WO2008154841A1 - Method, system and apparatus for protecting agent mobile internet protocol signaling - Google Patents

Method, system and apparatus for protecting agent mobile internet protocol signaling Download PDF

Info

Publication number
WO2008154841A1
WO2008154841A1 PCT/CN2008/071257 CN2008071257W WO2008154841A1 WO 2008154841 A1 WO2008154841 A1 WO 2008154841A1 CN 2008071257 W CN2008071257 W CN 2008071257W WO 2008154841 A1 WO2008154841 A1 WO 2008154841A1
Authority
WO
WIPO (PCT)
Prior art keywords
shared key
spi
mobile
proxy
pmip signaling
Prior art date
Application number
PCT/CN2008/071257
Other languages
French (fr)
Chinese (zh)
Inventor
Jie Zhao
Jixing Liu
Zhiming Li
Longgui Huang
Xin Zhong
Original Assignee
Huawei Technologies Co., Ltd.
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huawei Technologies Co., Ltd. filed Critical Huawei Technologies Co., Ltd.
Publication of WO2008154841A1 publication Critical patent/WO2008154841A1/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication
    • H04W12/069Authentication using certificates or pre-shared keys
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W80/00Wireless network protocols or protocol adaptations to wireless operation
    • H04W80/04Network layer protocols, e.g. mobile IP [Internet Protocol]

Definitions

  • the present invention relates to Mobile Internet Protocol (IP) technology, and more particularly to a method, system and apparatus for protecting Proxy Mobile IP (PMIP) signaling.
  • IP Mobile Internet Protocol
  • PMIP Proxy Mobile IP
  • FIG. 1 is a structural diagram of a prior art protection PMIP signaling system.
  • the system mainly includes: a mobile IP proxy, a home agent (HA, Home Agent), and a centralized control point.
  • the HA may also be referred to as a local mobility anchor (LMA, Local Mobility Anchor ) , The following is a description for the convenience of replacing the home agent.
  • LMA Local Mobility Anchor
  • the mobile IP proxy is usually located on the access entity of the wireless network where the mobile terminal is located, and replaces the mobile IP signaling interaction between the mobile terminal and the HA in its own management range, and usually moves IP IP signaling between the mobile IP proxy and the HA. Called PMIP signaling.
  • the mobile terminal interacts with the HA through a data tunnel established between the mobile IP agent and the HA.
  • the PMIP signaling interaction between the mobile IP proxy and the HA needs to be protected.
  • the PMIP signaling protection methods provided in the prior art include:
  • the centralized control point calculates the first shared key between the mobile IP proxy and the HA according to the obtained root key of the mobile proxy IP (PMN-RK), the IP address of the mobile IP proxy, the IP address of the HA, and a random number ( PMN-HA), and transmitting the first shared key together with the IP address of the HA, the identification information of the mobile terminal (NAI), and the random number required to calculate the second shared key to the mobile IP proxy; the mobile IP proxy
  • the PMIP signaling to be sent to the HA is protected by using the received first shared key, and the specific implementation of protecting the PMIP signaling is:
  • the mobile IP proxy calculates the signaling summary according to the received first shared key, and The calculated signaling summary is carried in the PMIP signaling and sent to the HA, where the PMIP signaling further includes an NAI of the mobile terminal, an IP address of the mobile IP proxy, and a random number required to calculate the second shared key.
  • the HA After receiving the PMIP signaling from the mobile IP proxy, the HA obtains relevant parameters from the signaling.
  • the second shared key is calculated in the same manner as the centralized control point, and the received PMIP is verified by using the calculated second shared key.
  • the specific verification method is: using the calculated second shared key Calculate the signaling summary in the same way as the mobile IP proxy, and compare the calculated signaling digest with the received signaling digest of the PMIP signaling. If the two are consistent, the second shared secret of the HA calculation is described. If the key is the same as the first shared key generated by the centralized control point, the verification is successful.
  • the HA When the verification is successful, the HA sends PMIP signaling to the mobile IP proxy, and the PMIP signaling to be transmitted is protected in the same manner as the mobile IP proxy.
  • also transmits the Generic Routing Encapsulation (GRE) key (Key) to the mobile IP proxy, and establishes an independent data tunnel between the mobile IP proxy and the HA for the mobile terminal.
  • GRE Generic Routing Encapsulation
  • the method for protecting PMIP signaling gives a method of generating a shared key between a mobile IP proxy and an HA, but does not teach how to identify a mobile IP proxy and a security association established by the HA for a particular mobile terminal.
  • the method, the security association here mainly refers to: a shared key between the mobile IP proxy and the HA, and may also include an algorithm for calculating a signaling summary that is pre-negotiated by the centralized control point and the HA. Therefore, after the shared key between the mobile IP proxy and the HA is determined, that is, after the security association between the two is determined, the HA receives the PMIP signaling from the mobile IP proxy, and performs integrity check on the PMIP signaling. Before the test, the security association corresponding to the PMIP signaling needs to be searched according to the IP address of the mobile IP proxy and the identification information of the mobile terminal. Such a search process is inefficient and does not comply with the current provisions of the protocol.
  • the method for protecting PMIP signaling in the prior art does not provide a method for transmitting a random number required for calculating a shared key, and the existing PMIP signaling does not support the transmission of a random number.
  • the embodiment of the present invention provides two methods for protecting PMIP signaling; on the other hand, four systems and devices for protecting and protecting PMIP signaling are provided, and the protection mechanism of PMIP signaling is improved.
  • the method for the first protection proxy to move the PMIP signaling includes: calculating a first shared key of the mobile IP proxy and the home agent HA;
  • the mobile IP proxy sends PMIP signaling to the HA, performs integrity protection on the PMIP signaling by using the first shared key, and carries the SPI in the PMIP signaling and sends the SPI to the HA; Receiving, by the HA, the PMIP signaling, calculating a second shared key by using the same method as calculating the shared key, and verifying integrity of the PMIP signaling by using the calculated second shared key, When the verification is successful, saving the calculated second shared key and the SPI;
  • the HA sends PMIP signaling to the mobile IP proxy, performs integrity protection on the PMIP signaling by using the calculated second shared key, and carries the SPI in the PMIP signaling.
  • the method for the second protection proxy to move the PMIP signaling includes: the mobile IP proxy receives or actively obtains the first shared key of the mobile IP proxy and the home agent HA calculated by the centralized control point, The HA sends the PMIP signaling, and the PMIP signaling is protected by using the first shared key, where the signaling carries a fixed identifier that triggers the SPI allocation;
  • the mobile IP proxy receives PMIP signaling from the HA, checks the integrity of the signaling with the first shared key, and saves the SPI when the verification is successful.
