WO2007109994A1 - Method and apparatus for generating a sequence number of the encryption key in a network - Google Patents
Method and apparatus for generating a sequence number of the encryption key in a network
- Publication number: WO2007109994A1 (PCT/CN2007/000973)
- Authority: WO (WIPO, PCT)
- Prior art keywords
- bits
- sequence number
- master key
- key sequence
- subkey
- Prior art date
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
Definitions
- the present invention relates to the field of network security technologies, and in particular to a method and an apparatus for generating a key sequence number in a network.
Background of the invention
- the key generated during the authentication process is generally derived from a parent key.
- the sequence number of the subkey should correspond to the sequence number of the parent key.
- when each parent key maintains its own key sequence number, no specific solution is given at present for how to generate the subkey sequence number.
Summary of the invention
- the purpose of the embodiments of the present invention is to provide a method and a device for generating a key sequence number in a network, so as to generate a subkey serial number in the network, thereby improving network security.
- An embodiment of the present invention provides a method for generating a key sequence number in a network, including: a user equipment and a network side key generator respectively generate a first master key sequence number and a second master key sequence number;
- bits of the first master key sequence number and the second master key sequence number are added or concatenated to obtain the subkey sequence number of the user equipment and the network side.
- An embodiment of the present invention provides a device for generating a key sequence number in a network, including: a master key sequence number obtaining unit, configured to acquire the first master key sequence number and the second master key sequence number generated by the user equipment and the network side key generator in an authentication process;
- a subkey sequence number generating unit, configured to add or concatenate bits of the first master key sequence number and the second master key sequence number acquired by the master key sequence number obtaining unit, to obtain the subkey sequence number of the user equipment and the network side.
- the embodiment of the present invention provides a method and an apparatus for generating a subkey sequence number from two parent key sequence numbers: specifically, bits of the two sequence numbers generated by the authentication process are added or concatenated to obtain the required subkey sequence number, which can be provided in a wireless network system, thereby improving the security of the network.
- FIG. 1 is a flowchart of generating a universal key sequence number in an embodiment of the present invention
- FIG. 2 is a flowchart of a key sequence number generation process applied to a network authentication process according to an embodiment of the present invention
- FIG. 3 is a schematic structural diagram of an apparatus according to an embodiment of the present invention.
- the authentication process mutually authenticates the terminal device and the network device by exchanging authentication messages between the terminal and the network device.
- the sequence number of the subkey needs to be derived from the sequence numbers of the two parent keys, and an implementation scheme for deriving the subkey sequence number from the two parent key sequence numbers is provided.
- An implementation solution provided by the embodiment of the present invention adds the key sequence numbers generated by the two authentications to obtain the authorization key sequence number of the user equipment and the network side. The implementation is described below in conjunction with two specific application embodiments.
- the corresponding first master key sequence number is RK1_SN (4 bits); the key RK2 is generated by the user equipment and the key generator in the second authentication process, and the corresponding second master key sequence number is RK2_SN (4 bits); the subkey is the authorization key AK, whose sequence number is AK_SN.
- RK1_SN and RK2_SN each start from an initial value, for example 0, 1, 2 or 3; on re-authentication, the values of RK1_SN and RK2_SN are each incremented by one.
- RK1_SN uses the lower two bits and RK2_SN uses the lower two bits; or,
- RK1_SN uses the upper two bits and RK2_SN uses the upper two bits; or,
- RK1_SN uses the upper two bits and RK2_SN uses the lower two bits.
- the key generators on the terminal and network side respectively generate a 2-bit authorization key sequence number according to the above formula.
- the flowchart for generating the sequence number on the terminal and the network side is shown in FIG. 1; after the network side generates the authorization key sequence number, the generator (such as an authenticator) may distribute the subkey sequence number AK_SN to the entity that uses it (such as a base station).
- FIG. 2 is a flowchart of a key sequence number generation process applied to a WiMAX network authentication process according to an embodiment of the present invention.
- the sequence number generation method in this embodiment includes the following steps:
- AK_SN = (PMK_SN + PMK2_SN) modulo 4
- the obtained authorization key AK has a sequence number of 2 bits.
- PMK_SN uses the lower two bits and PMK2_SN uses the upper two bits; or,
- PMK_SN uses the lower two bits and PMK2_SN uses the lower two bits; or,
- PMK_SN uses the upper two bits and PMK2_SN uses the upper two bits; or,
- PMK_SN uses the upper two bits and PMK2_SN uses the lower two bits.
- for example, if both PMK_SN and PMK2_SN use the lower two bits, and the lower two bits of PMK_SN are 01 while the lower two bits of PMK2_SN are 00, then (01 + 00) modulo 4 = 01, which is the 2-bit authorization key sequence number AK_SN.
- the sequence number of the authorization key is obtained on the subscriber station and the authenticator respectively.
- the network side authenticator sends a key material transmission message carrying the authorization key sequence number to the base station; the message further includes the authorization key and the lifetime of the authorization key.
- a negotiation of the new authorization key sequence number is performed between the subscriber station and the base station. Specifically, it can be negotiated with reference to the standards defined in IEEE802.16e-D12. Since the distribution of the key sequence number and the negotiation of the sequence number are the same as in the prior art, they are not described here.
- the key RK1 generated by the first authentication process has the sequence number RK1_SN (4 bits); the key RK2 generated by the second authentication process has the sequence number RK2_SN (4 bits); the subkey is the authorization key AK, whose sequence number is AK_SN.
- RK1_SN and RK2_SN are each initialized from an initial value, such as 0, 1, 2 or 3.
- RK1_SN always uses its two meaningless bits;
- RK2_SN always uses its two meaningful bits (the significant bits, including the MSB (most significant bit) and the LSB (least significant bit)).
- the two meaningless bits of RK1_SN and the two meaningful bits of RK2_SN are each accumulated from an initial value (which may be 0, 1, 2 or 3) and then taken modulo 4. For the same reason, it is equally possible for RK1_SN to always use its two meaningful bits and RK2_SN to always use its two meaningless bits.
- AK_SN is obtained by adding the two meaningless bits of RK1_SN to the two meaningful bits of RK2_SN:
- AK_SN = RK1_SN + RK2_SN.
- the method for generating the authorization key sequence number includes the following steps:
- the two meaningless bits are always used; they may be the lower two bits or the upper two bits, and their value is accumulated from an initial value (such as 0, 1, 2 or 3) and then taken modulo 4;
- the two meaningful bits may be the lower two bits or the upper two bits, and their value is accumulated from an initial value (such as 0, 1, 2 or 3) and then taken modulo 4.
- AK_SN = PMK_SN + PMK2_SN.
- the two meaningless bits of PMK_SN are the lower two bits;
- the two meaningful bits of PMK2_SN are the upper two bits. If the initial values of the two authentications are 0 and 3 respectively, the two meaningless bits of PMK_SN are accumulated from the initial value (0),
- incremented by 1 and taken modulo 4; the two meaningful bits of PMK2_SN are accumulated from the initial value (3).
- the 2-bit authorization key sequence number is obtained on the subscriber station and the authentication server respectively.
- the steps after the authorization key sequence number is generated are the same as in the first embodiment.
- the embodiment of the present invention may further add RK1_SN to RK2_SN to obtain a 4-bit subkey sequence number, of which only the upper two bits or the lower two bits may be used.
- the basic principle of another implementation solution provided by the embodiment of the present invention is that the key sequence numbers generated by the two authentications are concatenated to obtain the key sequence number of the user equipment and the network side. The implementation is described below in conjunction with two specific application embodiments.
- the key RK1 generated by the first authentication process has the sequence number RK1_SN; the key RK2 generated by the second authentication process has the sequence number RK2_SN; the subkey is the authorization key AK, and its sequence number is AK_SN.
- the sequence numbers are all 4 bits.
- both RK1_SN and RK2_SN are initialized from an initial value, such as 0, 1, 2 or 3. RK1_SN always uses its two meaningless bits, and RK2_SN always uses its two meaningful bits.
- the two meaningless bits of RK1_SN and the two meaningful bits of RK2_SN are each accumulated from an initial value (which may be 0, 1, 2 or 3) and then taken modulo 4. For the same reason, it is equally possible for RK1_SN to use its two meaningful bits and RK2_SN to always use its two meaningless bits.
- AK_SN is obtained by concatenating the two meaningless bits of RK1_SN with the two meaningful bits of RK2_SN:
- AK_SN = RK1_SN + RK2_SN, where "+" denotes concatenation. (1)
- a 4-bit key sequence number is generated on the terminal and the network side respectively according to formula (1) above, of which only the upper two bits or the lower two bits may be used.
- FIG. 2 is a flowchart of a key sequence number generation process applied to a WiMAX network authentication process according to an embodiment of the present invention.
- the sequence number generation method in this embodiment includes the following steps:
- the two meaningless bits may be the lower two bits or the upper two bits, and their value is accumulated from an initial value (such as 0, 1, 2 or 3) and then taken modulo 4;
- the two meaningful bits may be the lower two bits or the upper two bits, and their value is accumulated from an initial value (such as 0, 1, 2 or 3) and then taken modulo 4.
- the network side authentication server sends a key material transmission message carrying the authorization key sequence number to the base station; the message further includes the authorization key and the lifetime of the authorization key.
- the key RK1 generated by the first authentication process has the sequence number RK1_SN; the key RK2 generated by the user equipment and the key generator in the second authentication process has the sequence number RK2_SN; the subkey is the authorization key AK, and its sequence number is AK_SN.
- the sequence numbers are all 4 bits.
- AK_SN is obtained by concatenating two bits of each sequence number, that is,
- AK_SN = (RK1_SN + RK2_SN), where "+" denotes concatenation. (2)
- RK1_SN uses the lower two bits and RK2_SN uses the lower two bits; or,
- RK1_SN uses the upper two bits and RK2_SN uses the upper two bits; or,
- RK1_SN uses the upper two bits and RK2_SN uses the lower two bits.
- the key generators at the terminal and the network side respectively generate a 4-bit authorization key sequence number, of which only the upper two bits or the lower two bits are used.
- the flowchart for generating the sequence number on the terminal and network side is shown in FIG. 1.
- the subkey sequence number is distributed by the generator on the network side (e.g., the authenticator) to the entity that uses it (e.g., the base station).
- the authorization key sequence number generation method includes the following steps:
- AK is the authorization key; AK_SN = (PMK_SN + PMK2_SN), where "+" denotes concatenation, and the obtained authorization key AK has a sequence number of 4 bits.
- PMK_SN uses the lower two bits and PMK2_SN uses the upper two bits; or,
- PMK_SN uses the lower two bits and PMK2_SN uses the lower two bits; or,
- PMK_SN uses the upper two bits and PMK2_SN uses the upper two bits; or,
- PMK_SN uses the upper two bits and PMK2_SN uses the lower two bits.
- a 4-bit authorization key sequence number AK_SN is obtained, of which specifically only the upper two bits or the lower two bits of the four may be used.
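As an added worked example (not code from the patent, nor from any implementation it describes), the following Python models both derivations on this page: the 2-bit AK_SN obtained by adding the selected two bits of each master key sequence number modulo 4, and the 4-bit AK_SN obtained by concatenating them, with the lower/upper bit selection options listed above. It also runs the derivation independently on the user equipment side and the network side, as the page requires, so that a counter mismatch between them is visible. The function, class and parameter names, and the assumption that a 4-bit counter wraps on overflow, are this example's own; the sequence number values it runs on are constructed.

```python
"""Added example (not code from the patent): derive a subkey (authorization key,
AK) sequence number from two 4-bit master key sequence numbers, covering both
derivations the page describes:

  addition:       AK_SN = (bits(RK1_SN) + bits(RK2_SN)) mod 4   -> 2-bit result
  concatenation:  AK_SN = bits(RK1_SN) || bits(RK2_SN)          -> 4-bit result

bits() selects either the lower or the upper two bits of a 4-bit number.
All function, class and parameter names are this example's own assumptions.
"""

SN_BITS = 4                    # master key sequence numbers are 4 bits wide on the page
SN_MASK = (1 << SN_BITS) - 1   # 0b1111


def select_two_bits(sn: int, part: str) -> int:
    """Return the 'lower' or 'upper' two bits of a 4-bit sequence number."""
    if not 0 <= sn <= SN_MASK:
        raise ValueError(f"sequence number {sn} does not fit in {SN_BITS} bits")
    if part == "lower":
        return sn & 0b11
    if part == "upper":
        return (sn >> 2) & 0b11
    raise ValueError(f"unknown bit selection {part!r}")


def ak_sn_by_addition(rk1_sn: int, rk2_sn: int,
                      rk1_part: str = "lower", rk2_part: str = "lower") -> int:
    """2-bit AK_SN = (selected bits of RK1_SN + selected bits of RK2_SN) mod 4."""
    return (select_two_bits(rk1_sn, rk1_part) + select_two_bits(rk2_sn, rk2_part)) % 4


def ak_sn_by_concatenation(rk1_sn: int, rk2_sn: int,
                           rk1_part: str = "lower", rk2_part: str = "lower") -> int:
    """4-bit AK_SN = selected bits of RK1_SN (high half) || selected bits of RK2_SN (low half)."""
    return (select_two_bits(rk1_sn, rk1_part) << 2) | select_two_bits(rk2_sn, rk2_part)


class KeySequenceState:
    """Sequence-number counters held by one side (user equipment or network).

    Each master key sequence number starts at an initial value (0, 1, 2 or 3 on
    the page) and is incremented by one whenever that key is re-established by
    re-authentication. Wrapping at 4 bits on overflow is this example's
    assumption; the page does not say what happens there.
    """

    def __init__(self, rk1_init: int, rk2_init: int) -> None:
        self.rk1_sn = rk1_init & SN_MASK
        self.rk2_sn = rk2_init & SN_MASK

    def reauthenticate(self, first: bool = True, second: bool = True) -> None:
        """Increment the sequence number of each key that was re-authenticated."""
        if first:
            self.rk1_sn = (self.rk1_sn + 1) & SN_MASK
        if second:
            self.rk2_sn = (self.rk2_sn + 1) & SN_MASK


def derive_on_both_sides(ue: KeySequenceState, net: KeySequenceState,
                         mode: str = "add",
                         rk1_part: str = "lower", rk2_part: str = "lower"):
    """Compute AK_SN independently on both sides and report whether they agree.

    AK_SN is never derived from anything exchanged for this purpose: each side
    uses its own counters, so a missed re-authentication on one side shows up
    as a mismatch between the two results.
    """
    derivations = {"add": ak_sn_by_addition, "concat": ak_sn_by_concatenation}
    derive = derivations[mode]
    ue_ak = derive(ue.rk1_sn, ue.rk2_sn, rk1_part, rk2_part)
    net_ak = derive(net.rk1_sn, net.rk2_sn, rk1_part, rk2_part)
    return ue_ak, net_ak, ue_ak == net_ak


if __name__ == "__main__":
    # Worked example from the page: lower bits 01 and 00 give (01 + 00) mod 4 = 01.
    print(f"{ak_sn_by_addition(0b0001, 0b0000):02b}")
    # Constructed scenario: both sides start at (0, 3) and re-authenticate RK1 once.
    ue, net = KeySequenceState(0, 3), KeySequenceState(0, 3)
    ue.reauthenticate(first=True, second=False)
    net.reauthenticate(first=True, second=False)
    print(derive_on_both_sides(ue, net, "add", "lower", "upper"))
    # If only the user equipment re-authenticates again, the two sides diverge.
    ue.reauthenticate(first=True, second=False)
    print(derive_on_both_sides(ue, net, "add", "lower", "upper"))
```

The `derive_on_both_sides` check is the part worth keeping in mind when operating such a scheme: because the subscriber station and the network derive AK_SN from their own counters, a re-authentication that one side counted and the other did not leaves the base station holding a different AK_SN from the subscriber station, and a 2-bit or 4-bit sequence number wraps quickly, so it only distinguishes key generations within a short window. Logging the locally derived AK_SN beside the one carried in the key material transmission message makes such a desynchronization visible at the point where it occurs.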
- the embodiment of the present invention further provides a device for generating a key sequence number in a network.
- the specific structure is as shown in FIG. 3, and includes the following processing units:
- the master key sequence number obtaining unit is configured to obtain the first master key sequence number and the second master key sequence number generated by the user equipment and the network side key generator in an authentication process (such as an EAP authentication process), and to provide them to the subkey sequence number generating unit for generating the subkey sequence number.
- the subkey sequence number generating unit is configured to add or concatenate bits of the first master key sequence number and the second master key sequence number acquired by the master key sequence number obtaining unit, to obtain the subkey sequence number of the user equipment and the network side;
- the subkey sequence number generating unit may specifically include an adding or connecting unit and a modulo unit, where:
- the adding or connecting unit is configured to add or concatenate two bits of the first master key sequence number and two bits of the second master key sequence number; the added result is sent to the modulo unit, while the concatenated result is used directly as the subkey sequence number;
- the adding or connecting unit further communicates with a bit information extracting unit, which is configured to extract the lower two bits of the first master key sequence number and the upper two bits of the second master key sequence number; or the lower two bits of the first master key sequence number and the lower two bits of the second; or the upper two bits of the first master key sequence number and the lower two bits of the second; or the upper two bits of the first master key sequence number and the upper two bits of the second;
- alternatively, the two meaningless bits of the first master key sequence number and the two meaningful bits of the second master key sequence number are used; or the two meaningful bits of the first master key sequence number and the two meaningless bits of the second;
- the modulo unit is configured to perform modulo 4 processing on the added result obtained by the adding or connecting unit, to obtain the subkey sequence number of the user equipment and the network side.
- the apparatus further includes a unit configured to send the subkey sequence number generated by the network side key generator to the user through the key material transmission message.
- the apparatus provided by the embodiment of the present invention may be specifically, but not limited to, being configured in a WiMAX network.
- the terminal is a mobile station MS;
- the network side key generator is an authenticator;
- RK1 is the pairwise master key PMK, and RK2 is the second pairwise master key PMK2;
- the sequence numbers corresponding to PMK and PMK2 are PMK_SN and PMK2_SN respectively, and the entity using the subkey sequence number is the base station.
- the embodiments of the present invention are applicable not only to WiMAX networks but also to other network systems.
- the embodiment of the present invention provides a method and apparatus for generating a subkey sequence number from two parent key sequence numbers, which ensures the security of data transmission in the network.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Mobile Radio Communication Systems (AREA)
Abstract
The invention relates to a method and an apparatus for generating a sequence number of the encryption key in a network. The user equipment and the network side encryption key generator respectively generate the sequence number RK1_SN of the first encryption key and the sequence number RK2_SN of the second encryption key. The bits present in RK1_SN and RK2_SN are added or concatenated to obtain the sub-encryption key for the user equipment and the network side. The method and the apparatus for generating the sequence number of the sub-encryption key from the sequence numbers of two parent encryption keys can strengthen the security of the network.
Applications Claiming Priority (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN200610070939.0 | 2006-03-25 | ||
CN200610070939.0A CN101043325B (zh) | 2006-03-25 | 2006-03-25 | 一种网络认证方法 |
CN200610070937.1 | 2006-03-25 | ||
CN 200610070937 CN101043324A (zh) | 2006-03-25 | 2006-03-25 | 一种网络中的密钥序列号的生成方法 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2007109994A1 true WO2007109994A1 (fr) | 2007-10-04 |
Family
ID=38540812
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2007/000973 WO2007109994A1 (fr) | 2006-03-25 | 2007-03-26 | Procédé et appareil permettant de générer un nombre ordinal de la clé de chiffrement dans un réseau |
Country Status (1)
Country | Link |
---|---|
WO (1) | WO2007109994A1 (fr) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105307159A (zh) * | 2014-06-25 | 2016-02-03 | 普天信息技术有限公司 | 一种集群通信组呼业务的空口加密方法 |
CN105323725A (zh) * | 2014-05-26 | 2016-02-10 | 普天信息技术有限公司 | 一种集群通信组呼业务的空口加密方法 |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1697374A (zh) * | 2004-05-13 | 2005-11-16 | 华为技术有限公司 | 密钥数据收发方法及其密钥数据分发装置和接收装置 |
CN1751533A (zh) * | 2003-02-20 | 2006-03-22 | 西门子公司 | 在移动无线电系统中形成和分配加密密钥的方法和移动无线电系统 |
- 2007-03-26 WO PCT/CN2007/000973 patent/WO2007109994A1/fr active Application Filing
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US9392453B2 (en) | Authentication | |
JP4286224B2 (ja) | 無線ローカルエリアネットワーク(wlan)に用いられる安全な機密通信のための方法 | |
JP5307191B2 (ja) | 無線通信機器とサーバとの間でのデータの安全なトランザクションのためのシステムおよび方法 | |
US7760885B2 (en) | Method of distributing encryption keys among nodes in mobile ad hoc network and network device using the same | |
JP3863852B2 (ja) | 無線環境におけるネットワークへのアクセス制御方法及びこれを記録した記録媒体 | |
WO2011010432A1 (fr) | Station de base et dispositif client | |
WO2007028328A1 (fr) | Procede, systeme et dispositif de negociation a propos d'une cle de chiffrement partagee par equipement utilisateur et equipement externe | |
JP2011139457A (ja) | 無線通信装置とサーバとの間でデータを安全にトランザクション処理する方法及びシステム | |
JP2002247047A (ja) | セッション共有鍵共有方法、無線端末認証方法、無線端末および基地局装置 | |
JP2013539248A (ja) | 通信ネットワークにおける安全なノード承認 | |
JP2012110009A (ja) | エンティティの認証と暗号化キー生成の機密保護されたリンクのための方法と構成 | |
WO2006032214A1 (fr) | Procede de transmission de donnees synchrones syncml | |
WO2003077467A1 (fr) | Procede de distribution de cles chiffrees dans un reseau lan sans fil | |
WO2006086932A1 (fr) | Methode d'authentification d'acces adaptee aux reseaux avec et sans fils | |
WO2009094942A1 (fr) | Procédé et système de réseau de communication pour établir une conjonction de sécurité | |
WO2014180198A1 (fr) | Procédé, système et dispositif d'accès d'un terminal et support de stockage informatique | |
CN110087240B (zh) | 基于wpa2-psk模式的无线网络安全数据传输方法及系统 | |
EP1982547A1 (fr) | Procédé et système pour une authentification récurrente dans un réseau mobile | |
CA2579272A1 (fr) | Procede et appareil permettant la generation d'une cle pseudo-secrete afin de generer une reponse a une demande d'acces provenant d'un fournisseur de service | |
WO2015100974A1 (fr) | Procédé, dispositif et système d'authentification de terminal | |
WO2007104248A1 (fr) | Procédé, système, appareil et entité à fonction de service d'amorçage aux fins de prévention d'attaques | |
CN111654481B (zh) | 一种身份认证方法、装置和存储介质 | |
JP2005529525A5 (fr) | ||
WO2012040949A1 (fr) | Procédé d'authentification par protocole d'authentification extensible (eap) à transfert rapide dans un réseau d'interopérabilité mondiale d'accès hyperfréquence (wimax) mobile | |
WO2007109994A1 (fr) | Procédé et appareil permettant de générer un nombre ordinal de la clé de chiffrement dans un réseau |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 07720547; Country of ref document: EP; Kind code of ref document: A1 |
| NENP | Non-entry into the national phase | Ref country code: DE |
| 122 | Ep: pct application non-entry in european phase | Ref document number: 07720547; Country of ref document: EP; Kind code of ref document: A1 |