and may exchange data with the processor by various known means.

Embodiments of the present invention may be supported by standard documents disclosed in at least one of the wireless access systems IEEE 802 system, 3GPP system, 3GPP LTE system and 3GPP2 system. That is, steps or parts which are not described to clearly reveal the technical spirit of the present invention among the embodiments of the present invention may be supported by the above documents. In addition, all terms disclosed in the present document can be described by the above standard document. In particular, embodiments of the present invention may be supported by one or more of the standard documents P802.16-2004, P802.16e-2005, and P802.16Rev2 documents of the IEEE 802.16 system.

Specific terms used in the following description are provided to help the understanding of the present invention, and the use of the specific terms may be modified in other forms without departing from the technical spirit of the present invention.

FIG. 1 is a diagram illustrating an example of a multicast broadcast key update algorithm performed in an initial management connection procedure.

In FIG. 1, a subscriber station (SS) may have traffic key information before receiving a specific MBS. The initial group traffic encryption key request and exchange procedure between the base station (BS) and the terminal may be performed using a PKMv2 key request message and a PKMv2 key response message. Once the terminal and the base station share the key information, the terminal does not request new key information from the base station.

Referring to FIG. 1, the terminal may transmit a PKMv2 key request message to the base station and request MBS traffic key information used at the base station (S101).

In response to the step S101, the base station transmits a PKMv2 key response message including the traffic key information to the terminal (S102).

Table 1 below shows an example of a PKMv2 key reply message format.

| Attribute | Contents |
|---|---|
| Key sequence number | AK sequence number |
| SAID | Security association identifier - GSAID for MBS. |
| TEK-Parameters | "Older" generation of key parameters relevant to SAID - GTEK parameters for the MBS. |
| TEK-Parameters | "Newer" generation of key parameters relevant to SAID - GTEK parameters for the MBS. |
| GKEK-Parameters | "Older" generation of GKEK-related parameters for MBS. |
| GKEK-Parameters | "Newer" generation of GKEK-related parameters for MBS. |
| Nonce | A same random number included in the PKMv2 Key-Request message. |
| HMAC / CMAC digest | Message digest calculated using AK. |

Referring to Table 1, the PKMv2 key response message may include one or more of the following attribute fields: the Key Sequence Number field indicating the authentication key sequence number; the Security Association Identifier (SAID), which is the group security association identifier for the MBS; the Group Key Encryption Key (GKEK) field for the MBS; the Group Traffic Encryption Key (GTEK) field for the MBS; a Nonce field that has the same value as the random number included in the PKMv2 key request message; and the HMAC / CMAC digest calculated using an Authorization Key (AK). In this case, GTEK is an encryption key corresponding to a multicast service or a broadcast service.

The TEK parameter attribute field is a compound attribute field and may include all keys corresponding to TEK generation of a specific SAID. For example, it may include TEK, remaining period of TEK, TEK sequence number and CBC IV. The base station always maintains two types of keying materials per SAID, and may distribute two active keying materials to the terminal.

In addition, the GKEK Parameters Attribute field indicates a compound attribute field including all GKEK related parameters corresponding to the GSAID. The GKEK parameter attribute field may include GKEK, remaining period of GKEK, sequence number of GKEK, and the like.

The GKEK and the GTEK are encrypted to reliably provide the MBS to the terminal. In particular, the GTEK is encrypted with a GKEK to provide a multicast service or broadcast service, and the GKEK is encrypted with a key encryption key (KEK).

The base station manages the M & B TEK Grace Time for each Group Security Association Identifier (GSAID), where the GSAID is a security association identifier for a multicast service or a broadcast service. In addition, the M & B TEK grace time at the base station means a time slightly earlier than the expiration time of the distributed group traffic encryption key (GTEK); that is, the M & B grace time at the base station is longer than the TEK Grace Time managed by the terminal.

Before the GTEK Active life time expires and before the start of the M & B TEK Grace time, the base station transmits a PKMv2 Group-Key-Update-Command message in GKEK update mode to one or more terminals. At this time, the PKMv2 group key update command message includes updated GKEK information (S103).

In step S103, GKEK is used to encrypt a new group traffic encryption key (GTEK). In this case, the GKEK may be randomly generated at the base station or the authentication server.

After the M & B TEK grace time, the base station transmits a PKMv2 Group Key Update Command message of the group traffic encryption key update mode (GTEK update mode) to one or more terminals (S104).

In step S104, the base station may distribute a new group traffic encryption key (GTEK) to the terminals through the PKMv2 group key update command message. At this time, the GTEK is encrypted using the GKEK transmitted in step S103. In addition, the base station may distribute other MBS key information to a terminal receiving a specific multicast service or broadcast service using a PKMv2 group key update command message.

Referring to FIG. 1, the terminal may maintain two consecutive sets of traffic key information per GSAID to which access is allowed. In addition, the terminal may check whether new traffic key information has been received through the operation of the traffic encryption key state machine. If the terminal receives new traffic key information (e.g., GTEK), the TEK grace time managed by the terminal does not operate. If the terminal does not receive the new traffic key information, the terminal requests the new traffic key information from the base station before the latest group traffic encryption key expires and within the TEK grace time.

If the terminal shares the valid GKEK and GTEK with the base station after step S103 and step S104, the terminal does not need to request new traffic key information from the base station. When the terminal does not receive at least one PKMv2 key update command message in step S103 or step S104, the PKMv2 key request message may be transmitted to the base station again to request new traffic key information.

FIG. 2 is a diagram illustrating another example of a multicast broadcast key update algorithm.

MBS security, defined in IEEE 802.16, one of the wireless access systems, is a mechanism that uses PKMv2 to transmit multimedia broadcast information. MBS security provides strong protection for services over broadband wireless networks by encrypting the broadcast connection between the terminal and the base station.

To this end, the MBS requires the MBS Group Security Association (GSA); the MBS GSA means security information shared by one or more base stations (BS) and one or more subscriber stations (SS) to support secure MBS content. Each terminal may set up an MBS GSA in an initialization procedure, and the information shared by one MBS GSA may include key information such as the cryptographic suite, MBS Authorization Keys (MAKs), and MGTEKs (MBS Group Traffic Encryption Keys) used in each GSA. In embodiments of the present invention, it is assumed that a MAK can be transmitted from a higher entity or generated at a serving base station.

Like the unicast SA, the MBS GSA is identified through a 16-bit SAID, and each terminal may configure one or more MBS GSAs with its serving BS. The terminal may receive and set a keying material of the MBS GSA through the PKMv2 protocol.

The key material of a specific SA has a limited period, and when the base station delivers the SA key material of the MBS to the terminal, it may provide the remaining period of the key material together. The terminal SS may acquire traffic key information before receiving a specific multicast service, broadcast service or MBS through an initial GTEK request exchange procedure. The initial GTEK request and exchange procedure may refer to FIG. 1.

The base station BS manages the M & B TEK grace time for each GSAID. M & B grace time is defined only for multicast service or broadcast service. M & B TEK Grace Time means the time interval and is measured before expiration of a previously received GTEK. In addition, the M & B grace time of the base station is longer than the TEK grace time of the terminal.

Before the old GTEK expires, the base station distributes the updated traffic key information (eg, GKEK and / or GTEK) using two PKMv2 group key update command messages. The PKMv2 group key update command message is classified according to the key update mode.

Referring to FIG. 2, the base station may transmit a PKMv2 group key update command message in a GKEK update mode to respective terminals in order to distribute a new GKEK (S201).

In step S201, the base station may provide a PKMv2 group key update command message to terminals receiving a specific multicast service, broadcast service or MBS. At this time, the base station can transmit a PKMv2 group key update command message in the GKEK update mode to each terminal before the current GKEK expires and before the last M & B TEK Grace Time of the GTEK corresponding to the current GKEK starts.

The PKMv2 group key update command message may be transmitted to the terminal in the initial management connection of FIG. In order to reduce the load of the base station updating the traffic key information, the base station may transmit a PKMv2 group key update command message in the GKEK update mode to each terminal periodically or intermittently. At this time, GKEK is required to encrypt a new GTEK, and GKEK may be arbitrarily generated by a base station or a network entity.

The base station may transmit a PKMv2 group key update command message of the GTEK update mode to each terminal in order to distribute a new GTEK (S202).

Table 2 below shows an example of a PKMv2 group key update command message format that can be used in step S202.

| Attribute | Contents |
|---|---|
| Key Sequence Number | AK sequence number for GKEK update mode. GKEK sequence number for GTEK update mode. |
| GSAID | Security association identifier |
| Key push mode | Usage code of PKMv2 Group-Key-Update-Command message. |
| Key push counter | Counter one greater than that of older generation. |
| GTEK-Parameters | "Newer" generation of GTEK related parameters relevant to GSAID. The GTEK-Parameters is the TEK-Parameters for multicast broadcast service or MBS. |
| GKEK-Parameters | "Newer" generation of GKEK related parameters for multicast broadcast service or MBS. |
| HMAC / CMAC Digest | Message integrity code of this message. |

Referring to Table 2, the PKMv2 group key update command message may include a key sequence number, a group security association identifier (GSAID), a key push mode indicating the usage code of the group key update command message, a key push counter with a value greater than that of the previous message, the GKEK parameter field for generating the GTEK related to the GSAID, and an HMAC/CMAC digest field carrying the integrity code of the group key update command message.

The PKMv2 group key update command message is used to deliver and update GKEK related parameters or GTEK related parameters to terminals receiving a specific multicast service, broadcast service or MBS. The key sequence number indicates an AK sequence number shared by the terminal and the base station in the GKEK update mode, and indicates a GKEK sequence number in the GTEK update mode.

GSAID is a SAID for a multicast or broadcast group. There are two types of PKMv2 group key update command messages: one for the GKEK update mode and the other for the GTEK update mode. The key push counter is used to prevent replay attacks.

The GTEK Parameters Attribute field is a compound attribute field and may include key materials corresponding to the new GTEK of the GSAID. The GTEK parameter attribute field may include GTEK, remaining period of GTEK, sequence number of GTEK, associated GKEK sequence number and CBC IV.

Referring again to FIG. 2, it is assumed that the duration of the GKEK is n times the duration of the GTEK (e.g., n is an integer greater than 1). That is, when the GTEK is updated n times, the GKEK is updated once. Accordingly, the base station may periodically transmit a PKMv2 group key update command message in the GTEK update mode to each terminal before the GTEK lifetime and the M&B TEK grace time expire (S203 and S204).

When the lifetime of the GKEK distributed in step S201 expires, the base station transmits a PKMv2 group key update command message in the GKEK update mode to each terminal in order to distribute the new GKEK (S205).

In addition, the base station transmits a PKMv2 group key update command message of the GTEK update mode to each terminal in order to distribute a new GTEK to each terminal (S206).

FIGS. 1 and 2 illustrate the basic concept of updating GKEK and GTEK information used in embodiments of the present invention, and may be applied to the embodiments described below.

MBS refers to a service flow that delivers multicast and broadcast information to a plurality of terminals. This service flow has a set of QoS parameters and requires encryption through the corresponding key.

Accordingly, as an embodiment of the present invention, the terminal and the base station may generate a GTEK, or update the GTEK periodically, using information such as the MBS Authorization Key (MAK), the GTEK counter, the GTEK nonce and the nonce push counter.

In addition, it is assumed in embodiments of the present invention that the base station can arbitrarily generate a MAK. That is, after the GKEK required for the encryption of the GTEK is set, the base station can deliver the GTEK nonce and GTEK counter used for the generation and update of the GTEK to the terminal. Therefore, in the actual MBS provision, it is possible to improve the use efficiency of network resources or the safety of data when creating, updating, and distributing GTEKs.

In embodiments of the present invention, the GTEK may be generated through the exchange of PKM key request/response messages, or may be generated using a PKM key update command message. Hereinafter, methods of generating the GTEK will be described.

FIG. 3 is a diagram for one example of a multicast broadcast key update method performed in an initial management connection procedure according to one embodiment of the present invention.

Referring to FIG. 3, a mobile station (MS) may request MBS traffic key information used by the serving base station by transmitting a PKMv2 key request message to a serving base station (SBS) (S301).

The serving base station transmits a PKMv2 key response message including the traffic key information to the terminal in response to step S301 (S303).

Table 3 below shows an example of a key reply message format that can be used in step S303.

| Attribute | Contents |
| --- | --- |
| Key sequence number | AK sequence number for GKEK update or GKEK sequence number for GTEK update mode |
| SAID | Security association identifier: GSAID for MBS. |
| TEK-Parameters | "Older" generation of key parameter relevant to SAID-GTEK Nonces for MBS. |
| TEK-Parameters | "Newer" generation of key parameter relevant to SAID-GTEK Nonce for MBS. |
| GKEK-Parameters | "Older" generation of GKEK-related parameters for MBS. |
| GKEK-Parameters | "Newer" generation of GKEK-related parameters for MBS. |
| GTEK Nonce | A same random number included in the PKMv2 Key-Request message |
| MAK | MBS Authorization Key |
| GKEK counter | GTEK counter used to derive the "Newer" GTEK Parameters. |
| HMAC/CMAC digest | Message Integrity Code of this message |

The key response message may include the GTEK nonce, GTEK counter, and MAK (MBS AK) fields as traffic key information. The key response message is transmitted in unicast from the serving base station to the terminal.

Referring to Table 3, the GTEK may be included in the TEK parameter attribute field. The GTEK nonce can be used for the generation of the initial GTEK. The size of the GTEK nonce may be equal to or smaller than the size of the GTEK. The base station transmits a GTEK nonce to the terminal for generation of an initial GTEK.

In Table 3, the MAK field is a key generated from the upper layer and delivered for MBS protection in the link layer. However, in the embodiment of the present invention, it is assumed that the MAK may be arbitrarily generated at the base station. For example, the MAK may be arbitrarily generated at the base station to generate an encryption key for the MBS service for the users whose authentication process is successfully completed. For descriptions of the remaining fields or parameters not described in Table 3, the description of Table 1 may be referred to. GTEK nonce and MAK can be encrypted using KEK.

The terminal may generate the GTEK using the GTEK nonce, the GTEK counter, and the MAK field included in the PKM key response message. At this time, the base station may also generate the same GTEK using the GTEK nonce, GTEK counter and MAK field transmitted to the terminal (S305).

Thereafter, while the MBS service is being received, the lifetime of the GTEK generated by the terminal and the serving base station may expire, or the GTEK may need to be updated due to a change of encryption information. In this case, the serving base station may periodically or intermittently transmit a PKM key update command message including one or more of a GTEK parameter and a GTEK counter to the terminal (S307).

Through this, the serving base station and the terminal can each update the same GTEK. Table 4 below shows an example of a PKM Group Key Update Command message format that can be used in step S307.

| Attribute | Contents |
| --- | --- |
| Key Sequence Number | AK sequence number for GKEK update mode; GKEK sequence number for GTEK update mode |
| GSAID | Security association identifier |
| Key push mode | Usage code of PKMv2 Group-Key-Update-Command message |
| Key push counters | Counter one greater than that of older generation |
| GTEK Counter | GTEK Counter used to derive the "Newer" GTEK Parameters. One greater than that of older generation |
| GKEK-Parameters (Optional) | "Newer" generation of GKEK Nonce for "Newer" GTEK derivation for multicast, broadcast service of MBS |
| HMAC/CMAC Digest | Message integrity code of this message. |

Referring to Table 4, the PKM group key update command message may include one or more of a key sequence number field, a GSAID, a key push mode field, a key push counter field, a GTEK counter field, a GKEK parameter field, and an HMAC/CMAC digest field.

After generating the first GTEK in step S305, the base station and the terminal may use the GTEK counter field to update the GTEK. Therefore, the PKM group key update command message for GTEK update does not need to include the GTEK nonce. In embodiments of the present invention, the GTEK nonce and MAK may be encrypted via KEK. For fields or parameters not described in Table 4, refer to Table 2.

The serving base station may perform update of the GTEK by periodically or intermittently transmitting the PKM group key update command message of Table 4 to the terminal. The GTEK nonce may be transmitted from the base station to the terminal for generation of the first GTEK whenever GKEK update is made.

To update the GTEK, the serving base station may transmit a PKM group key update command message including an increased GTEK counter or an indicator indicating that the GTEK counter has been increased. For example, after the generation of the GTEK, the serving base station may transmit to the terminal only the GTEK counter incremented by 1 at each GTEK update, by including it in the group key update command message. That is, the serving base station generates a group key update command message that includes a GTEK counter field but no key material information such as the GTEK nonce and MAK, so the waste of radio resources on the air interface can be significantly reduced.

However, as a modified embodiment of the present invention, the GTEK nonce may be included in the PKM group key update command message. That is, after generating the initial GTEK, the base station transmits the GTEK nonce in the group key update command message to the terminal only when the GTEK is first updated. Thereafter, the base station transmits a group key update command message including only the GTEK counter or the GTEK counter indicator to the terminal, thereby updating the GTEK at the base station and the terminal, respectively.

Hereinafter, as another embodiment of the present invention, a method of updating an MBS GTEK for a user newly joining or leaving a specific MBS group (or MBS area) will be described.

If new users join or leave the MBS group after GTEK has already been set up and distributed for users of a particular MBS group, an update of GKEK and GTEK to reflect this is required. However, updating the GKEK for all users included in a specific MBS group whenever a user joins or leaves a specific MBS group may cause an excessive load on the system.

However, even if the GKEK is not updated, security of the MBS service can be maintained if only GTEK is updated. In another embodiment of the present invention, the base station may generate a new GTEK nonce separate from the GTEK nonce used to generate the GTEK currently used by the specific MBS group, and deliver the new GTEK nonce to users who newly join or leave the specific MBS group. At this time, the GTEK counter may be initialized. Alternatively, the GTEK counter can be used as is without initialization. That is, by newly creating a new GTEK for a new subscriber or leaver, it is possible to establish security for the MBS provided to the new subscriber or leaver.

Therefore, a GTEK different from the GTEK used by existing terminals of a specific MBS group is generated and used, which can ensure forward secrecy and backward secrecy. That is, since the MAK is transmitted only to terminals authenticated for access to the MBS, a terminal that is able to receive the GTEK nonce still cannot update the GTEK without the MAK.

FIG. 4 is a view showing an example of an improved MBRA management method as another embodiment of the present invention.

Unlike FIG. 3, FIG. 4 illustrates a method of generating a GTEK using key material included in a group key update command message.

As shown in FIG. 4, the generation of the GKEK necessary for the provision of the MBS may be performed through a primary management CID in the GKEK update mode. At this time, the GKEK is used to encrypt the GTEK nonce used to generate the n GTEKs (GTEK x+1 to GTEK x+n) during the GKEK lifetime. Accordingly, the serving base station (SBS) may transmit a PKMv2 group key update command message including a GKEK for encrypting the GTEK to the mobile station (MS) (S401).

In order to generate a GTEK for security of the MBS, the base station may transmit a PKM group key update command message including a basic CID (Basic CID) including a GTEK nonce in the GTEK update mode to the terminal. That is, the serving base station may transmit a group key update command message including a GTEK nonce, a MAK, and a GTEK counter to the terminal. Accordingly, the terminal and the base station may generate the GTEK using the GTEK nonce, the MAK, and the GTEK counter (S403).

Equation 1 below shows one of the methods for generating the GTEK in embodiments of the present invention.

Figure 112008086817956-PAT00001

Referring to Equation 1, the MAK, GTEK nonce, GTEK counter and GSAID may be used to generate and update the GTEK. At this time, the GTEK nonce may be encrypted with KEK or GKEK. In addition, the base station and the terminal may generate a GTEK by further including a nonce push counter in Equation 1 above.

If it is necessary to update the GTEK periodically or intermittently after step S403, the serving base station does not include the GTEK nonce and the MAK in the group key update command message in the GTEK update mode, and may transmit to the terminal only the GTEK counter increased by a predetermined amount (for example, by one). That is, all GTEK updates made after the initial GTEK setting and before the GKEK update may be performed by the terminal and the base station, respectively, using the same GTEK nonce and an incremented GTEK counter (S405 and S407).

The serving base station and the terminal may generate an updated GTEK using the incremented GTEK counter and Equation 1. At this time, the MAK, GTEK nonce, nonce push counter and GSAID may remain the same as before.

If the GKEK set in step S401 expires, the base station enters the GKEK update mode and transmits a main management CID to the terminal to newly generate or update the GKEK. At this time, in order to generate a new GTEK corresponding to the newly updated GKEK, the base station may transmit a PKM key update command message including the new GTEK nonce to the terminal (S409).

FIG. 4 shows how the GTEK is updated when, for the first GTEK update after setting up the GKEK in the MBS group (or MBS region), the serving base station sends a PKM group key update command message including a GTEK nonce, GTEK counter and MAK to all subscribers in the MBS group. However, the initial GTEK may be generated in each of the terminal and the base station through the exchange of the PKMv2 key request message and the PKMv2 key response message (see FIG. 3). Subsequent GTEK updates may be performed using a GTEK counter (incremented by 1 for each GTEK update) included in the PKMv2 group key update command message. In each case, the GTEK nonce can be encrypted with KEK or GKEK.
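The counter-only update of steps S405 and S407, together with the key push counter check, is sketched below as an added example; it is not code from the patent. Equation 1 is not reproduced on this page, so HMAC-SHA256 stands in both for the GTEK derivation and for the message digest, and the class names, the `mac_key`, the 16-bit field widths and the sample GSAID are likewise assumptions.

```python
import hashlib
import hmac
import os
import struct

GTEK_LEN = 16    # assumed 128-bit traffic key
BODY = ">HHH"    # assumed layout: GSAID, key push counter, GTEK counter
BODY_LEN = struct.calcsize(BODY)
TAG_LEN = hashlib.sha256().digest_size


def derive_gtek(mak, nonce, counter, gsaid):
    """Stand-in for Equation 1 (assumed construction): HMAC-SHA256 keyed with
    the MAK over nonce, counter and GSAID, truncated to GTEK_LEN bytes."""
    info = b"GTEK" + nonce + struct.pack(">HH", counter, gsaid)
    return hmac.new(mak, info, hashlib.sha256).digest()[:GTEK_LEN]


def _digest(mac_key, body):
    return hmac.new(mac_key, body, hashlib.sha256).digest()


class BaseStation:
    def __init__(self, gsaid):
        self.gsaid = gsaid
        self.mak = os.urandom(20)          # the page lets the base station generate the MAK
        self.mac_key = os.urandom(16)      # hypothetical key for the message digest
        self.nonce = os.urandom(GTEK_LEN)  # GTEK nonce, no larger than the GTEK
        self.gtek_counter = 0
        self.key_push_counter = 0

    def gtek(self):
        return derive_gtek(self.mak, self.nonce, self.gtek_counter, self.gsaid)

    def key_response(self):
        """Key material of the unicast key response. Encrypting the nonce
        and MAK under the KEK is not modelled here."""
        return dict(mak=self.mak, mac_key=self.mac_key, gsaid=self.gsaid,
                    nonce=self.nonce, gtek_counter=self.gtek_counter,
                    key_push_counter=self.key_push_counter)

    def next_update(self):
        """GTEK-update-mode command: counters and digest only, no nonce or MAK."""
        self.gtek_counter += 1
        self.key_push_counter += 1
        body = struct.pack(BODY, self.gsaid, self.key_push_counter,
                           self.gtek_counter)
        return body + _digest(self.mac_key, body)


class Terminal:
    def __init__(self, mak, mac_key, gsaid, nonce, gtek_counter, key_push_counter):
        self.mak, self.mac_key, self.gsaid = mak, mac_key, gsaid
        self.nonce = nonce
        self.gtek_counter = gtek_counter
        self.key_push_counter = key_push_counter
        self.gtek = derive_gtek(mak, nonce, gtek_counter, gsaid)

    def handle_update(self, msg):
        """Roll the GTEK forward only for an authentic, fresh message."""
        if len(msg) != BODY_LEN + TAG_LEN:
            return False
        body, tag = msg[:BODY_LEN], msg[BODY_LEN:]
        if not hmac.compare_digest(tag, _digest(self.mac_key, body)):
            return False                   # forged or corrupted message
        gsaid, push, counter = struct.unpack(BODY, body)
        if gsaid != self.gsaid:
            return False                   # command for another group
        if push <= self.key_push_counter or counter <= self.gtek_counter:
            return False                   # replayed or stale command
        self.key_push_counter, self.gtek_counter = push, counter
        self.gtek = derive_gtek(self.mak, self.nonce, counter, self.gsaid)
        return True


def demo():
    bs = BaseStation(gsaid=0x0101)         # constructed sample GSAID
    ms = Terminal(**bs.key_response())
    initial_match = ms.gtek == bs.gtek()
    msg = bs.next_update()
    accepted = ms.handle_update(msg)
    in_sync = ms.gtek == bs.gtek()
    replay_accepted = ms.handle_update(msg)  # same bytes sent a second time
    return initial_match, accepted, in_sync, replay_accepted, len(msg)


if __name__ == "__main__":
    print(demo())
```

The update command in this sketch is 38 bytes and carries no key material, so a captured copy reveals nothing about the GTEK and is rejected by the counter check when replayed.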

FIG. 5 is a diagram illustrating a GTEK update method when there are new subscribers or service leavers in MBS according to another embodiment of the present invention.

When MBS is provided using a specific GTEK, if there are subscribers who subscribe to or terminate the service, it is necessary to change the GTEK to maintain MBS security. To this end, in another embodiment of the present invention, in addition to the GTEK counter (first counter) that is already in use, a separate GTEK counter (second counter) may be defined for new subscribers who have newly subscribed to the service or subscribers who terminate the service.

Referring to FIG. 5, a case may occur in which a GTEK has already been set up and distributed for subscribers of a particular MBS group, and new subscribers join or leave the service group while MBS is being provided (hereinafter, "new subscribers").

That is, the GTEK (second GTEK) created for new subscribers can be updated together with the GTEK (first GTEK) already in use when the next common GTEK is updated. In this way, two types of GTEKs (first GTEK and second GTEK) may be used by separating the existing and new subscribers. Even in this case, the GTEK nonce is encrypted via KEK (or GKEK).

For example, there is a need for a GTEK update method for a new subscriber or service canceler, in which case the GTEK can be updated via the key response message of FIG. 1 or 3. In other words, the GTEK nonce and GTEK counter (second GTEK counter) for new subscribers may be delivered via the exchange of PKMv2 key request/response messages in the same way as in the initial GTEK generation. In another embodiment of the present invention, for this case, each base station may set and use, for new subscribers or service terminators, a new GTEK counter (second GTEK counter) separate from the GTEK counter (first GTEK counter) for the currently set GTEK.

Thus, a new GTEK (second GTEK) is created that is different from the GTEK (first GTEK) used by existing subscribers of the MBS group, which, in terms of security, can ensure forward secrecy or backward secrecy.

The newly set GTEK counter (second GTEK counter), which is separate from the currently set GTEK counter (first GTEK counter), is replaced by the incremented value of the first GTEK counter when the currently set GTEK (first GTEK) is updated for all existing subscribers in the MBS group, and that value is used again to create the common GTEK (first GTEK) of that MBS group. Thus, the newly created GTEK (second GTEK) can be used temporarily only until the currently set GTEK (first GTEK) is updated.

FIG. 6 is a diagram illustrating a GTEK updating method when there are new subscribers or service leavers in an MBS area according to another embodiment of the present invention.

If there are new terminals entering or leaving the specific MBS area, it is necessary to update the GTEK (first GTEK) to maintain the security of the MBS for these terminals. To this end, in another embodiment of the present invention, in addition to the GTEK nonce (first nonce) that is already used, a separate GTEK nonce (second nonce) for UEs newly entering or leaving the MBS region may be defined.

That is, the base station may transmit a group key update command message including a new GTEK nonce (second nonce), a GTEK counter, a MAK, and a GSAID to the terminal. At this time, the GTEK counter may be initialized and transmitted. Alternatively, the GTEK counter may use the same GTEK counter as the GTEK counter used in the existing specific MBS area. Accordingly, a new terminal and a base station newly entering a specific MBS region may generate a new GTEK (second GTEK) using a new GTEK nonce (second nonce), a GTEK counter, a MAK, and a GSAID.

The GTEK (second GTEK) for the newly entered terminal in the MBS area may expire at the time when the existing GTEK (first GTEK) expires and may be updated together when the first GTEK is updated.

The invention can be embodied in other specific forms without departing from the spirit and essential features of the invention. Accordingly, the above detailed description should not be construed as limiting in all aspects and should be considered as illustrative. The scope of the invention should be determined by reasonable interpretation of the appended claims, and all changes within the equivalent scope of the invention are included in the scope of the invention. In addition, claims that do not have an explicit citation in the claims may be combined to form an embodiment or included in a new claim by amendment after the application.

FIG. 1 is a diagram illustrating an example of a multicast broadcast key update algorithm performed in an initial management connection procedure.

FIG. 2 is a diagram illustrating another example of a multicast broadcast key update algorithm.

FIG. 3 is a diagram for one example of a multicast broadcast key update method performed in an initial management connection procedure according to one embodiment of the present invention.

FIG. 4 is a view showing an example of an improved MBRA management method as another embodiment of the present invention.

FIG. 5 is a diagram illustrating a GTEK update method when there are new subscribers or service leavers in an MBS managed by a serving base station according to another embodiment of the present invention.

FIG. 6 is a diagram illustrating a GTEK updating method when there are new subscribers or service leavers in an MBS area according to another embodiment of the present invention.

Claims (17)

1. An encryption key generation method for multicast and broadcast services (MBS), comprising: transmitting a request message for requesting encryption key information for the MBS to a base station; receiving, from the base station, a response message including an MBS authentication key (MAK), a group traffic encryption key nonce (GTEK nonce) and a GTEK counter for generating a first group traffic encryption key (GTEK); and generating the first GTEK using the MAK, the GTEK nonce and the GTEK counter.

2. The method of claim 1, further comprising receiving, from the base station, a group key update command message for updating the first GTEK, wherein the group key update command message includes the updated GTEK counter.

3. The method of claim 2, wherein the group key update command message is transmitted every time the first GTEK is updated.

4. The method of claim 2, wherein the group key update command message is transmitted with a predetermined time period.

5. The method of claim 1, wherein, in generating the first GTEK, the first GTEK is generated using a Group Security Association Identifier (GSAID).

6. The method of claim 5, wherein, in generating the first GTEK, the first GTEK is generated using a nonce push counter.

7. The method of claim 1, wherein the request message is a PKM key request message, and the response message is a PKM key response message.

8. An encryption key generation method for multicast and broadcast services (MBS), comprising: receiving a message requesting encryption key information for the MBS from a first terminal; transmitting, to the first terminal, a response message including an MBS authentication key (MBS AK), a first group traffic encryption key nonce (first GTEK nonce), and a first GTEK counter for generating a first group traffic encryption key (GTEK); and generating the first GTEK using the MBS authentication key, the first GTEK nonce and the first GTEK counter.

9. The method of claim 8, further comprising transmitting a group key update command message for updating the first GTEK to the first terminal, wherein the group key update command message includes the updated first GTEK counter.

10. The method of claim 9, wherein the group key update command message is transmitted every time the first GTEK is updated.

11. The method of claim 8, wherein, in generating the first GTEK, the first GTEK is generated by using at least one of a group security association identifier and a nonce push counter.

12. The method of claim 9, further comprising, if a second terminal joins the MBS: receiving a message requesting encryption key information from the second terminal; transmitting a response message including the MBS authentication key, the first GTEK nonce and the second GTEK counter to the second terminal; and generating a second GTEK using the MBS authentication key, the first GTEK nonce and the second GTEK counter, wherein the second GTEK is updated to the first GTEK together when the first GTEK is updated.

13. The method of claim 12, wherein the second GTEK is generated even when the second terminal releases the MBS.

14. The method of claim 12, wherein the first GTEK and the second GTEK have different lifetimes.

15. The method of claim 9, further comprising, if a second terminal joins the MBS: transmitting a group key update command message including the MBS authentication key, a second GTEK nonce, and a second GTEK counter to the second terminal; and generating a second GTEK using the MBS authentication key, the second GTEK nonce and the second GTEK counter, wherein the second GTEK is updated to the first GTEK together when the first GTEK is updated.

16. The method of claim 15, wherein the first GTEK and the second GTEK have different lifetimes.

17. An encryption key generation method for multicast and broadcast services (MBS), comprising: transmitting a request message for requesting encryption key information for the MBS to a base station; receiving, from the base station, a response message including a group traffic encryption key nonce (GTEK nonce) and a GTEK counter for generating a first group traffic encryption key (GTEK); and generating the first GTEK using the GTEK nonce and the GTEK counter.

KR1020080128828A 2008-10-27 2008-12-17 Method of generating and updating a encryption key KR20100047099A (en)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
US10885808P 2008-10-27 2008-10-27
US61/108,858 2008-10-27
US10992608P 2008-10-31 2008-10-31
US61/109,926 2008-10-31

Publications (1)

Publication Number Publication Date
KR20100047099A true KR20100047099A (en) 2010-05-07

Family

ID=42634976

Family Applications (1)

Application Number Title Priority Date Filing Date
KR1020080128828A KR20100047099A (en) 2008-10-27 2008-12-17 Method of generating and updating a encryption key

Country Status (1)

Country Link
KR (1) KR20100047099A (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2013073869A1 (en) * 2011-11-17 2013-05-23 Samsung Electronics Co., Ltd. Method and apparatus for managing security keys for communication authentication with mobile station in wireless communication system
KR20130054911A (en) * 2011-11-17 2013-05-27 삼성전자주식회사 Method and apparatus for handling security key to authenticate with a mobile station in a radio communication system
US9380459B2 (en) 2011-11-17 2016-06-28 Samsung Electronics Co., Ltd. Method and apparatus for managing security keys for communication authentication with mobile station in wireless communication system
KR20190077353A (en) * 2017-09-25 2019-07-03 에누티티 코뮤니케-숀즈 가부시키가이샤 Communication device, communication method, and program

Legal Events

Date Code Title Description
WITN Withdrawal due to no request for examination