  • a centralized control point configured to calculate a first shared key between the mobile IP proxy and the home agent HA, and generate a security parameter index SPI that uniquely identifies the first shared key;
  • the mobile IP proxy is configured to receive, by the centralized control point, or actively obtain the first shared key and the SPI from the centralized control point, and send the first shared key pair to the HA by using the first shared key pair.
  • PMIP signaling for integrity protection carrying the SPI in the PMIP signaling;
  • the HA is configured to receive the PMIP signaling, calculate a second shared key by using the same method as the centralized control point, and verify the integrity of the received PMIP signaling by using the calculated second shared key, When the verification is successful, the calculated second shared key and the SPI carried by the PMIP signaling are saved.
  • a shared key calculation unit configured to calculate a first shared key between the mobile IP proxy and the HA; an SPI generating unit, configured to generate by using a random number generator, or generate a unique identifier to identify the first share by using a selected parameter calculation The SPI of the key.
  • a second system for protecting PMIP signaling includes: a centralized control point, configured to calculate a first shared key between the mobile IP proxy and the home agent HA; the mobile IP proxy, configured to acquire the shared key, and generate an SPI that uniquely identifies the first shared key Performing integrity protection on the PMIP signaling to be sent to the HA by using the first shared key, and carrying the SPI in the PMIP signaling;
  • the HA is configured to receive the PMIP signaling, calculate a second shared key by using the same method as the centralized control point, and verify the integrity of the received PMIP signaling by using the calculated second shared key, When the verification is successful, the calculated second shared key and the SPI carried by the PMIP signaling are saved.
  • a shared key obtaining unit configured to receive a first shared key sent by the centralized control point, or actively acquire the first shared key from the centralized control point;
  • An SPI generating unit configured to generate, by using a random number generator, or generate a SPI that uniquely identifies the first shared key by using a selected parameter calculation;
  • a signaling sending unit configured to send PMIP signaling to the HA, perform integrity protection on the PMIP signaling by using the first shared key, and carry the generated by the SPI generating unit in the PMIP signaling SPI.
  • a third protection proxy mobile PMIP signaling system includes: a centralized control point, configured to calculate a first shared key between a mobile IP proxy and a home agent HA; a mobile IP proxy, configured to obtain The first shared key sends PMIP signaling to the HA, and performs integrity protection on the PMIP signaling by using the first shared key, where the PMIP signaling carries a fixed identifier that triggers SPI allocation.
  • a centralized control point configured to calculate a first shared key between a mobile IP proxy and a home agent HA
  • the first shared key sends PMIP signaling to the HA, and performs integrity protection on the PMIP signaling by using the first shared key, where the PMIP signaling carries a fixed identifier that triggers SPI allocation.
  • Receiving PMIP signaling from the HA verifying integrity of the received PMIP signaling by using the first shared key, and acquiring the HA allocation from the received PMIP signaling when the verification is successful SPI;
  • the HA is configured to receive PMIP signaling from the mobile IP proxy, calculate a second shared key in the same manner as the centralized control point, and use the calculated second shared key to verify the received PMIP signaling.
  • the verification succeeds, generating an SPI that uniquely identifies the first shared key or the second shared key; and the SPI is carried in the PMIP signaling and sent to the mobile IP proxy, and is calculated.
  • the resulting second shared key performs integrity protection on the PMIP signaling to be sent to the mobile IP proxy.
  • a signaling transceiver unit for receiving PMIP signaling from a mobile IP proxy;
  • the generated SPI is carried in the PMIP signaling and sent to the mobile IP proxy, and the second shared key calculated by the check unit performs integrity protection on the PMIP signaling to be sent to the mobile IP proxy; Calculating the second shared key in the same way as the centralized control point, and verifying the integrity of the received PMIP signaling by using the calculated second shared key;
  • the SPI generating unit is configured to generate, by using a random number generator, when the verification unit is successfully verified, or generate an SPI that uniquely identifies the second shared key by using a selected parameter calculation.
  • a shared key obtaining unit configured to receive a first shared key that is sent by the centralized control point or actively acquires the mobile IP proxy and the HA from the centralized control point;
  • An SPI allocation triggering unit configured to send PMIP signaling to the HA, perform integrity protection on the PMIP signaling by using the first shared key, and carry a fixed identifier that triggers SPI allocation in the PMIP signaling ;
  • a checksum SPI obtaining unit configured to receive PMIP signaling from the HA, verify the integrity of the signaling by using the first shared key, and obtain, from the received PMIP signaling, when the verification succeeds An SPI that uniquely identifies the first shared key that is assigned by the HA.
  • a fourth protection proxy mobile PMIP signaling system includes: a centralized control point, configured to calculate a first shared key between a mobile IP proxy and a home agent HA, configured for the mobile IP proxy to generate Construct the parameters of the SPI;
  • a mobile IP proxy configured to acquire the first shared key, obtain a parameter for constructing an SPI, and generate an SPI that uniquely identifies the first shared key according to the parameter used to construct the SPI, by using the first
  • the shared key performs integrity protection on the PMIP signaling to be sent to the HA, and carries the SPI in the PMIP signaling;
  • the HA is configured to receive the PMIP signaling, calculate a second shared key by using the same method as the centralized control point, and verify the integrity of the received PMIP signaling by using the calculated second shared key, When the verification is successful, the calculated second shared key and the SPI carried by the PMIP signaling are saved.
  • the second centralized control point provided by the embodiment of the present invention includes:
  • a shared key calculation unit configured to calculate a first shared key between the mobile IP proxy and the HA
  • An SPI construction unit for generating with a random number generator, or generating parameters for constructing the SPI using selected parameters
  • An information sending unit configured to send the first shared key and the parameter used to construct the SPI Give the mobile IP proxy.
  • a shared key obtaining unit configured to receive a first shared key sent by a centralized control point, or actively obtain the first shared key from the centralized control point;
  • An SPI generating unit configured to receive a parameter sent by the centralized control point for constructing an SPI, and generate an SPI that uniquely identifies the first shared key by using the parameter used to construct the SPI;
  • a signaling sending unit configured to send PMIP signaling to the HA, perform integrity protection on the PMIP signaling by using the first shared key, and carry the generated by the SPI generating unit in the PMIP signaling SPI.
  • the first method for protecting PMIP signaling provided by the embodiment of the present invention generates a SPI that uniquely identifies the shared key of the mobile IP proxy and the HA by the centralized control point or the mobile IP, and the mobile IP proxy transmits the SPI to the SPI through the PMIP signaling.
  • HA HA calculates the key in the same way as the shared key, and saves the calculated key and SPI when the integrity check of the received PMIP signaling is successful.
