TWI801615B - Communication method between terminal and server, server communicating with terminal, and terminal communicating with server - Google Patents


Info

Publication number
TWI801615B
Authority
TW
Taiwan
Prior art keywords
server
key
request
terminal
request message
Application number
TW108121638A
Other languages
Chinese (zh)
Other versions
TW202010287A (en)
Inventor
劉大鵬
于小博
Original Assignee
香港商阿里巴巴集團服務有限公司

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/083 Key transport or distribution involving a central third party, e.g. key distribution center [KDC] or trusted third party [TTP]
    • H04L9/40 Network security protocols
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/062 Network architectures or network communication protocols for network security for supporting key management in a packet data network for key distribution, e.g. centrally by trusted party
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA]


Abstract

An embodiment of the present invention provides a communication method and device between a terminal and a server. The communication between the terminal and the server includes: a first server receives a first request message sent by the terminal, the first request message being used to cause the first server to send an authentication request to a second server and to obtain a first key from the second server; the first server sends to the terminal a first request response message corresponding to the first request message, the first request response message including a second key; the first server receives a second request message sent by the terminal, the second request message including a second key identifier, the second key identifier being used to cause the first server to generate a second request response message corresponding to the second request message according to the second key corresponding to the second key identifier, the second request message being encrypted with the first key; the first server decrypts the second request message with the first key; the first server encrypts the second request response message with the second key corresponding to the second key identifier in the second request message; the first server sends the second request response message to the terminal; and the first server deletes the first key.
In the embodiment of the present invention, the terminal can obtain authentication and encryption keys from the application server over the air. This solves the problem that key generation between the terminal and the application server is strongly coupled to the operator's AKA protocol, and makes the generation and use of keys more flexible.

Description

Communication method between terminal and server, server communicating with terminal, and terminal communicating with server

The present invention relates to the technical field of communications, and in particular to a communication method between a terminal and a server and a communication device between a terminal and a server.

Internet of Things technology is the third information technology revolution after the computer and the Internet. It is characterised by immediacy and interactivity and has been widely applied in fields such as urban management, the digital home, positioning and navigation, logistics management and security systems. IoT security has therefore become increasingly important: IoT devices need a security mechanism for communicating with application servers so that services and users' private data are protected.

To address authentication between application servers and IoT devices and the establishment of secret channels, 3GPP (the third-generation mobile communications standardization organization) defined a general authentication mechanism, the General Bootstrapping Architecture (GBA). GBA provides a generic mechanism for establishing a shared key between the UE and a server, implemented on top of the AKA authentication mechanism. AKA is the mutual authentication and key agreement mechanism used in 2G/3G networks; GBA makes full use of its advantages to complete the secure bootstrapping of services.

In GBA, the Bootstrapping Service Function (BSF) is the network element introduced by the GBA mechanism. Over the Zh interface the BSF obtains the relevant subscriber data, such as the International Mobile Subscriber Identification Number (IMSI) and Ki, from the Home Location Register (HLR) or the Home Subscriber Server (HSS). Over the Ub interface the BSF performs mutual authentication with the User Equipment (UE) using the Authentication and Key Agreement (AKA) protocol and, after successful authentication, generates a shared key. The BSF passes this shared key, together with the related key parameters and subscriber data, to the Network Application Function (NAF) over the Zn interface. The shared key is then used for the secure transmission of information between the UE and the NAF.

Although the GBA scheme can establish a secure communication channel between the UE and the NAF, generation of the shared key is strongly coupled to the AKA protocol, which makes the cost of establishing and maintaining the secure channel too high.

In view of the above problems, embodiments of the present invention are proposed to provide a communication method between a terminal and a server and a communication device between a terminal and a server that overcome, or at least partially solve, the above problems.

To solve the above problems, an embodiment of the present invention discloses a communication method between a terminal and a server, including: a first server receives a first request message sent by the terminal, the first request message being used to cause the first server to send an authentication request to a second server and to obtain a first key from the second server; the first server sends to the terminal a first request response message corresponding to the first request message, the first request response message including a second key; the first server receives a second request message sent by the terminal, the second request message including a second key identifier, the second key identifier being used to cause the first server to generate a second request response message corresponding to the second request message according to the second key corresponding to the second key identifier, the second request message being encrypted with the first key; the first server decrypts the second request message with the first key; the first server encrypts the second request response message with the second key corresponding to the second key identifier in the second request message; the first server sends the second request response message to the terminal; the first server deletes the first key.

An embodiment of the present invention also discloses a communication method between a terminal and a server, including: the terminal sends a first request message to a first server, the first request message being used to cause the first server to send an authentication request to a second server and to obtain a first key from the second server; the terminal receives a first request response message corresponding to the first request message sent by the first server, the first request response message including a second key; the terminal sends a second request message to the first server, the second request message including a second key identifier, the second key identifier being used to cause the first server to generate a second request response message corresponding to the second request message according to the second key corresponding to the second key identifier. Preferably, the second request message is encrypted with the first key. Preferably, the first request response message includes the second key identifier. Preferably, the first request message includes the second key identifier, which is used to cause the first server to send the second key to the terminal through the first request response message. Preferably, the method further includes: the terminal deletes the first key.

An embodiment of the present invention also discloses a communication method between a terminal and a server, including: a first server receives a first request message sent by the terminal, the first request message being used to cause the first server to send an authentication request to a second server and to obtain a first key from the second server; the first server sends to the terminal a first request response message corresponding to the first request message, the first request response message including a second key; the first server receives a second request message sent by the terminal, the second request message including a second key identifier, the second key identifier being used to cause the first server to generate a second request response message corresponding to the second request message according to the second key corresponding to the second key identifier; the first server sends the second request response message to the terminal.

Preferably, the method further includes: the first server decrypts the second request message with the first key; the first server encrypts the second request response message with the second key corresponding to the second key identifier in the second request message. Preferably, the second request message is encrypted with the first key.

Preferably, the first request response message includes the second key identifier. Preferably, the method further includes: the first server receives a first request message sent by the terminal, the first request message including a second key identifier used to cause the first server to send the second key to the terminal through the first request response message. Preferably, the method further includes: the first server deletes the first key.
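The first-server exchange summarised above, as an added Python simulation that is not part of the patent: both sides' messages, a second server standing in for the operator-side BSF, and the deletion of the first key after the second exchange. The cipher (a SHA-256 keystream with an HMAC tag, encrypt-then-MAC), the key-derivation rule, the message layout and the names `FirstServer`, `SecondServer` and `Terminal` are assumptions of this example, as is encrypting the first response under the first key; the patent specifies none of them.

```python
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 in counter mode; a constructed stand-in for a real stream cipher."""
    blocks = [hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC-SHA256 tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key or any tampering raises ValueError."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def derive_first_key(long_term_secret: bytes, terminal_id: str, server_name: str) -> bytes:
    """Assumed derivation shared by terminal and second server (GBA-style, from a Ki-like secret)."""
    info = f"{terminal_id}|{server_name}".encode()
    return hmac.new(long_term_secret, info, hashlib.sha256).digest()


class SecondServer:
    """Operator-side server (the BSF of the GBA background): knows each terminal's long-term secret."""

    def __init__(self, subscribers: dict):
        self.subscribers = subscribers  # terminal_id -> long-term secret (constructed)

    def authenticate(self, terminal_id: str, server_name: str) -> bytes:
        # An unknown terminal raises KeyError: no first key is issued for it.
        return derive_first_key(self.subscribers[terminal_id], terminal_id, server_name)


class FirstServer:
    """Application server: fetches the first key, issues the second key, drops the first key after use."""

    def __init__(self, name: str, second_server: SecondServer):
        self.name, self.second_server = name, second_server
        self.first_keys = {}   # terminal_id -> first key, held only until the second exchange
        self.second_keys = {}  # second key identifier -> second key

    def handle_first_request(self, req: dict) -> bytes:
        first_key = self.second_server.authenticate(req["terminal_id"], self.name)
        self.first_keys[req["terminal_id"]] = first_key
        second_key = secrets.token_bytes(32)
        self.second_keys[req["second_key_id"]] = second_key
        # The patent does not say how the first response is protected; here it is
        # encrypted under the first key so the second key never travels in clear.
        return encrypt(first_key, req["second_key_id"].encode() + b":" + second_key)

    def handle_second_request(self, terminal_id: str, blob: bytes) -> bytes:
        first_key = self.first_keys[terminal_id]
        key_id, _, body = decrypt(first_key, blob).partition(b":")
        reply = encrypt(self.second_keys[key_id.decode()], b"ack:" + body)
        del self.first_keys[terminal_id]  # the first key is single-use
        return reply


class Terminal:
    """IoT device: derives the first key itself, then switches to the second key."""

    def __init__(self, terminal_id: str, long_term_secret: bytes):
        self.terminal_id, self.secret = terminal_id, long_term_secret
        self.first_key = self.second_key = None

    def run(self, server: FirstServer, second_key_id: str, payload: bytes) -> bytes:
        self.first_key = derive_first_key(self.secret, self.terminal_id, server.name)
        resp1 = server.handle_first_request({"terminal_id": self.terminal_id,
                                             "second_key_id": second_key_id})
        key_id, _, self.second_key = decrypt(self.first_key, resp1).partition(b":")
        if key_id.decode() != second_key_id:
            raise ValueError("server answered with an unexpected key identifier")
        req2 = encrypt(self.first_key, second_key_id.encode() + b":" + payload)
        resp2 = server.handle_second_request(self.terminal_id, req2)
        self.first_key = None  # the terminal drops the first key as well
        return decrypt(self.second_key, resp2)


def run_protocol(payload: bytes = b"hello") -> dict:
    """Drive one complete exchange and return the observable results."""
    secret = secrets.token_bytes(32)  # constructed Ki-like long-term secret
    bsf = SecondServer({"terminal-1": secret})
    naf = FirstServer("app.example", bsf)
    term = Terminal("terminal-1", secret)
    reply = term.run(naf, "k2-0001", payload)
    return {"reply": reply,
            "first_keys_left_on_server": len(naf.first_keys),
            "first_key_left_on_terminal": term.first_key is not None}


if __name__ == "__main__":
    print(run_protocol())
```

Because the tag is checked before decryption, a second request encrypted under a stale or wrong first key is rejected before the server touches the second key.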

An embodiment of the present invention also discloses a communication method between a terminal and a server, including: the terminal sends a third request message to a third server, the third request message being used to cause the third server to send an authentication request to a fourth server and to obtain a third key from the fourth server; the terminal receives a third request response message corresponding to the third request message sent by the third server, the third request response message including a fourth key; the terminal sends a fourth request message to the third server, the fourth request message including a fourth key identifier, the fourth key identifier being used to cause the third server to generate a fourth request response message corresponding to the fourth request message according to the fourth key corresponding to the fourth key identifier; the terminal receives the fourth request response message sent by the third server, the fourth request response message including a fifth key, the fifth key being one that the third server, after receiving the fourth request message sent by the terminal, requests from and obtains from a fifth server.

Preferably, the method further includes: the fourth request message is encrypted with the fourth key.

Preferably, the third request response message includes the fourth key identifier. Preferably, the method further includes: the terminal sends a third request message to the third server, the third request message including a fourth key identifier used to cause the third server to send the fourth key to the terminal through the third request response message. Preferably, the method further includes: the terminal deletes the third key and the fourth key.

An embodiment of the present invention also discloses a communication method between a terminal and a server, including: a third server receives a third request message sent by the terminal, the third request message being used to cause the third server to send an authentication request to a fourth server and to obtain a third key from the fourth server; the third server sends to the terminal a third request response message corresponding to the third request message, the third request response message including a fourth key; the third server receives a fourth request message sent by the terminal, the fourth request message including a fourth key identifier, the fourth key identifier being used to cause the third server to generate a fourth request response message corresponding to the fourth request message according to the fourth key corresponding to the fourth key identifier; the third server sends the fourth request response message to the terminal, the fourth request response message including a fifth key, the fifth key being one that the third server, after receiving the fourth request message sent by the terminal, requests from and obtains from a fifth server.

Preferably, the method further includes: the fourth request message is encrypted with the fourth key.

Preferably, the third request response message includes the fourth key identifier. Preferably, the method further includes: the third server receives a third request message sent by the terminal, the third request message including a fourth key identifier used to cause the third server to send the fourth key to the terminal through the third request response message. Preferably, the method further includes: the third server deletes the third key and the fourth key.

An embodiment of the present invention also discloses a communication device between a terminal and a server, including: a receiving module located at a first server, configured to receive a first request message sent by the terminal, the first request message being used to cause the first server to send an authentication request to a second server and to obtain a first key from the second server; a sending module located at the first server, configured to send to the terminal a first request response message corresponding to the first request message, the first request response message including a second key; a receiving module located at the first server, configured to receive a second request message sent by the terminal, the second request message including a second key identifier, the second key identifier being used to cause the first server to generate a second request response message corresponding to the second request message according to the second key corresponding to the second key identifier, the second request message being encrypted with the first key; a processing module located at the first server, configured to decrypt the second request message with the first key; a processing module located at the first server, configured to encrypt the second request response message with the second key corresponding to the second key identifier in the second request message; a sending module located at the first server, configured to send the second request response message to the terminal; a processing module located at the first server, configured to delete the first key.

An embodiment of the present invention also discloses a communication device between a terminal and a server, including: a sending module located at the terminal, configured to send a first request message to a first server, the first request message being used to cause the first server to send an authentication request to a second server and to obtain a first key from the second server; a receiving module located at the terminal, configured to receive a first request response message corresponding to the first request message sent by the first server, the first request response message including a second key; a sending module located at the terminal, configured to send a second request message to the first server, the second request message including a second key identifier, the second key identifier being used to cause the first server to generate a second request response message corresponding to the second request message according to the second key corresponding to the second key identifier; a receiving module located at the terminal, configured to receive the second request response message sent by the first server.

Preferably, the device further includes: the second request message is encrypted with the first key.

Preferably, the first request response message includes the second key identifier. Preferably, the device further includes: a sending module located at the terminal, configured to send a first request message to the first server, the first request message including a second key identifier used to cause the first server to send the second key to the terminal through the first request response message. Preferably, the device further includes: the terminal deletes the first key.

An embodiment of the present invention also discloses a communication device between a terminal and a server, including: a receiving module located at a first server, configured to receive a first request message sent by the terminal, the first request message being used to cause the first server to send an authentication request to a second server and to obtain a first key from the second server; a sending module located at the first server, configured to send to the terminal a first request response message corresponding to the first request message, the first request response message including a second key; a receiving module located at the first server, configured to receive a second request message sent by the terminal, the second request message including a second key identifier, the second key identifier being used to cause the first server to generate a second request response message corresponding to the second request message according to the second key corresponding to the second key identifier; a sending module located at the first server, configured to send the second request response message to the terminal.

Preferably, the device further includes: a processing module located at the first server, configured to decrypt the second request message with the first key; a processing module located at the first server, configured to encrypt the second request response message with the second key corresponding to the second key identifier in the second request message. Preferably, the second request message is encrypted with the first key.

Preferably, the first request response message includes the second key identifier. Preferably, the device further includes: a receiving device located at the first server, configured to receive a first request message sent by the terminal, the first request message including a second key identifier used to cause the first server to send the second key to the terminal through the first request response message. Preferably, the device further includes: a processing module located at the first server, configured to delete the first key.

An embodiment of the present invention also discloses a communication device between a terminal and a server, including: a sending module located at the terminal, configured to send a third request message to a third server, the third request message being used to cause the third server to send an authentication request to a fourth server and to obtain a third key from the fourth server; a receiving module located at the terminal, configured to receive a third request response message corresponding to the third request message sent by the third server, the third request response message including a fourth key; a sending module located at the terminal, configured to send a fourth request message to the third server, the fourth request message including a fourth key identifier, the fourth key identifier being used to cause the third server to generate a fourth request response message corresponding to the fourth request message according to the fourth key corresponding to the fourth key identifier; a receiving module located at the terminal, configured to receive the fourth request response message sent by the third server, the fourth request response message including a fifth key, the fifth key being one that the third server, after receiving the fourth request message sent by the terminal, requests from and obtains from a fifth server.

Preferably, the device further includes: the fourth request message is encrypted with the fourth key.

Preferably, the third request response message includes the fourth key identifier. Preferably, the device further includes: a sending module located at the terminal, configured to send a third request message to the third server, the third request message including a fourth key identifier used to cause the third server to send the fourth key to the terminal through the third request response message. Preferably, the device further includes: a processing module located at the terminal, configured to delete the third key and the fourth key.

An embodiment of the present invention also discloses a communication device between a terminal and a server, including: a receiving module located at a third server, configured to receive a third request message sent by the terminal, the third request message being used to cause the third server to send an authentication request to a fourth server and to obtain a third key from the fourth server; a sending module located at the third server, configured to send to the terminal a third request response message corresponding to the third request message, the third request response message including a fourth key; a receiving module located at the third server, configured to receive a fourth request message sent by the terminal, the fourth request message including a fourth key identifier, the fourth key identifier being used to cause the third server to generate a fourth request response message corresponding to the fourth request message according to the fourth key corresponding to the fourth key identifier; a sending module located at the third server, configured to send the fourth request response message to the terminal, the fourth request response message including a fifth key, the fifth key being one that the third server, after receiving the fourth request message sent by the terminal, requests from and obtains from a fifth server.

Preferably, the fourth request message is encrypted with the fourth key.

Preferably, the third request response message also includes a fourth key identifier. Preferably, the device also includes a receiving module located at the third server, configured to receive a third request message sent by the terminal, the third request message including a fourth key identifier, the fourth key identifier being used to cause the third server to send the fourth key to the terminal through the third request response message. Preferably, the device also includes a processing module located at the third server, configured to delete the third key and the fourth key.

An embodiment of the present invention also discloses an apparatus, including: one or more processors; and one or more machine-readable media storing instructions that, when executed by the one or more processors, cause the apparatus to perform one or more of the methods described above.

An embodiment of the present invention also discloses one or more machine-readable media storing instructions that, when executed by one or more processors, cause an apparatus to perform one or more of the methods described above.

Embodiments of the present invention have the following advantages: the terminal can obtain the authentication and encryption keys from the application server by over-the-air download, which removes the tight coupling between key generation for the terminal and the application server on the one hand and the operator's AKA protocol on the other, making key generation and use more flexible.

101: Step

102: Step

103: Step

104: Step

105: Step

106: Step

107: Step

201: Step

202: Step

203: Step

204: Step

301: Step

302: Step

303: Step

304: Step

401: Step

402: Step

403: Step

404: Step

501: Step

502: Step

503: Step

504: Step

1001: Sending module located at the terminal

1002: Receiving module located at the terminal

1003: Processing module located at the terminal

2001: Sending module located at the third server

2002: Receiving module located at the third server

2003: Processing module located at the third server

Figure 1 is a flow chart of the steps of Embodiment 1 of a communication method between a terminal and a server of the present invention;

Figure 2 is a flow chart of the steps of Embodiment 2 of a communication method between a terminal and a server of the present invention;

Figure 3 is a flow chart of the steps of Embodiment 2 of a communication method between a terminal and a server of the present invention;

Figure 4 is a flow chart of the steps of Embodiment 3 of a communication method between a terminal and a server of the present invention;

Figure 5 is a system architecture diagram of Embodiment 3 of a communication method between a terminal and a server of the present invention;

Figure 6 is a flow chart of the steps of Embodiment 3 of a communication method between a terminal and a server of the present invention;

Figure 7 is a flow chart of the steps of Embodiments 2 and 3 of a communication device between a terminal and a server of the present invention;

Figure 8 is a flow chart of the steps of Embodiments 1, 2 and 3 of a communication device between a terminal and a server of the present invention.

To make the above objects, features and advantages of the present invention clearer and easier to understand, the present invention is described in further detail below with reference to the drawings and specific embodiments.

One of the core ideas of the embodiments of the present invention is that the terminal establishes a shared key with the BSF by means of AKA. The shared key is used to set up a secret channel between the terminal, the operator network and the application server. The application server then sends the authentication and encryption keys used between the application layer and the terminal to the terminal by over-the-air download.

In the following, the communication flow between the terminal and the server is first described from the server's perspective.

Referring to Figure 1, a flow chart of the steps of Embodiment 1 of a communication method between a terminal and a server of the present invention is shown. The method may specifically include the following steps:

Step 101: the first server receives a first request message sent by the terminal, the first request message being used to cause the first server to send an authentication request to a second server and to obtain a first key from the second server.

Specifically, the first server is an application server, which may also be called a NAF. The first request message may be an Application Request. The application request carries a bootstrapping session identifier (B-TID). Optionally, the application request may also include an application-layer data payload. Before sending the first request message, the terminal can derive the shared key Ks_NAF from the shared key Ks produced by the AKA protocol, and encrypt the first request message with the shared key Ks_NAF. The bootstrapping session identifier (B-TID) in the first request message need not be part of the encrypted portion. The second server may be a BSF. The first key may be the shared key Ks_NAF. After receiving the first request message, the NAF sends an Authentication Request to the BSF; the authentication request includes the bootstrapping session identifier and, optionally, the NAF identifier (NAF-Id). Using the bootstrapping session identifier, the BSF finds the shared key Ks produced in the AKA negotiation with the terminal and derives the shared key Ks_NAF from it. The BSF then sends an Authentication Answer to the first server, and the answer includes the shared key Ks_NAF. Optionally, the authentication answer may also include the Ks_NAF lifetime (key_lifetime). When this lifetime expires, the terminal and the BSF must derive a new shared key Ks_NAF from the shared key Ks. After receiving the shared key Ks_NAF, the first server stores it, and the shared key Ks_NAF is then used between the terminal and the first server to encrypt and decrypt air-interface messages.

Step 102: the first server sends to the terminal a first request response message corresponding to the first request message, the first request response message including a second key.

Specifically, the first request response message may be an Application Answer message. The second key may be the application-layer shared key K2. The shared key K2 may be managed by the first server itself or by an application-layer key management server. When an application-layer key management server is used, the first server first obtains the shared key K2 from the application-layer key management server by sending a request message, sends the shared key K2 to the terminal through the first request response message, and also stores the shared key K2 itself. Optionally, the first request response message may be encrypted with the first key, i.e. the shared key Ks_NAF. Since both the NAF and the terminal hold the shared key Ks_NAF, the first request response message can be encrypted with Ks_NAF, sent to the terminal and decrypted by the terminal.

Step 103: the first server receives a second request message sent by the terminal, the second request message including a second key identifier, the second key identifier being used to cause the first server to generate a second request response message corresponding to the second request message according to the second key corresponding to the second key identifier; the second request message is encrypted with the first key.

Specifically, the second request message may be an application request message. The second key identifier may be the unique identifier of the application-layer shared key K2. The second request message may be encrypted with the shared key Ks_NAF. Optionally, the second request message may instead be encrypted with the shared key K2. When the shared key K2 is used for encryption, the second key identifier may be left unencrypted, so that it serves as an indication for the server to decrypt the second request message with the shared key K2 corresponding to that second key identifier.

Step 104: the first server decrypts the second request message according to the first key.

Specifically, the second request message may be an application request message. The first key is the shared key Ks_NAF. The second request message may be encrypted with the shared key Ks_NAF. Optionally, the second request message may instead be encrypted with the shared key K2. When the shared key K2 is used for encryption, the second key identifier may be left unencrypted, so that it serves as an indication for the server to decrypt the second request message with the shared key K2 corresponding to that second key identifier.

Step 105: the first server encrypts the second request response message with the second key corresponding to the second key identifier in the second request message.

Specifically, the second key identifier may be the unique identifier of the application-layer shared key K2, and the second key is the application-layer shared key K2. The first server reads the unique identifier of the application-layer shared key K2 from the application request message and encrypts the application answer message corresponding to that application request message with the application-layer shared key K2 identified by it.

Step 106: the first server sends the second request response message to the terminal.

Specifically, the first server may be an application server, also called a NAF. The second request response message sent by the first server to the terminal may be encrypted with the application-layer shared key K2. Optionally, the second request response message may include the second key identifier, and the second key identifier portion may be left unencrypted, so that the terminal can use the second key identifier to select the corresponding application-layer shared key K2 and decrypt the second request response message.

Step 107: the first server deletes the first key.

Specifically, the first server may be an application server, also called a NAF. The first key may be the shared key Ks_NAF. Once both the terminal and the first server hold the application-layer shared key K2, there is no longer any need to keep the shared key Ks_NAF. The first server can therefore delete the shared key Ks_NAF after sending the second request response message. Optionally, if encryption with the application-layer shared key K2 already starts with the first application request message, the first server can delete the shared key Ks_NAF after sending the first request response message.

Referring to Figure 2, a flow chart of the steps of Embodiment 2 of a communication method between a terminal and a server of the present invention is shown. The method may specifically include the following steps:

Step 201: the terminal sends a first request message to a first server, the first request message being used to cause the first server to send an authentication request to a second server and to obtain a first key from the second server.

Specifically, the first server is an application server, which may also be called a NAF. The first request message may be an Application Request. The application request carries a bootstrapping session identifier (B-TID). Optionally, the application request may also include an application-layer data payload. Before sending the first request message, the terminal can derive the shared key Ks_NAF from the shared key Ks produced by the AKA protocol, and encrypt the first request message with the shared key Ks_NAF. The bootstrapping session identifier (B-TID) in the first request message need not be part of the encrypted portion. The second server may be a BSF. The first key may be the shared key Ks_NAF. After receiving the first request message, the NAF sends an Authentication Request to the BSF; the authentication request includes the bootstrapping session identifier and, optionally, the NAF identifier (NAF-Id). Using the bootstrapping session identifier, the BSF finds the shared key Ks produced in the AKA negotiation with the terminal and derives the shared key Ks_NAF from it. The BSF then sends an Authentication Answer to the first server, and the answer includes the shared key Ks_NAF. Optionally, the authentication answer may also include the Ks_NAF lifetime (key_lifetime). When this lifetime expires, the terminal and the BSF must derive a new shared key Ks_NAF from the shared key Ks. After receiving the shared key Ks_NAF, the first server stores it, and the shared key Ks_NAF is then used between the terminal and the first server to encrypt and decrypt air-interface messages.

In an embodiment of the present invention, step 201 may include the following sub-step:

Sub-step S2011: the terminal sends a first request message to the first server, the first request message including a second key identifier, the second key identifier being used to cause the first server to send the second key to the terminal through the first request response message.

Specifically, the second key identifier may be the identifier of the application-layer shared key K2. The second key identifier may be preset on the terminal and included in the first request message that the terminal sends to the first server, instructing the first server to send the second key corresponding to the second key identifier to the terminal through the first request response message corresponding to the first request message. Optionally, the first server may first obtain the shared key K2 from the application-layer key management server and then send the shared key K2 to the terminal through the first request response message.

Step 202: the terminal receives a first request response message corresponding to the first request message sent by the first server, the first request response message including a second key.

Specifically, the first request response message may be an Application Answer message. The second key may be the application-layer shared key K2. The shared key K2 may be managed by the first server itself or by an application-layer key management server. When an application-layer key management server is used, the first server first obtains the shared key K2 from the application-layer key management server by sending a request message, sends the shared key K2 to the terminal through the first request response message, and also stores the shared key K2 itself. Optionally, the first request response message may be encrypted with the first key, i.e. the shared key Ks_NAF. Since both the NAF and the terminal hold the shared key Ks_NAF, the first request response message can be encrypted with Ks_NAF, sent to the terminal and decrypted by the terminal.

In an embodiment of the present invention, step 202 may include the following sub-step:

Sub-step S2021: the first request response message includes the second key identifier.

Specifically, the first request response message may be an Application Answer message. The second key identifier may be the identifier of the application-layer shared key K2. The second key identifier can serve as an indication for the first server to decrypt the second request message with the shared key K2 corresponding to the second key identifier. Optionally, the second key identifier may indicate that the first server is to encrypt the second request response message with the second key.

Step 203: the terminal sends a second request message to the first server, the second request message including a second key identifier, the second key identifier being used to cause the first server to generate a second request response message corresponding to the second request message according to the second key corresponding to the second key identifier.

Specifically, the second request message may be an application request message. The second key identifier may be the unique identifier of the application-layer shared key K2. The second request message may be encrypted with the shared key Ks_NAF. Optionally, the second request message may instead be encrypted with the shared key K2. When the shared key K2 is used for encryption, the second key identifier may be left unencrypted, so that it serves as an indication for the server to decrypt the second request message with the shared key K2 corresponding to that second key identifier. Optionally, the second request message may omit the second key identifier, in which case the first server may attempt to decrypt the second request message with the first key or with the second key. The first server can determine from the bootstrapping session identifier whether a second key has already been derived; if so, the first server encrypts the second request response message with the second key and sends it to the terminal, and the terminal decrypts the second request response message with the second key.

In an embodiment of the present invention, step 203 may include the following sub-step:

Sub-step S2031: the second request message is encrypted with the first key.

Specifically, the first key is the shared key Ks_NAF, and the second request message may be encrypted with the shared key Ks_NAF.

Step 204: the terminal receives the second request response message sent by the first server.

Specifically, the first server may be an application server, also called a NAF. The second request response message sent by the first server to the terminal may be encrypted with the application-layer shared key K2. Optionally, the second request response message may include the second key identifier, and the second key identifier portion may be left unencrypted, so that the terminal can use the second key identifier to select the corresponding application-layer shared key K2 and decrypt the second request response message.

In an embodiment of the present invention, step 204 may include the following sub-step:

Sub-step S2041: the terminal deletes the first key.

Specifically, the first server may be an application server, also called a NAF. The first key may be the shared key Ks_NAF. Once both the terminal and the first server hold the application-layer shared key K2, there is no longer any need to keep the shared key Ks_NAF. The terminal can therefore delete the shared key Ks_NAF after receiving the second request response message. Optionally, if encryption with the application-layer shared key K2 already starts with the first application request message, the terminal can delete the shared key Ks_NAF after receiving the first request response message.
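The exchange of Embodiments 1 and 2 above (server side and terminal side of the same flow, which Figure 3's embodiment repeats with sub-steps), simulated end to end as an added example; this is not code from the patent or from its assignee. The terminal bootstraps with a BSF and derives Ks_NAF; its first Application Request carries the B-TID in the clear with the payload under Ks_NAF; the NAF fetches Ks_NAF from the BSF, issues the application-layer key K2 together with its identifier under Ks_NAF, answers the second request under the K2 selected by that identifier, and both sides then drop Ks_NAF. As steps 103 and 203 allow, the NAF accepts the second request under either Ks_NAF or K2. Everything concrete here is an assumption of the example rather than the page's specification: the HMAC-SHA256 derivation standing in for the GBA KDF, the HMAC-based AEAD stand-in used because the patent names no cipher, the formats of B-TID and K2-id, the NAF-Id, and the choice that the NAF rather than the terminal assigns the K2 identifier (the variant without sub-step S2011). The clear-text identifiers are bound to each message as associated data so that the tag check fails if they are swapped; the Ks_NAF lifetime (key_lifetime) is returned by the BSF but not enforced.

```python
import hashlib, hmac, os, secrets

def kdf(key: bytes, *labels: bytes) -> bytes:
    """HMAC-SHA256 derivation; stands in for the GBA KDF, which the page does not spell out."""
    return hmac.new(key, b"|".join(labels), hashlib.sha256).digest()

def _stream(k: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hmac.new(k, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key: bytes, pt: bytes, aad: bytes = b"") -> bytes:
    """Constructed AEAD stand-in: PRF counter-mode keystream, encrypt-then-MAC over aad|nonce|ct.
    The patent names no cipher; a deployment would use a standard AEAD such as AES-GCM."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(kdf(key, b"enc"), nonce, len(pt))))
    return nonce + ct + hmac.new(kdf(key, b"mac"), aad + nonce + ct, hashlib.sha256).digest()

def open_sealed(key, blob: bytes, aad: bytes = b""):
    """Plaintext, or None when the tag does not verify under this key (wrong key, wrong aad, tampering)."""
    if key is None or len(blob) < 48:
        return None
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(kdf(key, b"mac"), aad + nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _stream(kdf(key, b"enc"), nonce, len(ct))))

class BSF:
    """Second server: holds the Ks agreed with each terminal over AKA, indexed by B-TID."""
    def __init__(self):
        self.sessions = {}                                    # B-TID -> Ks

    def bootstrap(self):                                      # stand-in for the AKA run
        btid, ks = secrets.token_hex(8), secrets.token_bytes(32)
        self.sessions[btid] = ks
        return btid, ks

    def authentication_answer(self, btid: str, naf_id: bytes):
        """Step 101, BSF side: find Ks by B-TID and derive Ks_NAF for the requesting NAF."""
        ks = self.sessions.get(btid)
        return None if ks is None else {"Ks_NAF": kdf(ks, b"Ks_NAF", naf_id), "key_lifetime": 3600}

class NAF:
    """First server (application server); it manages K2 itself, which the page allows."""
    def __init__(self, naf_id: bytes, bsf: BSF):
        self.naf_id, self.bsf = naf_id, bsf
        self.ks_naf = {}                                      # B-TID -> Ks_NAF (key_lifetime not enforced)
        self.k2 = {}                                          # K2 identifier -> K2

    def handle(self, req: dict) -> dict:
        btid, k2_id = req["B-TID"], req.get("K2-id")          # both travel in the clear ...
        aad = btid.encode() + (k2_id or "").encode()          # ... so bind them as associated data
        if k2_id is None:                                     # steps 101-102: first Application Request
            ans = self.bsf.authentication_answer(btid, self.naf_id)   # Authentication Request/Answer
            ks_naf = ans and ans["Ks_NAF"]
            if open_sealed(ks_naf, req["body"], aad) is None:
                return {"error": "no valid Ks_NAF for this B-TID"}
            self.ks_naf[btid] = ks_naf
            k2_id, k2 = secrets.token_hex(8), secrets.token_bytes(32)
            self.k2[k2_id] = k2                               # K2 goes out under Ks_NAF with its identifier
            return {"B-TID": btid, "body": seal(ks_naf, k2_id.encode() + k2, aad)}
        k2 = self.k2.get(k2_id)                               # steps 103-107: K2-id selects the answer key
        payload = open_sealed(k2, req["body"], aad)           # request may already be under K2 ...
        if payload is None:                                   # ... or still under Ks_NAF (step 104)
            payload = open_sealed(self.ks_naf.get(btid), req["body"], aad)
        if k2 is None or payload is None:
            return {"error": "unknown key identifier or decrypt failed"}
        self.ks_naf.pop(btid, None)                           # step 107: Ks_NAF is no longer needed
        return {"K2-id": k2_id, "body": seal(k2, b"echo:" + payload, aad)}

class Terminal:
    def __init__(self, bsf: BSF, naf_id: bytes):
        self.btid, ks = bsf.bootstrap()                       # AKA run (stand-in) before step 201
        self.ks_naf, self.k2_id, self.k2 = kdf(ks, b"Ks_NAF", naf_id), None, None

    def aad(self) -> bytes:
        return self.btid.encode() + (self.k2_id or "").encode()

    def request(self, payload: bytes, key: bytes) -> dict:   # steps 201/203
        return {"B-TID": self.btid, "K2-id": self.k2_id, "body": seal(key, payload, self.aad())}

    def take_first_answer(self, ans: dict):                   # step 202: K2-id (16 hex chars) then K2
        pt = open_sealed(self.ks_naf, ans["body"], self.aad())
        self.k2_id, self.k2 = pt[:16].decode(), pt[16:]

    def take_second_answer(self, ans: dict) -> bytes:         # step 204 / S2041: answer under K2, drop Ks_NAF
        pt = open_sealed(self.k2, ans["body"], self.aad())
        self.ks_naf = None
        return pt

def run_exchange() -> dict:                                   # drives the whole exchange
    naf_id = b"naf.example.invalid"                           # constructed NAF-Id
    bsf = BSF(); naf = NAF(naf_id, bsf); ue = Terminal(bsf, naf_id)
    ue.take_first_answer(naf.handle(ue.request(b"data-1", ue.ks_naf)))
    reply = ue.take_second_answer(naf.handle(ue.request(b"data-2", ue.ks_naf)))
    later = naf.handle(ue.request(b"data-3", ue.k2))         # after the handover K2 alone suffices
    return {"reply": reply, "later": open_sealed(ue.k2, later.get("body", b""), ue.aad()),
            "k2_agreed": ue.k2 == naf.k2[ue.k2_id], "ks_naf_gone": ue.ks_naf is None and ue.btid not in naf.ks_naf}
```

`run_exchange()` returns the decrypted answers together with whether Ks_NAF is gone on both sides once K2 is in use. The part worth studying is the key selection in `NAF.handle`: only a request without a key identifier triggers the round trip to the BSF, every later request names K2 by its identifier, and a request whose tag verifies under neither candidate key is rejected rather than guessed at.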

Referring to Figure 3, a flow chart of the steps of Embodiment 2 of a communication method between a terminal and a server of the present invention is shown. The method may specifically include the following steps:

Step 301: the first server receives a first request message sent by the terminal, the first request message being used to cause the first server to send an authentication request to a second server and to obtain a first key from the second server.

Specifically, the first server is an application server, which may also be called a NAF. The first request message may be an Application Request. The application request carries a bootstrapping session identifier (B-TID). Optionally, the application request may also include an application-layer data payload. Before sending the first request message, the terminal can derive the shared key Ks_NAF from the shared key Ks produced by the AKA protocol, and encrypt the first request message with the shared key Ks_NAF. The bootstrapping session identifier (B-TID) in the first request message need not be part of the encrypted portion. The second server may be a BSF. The first key may be the shared key Ks_NAF. After receiving the first request message, the NAF sends an Authentication Request to the BSF; the authentication request includes the bootstrapping session identifier and, optionally, the NAF identifier (NAF-Id). Using the bootstrapping session identifier, the BSF finds the shared key Ks produced in the AKA negotiation with the terminal and derives the shared key Ks_NAF from it. The BSF then sends an Authentication Answer to the first server, and the answer includes the shared key Ks_NAF. Optionally, the authentication answer may also include the Ks_NAF lifetime (key_lifetime). When this lifetime expires, the terminal and the BSF must derive a new shared key Ks_NAF from the shared key Ks. After receiving the shared key Ks_NAF, the first server stores it, and the shared key Ks_NAF is then used between the terminal and the first server to encrypt and decrypt air-interface messages.

In an embodiment of the present invention, step 301 may include the following sub-step:

Sub-step S3011: the first server receives a first request message sent by the terminal, the first request message including a second key identifier, the second key identifier being used to cause the first server to send the second key to the terminal through the first request response message.

Specifically, the second key identifier may be the identifier of the application-layer shared key K2. The second key identifier may be preset on the terminal and included in the first request message that the terminal sends to the first server, instructing the first server to send the second key corresponding to the second key identifier to the terminal through the first request response message corresponding to the first request message. Optionally, the first server may first obtain the shared key K2 from the application-layer key management server and then send the shared key K2 to the terminal through the first request response message.

Step 302: the first server sends to the terminal a first request response message corresponding to the first request message, the first request response message including a second key.

Specifically, the first request response message may be an Application Answer message. The second key may be the application-layer shared key K2. The shared key K2 may be managed by the first server itself or by an application-layer key management server. When an application-layer key management server is used, the first server first obtains the shared key K2 from the application-layer key management server by sending a request message, sends the shared key K2 to the terminal through the first request response message, and also stores the shared key K2 itself. Optionally, the first request response message may be encrypted with the first key, i.e. the shared key Ks_NAF. Since both the NAF and the terminal hold the shared key Ks_NAF, the first request response message can be encrypted with Ks_NAF, sent to the terminal and decrypted by the terminal.

In an embodiment of the present invention, step 302 may include the following sub-step:

Sub-step S3021: the first request response message includes the second key identifier.

Specifically, the first request response message may be an Application Answer message. The second key identifier may be the identifier of the application-layer shared key K2. The second key identifier can serve as an indication for the first server to decrypt the second request message with the shared key K2 corresponding to the second key identifier. Optionally, the second key identifier may indicate that the first server is to encrypt the second request response message with the second key.

Step 303: the first server receives a second request message sent by the terminal, the second request message including a second key identifier, the second key identifier being used to cause the first server to generate a second request response message corresponding to the second request message according to the second key corresponding to the second key identifier.

Specifically, the second request message may be an application request message. The second key identifier may be the unique identifier of the application-layer shared key K2. The second request message may be encrypted with the shared key Ks_NAF. Optionally, the second request message may instead be encrypted with the shared key K2. When the shared key K2 is used for encryption, the second key identifier may be left unencrypted, so that it serves as an indication for the server to decrypt the second request message with the shared key K2 corresponding to that second key identifier. Optionally, the second request message may omit the second key identifier, in which case the first server may attempt to decrypt the second request message with the first key or with the second key. The first server can determine from the bootstrapping session identifier whether a second key has already been derived; if so, the first server encrypts the second request response message with the second key and sends it to the terminal, and the terminal decrypts the second request response message with the second key.

In an embodiment of the invention, the following sub-step may be included after step 303 and before step 304. Sub-step S3031: the first server decrypts the second request message with the first key. Specifically, the second request message may be an application request message, and the first key is the shared key Ks_NAF, so the second request message may be encrypted with Ks_NAF. Optionally, the second request message may instead be encrypted with the shared key K2; when K2 is used, the second key identifier may be left unencrypted. The second key identifier serves as an indication that the server should decrypt the second request message with the shared key K2 corresponding to the second key identifier.

Sub-step S3032: the first server encrypts the second request response message with the second key corresponding to the second key identifier in the second request message. Specifically, the second key identifier may be the unique identifier of the application-layer shared key K2, and the second key is the application-layer shared key K2. The first server reads the unique identifier of K2 from the application request message and encrypts the application response message corresponding to that request with the application-layer shared key K2 that the identifier denotes.

In an embodiment of the invention, step 303 may include the following sub-step. Sub-step S3033: the second request message is encrypted with the first key. Specifically, the second request message may be an application request message, and the first key may be the shared key Ks_NAF, so the second request message may be encrypted with Ks_NAF. Optionally, the second request message may instead be encrypted with the application-layer shared key K2.

Step 304: the first server sends the second request response message to the terminal.

Specifically, the first server may be an application server, also called a NAF. The second request response message sent by the first server to the terminal may be encrypted with the application-layer shared key K2. Optionally, the second request response message may include the second key identifier, and the second key identifier part may be left unencrypted. The terminal can use the second key identifier to select the corresponding application-layer shared key K2 and decrypt the second request response message.

In an embodiment of the invention, step 304 may include the following sub-step. Sub-step S3041: the first server deletes the first key. Specifically, the first server may be an application server, also called a NAF, and the first key may be the shared key Ks_NAF. Once both the terminal and the first server hold the application-layer shared key K2, there is no need to keep storing Ks_NAF; the first server can therefore delete Ks_NAF after sending the second request response message. Optionally, if encryption with the application-layer shared key K2 already begins with the first application request message, the first server can delete Ks_NAF after sending the first request response message.
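The four-message exchange of steps 301 to 304, as an added example rather than code from the patent: a terminal, a NAF (first server) and a BSF (second server) modelled in Python. The key derivation is a simplified HMAC construction standing in for the GBA KDF, the cipher is a toy encrypt-then-MAC standing in for a real AEAD, and the header field names b_tid and key_id are assumptions. It shows the two points a practitioner would check when implementing the text above: the cleartext key identifier is only a hint, so it is bound into the authentication tag (as associated data) and must match the K2 issued for that B-TID, and Ks_NAF is deleted on the NAF once the second answer has gone out under K2.

```python
# Added illustration of the steps 301-304 exchange (terminal, first server/NAF, second server/BSF).
# Not code from the patent: the KDF, the toy AEAD and the header field names (b_tid, key_id)
# are assumptions made for this example; a deployment would use a real AEAD and the GBA KDF.
import hashlib, hmac, os
from dataclasses import dataclass
H = hashlib.sha256

def kdf(key: bytes, *labels: bytes) -> bytes:   # simplified HMAC derivation, stand-in for the GBA KDF
    return hmac.new(key, b"|".join(labels), H).digest()

def _stream(enc_key: bytes, nonce: bytes, n: int) -> bytes:   # toy keystream covering n bytes
    return b"".join(H(enc_key + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))

def seal(key: bytes, aad: bytes, plaintext: bytes) -> bytes:
    # toy encrypt-then-MAC: the cleartext header (aad) is authenticated but not encrypted
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _stream(kdf(key, b"enc"), nonce, len(plaintext))))
    return nonce + ct + hmac.new(kdf(key, b"mac"), aad + nonce + ct, H).digest()

def open_(key: bytes, aad: bytes, blob: bytes):
    # None when the key is wrong or the header or ciphertext was altered
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(kdf(key, b"mac"), aad + nonce + ct, H).digest(), tag):
        return None
    return bytes(c ^ s for c, s in zip(ct, _stream(kdf(key, b"enc"), nonce, len(ct))))

@dataclass
class Message:
    header: dict   # cleartext part: B-TID and/or key identifier, bound into the tag as aad
    body: bytes    # encrypted part
    def aad(self) -> bytes:
        return repr(sorted(self.header.items())).encode()

def make(key: bytes, header: dict, plaintext: bytes) -> Message:
    msg = Message(dict(header), b"")
    msg.body = seal(key, msg.aad(), plaintext)
    return msg

class BSF:                                   # second server
    def __init__(self):
        self.sessions = {}                   # B-TID -> Ks agreed with the terminal through AKA
    def authentication_answer(self, b_tid: str, naf_id: bytes):
        ks = self.sessions.get(b_tid)
        return None if ks is None else kdf(ks, b"Ks_NAF", b_tid.encode(), naf_id)

class NAF:                                   # first server
    def __init__(self, naf_id: bytes, bsf: BSF):
        self.naf_id, self.bsf = naf_id, bsf
        self.ks_naf, self.k2, self.k2_id_of = {}, {}, {}   # by B-TID; by key id; B-TID -> key id

    def handle_first_request(self, msg: Message):          # steps 301, 302
        b_tid = msg.header["b_tid"]
        ks_naf = self.bsf.authentication_answer(b_tid, self.naf_id)
        if ks_naf is None or open_(ks_naf, msg.aad(), msg.body) is None:
            return None
        key_id, k2 = os.urandom(8).hex(), os.urandom(32)
        self.ks_naf[b_tid], self.k2[key_id], self.k2_id_of[b_tid] = ks_naf, k2, key_id
        return make(ks_naf, {"b_tid": b_tid, "key_id": key_id}, k2)   # K2 travels under Ks_NAF

    def handle_second_request(self, msg: Message):         # steps 303, 304
        b_tid, key_id = msg.header["b_tid"], msg.header.get("key_id")
        own_id = self.k2_id_of.get(b_tid)
        if own_id is None or (key_id is not None and key_id != own_id):
            return None                      # the identifier must name this session's own K2
        # identifier present: that K2 first; absent: trial decryption, first key then second key
        keys = [self.k2[own_id], self.ks_naf.get(b_tid)] if key_id else [self.ks_naf.get(b_tid), self.k2[own_id]]
        plaintexts = [open_(k, msg.aad(), msg.body) for k in keys if k]
        plaintext = next((pt for pt in plaintexts if pt is not None), None)
        if plaintext is None:
            return None
        answer = make(self.k2[own_id], {"key_id": own_id}, b"answer:" + plaintext)   # S3032
        self.ks_naf.pop(b_tid, None)         # S3041: both sides now hold K2, so Ks_NAF goes
        return answer

class Terminal:
    def __init__(self, b_tid: str, ks: bytes, naf_id: bytes):
        self.b_tid, self.k2, self.key_id = b_tid, None, None
        self.ks_naf = kdf(ks, b"Ks_NAF", b_tid.encode(), naf_id)    # same derivation as the BSF
    def first_request(self, payload: bytes) -> Message:
        return make(self.ks_naf, {"b_tid": self.b_tid}, payload)
    def take_first_answer(self, msg: Message) -> None:
        self.k2, self.key_id = open_(self.ks_naf, msg.aad(), msg.body), msg.header["key_id"]
    def second_request(self, payload: bytes) -> Message:
        return make(self.k2, {"b_tid": self.b_tid, "key_id": self.key_id}, payload)
    def take_second_answer(self, msg: Message):
        self.ks_naf = None                   # the terminal drops Ks_NAF as well
        return open_(self.k2, msg.aad(), msg.body) if msg.header["key_id"] == self.key_id else None

def run_exchange() -> dict:
    # runs the four messages plus one forgery attempt; all sample data is constructed
    bsf, naf_id, b_tid, ks = BSF(), b"naf.example", "btid-1", os.urandom(32)
    bsf.sessions[b_tid] = ks                 # result of the AKA run, assumed already done
    naf, ue = NAF(naf_id, bsf), Terminal(b_tid, ks, naf_id)
    ue.take_first_answer(naf.handle_first_request(ue.first_request(b"app request 1")))
    reply = ue.take_second_answer(naf.handle_second_request(ue.second_request(b"app request 2")))
    forged = ue.second_request(b"app request 3")
    forged.header["key_id"] = "ffffffffffffffff"   # cleartext identifier swapped in transit
    return {"reply": reply,
            "naf_holds_ks_naf": b_tid in naf.ks_naf,
            "forged_rejected": naf.handle_second_request(forged) is None,    # not this session's K2
            "aad_bound": open_(ue.k2, forged.aad(), forged.body) is None}    # right key, altered header
```

Calling run_exchange() yields the second answer decrypted under K2, an empty Ks_NAF table on the NAF, and a refusal of the request whose key identifier was swapped in transit. Trial decryption when the identifier is absent (which the text allows) costs one extra tag check per candidate key; with an authenticated construction a wrong key fails cleanly instead of yielding garbage plaintext.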

Referring to FIG. 4, which shows a flow chart of the steps of Embodiment 3 of a communication method between a terminal and a server according to the invention; the method may specifically include the following steps.

Step 401: the terminal sends a third request message to a third server. The third request message is used to make the third server send an authentication request to a fourth server and obtain a third key from the fourth server. Specifically, the third server is an application-layer key management server; FIG. 5 shows the system architecture of Embodiment 3. The terminal first generates the shared key Ks through the AKA protocol. A secret channel between the terminal and the application-layer key management server can then be established with the shared key Ks_NAF derived from Ks. The application-layer key management server can manage key distribution for multiple application servers; an application server's key may also be a root key. The application-layer key management server can replace the shared key Ks_NAF with the application-layer shared key K2 to establish a secure channel between the terminal and itself. Afterwards, it can deliver the application server's key or root key to the terminal over that secure channel, so that the terminal can establish secure connections with multiple application servers.

The third request message may be an application request. The application request carries the bootstrapping transaction identifier (B-TID) and, optionally, an application-layer data payload. Before sending the third request message, the terminal derives the shared key Ks_NAF from the shared key Ks generated by the AKA protocol and encrypts the third request message with Ks_NAF; the B-TID in the third request message may be left outside the encrypted part. The fourth server may be a BSF, and the third key may be the shared key Ks_NAF. After receiving the third request message, the application-layer key management server sends an Authentication Request to the BSF; the authentication request includes the B-TID and, optionally, the identifier of the application-layer key management server. The BSF uses the B-TID to find the shared key Ks generated during the AKA negotiation with the terminal, derives the shared key Ks_NAF from Ks, and then sends an Authentication Answer to the third server containing Ks_NAF. Optionally, the authentication answer may also include the Ks_NAF lifetime (key_lifetime); when the lifetime expires, the terminal and the BSF must derive a new shared key Ks_NAF from the shared key Ks. After receiving Ks_NAF, the third server stores it, and the terminal and the third server use Ks_NAF to encrypt and decrypt messages over the air interface.

In an embodiment of the invention, step 401 may include the following sub-step. Sub-step S4011: the terminal sends a third request message to the third server, the third request message including a fourth key identifier, which is used to make the third server send the fourth key to the terminal in the third request response message. Specifically, the fourth key identifier may be the identifier of the application-layer shared key K2 and may be preset on the terminal. The fourth key identifier may be included in the third request message that the terminal sends to the third server, instructing the third server to send the fourth key corresponding to the fourth key identifier to the terminal in the third request response message that answers the third request message. Optionally, the third server may first obtain the shared key K2 from the application-layer key management server and then send K2 to the terminal in the third request response message.

Step 402: the terminal receives the third request response message, corresponding to the third request message, sent by the third server; the third request response message includes the fourth key. Specifically, the third server is an application-layer key management server, and the third request response message may be an Application Answer message. The fourth key may be the application-layer shared key K2, which may be managed by the application-layer key management server. The application-layer key management server can deliver K2 to the terminal so that a secure channel based on K2 can be established between the terminal and the application-layer key management server.

In an embodiment of the invention, step 402 may include the following sub-step. Sub-step S4021: the third request response message includes the fourth key identifier. Specifically, the third request response message may be an Application Answer message, and the fourth key identifier may be the identifier of the application-layer shared key K2. By carrying the fourth key identifier when it sends the fourth request message, the terminal causes the application-layer key management server to decrypt the fourth request message with the fourth key corresponding to that identifier. Optionally, the fourth key identifier may also instruct the application-layer key management server to encrypt the fourth request response message with the fourth key corresponding to the identifier.

Step 403: the terminal sends a fourth request message to the third server. The fourth request message includes the fourth key identifier, which is used to make the third server generate the fourth request response message corresponding to the fourth request message according to the fourth key corresponding to the fourth key identifier. Specifically, the fourth request message may be an application request message, and the fourth key identifier may be the unique identifier of the application-layer shared key K2. The fourth request message may be encrypted with the shared key Ks_NAF; optionally, it may instead be encrypted with the shared key K2, in which case the fourth key identifier may be left unencrypted. The fourth key identifier serves as an indication that the server should decrypt the fourth request message with the shared key K2 corresponding to the identifier. Optionally, the fourth request message may include an application server identifier, which instructs the application-layer key management server to obtain the application server key (AppKey) from the application server that the identifier denotes. After receiving the fourth application request message, the application-layer key management server may send a request message to that application server and obtain the AppKey from the corresponding response message. Optionally, the application server key may also be called an application key, and the application server identifier may also be called an application identifier. The application-layer key management server can determine the application server identifier and the corresponding address from the mapping between application identifiers and application server identifiers, and send the request message, which may be a key request message, to the application server.

In an embodiment of the invention, step 403 may include the following sub-step. Sub-step S4031: the fourth request message is encrypted with the fourth key. Specifically, the fourth request message may be an application request message, and the fourth key may be the application-layer shared key K2, so the application request message may be encrypted with K2. Optionally, the application request message may instead be encrypted with the shared key Ks_NAF.

Step 404: the terminal receives the fourth request response message sent by the third server. The fourth request response message includes a fifth key, which the third server obtained by sending a request to a fifth server after receiving the fourth request message sent by the terminal.

Specifically, the third server may be an application-layer key management server, the fifth server may be an application server, and the fifth key may be the application server's key or root key. After receiving the fourth application request message, the application-layer key management server may send a request message to the application server and obtain the application server key (AppKey) from the corresponding response message. Optionally, the application server key may also be called an application key, and the application server identifier may also be called an application identifier. The application-layer key management server can determine the application server identifier and the corresponding address from the mapping between application identifiers and application server identifiers, and send the request message, which may be a key request message, to the application server. The fourth request response message sent by the third server to the terminal may be encrypted with the application-layer shared key K2. Optionally, the fourth request response message may include the fourth key identifier, and the fourth key identifier part may be left unencrypted. The terminal can use the fourth key identifier to select the corresponding application-layer shared key K2 and decrypt the fourth request response message.

In an embodiment of the invention, step 404 may include the following sub-step. Sub-step S4041: the terminal deletes the third key and the fourth key. Specifically, the third key may be the shared key Ks_NAF. Once both the terminal and the application server hold the application server key AppKey, there is no need to keep storing the shared key Ks_NAF and the application-layer shared key K2; the terminal can therefore delete both after receiving the fourth request response message. Optionally, if encryption with the application-layer shared key K2 already begins with the third application request message, the terminal can delete Ks_NAF after receiving the third request response message and delete K2 after receiving the fourth request response message.

Referring to FIG. 6, which shows a flow chart of the steps of Embodiment 3 of a communication method between a terminal and a server according to the invention, as performed by the third server; the method may specifically include the following steps.

Step 501: the third server receives a third request message sent by the terminal. The third request message is used to make the third server send an authentication request to a fourth server and obtain a third key from the fourth server. Specifically, the third server is an application-layer key management server; FIG. 5 shows the system architecture of Embodiment 3. The terminal first generates the shared key Ks through the AKA protocol. A secret channel between the terminal and the application-layer key management server can then be established with the shared key Ks_NAF derived from Ks. The application-layer key management server can manage key distribution for multiple application servers; an application server's key may also be a root key. The application-layer key management server can replace the shared key Ks_NAF with the application-layer shared key K2 to establish a secure channel between the terminal and itself. Afterwards, it can deliver the application server's key or root key to the terminal over that secure channel, so that the terminal can establish secure connections with multiple application servers.

The third request message may be an application request. The application request carries the bootstrapping transaction identifier (B-TID), which binds the subscription identity to the keying material, and, optionally, an application-layer data payload. Before sending the third request message, the terminal derives the shared key Ks_NAF from the shared key Ks generated by the AKA protocol and encrypts the third request message with Ks_NAF; the B-TID in the third request message may be left outside the encrypted part. The fourth server may be a BSF, and the third key may be the shared key Ks_NAF. After receiving the third request message, the application-layer key management server sends an Authentication Request to the BSF; the authentication request includes the B-TID and, optionally, the identifier of the application-layer key management server. The BSF uses the B-TID to find the shared key Ks generated during the AKA negotiation with the terminal, derives the shared key Ks_NAF from Ks, and then sends an Authentication Answer to the third server containing Ks_NAF. Optionally, the authentication answer may also include the Ks_NAF lifetime (key_lifetime); when the lifetime expires, the terminal and the BSF must derive a new shared key Ks_NAF from the shared key Ks. After receiving Ks_NAF, the third server stores it, and the terminal and the third server use Ks_NAF to encrypt and decrypt messages over the air interface.

In an embodiment of the invention, step 501 may include the following sub-step. Sub-step S5011: the third server receives the third request message sent by the terminal, the third request message including a fourth key identifier, which is used to make the third server send the fourth key to the terminal in the third request response message. Specifically, the fourth key identifier may be the identifier of the application-layer shared key K2 and may be preset on the terminal. The fourth key identifier may be included in the third request message that the terminal sends to the third server, instructing the third server to send the fourth key corresponding to the fourth key identifier to the terminal in the third request response message that answers the third request message. Optionally, the third server may first obtain the shared key K2 from the application-layer key management server and then send K2 to the terminal in the third request response message.

Step 502: the third server sends to the terminal the third request response message corresponding to the third request message; the third request response message includes the fourth key. Specifically, the third server is an application-layer key management server, and the third request response message may be an Application Answer message. The fourth key may be the application-layer shared key K2, which may be managed by the application-layer key management server. The application-layer key management server can deliver K2 to the terminal so that a secure channel based on K2 can be established between the terminal and the application-layer key management server.

In an embodiment of the invention, step 502 may include the following sub-step. Sub-step S5021: the third request response message includes the fourth key identifier. Specifically, the third request response message may be an Application Answer message, and the fourth key identifier may be the identifier of the application-layer shared key K2. By carrying the fourth key identifier when it sends the fourth request message, the terminal causes the application-layer key management server to decrypt the fourth request message with the fourth key corresponding to that identifier. Optionally, the fourth key identifier may also instruct the application-layer key management server to encrypt the fourth request response message with the fourth key corresponding to the identifier.

Step 503: the third server receives a fourth request message sent by the terminal. The fourth request message includes the fourth key identifier, which is used to make the third server generate the fourth request response message corresponding to the fourth request message according to the fourth key corresponding to the fourth key identifier. Specifically, the fourth request message may be an application request message, and the fourth key identifier may be the unique identifier of the application-layer shared key K2. The fourth request message may be encrypted with the shared key Ks_NAF; optionally, it may instead be encrypted with the shared key K2, in which case the fourth key identifier may be left unencrypted. The fourth key identifier serves as an indication that the server should decrypt the fourth request message with the shared key K2 corresponding to the identifier. Optionally, the fourth request message may include an application server identifier, which instructs the application-layer key management server to obtain the application server key (AppKey) from the application server that the identifier denotes. After receiving the fourth application request message, the application-layer key management server may send a request message to that application server and obtain the AppKey from the corresponding response message. Optionally, the application server key may also be called an application key, and the application server identifier may also be called an application identifier. The application-layer key management server can determine the application server identifier and the corresponding address from the mapping between application identifiers and application server identifiers, and send the request message, which may be a key request message, to the application server.

In an embodiment of the invention, step 503 may include the following sub-step. Sub-step S5031: the fourth request message is encrypted with the fourth key. Specifically, the fourth request message may be an application request message, and the fourth key may be the application-layer shared key K2, so the application request message may be encrypted with K2. Optionally, the application request message may instead be encrypted with the shared key Ks_NAF.

Step 504: the third server sends the fourth request response message to the terminal. The fourth request response message includes a fifth key, which the third server obtained by sending a request to a fifth server after receiving the fourth request message sent by the terminal.

Specifically, the third server may be an application-layer key management server, the fifth server may be an application server, and the fifth key may be the application server's key or root key. After receiving the fourth application request message, the application-layer key management server may send a request message to the application server and obtain the application server key (AppKey) from the corresponding response message. Optionally, the application server key may also be called an application key, and the application server identifier may also be called an application identifier. The application-layer key management server can determine the application server identifier and the corresponding address from the mapping between application identifiers and application server identifiers, and send the request message, which may be a key request message, to the application server. The fourth request response message sent by the third server to the terminal may be encrypted with the application-layer shared key K2. Optionally, the fourth request response message may include the fourth key identifier, and the fourth key identifier part may be left unencrypted. The terminal can use the fourth key identifier to select the corresponding application-layer shared key K2 and decrypt the fourth request response message.

In an embodiment of the invention, step 504 may include the following sub-step. Sub-step S5041: the third server deletes the third key and the fourth key. Specifically, the third key may be the shared key Ks_NAF. Once both the terminal and the application server hold the application server key AppKey, there is no need to keep storing the shared key Ks_NAF and the application-layer shared key K2; the third server can therefore delete both after sending the fourth request response message. Optionally, if encryption with the application-layer shared key K2 already begins with the third application request message, the third server can delete Ks_NAF after sending the third request response message and delete K2 after sending the fourth request response message.
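The third server's side of Embodiment 3 (steps 501 to 504), as an added example that is not the patent's own code. It leaves message encryption out and models what the text above specifies: the per-B-TID key state, the key_lifetime returned in the BSF's Authentication Answer, the application identifier mapping that decides which fifth server is asked for an AppKey, and the deletion of Ks_NAF and K2 after the fourth response (sub-step S5041). The BSF and application servers are stubs with constructed keys, the derivation of Ks_NAF is a simplified HMAC stand-in rather than the GBA KDF, and the identifiers and lifetime value are made up. The checks a practitioner would add are included: a fourth key identifier that was not issued for the presenting B-TID is refused, an expired Ks_NAF forces a fresh bootstrap instead of being honoured, and only registered application identifiers can be resolved to an application server.

```python
# Added illustration of the Embodiment 3 third server (application-layer key management server);
# not code from the patent. Message encryption is left out: what is modelled is the per-B-TID key
# state, the key_lifetime from the BSF's Authentication Answer, the application-identifier mapping
# that selects the fifth server asked for an AppKey, and the deletion of Ks_NAF and K2 after the
# fourth response (S5041). BSF and application servers are stubs; every identifier and key value
# here is constructed, and the Ks_NAF derivation is a simplified HMAC stand-in, not the GBA KDF.
import hmac
import os
from dataclasses import dataclass
from typing import Optional


class KeyExpired(Exception):
    """Ks_NAF lifetime has passed: the terminal must derive a fresh Ks_NAF with the BSF first."""


@dataclass
class Session:
    ks_naf: bytes                 # third key, received from the BSF
    expires_at: float             # time of receipt + key_lifetime
    k2: bytes                     # fourth key
    k2_id: str                    # fourth key identifier


class BSFStub:                    # fourth server
    def __init__(self, key_lifetime: float):
        self.key_lifetime, self.ks = key_lifetime, {}   # B-TID -> Ks from the AKA run

    def authentication_answer(self, b_tid: str, kms_id: str) -> Optional[tuple]:
        ks = self.ks.get(b_tid)
        if ks is None:
            return None                                   # unknown B-TID: no key material
        ks_naf = hmac.new(ks, b"Ks_NAF|" + b_tid.encode() + b"|" + kms_id.encode(), "sha256").digest()
        return ks_naf, self.key_lifetime


class AppServerStub:              # fifth server
    def __init__(self):
        self.app_key = os.urandom(32)

    def key_answer(self) -> bytes:
        return self.app_key       # reply to the key request message


class KeyManagementServer:        # third server
    def __init__(self, kms_id: str, bsf: BSFStub, app_servers: dict):
        self.kms_id, self.bsf = kms_id, bsf
        self.app_servers = app_servers        # application identifier -> application server (the mapping)
        self.sessions: dict = {}              # B-TID -> Session
        self.by_k2_id: dict = {}              # fourth key identifier -> B-TID

    def third_request(self, b_tid: str, now: float) -> Optional[dict]:            # steps 501, 502
        answer = self.bsf.authentication_answer(b_tid, self.kms_id)
        if answer is None:
            return None
        ks_naf, lifetime = answer
        k2, k2_id = os.urandom(32), os.urandom(8).hex()
        self.sessions[b_tid] = Session(ks_naf, now + lifetime, k2, k2_id)
        self.by_k2_id[k2_id] = b_tid
        return {"key_id": k2_id, "k2": k2}    # third request response: K2 and its identifier

    def fourth_request(self, b_tid: str, k2_id: str, app_id: str, now: float) -> dict:  # steps 503, 504
        sess = self.sessions.get(b_tid)
        if sess is None or self.by_k2_id.get(k2_id) != b_tid:
            raise PermissionError("fourth key identifier does not belong to this B-TID")
        if now >= sess.expires_at:
            raise KeyExpired(b_tid)           # bootstrap material too old to act on
        app = self.app_servers.get(app_id)
        if app is None:                       # only registered application identifiers are reachable
            raise LookupError(f"unknown application identifier {app_id!r}")
        app_key = app.key_answer()            # key request / key answer towards the fifth server
        del self.sessions[b_tid]              # S5041: AppKey delivered, Ks_NAF and K2 are no longer needed
        del self.by_k2_id[k2_id]
        return {"key_id": k2_id, "app_key": app_key}   # fourth request response


def run_demo() -> dict:
    """Happy path, an expired Ks_NAF, an unregistered application and an unknown B-TID."""
    bsf = BSFStub(key_lifetime=3600.0)
    bsf.ks["btid-1"], bsf.ks["btid-2"] = os.urandom(32), os.urandom(32)
    pay = AppServerStub()
    kms = KeyManagementServer("kms.example", bsf, {"app-pay": pay})
    out = {}
    third = kms.third_request("btid-1", now=1000.0)
    fourth = kms.fourth_request("btid-1", third["key_id"], "app-pay", now=1500.0)
    out["app_key_matches"] = fourth["app_key"] == pay.app_key
    out["session_wiped"] = "btid-1" not in kms.sessions and third["key_id"] not in kms.by_k2_id
    third2 = kms.third_request("btid-2", now=1000.0)
    try:
        kms.fourth_request("btid-2", third2["key_id"], "app-pay", now=4600.0)
        out["expired_rejected"] = False
    except KeyExpired:
        out["expired_rejected"] = True
    try:
        kms.fourth_request("btid-2", third2["key_id"], "app-other", now=1001.0)
        out["unknown_app_rejected"] = False
    except LookupError:
        out["unknown_app_rejected"] = True
    out["unknown_btid_refused"] = kms.third_request("btid-9", now=1000.0) is None
    return out
```

Because the server wipes Ks_NAF and K2 as soon as the AppKey has been delivered, a terminal that wants a second application's key must run the bootstrap again; the lifetime check means the same is true once key_lifetime has elapsed, which is the behaviour the text describes for an expired Ks_NAF.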

Referring to FIG. 8, a structural block diagram of Embodiment 1 of a communication device between a terminal and a server according to the present invention is shown, which may specifically include the following modules: a receiving module 2002 located in the first server, configured to receive a first request message sent by the terminal, the first request message being used to cause the first server to send an authentication request to a second server and obtain a first key from the second server; a sending module 2001 located in the first server, configured to send to the terminal a first request response message corresponding to the first request message, the first request response message including a second key; the receiving module 2002 located in the first server, configured to receive a second request message sent by the terminal, the second request message including a second key identifier, the second key identifier being used to cause the first server to generate, according to the second key corresponding to the second key identifier, a second request response message corresponding to the second request message, the second request message being encrypted with the first key; a processing module 2003 located in the first server, configured to decrypt the second request message according to the first key; the processing module 2003 located in the first server, configured to encrypt the second request response message according to the second key corresponding to the second key identifier in the second request message; the sending module 2001 located in the first server, configured to send the second request response message to the terminal; and the processing module 2003 located in the first server, configured to delete the first key.

Referring to FIG. 7, a structural block diagram of Embodiment 2 of a communication device between a terminal and a server according to the present invention is shown, which may specifically include the following modules: a sending module 1001 located at the terminal, configured to send a first request message to a first server, the first request message being used to cause the first server to send an authentication request to a second server and obtain a first key from the second server; a receiving module 1002 located at the terminal, configured to receive a first request response message, corresponding to the first request message, sent by the first server, the first request response message including a second key; the sending module 1001 located at the terminal, configured to send a second request message to the first server, the second request message including a second key identifier, the second key identifier being used to cause the first server to generate, according to the second key corresponding to the second key identifier, a second request response message corresponding to the second request message; and the receiving module 1002 located at the terminal, configured to receive the second request response message sent by the first server.

In an embodiment of the present invention, the device may further include: the second request message being encrypted with the first key.

In an embodiment of the present invention, the device may further include: the first request response message including the second key identifier. In an embodiment of the present invention, the device may further include: a sending module located at the terminal, configured to send a first request message to the first server, the first request message including the second key identifier, the second key identifier being used to cause the first server to send the second key to the terminal via the first request response message. In an embodiment of the present invention, the device may further include: the terminal deleting the first key.

Referring to FIG. 8, a structural block diagram of Embodiment 2 of a communication device between a terminal and a server according to the present invention is shown, which may specifically include the following modules: a receiving module 2002 located in the first server, configured to receive a first request message sent by the terminal, the first request message being used to cause the first server to send an authentication request to a second server and obtain a first key from the second server; a sending module 2001 located in the first server, configured to send to the terminal a first request response message corresponding to the first request message, the first request response message including a second key; the receiving module 2002 located in the first server, configured to receive a second request message sent by the terminal, the second request message including a second key identifier, the second key identifier being used to cause the first server to generate, according to the second key corresponding to the second key identifier, a second request response message corresponding to the second request message; and the sending module 2001 located in the first server, configured to send the second request response message to the terminal.

In an embodiment of the present invention, the device may further include: a processing module located in the first server, configured to decrypt the second request message according to the first key; and a processing module located in the first server, configured to encrypt the second request response message according to the second key corresponding to the second key identifier in the second request message. In an embodiment of the present invention, the device may further include: the second request message being encrypted with the first key.

In an embodiment of the present invention, the device may further include: the first request response message including the second key identifier. In an embodiment of the present invention, the device may further include: a receiving device located in the first server, configured to receive a first request message sent by the terminal, the first request message including the second key identifier, the second key identifier being used to cause the first server to send the second key to the terminal via the first request response message. In an embodiment of the present invention, the device may further include: a processing module located in the first server, configured to delete the first key.

Referring to FIG. 7, a structural block diagram of Embodiment 3 of a communication device between a terminal and a server according to the present invention is shown, which may specifically include the following modules: a sending module 1001 located at the terminal, configured to send a third request message to a third server, the third request message being used to cause the third server to send an authentication request to a fourth server and obtain a third key from the fourth server; a receiving module 1002 located at the terminal, configured to receive a third request response message, corresponding to the third request message, sent by the third server, the third request response message including a fourth key; the sending module 1001 located at the terminal, configured to send a fourth request message to the third server, the fourth request message including a fourth key identifier, the fourth key identifier being used to cause the third server to generate, according to the fourth key corresponding to the fourth key identifier, a fourth request response message corresponding to the fourth request message; and the receiving module 1002 located at the terminal, configured to receive the fourth request response message sent by the third server, the fourth request response message including a fifth key, the fifth key being obtained by the third server, after receiving the fourth request message sent by the terminal, by sending a request to a fifth server and obtaining the fifth key from the fifth server.

In an embodiment of the present invention, the device may further include: the fourth request message being encrypted with the fourth key.

In an embodiment of the present invention, the device may further include: the third request response message including the fourth key identifier. In an embodiment of the present invention, the device may further include: a sending module located at the terminal, configured to send a third request message to the third server, the third request message including the fourth key identifier, the fourth key identifier being used to cause the third server to send the fourth key to the terminal via the third request response message. In an embodiment of the present invention, the device may further include: a processing module 1003 located at the terminal, configured to delete the third key and the fourth key.

Referring to FIG. 8, a structural block diagram of Embodiment 3 of a communication device between a terminal and a server according to the present invention is shown, which may specifically include the following modules: a receiving module 2002 located in the third server, configured to receive a third request message sent by the terminal, the third request message being used to cause the third server to send an authentication request to a fourth server and obtain a third key from the fourth server; a sending module 2001 located in the third server, configured to send to the terminal a third request response message corresponding to the third request message, the third request response message including a fourth key; the receiving module 2002 located in the third server, configured to receive a fourth request message sent by the terminal, the fourth request message including a fourth key identifier, the fourth key identifier being used to cause the third server to generate, according to the fourth key corresponding to the fourth key identifier, a fourth request response message corresponding to the fourth request message; and the sending module 2001 located in the third server, configured to send the fourth request response message to the terminal, the fourth request response message including a fifth key, the fifth key being obtained by the third server, after receiving the fourth request message sent by the terminal, by sending a request to a fifth server and obtaining the fifth key from the fifth server.

In an embodiment of the present invention, the device may further include: the fourth request message being encrypted with the fourth key.

In an embodiment of the present invention, the device may further include: the third request response message including the fourth key identifier. In an embodiment of the present invention, the device may further include: a receiving module located in the third server, configured to receive a third request message sent by the terminal, the third request message including the fourth key identifier, the fourth key identifier being used to cause the third server to send the fourth key to the terminal via the third request response message. In an embodiment of the present invention, the device may further include: a processing module 2003 located in the third server, configured to delete the third key and the fourth key.

Since the device embodiments are substantially similar to the method embodiments, they are described relatively briefly; for relevant details, refer to the corresponding parts of the description of the method embodiments.

An embodiment of the present invention further provides an apparatus, including: one or more processors; and one or more machine-readable media having instructions stored thereon which, when executed by the one or more processors, cause the apparatus to perform the method described in the embodiments of the present invention.

An embodiment of the present invention further provides one or more machine-readable media having instructions stored thereon which, when executed by one or more processors, cause an apparatus to perform the method described in the embodiments of the present invention.

Each embodiment in this specification is described in a progressive manner; each embodiment focuses on its differences from the other embodiments, and for the parts that are the same or similar among the embodiments, reference may be made to one another.

Those skilled in the art should understand that the embodiments of the present invention may be provided as a method, a device, or a computer program product. Accordingly, the embodiments of the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the embodiments of the present invention may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk memory, CD-ROM, optical memory, and the like) containing computer-usable program code.

The embodiments of the present invention are described with reference to flowcharts and/or block diagrams of methods, terminal devices (systems), and computer program products according to the embodiments of the present invention. It should be understood that each process and/or block in the flowcharts and/or block diagrams, and combinations of processes and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, a special-purpose computer, an embedded processor, or another programmable data processing terminal device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing terminal device produce means for implementing the functions specified in one or more processes of the flowcharts and/or one or more blocks of the block diagrams.

These computer program instructions may also be stored in a computer-readable memory that can direct a computer or another programmable data processing terminal device to operate in a specific manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means, the instruction means implementing the functions specified in one or more processes of the flowcharts and/or one or more blocks of the block diagrams.

These computer program instructions may also be loaded onto a computer or another programmable data processing terminal device, such that a series of operational steps are executed on the computer or other programmable terminal device to produce computer-implemented processing, so that the instructions executed on the computer or other programmable terminal device provide steps for implementing the functions specified in one or more processes of the flowcharts and/or one or more blocks of the block diagrams.

Although preferred embodiments of the present invention have been described, those skilled in the art can make additional changes and modifications to these embodiments once they learn of the basic inventive concept. Therefore, the appended claims are intended to be construed as including the preferred embodiments and all changes and modifications that fall within the scope of the embodiments of the present invention.

Finally, it should also be noted that in this document, relational terms such as first and second are used only to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between these entities or operations. Moreover, the terms "comprise", "include", or any other variant thereof are intended to cover a non-exclusive inclusion, such that a process, method, article, or terminal device that comprises a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article, or terminal device. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of additional identical elements in the process, method, article, or terminal device that comprises the element.

The above is a detailed description of a communication method between a terminal and a base station, a communication device between a terminal and a base station, a network access method for a terminal, and a network access device for a terminal provided by the present invention. Specific examples have been used herein to explain the principles and implementations of the present invention; the description of the above embodiments is only intended to help understand the method of the present invention and its core idea. At the same time, those of ordinary skill in the art to which the present invention pertains may, in accordance with the idea of the present invention, make changes in both the specific implementations and the scope of application. In summary, the contents of this specification should not be construed as limiting the present invention.

Claims (15)

1. A communication method between a terminal and a server, characterized in that it comprises: a first server receiving a first request message sent by the terminal, the first request message being used to cause the first server to send an authentication request to a second server and obtain a first key from the second server; the first server sending to the terminal a first request response message corresponding to the first request message, the first request response message including a second key; the first server receiving a second request message sent by the terminal, the second request message including a second key identifier, the second key identifier being used to cause the first server to generate, according to the second key corresponding to the second key identifier, a second request response message corresponding to the second request message, the second request message being encrypted with the first key; the first server decrypting the second request message according to the first key; the first server encrypting the second request response message according to the second key corresponding to the second key identifier in the second request message; the first server sending the second request response message to the terminal; and the first server deleting the first key.
2. A communication method between a terminal and a server, characterized in that it comprises: the terminal sending a first request message to a first server, the first request message being used to cause the first server to send an authentication request to a second server and obtain a first key from the second server; the terminal receiving a first request response message, corresponding to the first request message, sent by the first server, the first request response message including a second key; the terminal sending a second request message to the first server, the second request message including a second key identifier, the second key identifier being used to cause the first server to generate, according to the second key corresponding to the second key identifier, a second request response message corresponding to the second request message; and the terminal receiving the second request response message sent by the first server.

3. The method according to claim 2, wherein the first request message further includes the second key identifier, and the step of the terminal sending the first request message to the first server comprises: the terminal sending the first request message to the first server, the first request message including the second key identifier, the second key identifier being used to cause the first server to send the second key to the terminal via the first request response message.
4. A communication method between a terminal and a server, characterized in that it comprises: a first server receiving a first request message sent by the terminal, the first request message being used to cause the first server to send an authentication request to a second server and obtain a first key from the second server; the first server sending to the terminal a first request response message corresponding to the first request message, the first request response message including a second key; the first server receiving a second request message sent by the terminal, the second request message including a second key identifier, the second key identifier being used to cause the first server to generate, according to the second key corresponding to the second key identifier, a second request response message corresponding to the second request message; and the first server sending the second request response message to the terminal.

5. The method according to claim 4, wherein, after the first server receives the second request message sent by the terminal and before the first server sends the second request response message to the terminal, the method further comprises: the first server decrypting the second request message according to the first key; and the first server encrypting the second request response message according to the second key corresponding to the second key identifier in the second request message.
6. A communication method between a terminal and a server, characterized in that it comprises: the terminal sending a third request message to a third server, the third request message being used to cause the third server to send an authentication request to a fourth server and obtain a third key from the fourth server; the terminal receiving a third request response message, corresponding to the third request message, sent by the third server, the third request response message including a fourth key; the terminal sending a fourth request message to the third server, the fourth request message including the fourth key identifier, the fourth key identifier being used to cause the third server to generate, according to the fourth key corresponding to the fourth key identifier, a fourth request response message corresponding to the fourth request message; and the terminal receiving the fourth request response message sent by the third server, the fourth request response message including a fifth key, the fifth key being obtained by the third server, after receiving the fourth request message sent by the terminal, by sending a request to a fifth server and obtaining the fifth key from the fifth server.
7. The method according to claim 6, wherein the third request message further includes the fourth key identifier, and the step of the terminal sending the third request message to the third server comprises: the terminal sending the third request message to the third server, the third request message including the fourth key identifier, the fourth key identifier being used to cause the third server to send the fourth key to the terminal via the third request response message.

8. A communication method between a terminal and a server, characterized in that it comprises: a third server receiving a third request message sent by the terminal, the third request message being used to cause the third server to send an authentication request to a fourth server and obtain a third key from the fourth server; the third server sending to the terminal a third request response message corresponding to the third request message, the third request response message including a fourth key; the third server receiving a fourth request message sent by the terminal, the fourth request message including a fourth key identifier, the fourth key identifier being used to cause the third server to generate, according to the fourth key corresponding to the fourth key identifier, a fourth request response message corresponding to the fourth request message; and the third server sending the fourth request response message to the terminal, the fourth request response message including a fifth key, the fifth key being obtained by the third server, after receiving the fourth request message sent by the terminal, by sending a request to a fifth server and obtaining the fifth key from the fifth server.

9. The method according to claim 8, wherein the third request message further includes the fourth key identifier, and the step of the third server receiving the third request message sent by the terminal comprises: the third server receiving the third request message sent by the terminal, the third request message including the fourth key identifier, the fourth key identifier being used to cause the third server to send the fourth key to the terminal via the third request response message.
10. A server communicating with a terminal, characterized in that it comprises: a receiving module located in a first server, configured to receive a first request message sent by the terminal, the first request message being used to cause the first server to send an authentication request to a second server and obtain a first key from the second server; a sending module located in the first server, configured to send to the terminal a first request response message corresponding to the first request message, the first request response message including a second key; a receiving module located in the first server, configured to receive a second request message sent by the terminal, the second request message including a second key identifier, the second key identifier being used to cause the first server to generate, according to the second key corresponding to the second key identifier, a second request response message corresponding to the second request message, the second request message being encrypted with the first key; a processing module located in the first server, configured to decrypt the second request message according to the first key; a processing module located in the first server, configured to encrypt the second request response message according to the second key corresponding to the second key identifier in the second request message; a sending module located in the first server, configured to send the second request response message to the terminal; and a processing module located in the first server, configured to delete the first key.
一種與伺服器通訊的終端,其特徵在於,包括:位於該終端的發送模組,用於向第一伺服器發送第一請求訊息,該第一請求訊息用於使得該第一伺服器向第二伺服器發送認證請求,並且從該第二伺服器獲取第一金鑰;位於該終端的接收模組,用於接收該第一伺服器發送的該第一請求訊息對應的第一請求應答訊息,該第一請求應答訊息包括第二金鑰;位於該終端的發送模組,用於向該第一伺服器發送第二請求訊息,該第二請求訊息包括第二金鑰標識,該第二金鑰標識用於使得該第一伺服器根據該第二金鑰標識對應的該第二金鑰產生第二請求訊息對應的第二請求應答訊 息;以及位於該終端的接收模組,用於接收該第一伺服器發送的該第二請求應答訊息。 A terminal for communicating with a server, characterized in that it includes: a sending module located in the terminal, used to send a first request message to a first server, and the first request message is used to make the first server send a request message to a second server. The second server sends an authentication request, and obtains the first key from the second server; the receiving module located at the terminal is used to receive the first request response message corresponding to the first request message sent by the first server , the first request response message includes a second key; the sending module located at the terminal is configured to send a second request message to the first server, the second request message includes a second key identifier, and the second The key identifier is used to make the first server generate a second request response message corresponding to the second request message according to the second key corresponding to the second key identifier information; and a receiving module located at the terminal for receiving the second request response message sent by the first server. 
根據請求項11所述的終端,其中,該第一請求訊息還包括該第二金鑰標識,該終端向該第一伺服器發送該第一請求訊息的步驟包括:位於該終端的發送模組,用於向該第一伺服器發送該第一請求訊息,該第一請求訊息包括該第二金鑰標識,該第二金鑰標識用於使得該第一伺服器透過該第一請求應答訊息向該終端發送該第二金鑰。 The terminal according to claim 11, wherein the first request message further includes the second key identifier, and the step of the terminal sending the first request message to the first server includes: a sending module located in the terminal , used to send the first request message to the first server, the first request message includes the second key identifier, and the second key identifier is used to make the first server pass the first request response message sending the second key to the terminal. 一種與終端通訊的伺服器,其特徵在於,包括:位於第一伺服器的接收模組,用於接收該終端發送的第一請求訊息,該第一請求訊息用於使得該第一伺服器向第二伺服器發送認證請求,並且從該第二伺服器獲取第一金鑰;位於該第一伺服器的發送模組,用於向該終端發送該第一請求訊息對應的第一請求應答訊息,該第一請求應答訊息包括第二金鑰;位於該第一伺服器的接收模組,用於接收該終端發送的第二請求訊息,該第二請求訊息包括第二金鑰標識,該第二金鑰標識用於使得該第一伺服器根據該第二金鑰標識對應的該第二金鑰產生該第二請求訊息對應的第二請求應 答訊息;以及位於該第一伺服器的發送模組,用於向該終端發送該第二請求應答訊息。 A server for communicating with a terminal, characterized in that it includes: a receiving module located at the first server, used to receive a first request message sent by the terminal, and the first request message is used to make the first server send The second server sends an authentication request, and obtains the first key from the second server; the sending module located in the first server is used to send the first request response message corresponding to the first request message to the terminal , the first request response message includes a second key; the receiving module located at the first server is configured to receive the second request message sent by the terminal, the second request message includes a second key identifier, and the first The second key identifier is used to make the first server generate the second request response corresponding to the second request message according to the second key corresponding to the second key identifier a reply message; and a sending module located at the first 
server, configured to send the second request reply message to the terminal. 一種與伺服器通訊的終端,其特徵在於,包括:位於該終端的發送模組,用於向第三伺服器發送第三請求訊息,該第三請求訊息用於使得該第三伺服器向第四伺服器發送認證請求,並且從該第四伺服器獲取第三金鑰;位於該終端的接收模組,用於接收該第三伺服器發送的該第三請求訊息對應的第三請求應答訊息,該第三請求應答訊息包括第四金鑰;位於該終端的發送模組,用於向該第三伺服器發送第四請求訊息,該第四請求訊息包括第四金鑰標識,該第四金鑰標識用於使得該第三伺服器根據該第四金鑰標識對應的該第四金鑰產生第四請求訊息對應的第四請求應答訊息;以及位於該終端的接收模組,用於接收該第三伺服器發送的該第四請求應答訊息,該第四請求應答訊息包括第五金鑰,該第五金鑰為該第三伺服器接收該終端發送的該第四請求訊息後,向第五伺服器發送請求,並且從該第五伺服器獲取的。 A terminal for communicating with a server, characterized in that it includes: a sending module located in the terminal, used to send a third request message to a third server, and the third request message is used to make the third server send the third request message to the third server. The fourth server sends an authentication request, and obtains a third key from the fourth server; the receiving module located at the terminal is used to receive a third request response message corresponding to the third request message sent by the third server , the third request response message includes a fourth key; the sending module located at the terminal is used to send a fourth request message to the third server, the fourth request message includes a fourth key identifier, and the fourth The key identifier is used to make the third server generate a fourth request response message corresponding to the fourth request message according to the fourth key corresponding to the fourth key identifier; and a receiving module located at the terminal is used to receive The fourth request response message sent by the third server, the fourth request response message includes the fifth key, and the fifth key is sent to the fifth server after receiving the fourth request message sent by the terminal. The server sends the request and gets it from the fifth server. 
一種與終端通訊的伺服器,其特徵在於,包括: 位於第三伺服器的接收模組,用於接收該終端發送的第三請求訊息,該第三請求訊息用於使得該第三伺服器向第四伺服器發送認證請求,並且從該第四伺服器獲取第三金鑰;位於該第三伺服器的發送模組,用於向該終端發送該第三請求訊息對應的第三請求應答訊息,該第三請求應答訊息包括第四金鑰;位於該第三伺服器的接收模組,用於接收該終端發送的第四請求訊息,該第四請求訊息包括第四金鑰標識,該第四金鑰標識用於使得該第三伺服器根據該第四金鑰標識對應的該第四金鑰產生第四請求訊息對應的第四請求應答訊息;以及位於該第三伺服器的發送模組,用於向該終端發送該第四請求應答訊息,該第四請求應答訊息包括第五金鑰,該第五金鑰為該第三伺服器接收該終端發送的該第四請求訊息後,向第五伺服器發送請求,並且從該第五伺服器獲取的。 A server communicating with a terminal, characterized in that it includes: The receiving module located in the third server is used to receive the third request message sent by the terminal, the third request message is used to make the third server send an authentication request to the fourth server, and from the fourth server The server obtains the third key; the sending module located on the third server is used to send the third request response message corresponding to the third request message to the terminal, and the third request response message includes the fourth key; The receiving module of the third server is configured to receive a fourth request message sent by the terminal, the fourth request message includes a fourth key identifier, and the fourth key identifier is used to make the third server according to the The fourth key corresponding to the fourth key identifier generates a fourth request response message corresponding to the fourth request message; and a sending module located at the third server, configured to send the fourth request response message to the terminal, The fourth request response message includes a fifth key, which is obtained from the fifth server after the third server receives the fourth request message sent by the terminal and sends a request to the fifth server. .
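The exchange in the first-server claim above (terminal, first server, second server; second request encrypted under the first key, response encrypted under the second key looked up by its identifier, first key deleted afterwards), as an added Python simulation that is not part of the patent text. It assumes the second server also shares the first key with the terminal, that the first request response protects the second key under the first key, and uses a toy HMAC-based cipher as a stand-in for a real AEAD.

```python
import hashlib, hmac, secrets

def keystream_xor(key, nonce, data):
    """Toy cipher: XOR with an HMAC-SHA256 keystream. Stand-in for a real AEAD only."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def seal(key, plaintext):
    nonce = secrets.token_bytes(12)
    ct = keystream_xor(key, nonce, plaintext)
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication tag mismatch")
    return keystream_xor(key, nonce, ct)

class SecondServer:
    """Authentication server that issues the first key; assumed to share it with the terminal too."""
    def __init__(self): self.first_keys = {}
    def authenticate(self, terminal_id):
        return self.first_keys.setdefault(terminal_id, secrets.token_bytes(32))

class FirstServer:
    def __init__(self, second): self.second, self.first_keys, self.second_keys = second, {}, {}
    def first_request(self, terminal_id):
        self.first_keys[terminal_id] = self.second.authenticate(terminal_id)  # auth request -> first key
        key_id, second_key = secrets.token_hex(8), secrets.token_bytes(32)
        self.second_keys[key_id] = second_key   # second key is looked up by its identifier later
        # first request response carries the second key; protecting it under the first key is an assumption
        return key_id, seal(self.first_keys[terminal_id], second_key)
    def second_request(self, terminal_id, key_id, blob):
        first_key = self.first_keys.pop(terminal_id)          # first key is deleted after this use
        payload = unseal(first_key, blob)                     # second request is encrypted under the first key
        return seal(self.second_keys[key_id], b"ack:" + payload)  # response encrypted under the second key

def run_exchange(payload=b"hello"):
    """Runs the whole exchange; returns (decrypted response, whether first key is still held)."""
    second, terminal_id = SecondServer(), "terminal-1"
    first = FirstServer(second)
    terminal_first_key = second.authenticate(terminal_id)   # terminal's copy of the first key (assumption)
    key_id, blob = first.first_request(terminal_id)
    terminal_second_key = unseal(terminal_first_key, blob)
    reply = first.second_request(terminal_id, key_id, seal(terminal_first_key, payload))
    return unseal(terminal_second_key, reply), terminal_id in first.first_keys
```

After the exchange the first server no longer holds the first key, so a replayed second request can no longer be decrypted by it.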

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201810908310.1A CN110830240B (en) 2018-08-09 2018-08-09 Communication method and device of terminal and server
CN201810908310.1 2018-08-09

Publications (2)

Publication Number Publication Date
TW202010287A TW202010287A (en) 2020-03-01
TWI801615B true TWI801615B (en) 2023-05-11

Family

ID=69415369

Family Applications (1)

Application Number Title Priority Date Filing Date
TW108121638A TWI801615B (en) 2018-08-09 2019-06-21 Communication method between terminal and server, server communicating with terminal, and terminal communicating with server

Country Status (3)

Country Link
CN (1) CN110830240B (en)
TW (1) TWI801615B (en)
WO (1) WO2020029859A1 (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11863665B2 (en) * 2019-08-16 2024-01-02 Lenovo (Singapore) Pte. Ltd. Security capabilities in an encryption key request
CN113518348B (en) * 2020-06-30 2023-05-09 中国移动通信有限公司研究院 Service processing method, device, system and storage medium

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101378313A (en) * 2007-08-31 2009-03-04 上海华为技术有限公司 Method for establishing safety association, user equipment and network side equipment

Family Cites Families (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100581104C (en) * 2005-01-07 2010-01-13 华为技术有限公司 Method for arranging key in IP multimedia service subsystem network
WO2007008120A1 (en) * 2005-07-07 2007-01-18 Telefonaktiebolaget Lm Ericsson (Publ) Method and arrangement for authentication and privacy
CN101047505A (en) * 2006-03-27 2007-10-03 华为技术有限公司 Method and system for setting safety connection in network application PUSH service
CN101087261B (en) * 2006-06-05 2012-05-23 华为技术有限公司 Method, device and system for realizing push function based on general guiding architecture
CN101141792A (en) * 2006-09-09 2008-03-12 华为技术有限公司 Universal guiding structure pushing method
CN101990771B (en) * 2008-04-09 2014-07-02 诺基亚西门子通信公司 Service reporting
CN102299797A (en) * 2010-06-23 2011-12-28 财团法人工业技术研究院 Authentication method, key distribution method and authentication and key distribution method
EP2810418B1 (en) * 2012-02-02 2018-11-07 Nokia Solutions and Networks Oy Group based bootstrapping in machine type communication
CN104756458B (en) * 2012-10-29 2018-07-10 瑞典爱立信有限公司 For protecting the method and apparatus of the connection in communication network
WO2015072899A1 (en) * 2013-11-15 2015-05-21 Telefonaktiebolaget L M Ericsson (Publ) Methods and devices for bootstrapping of resource constrained devices
EP3466012B1 (en) * 2016-05-26 2024-04-10 Telefonaktiebolaget LM Ericsson (PUBL) Network application function registration

Also Published As

Publication number Publication date
TW202010287A (en) 2020-03-01
WO2020029859A1 (en) 2020-02-13
CN110830240B (en) 2023-02-24
CN110830240A (en) 2020-02-21
