WO2008151569A1 - Method, device and system for acquiring a key - Google Patents

Method, device and system for acquiring a key

Info

Publication number
WO2008151569A1
WO2008151569A1 PCT/CN2008/071254 CN2008071254W WO2008151569A1 WO 2008151569 A1 WO2008151569 A1 WO 2008151569A1 CN 2008071254 W CN2008071254 W CN 2008071254W WO 2008151569 A1 WO2008151569 A1 WO 2008151569A1
Authority
WO
WIPO (PCT)
Prior art keywords
authenticator
key information
network device
information
migrated
Prior art date
Application number
PCT/CN2008/071254
Other languages
English (en)
Chinese (zh)
Inventor
Wenliang Liang
Jianjun Wu
Original Assignee
Huawei Technologies Co., Ltd.
Priority date
Filing date
Publication date
Priority claimed from CN2007101451465A (external priority, patent CN101325804B)
Application filed by Huawei Technologies Co., Ltd.
Publication of WO2008151569A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords

Definitions

  • The present invention relates to the field of network communication technologies, and in particular, to an implementation scheme for acquiring a key in the case where an authenticator is migrated.
  • The mobile user needs to initiate authentication to an authenticator such as a NAS (Network Access Server), and after the authentication is passed, the mobile user's FA (Foreign Agent) obtains the corresponding key information through communication with the NAS, to be applied in the subsequent communication process.
  • Step 1 The MS successfully authenticates through NAS1 access;
  • NAS1 may initiate a corresponding authentication process to the AAA (authentication, authorization, and accounting) server, and complete the corresponding authentication operation to determine that the MS authentication is passed;
  • Step 2 When the FA needs the MN (mobile node)-FA key or the FA-HA (home agent) key, it sends a request to NAS1 to request the corresponding MN-FA key or FA-HA key.
  • Step 3 The MS re-authenticates through NAS1;
  • NAS1 can initiate a re-authentication operation to the AAA server to complete the corresponding re-authentication process.
  • Step 4 The MS sends a MIP-RRQ (MIP registration request) message to the FA, carrying the authentication extension calculated with the new key.
  • Step 5 After receiving the registration message, the FA compares the SPI carried in the MIP-RRQ message; if it determines that the SPI has changed, that is, that re-authentication has occurred, the FA requests the key update information from NAS1;
  • Step 6 After the FA obtains the key, it can continue to process the MIP-RRQ message and complete the subsequent processing.
  • step 5 is performed to request the key from NAS1 and obtain the current key to complete the subsequent processing.
  • An object of the embodiments of the present invention is to provide a method, a device, and a system for acquiring a key, so that a network device that needs to obtain key information can obtain the corresponding key information when the authenticator is migrated, to ensure the smooth progress of the subsequent communication process.
  • The embodiment of the present invention provides a method for acquiring a key, which is used to obtain key information for a network device that needs to obtain key information after the authenticator is migrated, and the method includes:
  • After receiving the indication information indicating that the authenticator migration occurs, the network device that needs to obtain the key information sends a key request to the migrated authenticator, and receives the key information returned by the authenticator, to obtain the key information corresponding to the terminal.
  • the present invention further provides a method for obtaining a key, which is used to obtain key information for a network device that needs to obtain key information after re-authentication, and the method includes:
  • After receiving the indication information indicating that re-authentication occurs, the network device that needs to obtain the key information receives the key information corresponding to the terminal sent by the authenticator.
  • The embodiment of the invention provides a network device, including:
  • an authenticator migration determining unit, configured to determine, according to the received indication information used to indicate that the authenticator migration occurs, that the authenticator corresponding to the terminal is migrated;
  • a key request obtaining unit, configured to send a key request to the migrated authenticator after the authenticator migration determining unit determines that the authenticator corresponding to the terminal is migrated, and to receive the key information returned by the authenticator, obtaining the key information corresponding to the terminal.
  • An embodiment of the present invention provides an authenticator, including:
  • a key request receiving unit, configured to receive a key request sent by a network device that needs to obtain key information;
  • a key information sending unit, configured to send, after the key request receiving unit receives the key request, the generated key information corresponding to the terminal to the network device that needs to obtain the key information.
  • An embodiment of the present invention provides a terminal, including:
  • a migration determining unit, configured to receive the identification information sent by the authenticator during the authentication process, and compare the identification information of the currently received authenticator with the identification information of the previously received authenticator to determine whether the authenticator has migrated;
  • an indication information delivery unit, configured to send, after the migration determining unit determines that the migration occurs, indication information indicating that the authenticator migration occurs to the network device that needs to acquire the key information.
  • An embodiment of the present invention provides a system for acquiring a key, including an authenticator and a network device that needs to obtain key information, where
  • an authenticator configured to receive a key request sent by a network device that needs to obtain the key information, and send the key information corresponding to the generated terminal to the network device that needs to obtain the key information;
  • the network device that needs to obtain the key information, after receiving the indication information indicating that the authenticator migration occurs, sends a key request to the migrated authenticator, and receives the key information returned by the authenticator.
  • the present invention further provides a system for acquiring a key, including an authenticator and a network device that needs to obtain key information, where
  • an authenticator configured to send the key information corresponding to the generated terminal to the network device that needs to obtain the key information
  • the network device that needs to obtain the key information is configured to receive the key information corresponding to the terminal that is sent by the authenticator after receiving the indication information indicating that the re-authentication occurs.
  • FIG. 1 is a schematic diagram of a process of processing a key information by a FA in the prior art
  • FIG. 2 is a schematic diagram 1 of a processing procedure for a FA to acquire key information according to an embodiment of the present invention
  • FIG. 3 is a schematic diagram 2 of a process for the FA to acquire key information according to an embodiment of the present invention
  • FIG. 4 is a schematic diagram 3 of a process for the FA to acquire key information according to an embodiment of the present invention
  • FIG. 5 is a schematic diagram of a state machine of a process for acquiring a key information by a FA according to an embodiment of the present invention
  • FIG. 6 is a schematic diagram of a complete processing procedure of a method for acquiring a key according to an embodiment of the present invention
  • FIG. 7 is a schematic structural diagram of an acquisition key system according to an embodiment of the present invention.
  • the network device that needs to obtain the key information acquires the key information as follows: after receiving the indication information indicating that the authenticator migration occurs, it determines that the authenticator corresponding to the terminal is migrated, and sends a key request to the migrated authenticator, so as to receive the key information returned by the authenticator and obtain the key corresponding to the terminal.
  • The network device that needs to obtain the key information includes but is not limited to a device such as an FA (foreign agent), a BS (base station), or a GW (gateway), and the key information includes but is not limited to at least one of a key, an SPI (Security Parameter Index), and a life cycle.
  • The indication information used to indicate that the authenticator migration occurs may specifically be sent by the migrated authenticator, the original authenticator (the authenticator before migration), the terminal, the HA (home agent), the AAA (authentication, authorization, and accounting) server, or the like to the network device that needs to obtain the key information, so that the corresponding network device that needs to obtain the key information can obtain the indication information.
  • The migrated authenticator, the original authenticator, the terminal, or a device such as the HA or the AAA server may further send the address of the migrated authenticator to the network device that needs to obtain the key information;
  • when the authenticator sends the address of the migrated authenticator to the network device that needs to obtain the key information, the authenticator further maintains the correspondence between the terminal and the address of the migrated authenticator, and optionally sets a life cycle for the correspondence, so that the maintained correspondence information can be deleted after the predetermined interval has passed, thereby releasing the occupied storage and management resources.
  • If the terminal transmits the indication information to the network device that needs to acquire the key information, the terminal needs to determine in advance that the authenticator migration has occurred.
  • the process by which the terminal determines that the authenticator migration has occurred may include:
  • the authenticator sends its own identification information to the terminal, and the terminal can then compare the identification information of the currently received authenticator with the previously received identification information of the authenticator to determine whether the authenticator has migrated; for example, the identification information may include: address information of the authenticator and/or the number of hops from the authenticator to the gateway.
  • the active device may actively send the key information to the corresponding network device that needs to obtain the key information; or, optionally, the key information corresponding to the terminal generated by the migrated authenticator is sent by the migrated authenticator to the original authenticator, and then sent by the original authenticator to the network device that needs to obtain the key information.
  • After the network device that needs to obtain the key information determines that the authenticator corresponding to the terminal has migrated, it may also determine whether the key information sent by the migrated authenticator has been received. If it determines that the key information corresponding to the terminal generated by the migrated authenticator has not been obtained, it may obtain the key information by sending a key request to the migrated authenticator.
  • The network device that needs to obtain the key information may also perform the operation of acquiring the address information of the migrated authenticator before sending the key request to the migrated authenticator.
  • the network device that needs to obtain the key information can thus obtain the address of the migrated authenticator, which facilitates sending a key request message to it.
  • The methods for obtaining the address information of the migrated authenticator include: one is to request the address information of the migrated authenticator from the original authenticator before migration; the other is to receive the address information of the migrated authenticator sent by the migrated authenticator or the original authenticator.
  • the migrated authenticator can first send the key information to the original network device that needs to obtain key information (the one before migration), and that original network device sends the key information to the network device that needs to obtain the key information after the migration; or the original network device that needs to obtain the key information may send to the migrated authenticator an indication of the migration of the network device that needs to obtain the key information, or information such as the address of the network device that needs to obtain the key information after the migration; or the network device that needs to obtain the key information after the migration sends to the migrated authenticator an indication of the migration of the network device that needs to obtain the key information, or the address of the network device that needs to obtain the key information after the migration.
  • the new FA after the migration is used as the current FA of the terminal, and the foregoing processing procedure can be used to ensure that the network device that needs to obtain the key information can obtain the corresponding key information;
  • the migrated new FA can obtain the new NAS address during the migration process, which makes it easy for the network device that needs to obtain the key information to obtain the corresponding key information; for example, the migrated FA sends an indication of the FA migration or the address of the migrated FA to the new NAS, or the original FA sends an indication of the FA migration or the address of the new FA to the new NAS, so that the new NAS sends the key information to the new FA;
  • the new FA needs to request a key from the original NAS, and the process of sending the key information to the new FA in the original NAS may include:
  • when the original NAS informs the new FA that NAS migration is in progress, it also informs the new FA of the address of the new NAS, and the new FA sends a key request to the new NAS. If the new NAS has completed the re-authentication, it replies with the new key information; otherwise, it replies to the new FA with an instruction to wait, or waits for the re-authentication to complete before sending the new key information to the new FA.
  • the new FA can request the address of the new NAS from the original NAS (that is, the migrated authenticator can first send the key information to the original FA, and the original FA then sends the key information to the migrated FA), or wait for the new NAS to actively update the key.
  • before determining that the authenticator corresponding to the terminal is migrated, the network device that needs to obtain the key information needs to determine whether the terminal is re-authenticated, so as to further determine that the terminal is re-authenticated.
  • The operation by which the network device that needs to obtain the key information determines whether the terminal is re-authenticated may include: saving the SPI (Security Parameter Index) between the terminal and the home agent in the network device that needs to obtain the key information; if the SPI between the terminal and the home agent carried in a registration request sent by the terminal or another device differs from the saved SPI, it is determined that re-authentication has occurred for the terminal; otherwise, it is determined that re-authentication has not occurred; or the network device that needs to obtain the key information may further determine whether the terminal performs a re-authentication operation according to the explicit re-authentication indication or the implicit re-authentication indication information in the received message.
  • the key information that the FA needs to obtain may be MIP (Mobile IP) key information.
  • The embodiment of the present invention can specifically solve the problem that the MIP key cannot be obtained due to the migration of the NAS during the process of updating the MIP key, reduce the contention of the competition scenario and the key, and enable the FA to obtain a valid MIP key.
  • The MIP key may include an MN-FA key and an FA-HA key. It should be noted that the embodiments of the present invention are not limited to the examples of the specific application.
  • The re-authentication process for the terminal can be accompanied by an authenticator migration or be performed directly on the original authenticator.
  • If the authenticator migrates, it is necessary to inform the FA of the address information of the new authenticator so that the FA can subsequently request the key information.
  • FA migration and authenticator migration are independent of each other; that is, they may occur at the same time or at different times.
  • Step 1 The MS successfully authenticates through NAS1 access;
  • Step 2 When the FA needs the MN-FA key, it sends a request to NAS1; specifically, the key may be obtained by sending a context request to NAS1.
  • Step 3 The re-authentication for the MS is performed through NAS2, that is, NAS migration occurs;
  • Step 4 After re-authentication, a device such as the MS or the HA (home agent) (only the MS is taken as an example in the figure) sends a MIP-RRQ message to the FA, where the message carries an authentication extension calculated with the new key, in which the SPI is also calculated from the FA-RK generated after re-authentication, or the message may carry other indication information that can be used to determine whether re-authentication has occurred;
  • Step 5 After receiving the message, the FA compares whether the SPI carried in the MIP-RRQ message is the same as the locally maintained SPI. If it determines that a change has occurred (that is, that re-authentication has occurred), or confirms according to the indication information that re-authentication has occurred, it obtains the updated key information; the corresponding key can still be obtained by sending a context request, in this case to NAS2.
  • the specific implementation process of requesting the NAS to obtain the updated key may be, but is not limited to, three types. Referring to FIG. 2, FIG. 3 and FIG. 4, the implementation processes are respectively:
  • the FA requests the key update information from NAS1, and NAS1 returns a NAS migration indication and/or a new NAS address (i.e., the NAS2 address); then, the FA sends a key request message to NAS2 to request the corresponding MIP key information.
  • the FA requests the key update information from NAS1, and NAS1 returns the NAS migration indication and/or the new NAS address (i.e., the NAS2 address) to the FA; the NAS2 migration notification message arrives at the FA before the FA sends the key request message to NAS2; if the message carries the updated key and the context information, the FA does not send the key request; otherwise, the FA continues to send a key request to NAS2 to request the corresponding MIP key information;
  • the FA does not send the key request to NAS2; otherwise, the FA continues to send a key request to NAS2 to request the corresponding MIP key information.
  • After steps 1 to 5 above are performed and the FA has obtained the updated key information, it can continue to process the MIP-RRQ message.
  • The embodiment of the present invention further provides another specific implementation manner, in which carrying an option in the MIP-RRQ message is considered.
  • the corresponding processing procedure is as shown in FIG. 5, which may specifically include the following processes:
  • Step 1 For the first authentication, NAS1 sends its own address, or the hop count from the NAS to the serving GW (gateway), to the MS during the EAP process, and the MS records it;
  • Step 2 On re-authentication, the MS again obtains the NAS1 address or the hop count from the NAS to the serving GW, and compares it with the previously recorded address or hop count information (i.e., the information recorded in step 1); finding them the same, it confirms that the NAS has not migrated;
  • Step 3 The MS sends the MIP-RRQ carrying indication information that indicates re-authentication but no NAS migration.
  • The indication information may be a different SPI algorithm or a separate extension header;
  • the NAS does not migrate; if it is an extension header, the extension header can directly include a type indicating the migration status of the NAS, or directly contain the address information of the current NAS;
  • Step 4 On re-authentication, the MS again obtains the NAS2 address or the hop count from the NAS to the serving GW, and compares it with the previously recorded address or hop count information (i.e., the information recorded in step 1); finding them different, it confirms that the NAS has migrated;
  • Step 5 The MS sends the MIP-RRQ carrying indication information that indicates that the MS is re-authenticated and that NAS migration has occurred.
  • The processing procedure after the FA receives the corresponding MIP-RRQ message may specifically be:
  • the indication information of the MIP-RRQ message is processed: if there is no re-authentication, the processing is continued; if there is re-authentication but no NAS migration, the key is requested from the original NAS; if there is re-authentication accompanied by NAS migration, the FA waits for the new NAS to actively send the notification information; if the notification information sent by the new NAS does not carry the key information required by the FA, the corresponding key information needs to be requested from the new NAS, or the new NAS information or the updated key information may be requested from the original NAS.
  • the implementation process of the state machine of the FA includes the following steps:
  • Step 1 the FA receives the MIP-RRQ message
  • Step 2 determine whether there is a local MN-FA key, if yes, go to step 3, otherwise, go to step 7;
  • Step 3 Compare whether the SPI in the received MIP-RRQ message is the same as the locally saved SPI; if they are the same, step 15 is performed; otherwise, a re-authentication has occurred, and step 4 is performed;
  • Step 4 Determine whether NAS migration occurs. If yes, go to step 5; otherwise, go to step 6. Specifically, whether a NAS migration occurs may be determined according to, but not limited to, the SPI, or an indication of whether the NAS is migrated in the received Context-Rpt (Context Report) sent by the new NAS;
  • if it is not possible to determine whether a NAS migration occurs, proceed to step 7;
  • if it is determined that the migration occurs, it may further be determined whether the key of the new NAS has been received; if yes, perform step 15; otherwise, perform step 5;
  • the key of the new NAS received may be sent directly by the new NAS, or it may be the key of the new NAS that the original NAS received from the new NAS;
  • Step 5 Determine whether the FA already knows the address of the new NAS after the migration; if yes, go to step 8; otherwise, go to step 9;
  • Step 6 The FA requests the MN-FA key from the original NAS, and performs step 15.
  • Step 7 The FA requests the MN-FA key from the original NAS, or directly sets a clock and waits to receive information from the authenticator (the authenticator performing the re-authentication). If feedback information is received from the original NAS, step 10 is performed; if the FA receives the indication information sent by the new NAS, step 12 is performed; after receiving the information, the set clock is terminated; if the clock expires and no information has been received from the authenticator, the MIP-RRQ message is discarded;
  • Step 8 The FA requests the MN-FA key from the migrated new NAS, and performs step 15.
  • Step 9 The FA waits for the indication of the new NAS, or queries the original NAS for the address of the new NAS or the MN-FA key; after receiving the indication of the new NAS or the feedback of the original NAS, step 12 is performed;
  • the new NAS indication received or the feedback from the original NAS can be the MN-FA key of the new NAS or the address of the new NAS.
  • Step 10 The FA judges whether the NAS migration occurs according to the feedback information returned by the original NAS. If it occurs, step 12 is performed; otherwise, step 11 is performed;
  • Step 11 If the MN-FA key is not carried in the feedback information sent by the original NAS, a request is sent to the original NAS, and step 15 is performed after the MN-FA key is obtained. If the MN-FA key is carried in the feedback information, step 15 is directly performed.
  • Step 12 Determine whether the new NAS has sent the corresponding MN-FA to the FA, that is, determine whether the FA receives the MN-FA, and if yes, perform step 13, otherwise, from the new received NAS indication or original NA
  • Step 13 the FA obtains the MN-FA from the information sent by the new NAS, and performs step 15;
  • Step 14 According to the address of the new NAS, the FA requests the corresponding MN-FA key from the new NAS, and after obtaining the MN-FA key, performs step 15;
  • Step 15 The FA processes the received MIP-RRQ message according to the obtained key information.
  • the embodiment of the present invention further provides a system for acquiring a key by a network device, and the specific implementation structure is as shown in FIG. 7. Specifically, the following processing unit may be included:
  • a key request receiving unit configured to receive a key request sent by a network device that needs to obtain key information
  • the key information transmitting unit is configured to: after the key request receiving unit receives the key request, send the key information corresponding to the generated terminal to the network device that needs to obtain the key information.
  • The authenticator may further include a migration indication sending unit, configured to send, to the network device that needs to obtain key information, indication information indicating that an authenticator migration occurs; the authenticator may specifically be the authenticator after the migration, or may be the original authenticator before the migration; if the migration indication sending unit is set in the original authenticator, and the address of the migrated authenticator needs to be sent to the network device that needs to obtain the key information, the authenticator further includes a terminal information maintenance unit, configured to maintain a correspondence between the terminal and the address of the migrated authenticator, and optionally set a corresponding life cycle for the correspondence.
  • a key information direct sending unit, configured to directly send the key information generated by the migrated authenticator to the network device that needs to obtain the key information;
  • a key information indirect delivery unit, configured to send the key information generated by the migrated authenticator to the original authenticator, and have the original authenticator send it to the network device that needs to obtain the key information.
  • The authenticator may further include an identification information sending unit, configured to send the address information of the authenticator, or the hop count from the authenticator to the gateway, to the terminal as the identification information.
  • The network device is a network device that needs to obtain key information; after receiving the indication information indicating that the authenticator migration occurs, it sends a key request to the migrated authenticator and receives the key information returned by the authenticator.
  • the network device that needs to obtain the key information may specifically include:
  • an authenticator migration determining unit configured to determine, according to the received information indicating that the authenticator migration occurs, that the authenticator corresponding to the terminal is migrated;
  • (2) a key request obtaining unit, configured to send a key request to the migrated authenticator after the authenticator migration determining unit determines that the authenticator corresponding to the terminal is migrated, and to receive the key information returned by the authenticator and obtain the key corresponding to the terminal.
  • The network device that needs to obtain the key information may further include a determining processing unit, configured to notify the key request obtaining unit if, after the authenticator migration determining unit determines that the authenticator migration occurs, it is determined that the key information generated by the migrated authenticator has not been acquired.
  • The network device that needs to obtain the key information may further include an authenticator address obtaining unit, configured to receive and obtain the address information of the migrated authenticator sent by the migrated authenticator or the original authenticator, and to notify the key request obtaining unit to send a key request according to the address information.
  • the network device that needs to obtain the key information may further include any one of the following units:
  • a key information forwarding unit, configured to receive the key information sent by the migrated authenticator, and send the key information to the migrated network device that needs to obtain the key information;
  • a network device migration notification unit, configured to: after receiving the key information sent by the migrated authenticator, return to the migrated authenticator an indication of the migration of the network device that needs to obtain the key information, or the address information of the network device that needs to obtain the key information after the migration; or actively send, to the migrated authenticator, an indication of the migration of the network device that needs to obtain the key information, or the address information of the network device that needs to obtain the key information after the migration; so that the migrated authenticator can send the key information to the migrated network device that needs to obtain the key information.
  • The terminal may further send, to the network device that needs to obtain the key information, indication information indicating that the authenticator corresponding to the terminal is migrated, and the terminal may further include a processing unit for determining whether the authenticator is migrated.
  • The processing unit may specifically include:
  • a migration determining unit, configured to receive the identification information sent by the authenticator during the authentication process, and compare the identification information of the currently received authenticator with the identification information of the previously received authenticator to determine whether the authenticator has migrated;
  • an indication information delivery unit, configured to send, after the migration determining unit determines that the migration occurs, indication information indicating that the authenticator migration occurs to the network device that needs to acquire the key information.
  • the embodiment of the present invention solves the problem that the updated MIP key cannot be obtained when the NAS is migrated in the process of updating the MIP key, so that the competition scenario can be eliminated as much as possible, and the confidentiality is minimized. Therefore, the embodiment of the present invention provides an implementation scheme capable of enabling an FA to obtain an effective MIP key, which overcomes the problems existing in the prior art.
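The units described above can be traced in a short simulation: the terminal compares authenticator identifiers, the network device requests key information from the migrated authenticator only when it does not already hold it. This is an added sketch, not part of the patent text; the class names, identifiers, addresses and the HMAC-based key derivation are stand-in assumptions.

```python
import hashlib
import hmac

class Authenticator:
    """Stand-in NAS; the HMAC derivation is a placeholder, not the patent's key scheme."""
    def __init__(self, auth_id, address, secret):
        self.auth_id, self.address, self.secret = auth_id, address, secret

    def handle_key_request(self, terminal_id):
        return hmac.new(self.secret, terminal_id.encode(), hashlib.sha256).digest()

class NetworkDevice:
    """The device that needs the key information (the FA in the text)."""
    def __init__(self, reachable):
        self.reachable = reachable   # address -> Authenticator (constructed transport)
        self.auth_addr = {}          # terminal -> address of its current authenticator
        self.keys = {}               # terminal -> (authenticator id, key information)
        self.requests_sent = 0

    def on_migration_indication(self, terminal_id, new_auth_id):
        # Determining processing unit: request only if the migrated authenticator's key is not held.
        if self.keys.get(terminal_id, (None,))[0] == new_auth_id:
            return False
        nas = self.reachable[self.auth_addr[terminal_id]]
        self.requests_sent += 1
        self.keys[terminal_id] = (nas.auth_id, nas.handle_key_request(terminal_id))
        return True

class Terminal:
    def __init__(self, terminal_id):
        self.terminal_id, self.last_auth_id = terminal_id, None

    def on_authentication(self, auth_id, device):
        # Migration determining unit: compare current and previous authenticator ids.
        migrated = self.last_auth_id not in (None, auth_id)
        self.last_auth_id = auth_id
        if migrated:                 # indication information delivery unit
            device.on_migration_indication(self.terminal_id, auth_id)
        return migrated

def run_demo():
    # All identifiers, addresses and secrets below are constructed sample values.
    a = Authenticator("NAS-A", "addr-a", b"constructed-secret-a")
    b = Authenticator("NAS-B", "addr-b", b"constructed-secret-b")
    fa, ms = NetworkDevice({a.address: a, b.address: b}), Terminal("ms-001")
    ms.on_authentication(a.auth_id, fa)                       # initial authentication
    fa.auth_addr["ms-001"] = a.address
    fa.keys["ms-001"] = (a.auth_id, a.handle_key_request("ms-001"))
    fa.auth_addr["ms-001"] = b.address       # address sent by the migrated authenticator
    migrated = ms.on_authentication(b.auth_id, fa)            # re-authentication at NAS-B
    return fa, a, b, migrated
```

After the run, the network device holds the key information issued by the migrated authenticator rather than the stale one, and a repeated migration indication for the same authenticator triggers no second key request.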

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention relates to a key acquisition method, device and system for acquiring key information for a network device that needs to acquire this key information after an authenticator migration. The method comprises the following steps: the network device that needs to acquire the key information sends a key request to the migrated authenticator after receiving information indicating a migration of the authenticator, and receives the key information from the authenticator.
PCT/CN2008/071254 2007-06-11 2008-06-10 Key acquisition method, device and system WO2008151569A1 (fr)

Applications Claiming Priority (6)

Application Number Priority Date Filing Date Title
CN200710112367 2007-06-11
CN200710112367.2 2007-06-11
CN200710136389 2007-07-26
CN200710136389.2 2007-07-26
CN2007101451465A CN101325804B (zh) 2007-06-11 2007-08-23 Method, device and system for acquiring a key
CN200710145146.5 2007-08-23

Publications (1)

Publication Number Publication Date
WO2008151569A1 (fr) 2008-12-18

Family

ID=40129260

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2008/071254 WO2008151569A1 (fr) 2007-06-11 2008-06-10 Key acquisition method, device and system

Country Status (1)

Country Link
WO (1) WO2008151569A1 (fr)

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030147537A1 (en) * 2002-02-07 2003-08-07 Dongfeng Jing Secure key distribution protocol in AAA for mobile IP
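CN1732707A (zh) * 2002-10-25 2006-02-08 松下电器产业株式会社 Wireless communication management method and wireless communication management server
CN1725685A (zh) * 2004-07-22 2006-01-25 中兴通讯股份有限公司 Secure re-authentication method for wireless local area network mobile terminals
CN1905734A (zh) * 2005-07-25 2007-01-31 华为技术有限公司 Method and system for a target base station to obtain an authentication key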

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111431746A (zh) * 2020-03-20 2020-07-17 杭州有赞科技有限公司 API gateway migration method and system
CN111431746B (zh) * 2020-03-20 2022-05-31 杭州有赞科技有限公司 API gateway migration method and system

Similar Documents

Publication Publication Date Title
US8065518B1 (en) Fast authentication and access control system for mobile networking
US8914005B2 (en) Method and system for network logout of a mobile station in idle mode
US7561692B2 (en) Method of authenticating mobile terminal
CN101616410B (zh) Access method and system for a cellular mobile communication network
EP2432265B1 (fr) Method and apparatus for sending a key in a wireless local area network
CN101006682B (zh) Fast network attachment
WO2008006306A1 (fr) Method and device for deriving a local interface key
KR101002799B1 (ko) Mobile communication network and method and apparatus for authenticating a mobile node in the mobile communication network
WO2012146282A1 (fr) Authentication of a device in a network
KR20060042045A (ko) Method for negotiating a security association using EAP in a wireless portable internet system
WO2007045177A1 (fr) Method, system and apparatus for performing mobile protocol deregistration
KR20060067263A (ko) WLAN-UMTS interworking network system and authentication method therefor
WO2009030164A1 (fr) Method, system and device for preventing a degradation attack while a terminal is moving
WO2013107423A1 (fr) Authentication method, system and device for network access
US20130042316A1 (en) Method and apparatus for redirecting data traffic
WO2007121669A1 (fr) Method, device and system for establishing a wireless connection
WO2009074050A1 (fr) Method, system and apparatus for authenticating an access point device
KR20180124076A (ko) System and method for relaying data over a communication network
WO2007134547A1 (fr) Method and system for generating and distributing a mobile IP security key after re-authentication
WO2009105956A1 (fr) Control method and system for establishing multiple tunnels in a wireless communication network
US20110003546A1 (en) System and Method for Communications Device and Network Component Operation
CA2522846A1 (fr) Methods and apparatuses for optimizing resource management in CDMA2000 wireless IP networks
US20100085949A1 (en) Base station apparatus, authenticator apparatus and method for attaching a base station apparatus to an authenticator apparatus
WO2018170703A1 (fr) Connection establishment method and device
WO2010133073A1 (fr) Method for obtaining certificate status information and certificate status management system

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 08757665

Country of ref document: EP

Kind code of ref document: A1

WWE Wipo information: entry into national phase

Ref document number: 4227/KOLNP/2009

Country of ref document: IN

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 08757665

Country of ref document: EP

Kind code of ref document: A1