  • the mobile IP agent and the security association established by the HA for the specific mobile terminal, including the shared key can be uniquely identified by the SPI, thereby perfecting the protection mechanism of the PMIP signaling.
  • a second method for protecting PMIP signaling when the HA receives the PMIP signaling from the mobile IP proxy that carries the fixed identifier that triggers the SPI allocation, the method uses the same method as the centralized control point to calculate the key. And using the calculated key to verify that the integrity of the received PMIP signaling is successful, generating an SPI that uniquely identifies the shared key; and transmitting the SPI in the PMIP signaling to the mobile IP proxy.
  • the mobile IP proxy and the security association established by the HA for the specific mobile terminal, including the shared key can be uniquely identified by the SPI, thereby perfecting the protection mechanism of the PMIP signaling.
  • the four systems for protecting PMIP signaling provided by the embodiments of the present invention respectively implement a method for generating an SPI generated by a centralized control point, generated by a mobile IP proxy, and generated by a HA to uniquely identify a shared key, and thus the four types of protection PMIP signaling
  • the system can achieve the purpose of perfecting the protection mechanism of PMIP signaling.
  • the first mobile IP proxy, the HA, and the first centralized control point provided by the embodiments of the present invention can generate an SPI that uniquely identifies the shared key, and thus can achieve the purpose of improving the protection mechanism of the PMIP signaling.
  • the second mobile IP proxy provided by the embodiment of the present invention can trigger and acquire the unique identifier SPI that the HA allocates as the shared key, so that the invention aims to improve the protection mechanism of the PMIP signaling.
  • the second centralized control point of the embodiment of the present invention generates a parameter for constructing the SPI for the mobile IP proxy.
  • the third mobile IP proxy generates an SPI that uniquely identifies the shared key according to the parameters used to construct the SPI, and thus can achieve the object of improving the protection mechanism of PMIP signaling.
  • FIG. 1 is a structural diagram of a prior art protection PMIP signaling system
  • Embodiment 1 is a flowchart of Embodiment 1 of a method for protecting PMIP signaling according to the present invention
  • Embodiment 3 is a flowchart of Embodiment 2 of a method for protecting PMIP signaling according to the present invention
  • Embodiment 4 is a flowchart of Embodiment 3 of a method for protecting PMIP signaling according to the present invention.
  • Embodiment 4 is a flowchart of Embodiment 4 of a method for protecting PMIP signaling according to the present invention
  • Embodiment 6 is a flowchart of Embodiment 5 of a method for protecting PMIP signaling according to the present invention.
  • Embodiment 7 is a flowchart of Embodiment 6 of a method for protecting PMIP signaling according to the present invention.
  • Embodiment 8 is a schematic structural diagram of Embodiment 1 of a system for protecting PMIP signaling according to the present invention.
  • Embodiment 9 is a schematic structural diagram of Embodiment 2 of a system for protecting PMIP signaling according to the present invention.
  • Embodiment 3 is a schematic structural diagram of Embodiment 3 of a system for protecting PMIP signaling according to the present invention.
  • Embodiment 7 is a flowchart of Embodiment 7 of a method for protecting PMIP signaling according to the present invention.
  • FIG. 12 is a schematic structural diagram of Embodiment 4 of a system for protecting PMIP signaling according to the present invention. detailed description
  • the centralized control point calculates a first shared key of the mobile IP proxy and the HA; generates an SPI that uniquely identifies the first shared key; the mobile IP proxy sends PMIP signaling to the HA, and uses the first shared key to the PMIP For integrity protection, the SPI is carried in the PMIP signaling and sent to the HA; the HA receives the PMIP signaling from the mobile IP proxy, and calculates the second shared key in the same way as the centralized control point, using the calculation The obtained second shared key verifies the integrity of the received PMIP signaling, and when the verification is successful, saves the calculated second shared key and the SPI carried in the received PMIP signaling; HA to mobile IP
  • the proxy returns the PMIP signaling, performs integrity protection on the PMIP signaling by using the calculated second shared key, and carries the SPI that uniquely identifies the first shared key in the PMIP signaling.
  • the SPI that uniquely identifies the first shared key may be generated by a centralized control point. It can also be generated by the mobile IP proxy; or the central control point generates parameters for constructing the SPI for the mobile IP proxy, and the mobile IP proxy generates an SPI that uniquely identifies the first shared key according to the parameters of the term construct SPI.
  • the method of generating an SPI that uniquely identifies the first shared key may be: the centralized control point is generated using a random number generator, or the selected parameter is used to generate an SPI that uniquely identifies the first shared key.
  • the method further includes: receiving, by the mobile IP proxy, or actively obtaining the first shared key calculated by the centralized control point and the SPI uniquely identifying the first shared key.
  • the method may also be: when the mobile IP proxy receives the first shared key sent by the centralized control point or actively acquires the first shared key from the centralized control point, generates the first identifier obtained by using the random number generator, or generates the unique identifier by using the selected parameter.
  • the SPI of the shared key may also be: when the mobile IP proxy receives the first shared key sent by the centralized control point or actively acquires the first shared key from the centralized control point, generates the first identifier obtained by using the random number generator, or generates the unique identifier by using the selected parameter.
  • the SPI of the shared key may also be: when the mobile IP proxy receives the first shared key sent by the centralized control point or actively acquires the first shared key from the centralized control point, generates the first identifier obtained by using the random number generator, or generates the unique identifier by using the selected parameter.
  • the selected parameters may include: a random number, and/or an IP address of the HA, and/or an IP address of the mobile IP proxy, and/or an SPI value, and/or Or proxy the root key of the mobile IP, etc.
  • the mobile IP proxy receives or actively acquires the first shared key of the mobile IP proxy and the HA calculated by the centralized control point, sends PMIP signaling to the HA, and protects the PMIP signaling by using the obtained first shared key, in the letter
  • the command carries a fixed identifier that triggers the SPI allocation
  • the HA After receiving the PMIP signaling from the mobile IP proxy, the HA calculates the second shared key in the same manner as the centralized control point, and uses the calculated second shared key to verify the integrity of the received PMIP signaling. When the verification succeeds, the SPI that uniquely identifies the first shared key is generated; the generated SPI is carried in the PMIP signaling and sent to the mobile IP proxy;
  • the mobile IP proxy After receiving the PMIP signaling from the HA, the mobile IP proxy verifies the integrity of the signaling by using the obtained first shared key, and saves the SPI carried by the PMIP signaling when the verification succeeds.
  • the fixed identifier of the set trigger SPI allocation may be: a set SPI that triggers a fixed value of the SPI allocation.
