WO2008055444A1 - Method and system for key management between a home agent and a foreign agent - Google Patents

Method and system for key management between a home agent and a foreign agent

Info

Publication number
WO2008055444A1
WO2008055444A1 (PCT/CN2007/071029)
Authority
WO
WIPO (PCT)
Prior art keywords
key
parameter information
key parameter
entity
network
Application number
PCT/CN2007/071029
Other languages
English (en)
Chinese (zh)
Inventor
Wenliang Liang
Jianjun Wu
Xianhui He
Original Assignee
Huawei Technologies Co., Ltd.
Application filed by Huawei Technologies Co., Ltd.
Publication of WO2008055444A1


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L 63/061 Network architectures or network communication protocols for network security for supporting key management in a packet data network for key exchange, e.g. in peer-to-peer networks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W 12/043 Key management, e.g. using generic bootstrapping architecture [GBA] using a trusted network node as an anchor
    • H04W 12/0431 Key distribution or pre-distribution; Key agreement
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W 12/043 Key management, e.g. using generic bootstrapping architecture [GBA] using a trusted network node as an anchor
    • H04W 12/0433 Key management protocols
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 80/00 Wireless network protocols or protocol adaptations to wireless operation
    • H04W 80/04 Network layer protocols, e.g. mobile IP [Internet Protocol]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 84/00 Network topologies
    • H04W 84/02 Hierarchically pre-organised networks, e.g. paging networks, cellular networks, WLAN [Wireless Local Area Network] or WLL [Wireless Local Loop]
    • H04W 84/10 Small scale networks; Flat hierarchical networks
    • H04W 84/12 WLAN [Wireless Local Area Networks]

Definitions

  • The present invention relates to the field of wireless communication technologies, and in particular to a scheme for implementing communication between a home agent and a foreign agent in a wireless communication system.
  • In order to improve the security performance of wireless communication systems and meet the security needs of mobile users, the technical means used in wireless communication networks include the following.
  • FIG. 1: The centralized network architecture system is shown in Figure 1.
  • In the centralized architecture, the Authenticator and the BS are located in different physical entities, and the Authenticator and Key Distributor functions are implemented in the Authenticator entity.
  • Authenticator Relay: the authentication relay function.
  • Key Receiver: the key receiver function.
  • FIG. 2: The distributed network architecture system is shown in Figure 2.
  • In the distributed architecture, the Authenticator and the BS are in the same physical entity.
  • That physical entity implements the functions of Authenticator, Authenticator Relay, Key Distributor and Key Receiver.
  • BS: provides secure channels between BSs and MSs (users), including compression and encryption of air interface data and the exchange of confidential information between the BS and the MS.
  • Authenticator: provides proxy functionality for the MS authentication, authorization and accounting functions, and is implemented in the same physical entity as the Key Distributor.
  • Key Distributor: implemented in the same physical entity as the Authenticator; generates the air interface key AK shared between the BS and the MS according to the root key information provided by the Authentication server (such as the AAA server) and the MS, and distributes it to the Key Receiver.
  • Key Receiver: receives the air interface key AK generated by the Key Distributor and derives the other keys between the BS and the MS.
  • Authentication server: implements the MS authentication, authorization and accounting functions. The information necessary to generate the key is exchanged with the MS through the key generation mechanism. Since this information is exchanged before a secure channel is established, the key algorithm used between the Authentication server and the MS must ensure that leakage of this information does not affect the security mechanism.
  • Its main functions include: completing the MSS authentication, authorization and accounting functions; generating root key information and distributing it to the Authenticator; and notifying the Authenticator and other network elements after the user information changes.
  • MS: the mobile user equipment, which initiates authentication and authorization; exchanges with the Authentication server the information needed to generate the root key; generates the root key itself; and generates the security keys needed for the air interface based on the root key.
  • IP-based wireless communication technology, namely MIP (Mobile IP), is gradually coming into wide use.
  • MN: mobile node, such as an MS.
  • FA: foreign agent.
  • HA: home agent.
  • The MN initiates a MIP registration request to the HA via the FA.
  • The HA associates the MN's CoA (care-of address) with its HoA (home address); thereafter, all data packets received by the HA whose destination address is the HoA are forwarded to the CoA (in MIPv4, the CoA is the address of the FA).
  • AE (Authentication Extension) information may be carried in a MIP message, for example the MN-HA-AE (the authentication extension between the MN and the HA). When the HA receives a MIP registration request carrying the MN-HA-AE, it calculates a local authentication value from the key information it obtained earlier and compares it with the MN-HA-AE carried in the packet. If the two are the same, authentication passes and the MIP registration request is processed; otherwise the HA refuses to process the MIP registration request.
  • MN-HA-AE: authentication extension between the MN and the HA.
  • CMIP: Central Mobile IP.
  • PMIP: Proxy Mobile IP.
  • The two specific application forms are: a terminal that supports the MIP protocol works in CMIP mode; a terminal that does not support the MIP protocol works in PMIP mode, that is, a PMIP-Client (PMIP client) is created on the network side.
  • PMIP-Client: PMIP client.
  • FA-HA-K: the key between the FA and the HA.
  • The FA-HA-K is generated from the HA-RK (HA root key) and the SPI (Security Parameter Index); the HA-RK and the SPI may be generated by the Authentication Server.
  • When the HA is in a different network (that is, in a visited network rather than the home network), there is no corresponding key distribution scheme. For example, when the HA is in the visited network, the corresponding HA-RK and SPI acquisition processes are not implemented.
  • Embodiments of the present invention provide a key management method and system between a home agent and a foreign agent, ensuring that information between the FA and the HA can be exchanged securely in the network even when the HA is in the visited network; this secure interaction effectively improves the security of communications in wireless communication networks.
  • A key management method between a home agent and a foreign agent includes a process of generating the key parameter information used for communication between the home agent and the foreign agent, and the process includes:
  • the key distribution entity of the visited network assigns the key parameter information to the home agent; or
  • the key distribution entity of the home network assigns the key parameter information to the home agent.
  • A key distribution entity comprising:
  • a non-local home agent key distribution unit, configured to allocate the key parameter information to a home agent in the visited network acting as a non-local home agent; and
  • a local home agent key distribution unit, configured to allocate the key parameter information to a home agent in the home network acting as a local home agent.
  • A key management system between a home agent and a foreign agent including:
  • the above key distribution entity, configured to allocate the key parameter information used for communication between a home agent and a foreign agent; and
  • a key parameter maintenance entity, configured to maintain the key parameter information used for communication between the home agent and the foreign agent, which it acquires from the key distribution entity.
  • A key management system between a home agent and a foreign agent including:
  • the above key distribution entity, configured to allocate the key parameter information used for communication between the home agent and the foreign agent; and
  • a key parameter update unit, configured to initiate an update process for the key parameter information toward the key distribution entity of the visited network or the key distribution entity of the home network, re-triggering that key distribution entity to allocate corresponding key parameter information for the home agent and updating the key parameter information in each related entity; and/or, when the key distribution entity actively initiates the key parameter information update process, updating the key parameter information in each related entity accordingly.
  • The embodiments provided by the present invention can ensure the secure interaction of information between the FA and the HA in the network.
  • FIG. 1 is a schematic structural diagram of a centralized architecture system in the prior art.
  • FIG. 2 is a schematic structural diagram of a distributed architecture system in the prior art.
  • FIG. 3 is a schematic diagram of a specific implementation structure of MIP in a WiMAX system in the prior art.
  • FIG. 4 is a schematic diagram of the process by which an HA in a visited network acquires key parameter information according to an embodiment of the present invention.
  • FIG. 5 is a first schematic diagram of a specific process for updating key parameter information in an embodiment of the present invention.
  • FIG. 6 is a second schematic diagram of a specific process for updating key parameter information in an embodiment of the present invention.
  • FIG. 7 is a schematic flowchart of a specific application process according to an embodiment of the present invention.
  • FIG. 8 is a schematic structural diagram of an implementation of a system according to an embodiment of the present invention.
  • FIG. 9 is a third schematic diagram of a specific process for updating key parameter information in an embodiment of the present invention.
  • The present invention provides an embodiment in which different key distribution entities are used depending on whether the HA is in the visited network or the home network: when the HA is in the visited network, the key distribution entity in the visited network performs the key parameter information allocation; when the HA is in the home network, the key distribution entity in the home network performs the key parameter information allocation.
  • When the HA is in the visited network, the key distribution entity in the visited network allocates the key parameter information used for communication between the HA and the FA, where the key parameter information includes the HA-RK, the SPI and the lifecycle. This keeps the key parameter information assigned to the HA free of conflicts, that is, it avoids the key parameter information allocated for the HA by the key distribution entity in the home network conflicting with the key parameters allocated by the key distribution entity in the visited network.
  • The lifecycle of the key parameter information allocated by the key distribution entity can be managed uniformly.
  • The management of the validity of the FA-HA-K is implemented entirely on the network side; specifically, the lifecycle of the FA-HA-K is delivered by the key distribution entity on the network side. This makes the FA-HA-K a complete inter-device key, that is, whether the FA-HA-K is valid is no longer related to the terminal, which restores its characteristic as a key between network devices.
  • The present invention also provides an embodiment in which, when the HA-RK used to generate the FA-HA-K expires, the HA, the FA or an authenticator updates key parameter information such as the HA-RK, so that a complete key parameter information management scheme is provided in a MIP-based wireless communication network. Specifically, it can be:
  • the entity that needs the key parameter information updated, such as the HA, the FA or the authenticator, initiates an update process for the key parameter information toward the key distribution entity of the visited network, re-triggering the key distribution entity of the visited network to allocate key parameter information for the home agent, so as to update the key parameter information maintained in the initiating entity or in all related entities (each entity that saves and maintains key parameter information); or
  • the entity that needs the key parameter information updated, such as the HA, the FA or the authenticator, initiates an update process for the key parameter information toward the key distribution entity of the home network, re-triggering the key distribution entity of the home network to allocate key parameter information for the home agent, so as to update the key parameter information maintained in the initiating entity or in all related entities (each entity that maintains the key parameter information).
  • The embodiment of the present invention further provides a forwarding process for the related key parameter information, such as the HA-RK, upon FA migration, to ensure that after an R3 migration occurs the FA can still obtain the required HA-RK and other key parameter information.
  • Both an HA in the visited network and an HA in the home network obtain key parameter information.
  • Because the HA allocated in a roaming scenario can be the HA of the visited place (an HA in the visited network) or the HA of the home (an HA in the home network), in order to ensure that the key parameter information such as HA-RK and SPI allocated for each HA does not conflict, the embodiment of the present invention sets the following: if the HA is located in the visited network, the key parameter information such as HA-RK and SPI required by the HA is allocated by the AAA server of the visited network acting as the key distribution entity in the visited network;
  • if the HA is located in the home network, the allocation of the key parameter information is performed by the AAA server of the home network acting as the key distribution entity in the home network.
  • The first process flow includes:
  • Step 41: The Authenticator serving the terminal initiates an Access-Request (access request) to the home network AAA server through the visited AAA server (that is, the V-AAA) during the EAP process;
  • Step 42: The visited AAA server forwards the Access-Request message to the AAA server of the home network (that is, the HAAA); the Access-Request message carries the address of the visited HA (that is, the V-HA) and key parameter information such as the HA-RK, SPI and lifecycle allocated for it;
  • Step 43: After receiving the Access-Request message, the AAA server of the home network sends an Access-Accept (access accepted) message to the visited AAA server if the HA address of the visited network is allocated to the terminal because of a policy or other reasons; the message includes the HA address of the visited network (which may be one or more HA addresses) together with the key parameter information such as HA-RK, SPI and lifecycle allocated by the visited AAA server for the corresponding HA;
  • Step 44: After receiving the Access-Accept message, the visited AAA server notifies the Authenticator of the key parameter information allocated for the HA.
  • In this way the gateway hosting the Authenticator serving the terminal, and the foreign agent on that gateway, can obtain the key parameter information required by the terminal, and the corresponding key parameters are guaranteed not to conflict within the visited network.
  • In the second process flow, Step 45: The Authenticator serving the terminal initiates an Access-Request to the home network AAA server through the visited AAA server (that is, the V-AAA) during the EAP process;
  • Step 46: The visited AAA server forwards the received Access-Request message to the home network AAA server; the message may carry the address of the visited HA;
  • the message may also carry an attribute indicating whether the visited network has the ability to allocate an HA and key parameter information, so as to notify the home network; alternatively, whether the visited network has that ability may be made known to the home network as part of the roaming agreement. Thus, if the home network determines that the visited network does not have the ability to allocate an HA and key parameter information, the HA and key parameter information are allocated by the home network;
  • Step 47: After receiving the Access-Request message, the AAA server of the home network sends an Access-Accept message to the AAA server of the visited network if the HA address of the visited network has been allocated because of a policy or other reasons; the message carries the address of the visited HA, and the visited HA may be selected by the visited AAA server;
  • Step 48: After receiving the response from the home network AAA server, the visited AAA server identifies whether the home AAA server has allocated a visited HA or not, allocates key parameter information such as HA-RK, SPI and lifecycle for the corresponding HA, and notifies the Authenticator of the HA and its key parameter information through the Access-Accept message.
  • In this way the gateway hosting the Authenticator serving the terminal, and the foreign agent on that gateway, can obtain the key parameter information required by the terminal, and the corresponding key parameters are guaranteed not to conflict within the visited network.
  • The process flow shown in FIG. 9 may also be used: the home AAA server and the visited AAA server both deliver the allocated HA and the corresponding HA key information to the Authenticator serving the terminal, so that the terminal selects, as needed, either the HA and related key information of the home network or the HA and related key information of the visited network.
  • In that flow, the Access-Accept message sent by the home AAA server includes only the HA of the home network and its related key information; the HA of the visited network and its related key information are added to the Access-Accept message sent to the access network (that is, the Authenticator serving the terminal) while the visited AAA server processes and forwards the message.
  • Selection of the HA and related key information includes the following: the MIP registration request message carries a request for the attribution of the HA, and the request may be a special HA address or an extension, so that the FA can request from the Authenticator serving the terminal the HA and the related key information that satisfy the MS, allowing the HA of the home network or of the visited network and its related key information to be selected according to the requirements of the terminal.
  • The corresponding key management methods include:
  • if the HA of the home network is selected to serve the MS, after the FA receives the MIP registration request of the MS, the FA requests the HA-related key information from the home network AAA server; the home network AAA server thereby learns that the home network HA it allocated will serve the MS and maintains the related key information of that HA, while the visited network AAA server, having received no corresponding request within a period of time, no longer maintains the HA-RK information for the MS after that interval;
  • if the HA of the visited network is selected to serve the MS, the FA requests the HA-related key information from the visited network AAA server; the visited network AAA server thereby learns that the visited network HA it allocated will serve the MS and maintains the related key information of that HA, while the home network AAA server, having received no corresponding request within a period of time, no longer maintains the HA-RK information for the MS after that interval.
  • The FA or the Authenticator may select the HA and the related key information according to local policy, or make a random selection.
  • The process by which an HA in the home network obtains its key parameter information may include:
  • the Authenticator serving the terminal in the home network initiates an Access-Request to the home network AAA server during the EAP process;
  • after receiving the Access-Request message, the AAA server of the home network sends an Access-Accept message to the Authenticator if an HA address is assigned to the terminal because of a policy or other reasons;
  • the Access-Accept message includes one or more HA addresses of the home network, and key parameter information such as HA-RK, SPI and lifecycle allocated by the AAA server of the home network for the corresponding HA;
  • in this way the gateway hosting the Authenticator serving the terminal, and the foreign agent on that gateway, can obtain the key parameter information they need.
  • The Authenticator serving the terminal may also carry, as needed, the identifier of the local gateway or of the FA (which may be an IP address), and the visited network AAA server or the home AAA server then decides whether to deliver the HA-RK of the assigned HA together with the SPI, lifecycle and other information. If the Authenticator serving the terminal already knows the HA-RK corresponding to the allocated HA, it can indicate directly in the Access-Request message whether the HA-RK, SPI, lifecycle and other information need to be delivered.
  • Steps 42 and 43 in the first process flow above may be omitted, and Steps 46 and 47 in the second process flow may be omitted, that is, the AAA server in the visited network directly allocates the corresponding key parameter information for the HA in the visited network.
  • The trigger conditions for updating the key parameter information may specifically include four cases: first, the MS or the network initiates a re-authentication process; second, the lifecycle of the key parameter information expires; third, it is determined that the corresponding key parameter information has been updated; and fourth, the key distribution entity determines that the key needs to be updated.
  • In the first case, the new authenticator sends an Access-Request (including a request for new key parameters).
  • The AAA server can then decide, according to a predetermined policy, whether to issue key parameter information such as the HA-RK and context information;
  • the indication information may be an indication bit indicating whether a valid HA-RK already exists on the ASN-GW, or it may be an identifier of the Authenticator, the ASN-GW or the FA, from which the AAA server determines whether a valid HA-RK exists.
  • In the second case, the Authenticator of the HA, or the entity on the ASN-GW dedicated to maintaining key parameter information such as the HA-RK, finds that the lifecycle of the corresponding key parameter information such as the HA-RK has expired or that only Grace-Time remains, that is, it determines that the corresponding key parameter information needs to be updated, and then actively initiates the update process for key parameter information such as the HA-RK;
  • the specific update process is as follows: if the key parameter information corresponding to an HA in the visited network needs to be updated, the update is implemented by the key distribution entity of the visited network; if the key parameter information corresponding to an HA in the home network needs to be updated, it is implemented by the key distribution entity of the home network.
  • In the third case, either the HA discovers that the SPI of the authentication extension between the FA and the HA in the Mobile IP registration request sent by the FA has been updated, or the functional entity dedicated to maintaining key parameter information such as the HA-RK on the Authenticator or ASN-GW updates the key parameter information because the FA discovers that the SPI of the authentication extension between the FA and the HA in the Mobile IP Revocation request sent by the HA has been updated.
  • The key distribution entity then needs to actively initiate an update process for the corresponding key parameter information. Specifically, if the HA is in the visited network, the key parameter information is updated by the key distribution entity of the visited network; if the HA is in the home network, the key parameter information is updated by the key distribution entity of the home network.
  • In the fourth case, the key update process is initiated by the AAA server acting as the key distribution entity: the AAA server finds that the lifecycle of the HA-RK has expired, that only Grace-Time remains, or that the key parameter information otherwise needs updating, and actively updates the key parameter information maintained in the Authenticator of the HA or in the ASN-GW;
  • the corresponding update process is shown in FIG. 6. If the key parameter information corresponding to an HA in the visited network needs to be updated, the update is implemented by the key distribution entity of the visited network; if the key parameter information corresponding to an HA in the home network needs to be updated, it is implemented by the key distribution entity of the home network. If multiple Authenticators are included in the same ASN-GW, only one message is sent to the ASN-GW, carrying the ID of the relevant Authenticator or the identifier of the MS, so that the ASN-GW can continue the update of the key parameter information maintained by the corresponding Authenticator.
  • Each time it delivers the key parameter information allocated for a home agent, the key distribution entity records the identification information of the home agent, the authenticator, the access service network gateway or the foreign agent associated with that distribution operation. Thereafter, the key distribution entity performs active key updates based on this record.
  • If key parameter information such as the HA-RK is maintained by the Authenticator for each user, the key parameter information corresponding to the HA-RK, SPI and so on, or directly the FA-HA-K, must be requested from the Authenticator currently serving the user.
  • If key parameter information such as the HA-RK is maintained by the dedicated functional entity on the ASN-GW (that is, the key parameter maintenance entity), it may first be queried whether the entity on the local ASN-GW already holds a key corresponding to the HA. If so, there is no need to obtain the key parameter information; if not, the ASN-GW currently serving the user can be asked: the ASN-GW hosting the Authenticator currently serving the user is located, and it provides the current local ASN-GW with the corresponding key parameter information it maintains. Querying the key management entity on the local ASN-GW is an optional step; the HA-RK or FA-HA-K related key information can instead be requested directly from the Authenticator currently serving the user each time.
  • The HA-RK-related information is also maintained on the ASN-GW where the FA was located before the FA migration, and the new FA after the FA migration can request the related key information (HA-RK or FA-HA-K) from it.
  • The dedicated functional entity on the Authenticator or ASN-GW can also obtain new key parameter information from the key distribution entity.
  • The process of obtaining the corresponding key parameter information may be performed in conjunction with the R3 migration process, or independently before or after the R3 migration process.
  • the corresponding processing may specifically include the following steps:
  • Step 71 In the process of initial access authentication of the MS, that is, EAP (Extended Authentication Protocol), the AAA server sends the HA-RK, SPI, and lifecycle to the Authenticator serving the MS, that is, the anchor authenticator.
  • the current FA of the MS can obtain the corresponding HA-RK, SPI and lifecycle information from the Authenticator;
  • the corresponding HA-RK, SPI and lifecycle information may be specifically maintained in the anchor authenticator or may be maintained by functional entities in the AS N-GW;
  • the AAA server delivers the HA-RK, the SPI, and the lifecycle information, where the AAA server sends the HA-RK, the SPI, and the lifecycle information.
  • the AAA server unconditionally and actively delivers the key parameter information
  • the anchor authenticator carries the identifier of the FA that is located on an ASN-GW (Access Service Network Gateway) with the Access-Request message sent to the AAA server. Or the identifier of the anchor authenticator or the identification information of the ASN-GW, after which the AAA server sends the information according to the identifier information, including: if the AAA server finds that the HA has been allocated and the FA or the anchor If the authority or the ASN-GW sends the HA-RK and other information, the AAA server can choose not to perform the HA-RK and the delivery of the context information.
  • ASN-GW Access Service Network Gateway
  • the SPI may be a random number, provided that the SPIs generated in two consecutive allocations differ; or it may be incremented with each update of the HA-RK, for example starting at 0 and incremented by one each time the HA-RK is updated, cycling back when the upper limit is reached.
  • Step 72 The anchor authenticator (i.e. FA/Auth) corresponding to the FA of the MS, or the dedicated functional entity of the ASN-GW, or a dedicated functional entity set up independently of the ASN-GW, obtains and saves the corresponding HA-RK, SPI and lifecycle information (i.e. Lifetime);
  • the anchor authenticator may maintain a copy for each user, that is, the key parameter information is maintained by the authenticator; or the information may be saved in a dedicated functional entity of the ASN-GW that maintains the corresponding information for each HA, that is, the key parameter information is maintained by the dedicated functional entity, which saves storage space; since the dedicated functional entity is located in the same ASN-GW as the anchor authenticator, the HA-RK related information can be obtained together with the request, and the security of the transmission of the key parameter information can be ensured;
  • if the key parameter information maintained in the key parameter maintenance entity (such as the dedicated functional entity in the ASN-GW) that maintains key parameter information for the foreign agent is not applied for within a predetermined time, its maintenance is stopped.
  • Step 73 The MS or PMIP-Client sends a MIP-RRQ (MIP Registration Request) message to the FA, initiating M
  • Step 74 The FA requests the FA-HA-K, SPI information and a lifecycle from the anchor authenticator holding the key parameter information or from the HA-RK maintenance entity of the ASN-GW, wherein the lifecycle is set to the remainder of the lifecycle of the HA-RK;
  • the anchor authenticator or the HA-RK maintenance entity of the ASN-GW is specifically based on the saved maintenance HA-RK, S
  • Step 75 The FA sends the MIP-RRQ message to the HA using the FA-HA-K information;
  • after receiving the message, the HA authenticates it based on the HA-RK, SPI and lifecycle information it has obtained;
  • the HA-RK, SPI and lifecycle information obtained by the HA may have been obtained beforehand, or may be obtained by performing step 76 and step 77; and, since the HA-RK is allocated by the AAA server of the same network (visited network or home network) as the HA itself, it can be requested only from the AAA server of the network to which the HA belongs;
  • Step 76, Step 77 The HA sends an Access-Request to the AAA server that assigned the HA-RK information, and receives the corresponding HA-RK, SPI and lifecycle information in the Access-Accept message returned by the AAA server;
  • the HA allocated in the roaming scenario may be the HA of the visited network or the HA of the home network; in the embodiment of the present invention the HA is located in the visited network, and the HA-RK, SPI and lifecycle information is assigned by the AAA server of the visited network; for an HA located in the home network, the AAA server of the home network is responsible for allocating the HA-RK, SPI and lifecycle information.
  • each time the AAA server responds to a request, that is, each time it sends key parameter information, it records the identifier of the HA, Authenticator, ASN-GW or FA associated with that delivery; on an ASN-GW or FA, if no terminal applies for the HA-RK information of a certain HA within a predetermined period of time, the HA-RK information need no longer be maintained on that ASN-GW or FA.
  • Step 78, Step 79 The HA returns a MIP registration response (MIP-RRP) message to the FA, and the FA forwards it to the MS to complete the corresponding MIP registration process;
  • the FA and HA continue to process MIP registration messages using the FA-HA-K obtained in the above steps.
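Steps 71 to 79 above leave the construction of the FA-HA-K and the HA's check of the MIP-RRQ implicit. The following Python example is added here and is not code from the patent or from the assignee: it derives the FA-HA key from the HA-RK and SPI, lets the FA attach an authentication extension to a MIP-RRQ, and lets the HA verify that extension from its own copy of the HA-RK, SPI and remaining lifetime (step 75). The HMAC-SHA1 construction, the "FA-HA" label, the identifier strings, the message layout and the sample HA-RK are assumptions for illustration, not values from the page.

```python
import hashlib
import hmac

# Constructed sample values (not from the patent): an HA-RK as the AAA server would
# allocate it, the SPI that accompanies it, and two endpoint identifiers.
HA_RK = bytes.fromhex("00112233445566778899aabbccddeeff0123456789abcdef")
SPI = 7
FA_ID = "fa-1"
HA_ID = "ha-1"

MAC_LEN = 20   # HMAC-SHA1 output
SPI_LEN = 4    # SPI carried as a 32-bit big-endian field (assumed)


def derive_fa_ha_key(ha_rk: bytes, spi: int, fa_id: str, ha_id: str) -> bytes:
    """Derive the FA-HA-K from the HA-RK.

    The page only states that the FA-HA-K is obtained from the HA-RK and SPI; the
    concrete construction here (HMAC-SHA1 over a label, both identifiers and the
    SPI) is an assumption for illustration.
    """
    msg = b"FA-HA" + fa_id.encode() + ha_id.encode() + spi.to_bytes(SPI_LEN, "big")
    return hmac.new(ha_rk, msg, hashlib.sha1).digest()


def fa_authenticate_rrq(rrq_payload: bytes, fa_ha_key: bytes, spi: int) -> bytes:
    """FA side of step 75: append an authentication extension (SPI || MAC) to the MIP-RRQ."""
    mac = hmac.new(fa_ha_key, rrq_payload, hashlib.sha1).digest()
    return rrq_payload + spi.to_bytes(SPI_LEN, "big") + mac


def ha_verify_rrq(message: bytes, ha_rk: bytes, spi_expected: int,
                  lifetime_remaining: int, fa_id: str, ha_id: str) -> bool:
    """HA side of step 75: re-derive the FA-HA-K from the HA's own HA-RK copy and check."""
    if lifetime_remaining <= 0 or len(message) < SPI_LEN + MAC_LEN:
        return False   # stale HA-RK context or malformed message
    payload = message[:-(SPI_LEN + MAC_LEN)]
    spi = int.from_bytes(message[-(SPI_LEN + MAC_LEN):-MAC_LEN], "big")
    mac = message[-MAC_LEN:]
    if spi != spi_expected:
        return False   # the SPI names a different HA-RK generation than the HA holds
    key = derive_fa_ha_key(ha_rk, spi, fa_id, ha_id)
    expected = hmac.new(key, payload, hashlib.sha1).digest()
    return hmac.compare_digest(mac, expected)
```

The FA and the HA never exchange the FA-HA-K itself: both derive it from the HA-RK, which is why the HA must hold the same HA-RK generation (identified by the SPI) as the maintenance entity that served the FA.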
  • the MS may initiate a re-authentication process. As shown in Figure 7, the corresponding processing includes:
  • Step 710 Re-authentication of the MS occurs for some reason, and the anchor authenticator migrates to a new anchor authenticator on another ASN-GW;
  • Step 711 If the HA-RK is maintained by the anchor authenticator for each user, the new anchor authenticator needs to notify the original anchor authenticator to delete the HA-RK related information it maintains;
  • Step 712 If the HA-RK is maintained by a dedicated functional entity on the ASN-GW, the new anchor authenticator needs to obtain the corresponding key parameter information such as the HA-RK;
  • the new anchor authenticator may query whether key parameter information such as a valid HA-RK exists on the local ASN-GW, and give an indication in the Access-Request message of whether there is a valid HA-RK on the ASN-GW, so that the AAA server can determine whether to issue the HA-RK and key parameters such as context information.
  • FA migration may occur; as shown in Figure 7, the corresponding processing includes:
  • Step 713 R3 migration occurs in the system, and the FA migrates to a new FA;
  • Step 714 The new FA requests to obtain the corresponding key parameter information, that is, it requests the key of the corresponding HA and the SPI from the original anchor authenticator of the user;
  • if the key parameter information such as the HA-RK is maintained by the dedicated functional entity on the ASN-GW, it is necessary first to query whether that entity on the local ASN-GW holds the corresponding key parameter information; if not, it can be requested from the ASN-GW where the original anchor authenticator is located, since the key parameter information is necessarily stored on the functional entity of the ASN-GW where the original anchor authenticator is located; if the HA-RK is transmitted between ASN-GWs, the ASN-GW where the FA was located before the FA migration also holds the HA-RK related information corresponding to the HA, and the new FA after the FA migration can request the relevant key (HA-RK or FA-HA) information from it.
  • Step 715 The new FA obtains the HA-RK or FA-HA key and key parameter information such as the SPI and the lifecycle; thus the update of the key parameter information for the R3 migration is completed.
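The maintenance-entity behaviour spread over steps 72 and 714 (one HA-RK context per HA, the SPI increment rule, the remaining lifetime handed to the FA, dropping a context that nobody applies for within a predetermined time, the AAA server recording to whom it delivered, and a new FA querying the local ASN-GW before the original anchor authenticator's ASN-GW and only then the AAA server) can be modelled compactly. The following Python example is added here and is not code from the patent or the assignee; the 32-bit SPI range, the identifiers, the idle limit, the timestamps and the random 20-byte HA-RK are assumptions for illustration.

```python
import os
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Assumed SPI width for the "cycle at the upper limit" rule; the patent does not fix it.
SPI_MAX = 0xFFFFFFFF


@dataclass
class HaRkContext:
    """HA-RK, SPI and lifecycle as held by an HA-RK maintenance entity or the AAA server."""
    ha_rk: bytes
    spi: int
    lifetime: int           # seconds, as allocated
    allocated_at: float     # time the context was allocated or copied in
    last_applied_at: float  # last time an FA applied for this HA's key

    def remaining_lifetime(self, now: float) -> int:
        # Step 74: the lifecycle handed to the FA is the remainder of the HA-RK lifecycle.
        return max(0, int(self.lifetime - (now - self.allocated_at)))


def next_spi(previous: Optional[int]) -> int:
    """SPI rule from the description: start at 0, add one per HA-RK update, cycle at the limit."""
    if previous is None:
        return 0
    return 0 if previous >= SPI_MAX else previous + 1


class KeyParameterMaintenanceEntity:
    """Dedicated functional entity on an ASN-GW keeping one HA-RK context per HA."""

    def __init__(self, gw_id: str, idle_limit: int) -> None:
        self.gw_id = gw_id
        self.idle_limit = idle_limit  # predetermined time after which an unused context is dropped
        self.contexts: Dict[str, HaRkContext] = {}

    def store(self, ha_id: str, ha_rk: bytes, spi: int, lifetime: int, now: float) -> None:
        self.contexts[ha_id] = HaRkContext(ha_rk, spi, lifetime, now, now)

    def lookup(self, ha_id: str, now: float) -> Optional[HaRkContext]:
        ctx = self.contexts.get(ha_id)
        if ctx is None:
            return None
        # Expired, or not applied for within the predetermined time: stop maintaining it.
        if ctx.remaining_lifetime(now) == 0 or now - ctx.last_applied_at > self.idle_limit:
            del self.contexts[ha_id]
            return None
        ctx.last_applied_at = now
        return ctx

    def delete(self, ha_id: str) -> None:
        # Step 711: the original anchor authenticator is told to drop its copy.
        self.contexts.pop(ha_id, None)


class AaaServer:
    """Key distribution entity; remembers which requester already received each HA's context."""

    def __init__(self) -> None:
        self.ha_rks: Dict[str, HaRkContext] = {}
        self.delivered: Dict[str, Set[str]] = {}

    def allocate(self, ha_id: str, lifetime: int, now: float) -> HaRkContext:
        prev = self.ha_rks.get(ha_id)
        ctx = HaRkContext(os.urandom(20), next_spi(prev.spi if prev else None), lifetime, now, now)
        self.ha_rks[ha_id] = ctx
        self.delivered[ha_id] = set()  # a fresh HA-RK has been sent to nobody yet
        return ctx

    def access_request(self, requester_id: str, ha_id: str,
                       has_valid_local_copy: bool, now: float) -> Optional[HaRkContext]:
        ctx = self.ha_rks.get(ha_id)
        if ctx is None or ctx.remaining_lifetime(now) == 0:
            return None
        # The Access-Request indicates whether a valid HA-RK already exists locally, and the
        # AAA server also records to whom it delivered; in either case it may skip re-delivery.
        if has_valid_local_copy or requester_id in self.delivered[ha_id]:
            return None
        self.delivered[ha_id].add(requester_id)
        return ctx


def obtain_for_new_fa(local: KeyParameterMaintenanceEntity,
                      original: KeyParameterMaintenanceEntity,
                      aaa: AaaServer, ha_id: str, now: float) -> Tuple[Optional[HaRkContext], str]:
    """Step 714: query the local ASN-GW, then the original anchor authenticator's ASN-GW,
    and only then ask the AAA server (the query-first rule of the query processing unit)."""
    ctx = local.lookup(ha_id, now)
    if ctx is not None:
        return ctx, "local"
    ctx = original.lookup(ha_id, now)
    source = "original-asn-gw"
    if ctx is None:
        ctx = aaa.access_request(local.gw_id, ha_id, False, now)
        source = "aaa"
    if ctx is None:
        return None, "unavailable"
    # Copy across with the remaining lifetime so the expiry point does not move.
    local.store(ha_id, ctx.ha_rk, ctx.spi, ctx.remaining_lifetime(now), now)
    return local.lookup(ha_id, now), source
```

The lookup order is what keeps the message count down: a context already held on the local ASN-GW, or on the ASN-GW of the original anchor authenticator, is served without another round trip to the AAA server, and the AAA server's delivery record lets it refuse a duplicate request from a gateway it has already served.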
  • the present invention also provides an embodiment of a key management system between a home agent and a foreign agent, the system being applied to a wireless communication network and including a key distribution entity for allocating the key parameter information used in the communication between the home agent and the foreign agent, as shown in FIG. 8, wherein the key distribution entity includes, in addition to its original processing function units, the following:
  • a non-local HA key allocation unit, configured to allocate the corresponding key parameter information for an HA acting as a non-local HA, that is, an HA in the visited network, for example assigning the corresponding HA-RK, SPI and lifecycle information to the HA; moreover, the processing performed by the non-local home agent key distribution unit specifically includes:
  • the non-local home agent key distribution unit directly allocates the corresponding key parameter information to the corresponding home agent according to the request of the home agent, and delivers the key parameter information;
  • the non-local home agent key distribution unit, according to the request of the authenticator, communicates with the key distribution entity of the home network corresponding to the home agent; after the key distribution entity of the home network determines the corresponding home agent for the request, the key distribution entity of the visited network distributes the key parameter information allocated for the home agent to the home agent;
  • a local HA key distribution unit, configured to allocate the corresponding key parameter information for a home agent acting as a local home agent, that is, an HA in the home network.
  • in this embodiment the AAA server is used as the key distribution entity; other functional entities may serve as the key distribution entity in actual application.
  • the corresponding key parameter information is allocated to the HA in the visited network by the key distribution entity of the visited network.
  • the system according to the embodiment of the present invention further includes a key parameter maintenance entity, used to maintain the key parameter information of the communication between the home agent and the foreign agent; the key parameter maintenance entity obtains the key parameter information from the key distribution entity, and specifically includes any one of the following situations:
  • the system provided by the embodiment of the present invention further includes a query processing unit, configured, after it is determined that new key parameter information needs to be acquired, to first query whether key parameter information corresponding to the home agent exists in the key parameter maintenance entity, and to request the key distribution entity to allocate the key parameter information only after determining that it does not exist; this avoids initiating a further request for the key parameter information to the key distribution entity when the key parameter maintenance entity has already obtained the key parameter information of the corresponding HA, thereby reducing the number of messages exchanged in the system.
  • a key parameter update unit, configured to initiate the update process of the key parameter information towards the key distribution entity of the visited network or the key distribution entity of the home network, re-triggering that key distribution entity to allocate the corresponding key parameter information for the home agent and updating the key parameter information in each related entity; or, the unit may be disposed in the key distribution entity and configured to actively initiate the update process of the key parameter information, perform the update of the key parameter information, and update the key parameter information in each related entity.
  • the specific processing procedures of the key parameter maintenance entity and the other entities have been described above and are therefore not described in detail here.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention relates to a method and system for key management between a home agent and a foreign agent in a wireless communication network. The key management scheme specifically used consists of: distributing key parameter information for the home agent, by the key distribution entity of the visited network, to a home agent located in the visited network; and distributing said key parameter information for the home agent, by the key distribution entity of the home network, to a home agent located in the home network, said key parameter information being used in the communication process between the home agent and the foreign agent. The invention makes it possible to guarantee secure information exchange between the home agent and the foreign agent in the network and to effectively improve the communication security performance of the wireless communication network.
PCT/CN2007/071029 2006-11-08 2007-11-07 Method and system for key management between a home agent and a foreign agent WO2008055444A1 (fr)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
CN200610146123.1 2006-11-08
CN200610146123 2006-11-08
CN2006101702524A CN101179845B (zh) 2006-11-08 2006-12-21 Key management method and system between a home agent and a foreign agent
CN200610170252.4 2006-12-21

Publications (1)

Publication Number Publication Date
WO2008055444A1 true WO2008055444A1 (fr) 2008-05-15

Family

ID=39364190

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2007/071029 WO2008055444A1 (fr) 2006-11-08 2007-11-07 Method and system for key management between a home agent and a foreign agent

Country Status (2)

Country Link
CN (1) CN101179845B (fr)
WO (1) WO2008055444A1 (fr)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6867018B1 (en) 1998-09-24 2005-03-15 Pharmacia & Upjohn Company Alzheimer's disease secretase, APP substrates therefor, and uses thereof

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1424804A2 (fr) * 2002-11-29 2004-06-02 Fujitsu Limited Updating of a symmetric key for a cryptographic communication system
CN1716853A (zh) * 2004-06-30 2006-01-04 中国科学技术大学 Multicast key management method based on physical hierarchy

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6263435B1 (en) * 1999-07-06 2001-07-17 Matsushita Electric Industrial Co., Ltd. Dual encryption protocol for scalable secure group communication

Also Published As

Publication number Publication date
CN101179845B (zh) 2011-02-02
CN101179845A (zh) 2008-05-14

Similar Documents

Publication Publication Date Title
TWI837450B (zh) Key regeneration method and terminal device
US8477945B2 (en) Method and server for providing a mobile key
US8542838B2 (en) Method and system for generating and distributing mobile IP key
KR101341720B1 (ko) Method and system for managing mobility of a terminal using proxy mobile Internet protocol in a mobile communication system, and home address allocation method for the terminal therefor
US20100048161A1 (en) Method, system and apparatuses thereof for realizing emergency communication service
CN110035037B (zh) Security authentication method, related device and system
KR101523090B1 (ko) Method and apparatus for managing mobility of a terminal in a mobile communication system using mobile IP
JP4681656B2 (ja) Subscriber-specific enforcement of proxy mobile IP (PMIP) in place of client mobile IP (CMIP)
JP2004241976A (ja) Mobile communication network system and mobile terminal authentication method
US8447981B2 (en) Method and system for generating and distributing mobile IP security key after re-authentication
JP5044690B2 (ja) Dynamic foreign agent-home agent security association allocation for IP mobility systems
KR20220128993A (ko) Method, device and system for anchor key generation and management in a communication network for encrypted communication with service applications
CN114946153A (zh) Method, device and system for application key generation and management in a communication network for encrypted communication with service applications
CN101075870B (zh) Method for generating and distributing mobile IP keys
KR101465416B1 (ko) WiFi and WiMAX internetworking
WO2007143950A1 (fr) Apparatus and method for implementing bootstrapping of a dual-stack node in a heterogeneous network
KR100395494B1 (ko) Intra-domain handoff method in a mobile IP communication network
US8908871B2 (en) Mobile internet protocol system and method for updating home agent root key
WO2008055444A1 (fr) Method and system for key management between a home agent and a foreign agent
CN101447978B (zh) Method for a visited AAA server to obtain the correct HA-RK Context in a WiMAX network
WO2008154841A1 (fr) Method, system and apparatus for protecting the mobile Internet protocol signaling of an agent
CN102811441A (zh) Method and apparatus for managing mobile IP keys
KR20060068529A (ko) Method for extending the Diameter AAA protocol to support mobile IPv6
KR20090041155A (ko) Method and apparatus for fast IP address configuration in a proxy mobile IP based portable Internet network
WO2008151569A1 (fr) Method, device and system for key acquisition

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 07817220

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 07817220

Country of ref document: EP

Kind code of ref document: A1