WO2007109994A1 - Method and apparatus for generating an encryption key sequence number in a network - Google Patents


Info

Publication number
WO2007109994A1
Authority
WO
WIPO (PCT)
Prior art keywords
bits
sequence number
master key
key sequence
subkey
Application number
PCT/CN2007/000973
Other languages
English (en)
Chinese (zh)
Inventor
Changhong Shan
Original Assignee
Huawei Technologies Co., Ltd.
Priority claimed from CN200610070939.0A (CN101043325B)
Priority claimed from CN200610070937 (CN101043324A)
Application filed by Huawei Technologies Co., Ltd.
Publication of WO2007109994A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload

Definitions

  • the present invention relates to the field of network security technologies, and in particular, to a method and an apparatus for generating a key sequence number in a network. Background of the invention
  • the key generated during the authentication process is generally generated by a parent key.
  • the serial number of the subkey should be equivalent to the parent key serial number.
  • each parent key maintains its own key sequence number; how to generate the subkey serial number from them has no specific solution at present. Summary of the invention
  • the purpose of the embodiments of the present invention is to provide a method and a device for generating a key sequence number in a network, so as to generate a subkey serial number in the network, thereby improving network security.
  • An embodiment of the present invention provides a method for generating a key sequence number in a network, including: a user equipment and a network side key generator respectively generate a first master key sequence number and a second master key sequence number;
  • the bits in the first master key sequence number and the second master key sequence number are added or bit-connected to obtain a subkey sequence number of the user equipment and the network side.
  • An embodiment of the present invention provides a device for generating a key sequence number in a network, including: a master key sequence number obtaining unit, configured to acquire the first master key serial number and the second master key serial number generated by a user equipment and a network side key generator in an authentication process;
  • a sub-key sequence number generating unit configured to add or bit-connect the bits in the first master key sequence number and the second master key sequence number acquired by the master key sequence number obtaining unit, to obtain the subkey serial number of the user equipment and the network side.
  • the embodiment of the present invention provides a method and an apparatus for generating a subkey serial number by using two parent key serial numbers; specifically, the bits in the two serial numbers generated by the authentication process are added or connected, so that the required subkey serial number can be provided in the wireless network system, thereby improving the security of the network.
  • FIG. 1 is a flowchart of generating a universal key sequence number in an embodiment of the present invention
  • FIG. 2 is a flowchart of a key sequence number generation process applied to a network authentication process according to an embodiment of the present invention
  • FIG. 3 is a schematic structural diagram of an apparatus according to an embodiment of the present invention.
  • the authentication process is to mutually authenticate the terminal device and the network device by interacting with the authentication message between the terminal and the network device.
  • determining the sequence number of the subkey needs to be generated from the sequence numbers of the two parent keys, and providing an implementation scheme for deriving the sequence number of the subkey from the sequence numbers of the two parent keys.
  • An implementation solution provided by the embodiment of the present invention adds the key sequence numbers generated by the two authentications to obtain the authorized key sequence numbers of the user equipment and the network side. The implementation will be described below in conjunction with two specific application embodiments.
  • the key RK1 generated by the first authentication process at the user equipment and the key generator has the corresponding first master key sequence number RK1_SN (4 bits); the key RK2 generated by the second authentication process at the user equipment and the key generator has the corresponding second master key sequence number RK2_SN (4 bits); the subkey is the authorization key AK, and the serial number of the authorization key AK is AK_SN.
  • RK1_SN and RK2_SN must start from an initial value, for example initialized to 0, 1, 2 or 3; on re-authentication, the values of RK1_SN and RK2_SN are each increased by one.
  • RK1_SN uses the lower two bits and RK2_SN uses the lower two bits; or,
  • RK1_SN uses the upper two bits and RK2_SN uses the upper two bits; or,
  • RK1_SN uses the upper two bits and RK2_SN uses the lower two bits.
  • the key generators on the terminal and network side respectively generate a 2-bit authorized key sequence number according to the above formula.
  • a flowchart for generating the serial number on the terminal and the network side is shown in FIG. 1; after the network side generates the authorization key serial number, the generator (such as an authenticator) may distribute the subkey serial number to the entity that uses the authorization key sequence number AK_SN (such as a base station).
  • FIG. 2 is a flowchart of a key sequence number generation process applied to a WiMAX network authentication process according to an embodiment of the present invention.
  • the sequence number generation method in this embodiment includes the following steps:
  • AK_SN = (PMK_SN + PMK2_SN) modulo 4
  • the obtained authorization key AK has a sequence number of 2 bits.
  • PMK_SN uses the lower two bits and PMK2_SN uses the upper two bits; or,
  • PMK_SN uses the lower two bits and PMK2_SN uses the lower two bits; or,
  • PMK_SN uses the upper two bits and PMK2_SN uses the upper two bits; or,
  • PMK_SN uses the upper two bits and PMK2_SN uses the lower two bits.
  • for example, if both PMK_SN and PMK2_SN use the lower two bits, and the lower two bits of PMK_SN are 01 while the lower two bits of PMK2_SN are 00, then (01 + 00) modulo 4 = 01, which is the 2-bit authorization key serial number AK_SN.
  • the serial number of the authorization key is obtained on the subscription station and the authenticator, respectively.
  • the network side authenticator sends a key material transmission message carrying the authorized key sequence number to the base station, where the message further includes an authorization key and a lifetime of the authorization key.
  • a negotiation of a new authorized key sequence number is performed between the subscribing station and the base station. Specifically, it can be negotiated with reference to the standards defined in IEEE802.16e-D12. Since the distribution of the key sequence number and the negotiation process of the serial number are the same as those of the prior art, they are not described herein.
  • the key RK1 generated by the first authentication process has the sequence number RK1_SN (4 bits); the key RK2 generated by the second authentication process has the sequence number RK2_SN (4 bits); the subkey is the authorization key AK, and the serial number of the authorization key AK is AK_SN.
  • RK1_SN and RK2_SN are initialized to an initial value, such as 0, 1, 2 or 3.
  • RK1_SN always uses the two bits that are meaningless
  • RK2_SN always uses the two bits that are meaningful (significant bits, including the MSB (most significant bit) and LSB (least significant bit)).
  • the meaningless two bits of RK1_SN and the meaningful two bits of RK2_SN are each accumulated from an initial value (the initial value may be 0, 1, 2 or 3) and then taken modulo 4. Or, by the same reasoning, RK1_SN can always use the meaningful two bits and RK2_SN always the meaningless two bits.
  • the method of obtaining AK_SN is that the meaningless two bits of RK1_SN are added to the meaningful two bits of RK2_SN:
  • AK_SN = RK1_SN + RK2_SN.
  • the method for generating the authorization key serial number includes the following steps:
  • for PMK_SN the meaningless two bits are always used; they may be the lower two bits or the upper two bits, and their value is accumulated from an initial value (such as 0, 1, 2 or 3) and then taken modulo 4;
  • for PMK2_SN the meaningful two bits are always used; they may be the lower two bits or the upper two bits, and their value is accumulated from an initial value (such as 0, 1, 2 or 3) and then taken modulo 4.
  • AK_SN = PMK_SN + PMK2_SN.
  • the meaningless two bits of PMK_SN are the lower two bits
  • the meaningful two bits of PMK2_SN are the upper two bits. If the initial values of the two authentications are 0 and 3 respectively, the meaningless two bits of PMK_SN start from the initial value (0), are increased by 1 and then taken modulo 4; the meaningful two bits of PMK2_SN start from the initial value (3).
  • serial number of the 2-bit authorization key is obtained on the subscription station and the authentication server respectively.
  • the steps after the authorization serial number is generated are the same as in the first embodiment.
  • the embodiment of the present invention may further add RK1_SN to RK2_SN to obtain a 4-bit subkey sequence number, wherein only the upper two bits or the lower two bits may be used.
  • the basic principle of another implementation solution provided by the embodiment of the present invention is that the key sequence numbers generated by the two authentications are bit-connected to obtain the user equipment and the network side key sequence number. The implementation will be described below in conjunction with two specific application embodiments.
  • the key RK1 generated by the first authentication process has the serial number RK1_SN; the key RK2 generated by the second authentication process has the serial number RK2_SN; the subkey is the authorization key AK, and the sequence number of the authorization key AK is AK_SN.
  • the serial numbers are all 4 bits.
  • both RK1_SN and RK2_SN are initialized to an initial value, such as 0, 1, 2 or 3. RK1_SN always uses the meaningless two bits, and RK2_SN always uses the meaningful two bits.
  • the meaningless two bits of RK1_SN and the meaningful two bits of RK2_SN are each accumulated from an initial value (the initial value may be 0, 1, 2 or 3) and then taken modulo 4. Or, by the same reasoning, RK1_SN can always use the meaningful two bits and RK2_SN always the meaningless two bits.
  • the method of obtaining AK_SN is that the meaningless two bits of RK1_SN are connected with the meaningful two bits of RK2_SN:
  • AK_SN = RK1_SN + RK2_SN, where "+" denotes bit connection (concatenation) (1).
  • a 4-bit key sequence number is generated on the terminal and the network side according to the above formula (1), respectively, wherein only the upper two bits or the lower two bits can be used.
  • FIG. 2 is a flowchart of a key sequence number generation process applied to a WiMAX network authentication process according to an embodiment of the present invention.
  • the sequence number generation method in this embodiment includes the following steps:
  • the meaningless two bits may be the lower two bits or the upper two bits, and their value is accumulated from an initial value (such as 0, 1, 2 or 3) and then taken modulo 4;
  • the meaningful two bits may be the lower two bits or the upper two bits, and their value is accumulated from an initial value (such as 0, 1, 2 or 3) and then taken modulo 4.
  • the network side authentication server sends a key material transmission message carrying the authorized key sequence number to the base station, where the message further includes an authorization key and a lifetime of the authorization key.
  • the key RK1 generated by the first authentication process has the serial number RK1_SN; the key RK2 generated by the second authentication process at the user equipment and the key generator has the serial number RK2_SN; the subkey is the authorization key AK, and the serial number of the authorization key AK is AK_SN.
  • the serial numbers are all 4 bits.
  • the method of obtaining AK_SN is to connect two bits taken from each sequence number, that is,
  • AK_SN = (RK1_SN + RK2_SN), where "+" denotes bit connection (concatenation) (2)
  • RK1_SN uses the lower two bits and RK2_SN uses the lower two bits; or,
  • RK1_SN uses the upper two bits and RK2_SN uses the upper two bits; or,
  • RK1_SN uses the upper two bits and RK2_SN uses the lower two bits.
  • the key generators at the terminal and the network side respectively generate a 4-bit authorized key sequence number in which only the upper two bits or the lower two bits are used.
  • the flow chart for generating the serial number on the terminal and network side is shown in Figure 1.
  • the serial number of the subkey is distributed to the user (e.g., base station) by the generator (e.g., the authenticator) on the network side.
  • the authorization key serial number generation method includes the following steps:
  • AK is the authorization key
  • AK_SN = (PMK_SN + PMK2_SN), where "+" denotes bit connection (concatenation), and the obtained authorization key AK has a serial number of 4 bits.
  • PMK_SN uses the lower two bits and PMK2_SN uses the upper two bits; or,
  • PMK_SN uses the lower two bits and PMK2_SN uses the lower two bits; or,
  • PMK_SN uses the upper two bits and PMK2_SN uses the upper two bits; or,
  • PMK_SN uses the upper two bits and PMK2_SN uses the lower two bits.
  • a 4-bit authorized key sequence number AK_SN is obtained, of which specifically only the upper two bits or the lower two bits of the four bits can be used.
  • the embodiment of the present invention further provides a device for generating a key sequence number in a network.
  • the specific structure is as shown in FIG. 3, and includes the following processing units:
  • the unit is configured to obtain the first master key sequence number and the second master key sequence number generated by the user equipment and the network side key generator in an authentication process (such as an EAP authentication process), and to provide them to the subkey sequence number generating unit for generating a subkey sequence number.
  • the unit is configured to add or bit-connect the bits in the first master key sequence number and the second master key sequence number acquired by the master key sequence number obtaining unit, to obtain the subkey serial number of the user equipment and the network side;
  • the subkey serial number generating unit may specifically include an adding or connecting unit and a modulo unit, where:
  • the adding or connecting unit is configured to add or connect two bits of the first master key sequence number and two bits of the second master key sequence number; the added result is sent to the modulo unit, and the connected result is used directly as the subkey sequence number;
  • the adding or connecting unit further communicates with a bit information extracting unit, which is configured to extract the lower two bits of the first master key sequence number and the upper two bits of the second master key sequence number; or the lower two bits of the first master key sequence number and the lower two bits of the second master key sequence number; or the upper two bits of the first master key sequence number and the lower two bits of the second master key sequence number; or the upper two bits of the first master key sequence number and the upper two bits of the second master key sequence number;
  • or, for the first master key sequence number the meaningless two bits are used and for the second master key sequence number the meaningful two bits; or, for the first master key sequence number the meaningful two bits are used and for the second master key sequence number the meaningless two bits;
  • the modulo unit is configured to perform modulo 4 processing on the added result obtained by the adding or connecting unit to obtain a subkey sequence number of the user equipment and the network side.
  • the apparatus further includes the unit, configured to send the subkey sequence number generated by the network side key generator to the user through the key material transmission message.
  • the apparatus provided by the embodiment of the present invention may be specifically, but not limited to, being configured in a WiMAX network.
  • the terminal is a mobile station MS
  • the network side key generator is an authenticator
  • RK1 is the pairwise master key PMK and RK2 is the second pairwise master key PMK2;
  • the sequence numbers corresponding to the PMK and PMK2 are PMK_SN and PMK2-SN, respectively, and the entity using the subkey serial number is the base station.
  • the embodiments of the present invention are applicable not only to WiMAX networks, but also to other network systems.
  • the embodiment of the present invention provides a method and apparatus for generating a subkey sequence number from two parent key serial numbers, which ensures the security of data transmission in the network.
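A worked implementation of the two derivation schemes described in the list above (modulo-4 addition of two selected bits, and bit connection into a 4-bit value), written for this page as an added example and not taken from the patent or from Huawei; the function names, the constructed sample counter values, and the assumption that the RK1_SN bits form the upper half of the bit-connected result are mine.

```python
# Added example for this page (not code from the patent or from Huawei): the two
# AK_SN derivation schemes described above, run on constructed sample values.

LOW, HIGH = "low", "high"          # which two bits of a 4-bit master key SN to use
ADD, CONNECT = "add", "connect"    # scheme 1 (modulo-4 addition) / scheme 2 (bit connection)


def select_bits(sn: int, part: str) -> int:
    """Return the lower two bits (bits 1..0) or the upper two bits (bits 3..2)
    of a 4-bit master key sequence number such as RK1_SN or PMK_SN."""
    if not 0 <= sn <= 0xF:
        raise ValueError("master key sequence numbers are 4 bits wide")
    if part == LOW:
        return sn & 0b11
    if part == HIGH:
        return (sn >> 2) & 0b11
    raise ValueError(f"unknown bit selection {part!r}")


def ak_sn_add(rk1_sn: int, rk2_sn: int, part1: str, part2: str) -> int:
    """Scheme 1: AK_SN = (two bits of RK1_SN + two bits of RK2_SN) modulo 4, a 2-bit value."""
    return (select_bits(rk1_sn, part1) + select_bits(rk2_sn, part2)) % 4


def ak_sn_connect(rk1_sn: int, rk2_sn: int, part1: str, part2: str) -> int:
    """Scheme 2: AK_SN = RK1_SN bits "+" RK2_SN bits, where "+" is bit connection.
    Assumption made here: the RK1_SN bits form the upper half of the 4-bit result."""
    return (select_bits(rk1_sn, part1) << 2) | select_bits(rk2_sn, part2)


def derive_ak_sn(scheme: str, rk1_sn: int, rk2_sn: int, part1: str, part2: str) -> int:
    """Dispatch to the addition or the bit-connection scheme."""
    if scheme == ADD:
        return ak_sn_add(rk1_sn, rk2_sn, part1, part2)
    if scheme == CONNECT:
        return ak_sn_connect(rk1_sn, rk2_sn, part1, part2)
    raise ValueError(f"unknown scheme {scheme!r}")


def reauthenticate(rk1_sn: int, rk2_sn: int) -> tuple:
    """On re-authentication each 4-bit master key SN is increased by one (wrapping at 16)."""
    return (rk1_sn + 1) & 0xF, (rk2_sn + 1) & 0xF


def run_both_sides(rounds: int, scheme: str, part1: str, part2: str,
                   rk1_init: int = 0, rk2_init: int = 3) -> list:
    """Simulate the terminal and the network-side key generator, both starting from the
    same initial values and re-authenticating `rounds` times. Each side derives AK_SN
    independently; the values must agree, or the base station would receive a sequence
    number the terminal does not expect. Returns the list of agreed AK_SN values."""
    ms = (rk1_init, rk2_init)      # terminal-side counters (RK1_SN, RK2_SN)
    net = (rk1_init, rk2_init)     # network-side counters
    agreed = []
    for _ in range(rounds):
        ms_ak = derive_ak_sn(scheme, ms[0], ms[1], part1, part2)
        net_ak = derive_ak_sn(scheme, net[0], net[1], part1, part2)
        if ms_ak != net_ak:
            raise RuntimeError("terminal and network side derived different AK_SN values")
        agreed.append(ms_ak)
        ms = reauthenticate(*ms)
        net = reauthenticate(*net)
    return agreed


if __name__ == "__main__":
    # Example from the description: lower two bits 01 and 00 -> (01 + 00) modulo 4 = 01.
    print(ak_sn_add(0b0101, 0b1100, LOW, LOW))        # 1
    # The same two bit pairs bit-connected: 01 followed by 00 -> 0b0100.
    print(ak_sn_connect(0b0101, 0b1100, LOW, LOW))    # 4
    # Six re-authentications from initial values 0 and 3 with both counters in step.
    print(run_both_sides(6, ADD, LOW, LOW))           # [3, 1, 3, 1, 3, 1]
    print(run_both_sides(6, CONNECT, LOW, HIGH))      # [0, 5, 9, 13, 1, 6]
```

The last two calls show the two sides staying in agreement across re-authentications, and also that under the modulo-4 scheme with both counters advancing in step the 2-bit AK_SN alternates between only two values, whereas the bit-connection scheme keeps all four selected bits.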

Abstract

The invention relates to a method and an apparatus for generating an encryption key sequence number in a network. The user equipment and the network-side encryption key generator respectively generate the sequence number RK1_SN of the first encryption key and the sequence number RK2_SN of the second encryption key. The bits present in RK1_SN and RK2_SN are added or connected to obtain the subkey for the user equipment and the network side. The method and apparatus for generating the subkey sequence number from the sequence numbers of two parent encryption keys can strengthen the security of the network.
PCT/CN2007/000973 2006-03-25 2007-03-26 Method and apparatus for generating an encryption key sequence number in a network WO2007109994A1 (fr)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
CN200610070939.0 2006-03-25
CN200610070939.0A CN101043325B (zh) 2006-03-25 2006-03-25 A network authentication method
CN200610070937.1 2006-03-25
CN 200610070937 CN101043324A (zh) 2006-03-25 2006-03-25 A method for generating a key sequence number in a network

Publications (1)

Publication Number Publication Date
WO2007109994A1 (fr) 2007-10-04

Family

ID=38540812

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2007/000973 WO2007109994A1 (fr) 2006-03-25 2007-03-26 Method and apparatus for generating an encryption key sequence number in a network

Country Status (1)

Country Link
WO (1) WO2007109994A1 (fr)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105307159A (zh) * 2014-06-25 2016-02-03 Potevio Information Technology Co., Ltd. Air interface encryption method for trunked communication group call services
CN105323725A (zh) * 2014-05-26 2016-02-10 Potevio Information Technology Co., Ltd. Air interface encryption method for trunked communication group call services

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1697374A (zh) * 2004-05-13 2005-11-16 Huawei Technologies Co., Ltd. Key data transmitting and receiving method, and key data distribution device and receiving device therefor
CN1751533A (zh) * 2003-02-20 2006-03-22 Siemens AG Method for forming and distributing encryption keys in a mobile radio system, and mobile radio system

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
    Ref document number: 07720547; Country of ref document: EP; Kind code of ref document: A1
NENP Non-entry into the national phase
    Ref country code: DE
122 Ep: pct application non-entry in european phase
    Ref document number: 07720547; Country of ref document: EP; Kind code of ref document: A1