  • the method for generating the SPI that uniquely identifies the first shared key may be: HA is generated by using a random number generator, or using the selected parameter calculation to generate an SPI that uniquely identifies the first shared key;
  • the selected parameters may include: a random number, and/or an IP address of the HA, and/or an IP address of the mobile IP proxy, and/or an SPI value, and/or Or agent move The key to IP.
  • the two methods when the HA successfully checks the received PMIP signaling, the first shared key is the same as the second shared key, and the two methods further include: a data tunnel between the agent and itself;
  • the PMIP signaling that the HA interacts with the mobile IP proxy is protected with the first shared key or the second shared key, and in the interactive PMIP signaling.
  • the SPI carrying the first shared key is uniquely identified.
  • the centralized control point may calculate the first shared key of the mobile IP proxy and the home agent HA using the random number and other selected parameters, where other selected parameters may include: a proxy mobile IP root key, a mobile IP proxy IP address , HA's IP address.
  • the mobile IP proxy receives the random number required by the centralized control point or actively acquires the centralized control point to calculate the first shared key, and then randomly The number is carried in the PMIP signaling and sent to the HA.
  • the method for carrying the random number required to calculate the first shared key in the PMIP signaling may be: carrying the random number in an existing field of the PMIP signaling, or in a newly extended field.
  • the existing field can be selected.
  • the random number generator is used to generate the SPI that uniquely identifies the first shared key, or the SPI is generated by the random number calculation, the random number required for the centralized control point to calculate the first shared key can be directly used by the generated SPI. .
  • the mobile IP proxy may be a mobility agent (MPA, Mobility Proxy Agent), or a proxy mobile entity ( ⁇ , Proxy Mobile Agent), or an evolved base station (eBS, evolved base station) of the CDMA evolved network, or Access Gateway (AGW, Access Gateway)! Because these entities can replace mobile terminals to send mobile IP messages.
  • the centralized control point can be the Signaling Radio Network Controller (SRNC) or AGW of the CDMA evolved network.
  • SRNC Signaling Radio Network Controller
  • AGW Access Gateway
  • the HA can be an AGW in a CDMA evolved network.
  • Embodiment 1 is a flowchart of Embodiment 1 of a method for protecting PMIP signaling according to the present invention.
  • a shared key between a mobile IP proxy and an HA and an SPI uniquely identifying the shared key are generated by a centralized control point. The process includes:
  • Step 201 The centralized control point calculates a first shared key between the mobile IP proxy and the HA, and the same An SPI that uniquely identifies the first shared key is generated.
  • the parameters involved in the calculation may include: a root key of the proxy mobile IP, an IP address of the mobile IP proxy, an IP address of the HA, and a random number.
  • the method of calculating the shared key or SPI can be: Using a single function such as a hash function to generate a fixed number of values for all parameters selected for computing the shared key or SPI.
  • the centralized control point needs to ensure that the calculated SPI can uniquely identify the first shared key of the mobile IP proxy and the HA, that is, to ensure that the SPI can uniquely identify the security association established between the mobile IP proxy and the HA for a particular mobile terminal.
  • Step 202 The centralized control point passes the calculated first shared key and SPI to the mobile IP agent.
  • Step 203 The mobile IP proxy sends PMIP signaling to the HA, where the signaling carries the parameters required by the SPI and the HA to calculate the second shared key, and protects the signaling by using the first shared key calculated by the centralized control point.
  • the specific implementation method for protecting the PMIP signaling to be sent by using the shared key is: calculating a signaling summary according to the received shared key, and carrying the calculated signaling summary in the required In the PMIP signaling sent.
  • Step 204 After receiving the PMIP signaling from the mobile IP proxy, the HA obtains the necessary parameters from the signaling, calculates the second shared key in the same manner as the centralized control point, and uses the calculated second shared key. Verifying the integrity of the received PMIP signaling. If the second shared key calculated by the HA is the same as the first shared key calculated by the centralized control point, the data between the mobile IP proxy and the HA is established for the mobile terminal. Tunnel, and save the SPI carried by the received PMIP signaling type.
  • the HA Before saving the SPI, the HA can also verify the validity of the SPI by using the same computational SPI as the centralized control point.
  • Step 205 The HA sends PMIP signaling to the mobile IP proxy, where the signaling is protected by using the first shared key or the second shared key between the calculated HA and the mobile IP proxy, and the first shared secret is uniquely identified.
  • the SPI of the key is carried in the PMIP signaling.
  • FIG. 3 is a flowchart of Embodiment 2 of a method for protecting PMIP signaling according to the present invention.
  • a shared key between a mobile IP proxy and an HA is generated by a centralized control point, and the SPI is calculated and generated by a mobile IP proxy.
  • the process includes:
  • Step 301 The centralized control point calculates to generate a first shared key between the mobile IP proxy and the HA.
  • the parameters involved in the calculation may include: a proxy mobile IP root key, a mobile IP proxy IP address, an HA IP address, and a random number.
  • Step 302 The centralized control point passes the calculated first shared key to the mobile IP proxy. If the random number participates in the calculation of the shared key, the random number is simultaneously sent to the mobile IP proxy.
  • Step 303 The mobile IP proxy calculates an SPI that uniquely identifies the received first shared key, and the parameters involved in the calculation may include: a shared key between the proxy mobile IP and the HA, an IP address of the mobile IP proxy, an IP address of the HA, Root SPI value and random number.
  • the random number used by the SPI can be the same or different.
  • Step 304 The mobile IP proxy sends PMIP signaling to the HA, where the signaling carries the parameters required by the SPI and the HA to calculate the second shared key, and protects the signaling by using the first shared key between the mobile IP proxy and the HA. .
  • Step 305 After receiving the PMIP signaling from the mobile IP proxy, the HA obtains the necessary parameters from the signaling, calculates the second shared key in the same manner as the centralized control point, and uses the calculated second shared key. Verifying the integrity of the received PMIP signaling. If the verification is successful, the second shared key calculated by the HA is the same as the first shared key calculated by the centralized control point, and the mobile terminal establishes a relationship between the mobile IP proxy and the HA. Data tunnel, and save the SPI carried in the received PMIP signaling.
  • the HA can verify the SPI in the same way as the Mobile IP Agent before saving the SPI.
  • Step 306 The HA sends the PMIP signaling to the mobile IP proxy, where the signaling is also protected by using the first shared key or the second shared key between the HA and the mobile IP proxy, and the signaling carries the unique identifier.
  • the SPI of the shared key is also protected by using the first shared key or the second shared key between the HA and the mobile IP proxy, and the signaling carries the unique identifier.
  • Subsequent PMIP signaling interactions can continue to use the shared key and SPI described above. Specifically: if the lifetime of the data tunnel established by the mobile IP proxy and the HA for the specific mobile terminal needs to be re-created, the shared key and the SPI, HA and mobile that uniquely identify the shared key need not be recalculated. The PMIP signaling of the IP proxy interaction is still protected by the original shared key and is interactive. The PMIP signaling carries an SPI that uniquely identifies the original shared key.
  • FIG. 4 is a flowchart of Embodiment 3 of a method for protecting PMIP signaling according to the present invention.
  • a shared key between a mobile IP proxy and an HA is generated by a centralized control point.
  • the SPI in the initial PMIP signaling uses a fixed value that is used by the SPI to trigger the HA to assign an SPI that uniquely identifies the shared key between the HA and the mobile IP proxy.
  • the process includes:
  • Step 401 The centralized control point calculates a first shared key between the mobile IP proxy and the HA.
  • the parameters involved in the calculation may include: a proxy mobile IP root key, a mobile IP proxy IP address, an HA IP address, and a random number.
  • Step 402 The centralized control point passes the calculated first shared key to the mobile IP proxy. If the random number used in calculating the first shared key is calculated, the random number needs to be transmitted to the mobile IP proxy.
  • Step 403 The mobile IP proxy sends PMIP signaling to the HA, where the signaling is protected by the first shared key between the mobile IP proxy and the HA, and carries a fixed value SPI for triggering the HA to perform SPI allocation.
  • the fixed-value SPI for triggering the HA for SPI allocation is preset, and the HA is pre-negotiated with the mobile IP proxy.
  • other identification information can also be set to trigger the HA to perform SPI allocation.
  • Step 404 After receiving the PMIP signaling from the mobile IP proxy, the HA obtains the necessary parameters from the signaling, calculates the second shared key in the same manner as the centralized control point, and uses the calculated second shared secret. Key verification of the integrity of the received PMIP signaling. If the verification is successful, the second shared key calculated by the HA is the same as the first shared key calculated by the centralized control point, and the mobile IP proxy and the HA are established for the mobile terminal. The data tunnel between the two, and the HA allocates an SPI for the calculated second shared key. The SPI is unique and can uniquely identify the security association to which the first shared key or the second shared key belongs.
  • Step 405 The HA sends PMIP signaling to the mobile IP proxy, where the signaling is protected by using a second shared key or a first shared key between the HA and the mobile IP proxy, where the signaling carries the SPI allocated in step 404. .
  • Step 406 The mobile IP proxy receives the PMIP signaling from the HA, and checks the integrity of the signaling by using the first shared key between the mobile IP proxy and the HA. When the verification succeeds, the PMIP signaling is saved. Carrying SPI.
  • the PMIP signaling for subsequent HA and mobile IP proxy interactions can continue to be calculated using centralized control points
  • the first shared key is integrity protected and carries the HA assigned SPI in the interactive PMIP signaling. Specifically: if the mobile IP proxy and the HA establish the lifetime of the data tunnel established for the specific mobile terminal, and need to re-create the data tunnel, there is no need to recalculate the shared key and generate the SPI, HA and mobile that uniquely identify the shared key.
  • the PMIP signaling of the IP proxy interaction is still protected by the original shared key, and the SPI that uniquely identifies the original shared key is carried in the interactive PMIP signaling.
  • FIG. 5 is a flowchart of Embodiment 4 of a method for protecting PMIP signaling according to the present invention.
  • a shared key between a mobile IP proxy and an HA and an SPI are generated by a centralized control point, and the calculation includes a random number.
  • the Mobile IP Agent uses the existing fields of PMIP signaling to pass random numbers to HA. The process includes:
  • Step 501 The centralized control point generates an SPI for the mobile IP proxy, and the SPI is generated by a random number generator, or is generated by using a random number and other selected parameters.
  • the centralized control point is to ensure the uniqueness of the generated SPI in all SPIs associated with the mobile terminal being served.
  • the centralized control point calculates a first shared key between the mobile IP proxy and the HA.
  • the parameters involved in the calculation include: a root key of the proxy mobile IP, an SPI, an IP address of the mobile IP proxy, And the IP address of HA, etc.
  • the SPI itself is a random number or is generated by a random number
  • the centralized control point can participate in the calculation of the shared key as a random number.
  • Step 502 The centralized control point passes the calculated first shared key and the generated SPI to the mobile IP proxy.
  • Step 503 The mobile IP proxy sends PMIP signaling to the HA, where the signaling is protected by a first shared key between the mobile IP proxy and the HA, and the signaling includes an SPI that uniquely identifies the first shared secret.
  • Step 504 After receiving the PMIP signaling from the mobile IP proxy, the HA obtains necessary parameters from the signaling, including information such as the IP address of the SPI and the mobile IP proxy, and calculates the second method in the same manner as the centralized control point. Sharing the key, and verifying the integrity of the received PMIP signaling by using the calculated second shared key. If the verification is successful, the second shared key calculated by the HA is the same as the first shared key calculated by the centralized control point. Then, the SPI obtained from the PMIP signaling is saved, and a data tunnel between the mobile IP proxy and the HA is established for the mobile terminal.
  • Step 505 The HA sends the PMIP signaling to the mobile IP proxy, where the signaling is protected by the first shared key or the second shared key between the HA and the mobile IP proxy, and the signaling carries the unique identifier of the first share.
  • the SPI of the key The SPI of the key.
  • FIG. 6 and FIG. 7 The embodiment of FIG. 6 and FIG. 7 is described by taking a CDMA evolved network as an example, where the eBS acts as a mobile IP. Agent, AGW acts as HA, and SRNC acts as a centralized control point.
  • Step 601 The AT establishes a connection with eBS1, and the SRNC saves session information between the AT and the eBS1.
  • Step 602 The SRNC initiates access authentication with the AT, and the authentication server is an AAA server of the AT home network.
  • the SRNC and the AGW obtain the root key of the proxy mobile IP from the HAAA (PMN-RK, Proxy Mobile Node - Root Key ) radical
  • Step 603 The SRNC calculates the first shared key PMN-HA1 between the eBS1 and the AGW, and carries the AGW IP address, the AT ⁇ , the ⁇ - ⁇ , and the random number noncel in the signaling to the eBS1.
  • PMN-HA1 is generated by SRNC based on PMN-RK, IP address of eBS1, IP address of AGW, and noncel calculation.
  • Step 604 The eBS1 sends the link ID to the AT, where the Link ID indicates the identity of the link layer in the AGW range.
  • Step 605 The AT transmits the Link ID to the AT layer of the AT.
  • Step 606 The eBS1 sends PMIP signaling to the AGW, and the eBS1 protects the PMIP signaling to be sent by using the first shared key PMN-HA1 obtained from the SRNC.
  • eBS1 will be based on the first shared key
  • the signaling summary of the PMN-HA1 calculation is carried in the PMN-HA AAA (PMN-HA Authentication Extension) field.
  • PMN-HA AE field also contains a fixed value SPI for triggering the AGW to perform SPI allocation.
  • the PMIP signaling also includes AT identification information (NAI), eBS1 IP address, and noncel, which are included in the lower 32 bits of the Identification field.
  • Step 607 After receiving the PMIP signaling from the eBS1, the AGW obtains the noncel from the Identification field, calculates the second shared key PMN-HA1 in the same manner as the SRNC, and performs the integrity check on the PMIP signaling by using the PMN-HA1. If the check is successful, the AGW assigns a unique SPI to PMN-HA1, which is used to identify the security association to which PMN-HA1 belongs.
  • Step 608 The AGW sends the PMIP signaling to the eBS1, and the signaling is protected by the PMN-HA1.
  • the Authentication Extended MN-HA AE field includes the allocated SPI.
  • the AGW also transmits the GRE key to the eBS1, in order to establish an independent data tunnel between the eBS1 and the AGW for the currently served AT.
  • the data tunnel is encapsulated by GRE and identified by Key.
  • step 609 the eBS1 notifies the SRNC of the GRE key assigned by the AGW.
  • Step 610 The IP layer of the AT determines whether it needs to acquire a new IP address according to the value of the Link ID. If it needs to acquire a new IP address, it requests an IP address from the AGW, and the AGW sends the assigned IP address to the AT.
  • Each AT may establish a connection with multiple eBSs.
  • steps 611 to 614 are performed.
  • Step 611 The AT adds the eBS2 to the AT route set, and establishes an air interface connection with the eBS2.
  • the eBS2 obtains the AGW IP address, the GRE Key, the first shared key PMN-HA2 between the eBS2 and the AGW generated by the SRNC calculation, and the random number nonce2 through interaction with the SRNC.
  • PMN-HA2 is different from the PMN-HA1 key used by eBS1.
  • PMN-HA2 is generated by SRNC based on PMN-RK, eBS2 IP address, AGW IP address, and nonce2.
  • Step 612 The eBS2 sends PMIP signaling to the AGW, and the eBS2 protects the PMIP signaling by using the PMN-HA2 obtained from the SRNC.
  • the PMIP signaling also includes the NAI of the AT, the IP address of the eBS2, the GRE Key, and the identification field includes the nonce2, and the SPI of the authentication extension MN-HAAE field carries a fixed value.
  • Step 613 After receiving the PMIP signaling from the eB2, the AGW extracts the nonce2, calculates the second shared key PMN-HA2 in the same manner as the SRNC, and performs integrity check on the received PMIP signaling by using the PMN-HA2. If the verification is successful, an SPI that uniquely identifies the security association to which the PMN-HA2 belongs is assigned.
  • step 614 the AGW sends the PMIP signaling to the eB2, and the signaling is protected by the PMN-HA2.
  • the authentication extended MN-HAAE field includes the SPI allocated in step 613.
  • the AGW no longer allocates a new GRE key, but uses the GRE key carried by the eBS2 in the PMIP signaling as the identifier of the tunnel between the eBS2 and the AGW.
  • Each data tunnel between the AGW and the eSB is a lifetime.
  • the AGW and the eBS1 can be determined.
  • the shared key PMN-HA1 protects the interacting PMIP signaling and carries the determined SPI1 in the PMIP signaling.
  • the PMN-HA2 and SPI1 can also be used for PMIP signaling interaction.
  • the eBS when the eBS transmits the random number of the shared key to the AGW through the PMIP signaling, the eBS carries the random number in the existing indication field in the PMIP signaling and sends the random number to the AGW.
  • the eBS may also send a random number in the newly extended field to the AGW by extending a new field in the PMIP signaling, such as a Nonce field.
  • FIG. 7 is a flowchart of Embodiment 6 of a method for protecting PMIP signaling according to the present invention.
  • the SPI acts as a random number.
  • the process includes:
  • Step 701 The AT establishes a connection with the eBS1, and the SRNC saves the session information between the AT and the eBS1.
  • Step 702 The SRNC initiates access authentication with the AT, and the authentication server is an AAA server of the AT home network. In the access authentication process, the SRNC and the AGW obtain the proxy mobile IP from the HAAA.
  • Step 703 The SRNC sends the IP address of the AGW, the NAI of the AT, the generated SPI1, and the first shared key PMN-HA1 calculated by using the SPI1 to the eBS1.
  • the SPI1 is generated by the SRNC based on the IP address of the eBS1, the IP address of the AGW, and a random number.
  • the first shared key PMN-HA1 is generated by the SRNC based on the PMN-RK and SPI1.
  • Step 704 The eBS1 sends the link ID to the AT, where the Link ID indicates the identifier of the link layer in the AGW range.
  • Step 705 The AT transmits the Link ID to the AT layer of the AT.
  • Step 706 The eBS1 sends PMIP signaling to the AGW, and the eBS1 protects the PMIP signaling by using the first shared key PMN-HA1 obtained from the SRNC.
  • the PMIP signaling includes the IP addresses of the SPI1 and the AT and the eBS1 of the AT.
  • eB S 1 carries the signaling digest calculated according to PMN-HA1 in the PMN-HAAE field, and PMN-HAAE also includes SPI1.
  • Step 707 After receiving the PMIP signaling from the eBS1, the AGW obtains the SPI1 from the UE. Because the AGW also has the PMN-RK, the AGW calculates the second shared key PMN-HA1 in the same manner as the SRNC. The shared key PMN-HA1 verifies the message. If the check is successful, save the acquired SPI1.
  • Step 708 The AGW sends PMIP signaling to the eBS1, protects the signaling by using the PMN-HA1, and carries the SPI1 in the PMN-HAAE field.
  • the AGW also transmits the GRE key to eBSl.
  • the purpose is to establish an independent data tunnel between the eBS1 and the AGW for the currently serving AT.
  • the data tunnel is encapsulated by GRE and identified by Key.
  • step 709 the eBS1 interacts with the SRNC to notify the SRNC of the GRE key assigned by the AGW.
  • Step 710 The IP layer of the AT determines whether it needs to acquire a new IP address according to the value of the Link ID. If a new IP address needs to be obtained, the IP address is requested from the AGW, and the AGW sends the assigned IP address to the AT.
  • Each AT may establish a connection with multiple eBSs.
  • steps 711 to 714 are performed.
  • Step 711 The AT adds the eBS2 to its own route set, and establishes an air interface connection with the eBS2.
  • eBS2 obtains the AGW IP address, GRE Key, PMN-HA2, and SPI2 generated by parameters such as random numbers through interaction with SRNC.
  • the SPI2 is generated by the SRNC according to the IP address of the eBS2, the IP address of the AGW, and a random number.
  • the first shared key PMN-HA2 is different from the PMN-HA1 key used by the eBS1, and the SRNC is based on the SPI2 and the PMN. -RK calculation generated.
  • Step 712 The eBS2 sends PMIP signaling to the AGW, and the eBS2 protects the signaling by using the first shared key PMN-HA2 obtained from the SRNC, and carries the SPI2 in the PMN-HAAE field.
  • the PMIP message also includes the AT of the AT, the IP address of the eBS2, and the GRE Key.
  • Step 713 After receiving the PMIP signaling from the eBS2, the AGW obtains the SPI2 from the UE, calculates the second shared key PMN-HA2 in the same manner as the SRNC, and uses the calculated disc sharing key PMN-HA2 to signal the PMIP. The check is performed, and if the check is successful, the acquired SPI2 is saved.
  • Step 714 The AGW sends PMIP signaling to the eBS2, protects the signaling by using the PMN-HA2, and carries the SPI2 in the PMN-HAAE field.
  • the AGW no longer allocates a new GRE key, but uses the GRE key carried in the PMIP signaling sent by the eBS2 as the identifier of the data tunnel between the AGW and the eBS2.
  • Each data tunnel between the AGW and the eSB is a lifetime.
  • the AGW and the eBS1 can be determined.
  • the shared key PMN-HA1 protects the interacting PMIP signaling and carries the determined SPI1 in the PMIP signaling.
  • the PMN-HA2 and SPI1 can also be used for PMIP signaling interaction.
  • Embodiments of the present invention also provide three systems for protecting PMIP signaling.
  • FIG. 8 is a schematic structural diagram of Embodiment 1 of a system for protecting PMIP signaling according to the present invention.
  • the system includes: a centralized control point for calculating a first shared key between the mobile IP proxy and the home agent HA, Generating an SPI that uniquely identifies the first shared key;
  • a mobile IP proxy configured to receive the first shared key and the SPI sent by the centralized control point or actively from the centralized control point, and perform integrity protection on the PMIP signaling to be sent to the HA by using the obtained first shared key Carrying the acquired SPI in the PMIP signaling to be sent;
  • HA configured to receive PMIP signaling from the mobile IP proxy, calculate the second shared key in the same manner as the centralized control point, and verify the integrity of the received PMIP signaling by using the calculated second shared key When the verification is successful, the calculated second shared key and the received SPI carried by the PMIP signaling are saved.
  • the centralized control points of the system include:
  • a shared key calculation unit configured to calculate a first shared key between the mobile IP proxy and the HA
  • the SPI generating unit is configured to generate, by using a random number generator, or generate a SPI that uniquely identifies the first shared key calculated by the first shared key computing unit by using the selected parameter calculation.
  • the centralized control point may further include: an information sending unit, configured to send the first shared key calculated by the first shared key calculation unit and the SPI generated by the SPI generating unit to the mobile IP proxy.
  • the shared key calculation unit in the centralized control point may be composed of a random number acquisition unit and a key calculation unit. among them,
  • a random number obtaining unit configured to obtain the generated SPI from the SPI generating unit
  • the key calculation unit is configured to calculate the shared key between the mobile IP proxy and the HA by using the SPI acquired by the random number obtaining unit as a random number.
  • FIG. 9 is a schematic structural diagram of Embodiment 2 of a system for protecting PMIP signaling according to the present invention.
  • the system includes: a centralized control point, configured to calculate a first shared key between the mobile IP proxy and the home agent HA; a mobile IP proxy, configured to obtain a first shared key calculated by the centralized control point, and generate a unique identifier a shared key SPI, using the first shared key to perform integrity protection on the PMIP signaling to be sent to the HA, and carrying the generated SPI in the PMIP signaling to be sent;
  • HA configured to receive PMIP signaling from the mobile IP proxy, calculate the second shared key in the same manner as the centralized control point, and verify the integrity of the received PMIP signaling by using the calculated second shared key When the verification is successful, the calculated second shared key and the received SPI carried by the PMIP signaling are saved.
  • the mobile IP proxy includes: a shared key obtaining unit, configured to receive a first shared key sent by a centralized control point, or actively obtain a first shared key from a centralized control point;
  • An SPI generating unit configured to generate, by using a random number generator, or generate a SPI that uniquely identifies the first shared key obtained by using the selected parameter;
  • the signaling sending unit is configured to send PMIP signaling to the HA, perform integrity protection on the PMIP signaling to be sent by using the first shared key, and carry the SPI generated by the SPI generating unit in the PMIP signaling to be sent.
  • FIG. 10 is a schematic structural diagram of Embodiment 3 of a system for protecting PMIP signaling according to the present invention.
  • the system comprises: a centralized control point, configured to calculate a first shared key between the mobile IP proxy and the home agent HA; a mobile IP proxy, configured to obtain a first shared key calculated by the centralized control point, and send a PMIP letter to the HA And performing integrity protection on the PMIP signaling by using the obtained first shared key, carrying a fixed identifier for triggering SPI allocation in the PMIP signaling, receiving PMIP signaling from the HA, and using the obtained first
  • the shared key checks the integrity of the received PMIP signaling. When the verification succeeds, the SPI that uniquely identifies the first shared key or the second shared key is obtained from the received PMIP signaling.
  • HA configured to receive PMIP signaling from the mobile IP proxy, calculate the second shared key in the same manner as the centralized control point, and verify the integrity of the received PMIP signaling by using the calculated second shared key When the verification succeeds, generating an SPI that uniquely identifies the first shared key or the second shared key; carrying the SPI in the PMIP signaling and sending the same to the mobile IP proxy, using the calculated second shared key pair PMIP signaling to be sent to the Mobile IP Agent for integrity protection.
  • the home agent HA includes:
  • a signaling transceiver unit configured to receive PMIP signaling from the mobile IP proxy; the SPI generated by the SPI generating unit is carried in the PMIP signaling and sent to the mobile IP proxy, and the second shared key pair calculated by the check unit is used. PMIP signaling sent to the mobile IP proxy for integrity protection;
  • the verification unit calculates the second shared key in the same manner as the centralized control point, and verifies the integrity of the received PMIP signaling by using the calculated second shared key;
  • the SPI generating unit is configured to generate, by using a random number generator, or generate a SPI that uniquely identifies the first shared key or the second shared key by using a selected parameter calculation when the check unit is successfully verified.
  • Mobile IP agents include:
  • a shared key obtaining unit configured to receive a centralized control point or actively obtain from a centralized control point The first shared key of the mobile IP proxy and the HA;
  • the SPI allocation triggering unit is configured to send PMIP signaling to the HA, and perform integrity protection on the PMIP signaling by using the first shared key obtained by the shared key obtaining unit, and carry the set trigger SPI allocation in the PMIP signaling.
  • a checksum SPI obtaining unit configured to receive PMIP signaling from the HA, and verify the integrity of the signaling by using the first shared key obtained by the shared key obtaining unit, and when the verification succeeds, the received PMIP
  • the SPI that is assigned by the HA to uniquely identify the first shared key or the second shared key is obtained in the signaling.
  • FIG. 11 is a flowchart of Embodiment 7 of a method for protecting PMIP signaling according to the present invention.
  • a shared key between a mobile IP proxy and an HA is generated by a centralized control point, and the calculation includes a random number.
  • the centralized control point generates parameters for constructing the SPI for the mobile IP proxy. The process includes:
  • Step 1101 The centralized control point calculates a first shared key between the mobile IP proxy and the HA, and generates a parameter for constructing the SPI for the mobile IP proxy, where the constructor parameter may be generated by a random number generator, or by using a random number and Other selected parameters are calculated and generated.
  • the centralized control point calculates the first shared key between the mobile IP proxy and the HA.
  • the parameters involved in the calculation include: the root key of the proxy mobile IP, the SPI configuration parameter, and the IP of the mobile IP proxy. Address, and IP address of HA, etc.
  • the centralized control point can participate in the calculation of the second shared key as a random number.
  • Step 1102 The centralized control point passes the calculated first shared key and parameters for constructing the SPI to the mobile IP proxy.
  • Step 1103 The mobile IP proxy generates an SPI according to the SPI configuration parameters.
  • Step 1104 The mobile IP proxy sends PMIP signaling to the HA, the signaling is protected by a first shared key between the mobile IP proxy and the HA, and the signaling includes an SPI that uniquely identifies the first shared secret.
  • Step 1105 after receiving the PMIP signaling from the mobile IP proxy, the HA obtains necessary parameters from the signaling, including information such as SPI or parameters for constructing the SPI and the IP address of the mobile IP proxy, and centralized control.
  • the same method is used to calculate the second shared key, and the calculated second shared key is used to verify the integrity of the received PMIP signaling. If the verification is successful, the second shared key calculated by the HA and the centralized control point are calculated. If the first shared key is the same, the SPI obtained from the PMIP signaling is saved, and a data tunnel between the mobile IP proxy and the HA is established for the mobile terminal.
  • Step 1106 The HA sends the PMIP signaling to the mobile IP proxy, where the signaling is protected by the first shared key or the second shared key between the HA and the mobile IP proxy, and the signaling carries the unique identifier of the first share.
  • the SPI of the key The SPI of the key.
  • FIG. 12 is a schematic structural diagram of Embodiment 4 of a system for protecting PMIP signaling according to the present invention.
  • the system includes: a centralized control point for calculating a first shared key between the mobile IP proxy and the home agent HA, and generating parameters for constructing the SPI for the mobile IP proxy;
  • a mobile IP proxy configured to obtain the first shared key, obtain a parameter for constructing the SPI, generate an SPI that uniquely identifies the first shared key according to a parameter used to construct the SPI, and use the first shared key to Performing integrity protection on the PMIP signaling sent to the HA, and carrying the SPI in the PMIP signaling;
  • the home agent HA is configured to receive the PMIP signaling, calculate a second shared key in the same manner as the centralized control point, and verify the integrity of the received PMIP signaling by using the calculated second shared key. When the verification is successful, the calculated second shared key and the SPI carried by the PMIP signaling are saved.
  • Centralized control points include:
  • a shared key calculation unit configured to calculate a first shared key between the mobile IP proxy and the HA
  • an SPI construction unit configured to generate by using a random number generator, or generate a parameter for constructing the SPI by using a selected parameter
  • an information sending unit configured to send the first shared key and the parameter used to construct the SPI to the mobile IP proxy.
  • Mobile IP agents include:
  • a shared key obtaining unit configured to receive a first shared key sent by a centralized control point, or actively obtain the first shared key from the centralized control point;
  • An SPI generating unit configured to receive a parameter sent by the centralized control point for constructing the SPI, and use the parameter for constructing the SPI to generate an SPI that uniquely identifies the first shared key;
  • the signaling sending unit is configured to send PMIP signaling to the HA, perform integrity protection on the PMIP signaling by using the first shared key, and carry the SPI generated by the SPI generating unit in the PMIP signaling.
  • the shared key between the mobile IP proxy and the HA is calculated by the centralized control point, and the shared control key or the mobile IP proxy or the HA generates a shared key that uniquely identifies the mobile IP proxy and the HA.
  • SPI using the shared key calculated by the centralized control point to perform integrity protection on the PMIP signaling of the mobile IP proxy and the HA interaction, and carrying the generated SPI in the PMIP signaling,
  • the HA can search for the security association corresponding to the PMIP signaling according to the SPI.
  • Such a search process is not only efficient but also conforms to the current provisions of the protocol. Therefore, the method for protecting PMIP signaling provided by the embodiment of the present invention improves the protection mechanism of PMIP signaling.
  • the four systems for protecting PMIP signaling provided by the embodiments of the present invention respectively implement a method for generating an SPI generated by a centralized control point, generated by a mobile IP proxy, and generated by a HA to uniquely identify a shared key, and thus the four types of protection PMIP signaling
  • the system can achieve the purpose of perfecting the protection mechanism of PMIP signaling.
  • the first mobile IP proxy, the HA, and the first centralized control point provided by the embodiments of the present invention can generate an SPI that uniquely identifies the shared key, and thus can achieve the purpose of improving the protection mechanism of the PMIP signaling.
  • the second mobile IP proxy provided by the embodiment of the present invention can trigger and acquire the unique identifier SPI that the HA allocates as the shared key, so that the invention aims to improve the protection mechanism of the PMIP signaling.
  • the second centralized control point generates a parameter for constructing the SPI for the mobile IP proxy
  • the third mobile IP proxy generates the SPI that uniquely identifies the shared key according to the parameter used to construct the SPI, so that the SPI can be perfected.
  • the object of the invention of the protection mechanism of PMIP signaling.
  • the embodiment of the present invention provides a method for generating an SPI, which improves the protection mechanism of the PMIP signaling, and improves the efficiency of the HA to find a security association of a specific mobile terminal.
  • the embodiment of the present invention further provides a method for transmitting a random number required for a centralized control point to calculate a shared key, which not only further improves the protection mechanism of the PMIP signaling, but also has little impact on the existing protocol.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

Two methods for protecting PMIP signaling are provided. The first is that the centralized controlling node or the mobile IP agent generates SPI for uniquely identifying the shared key, or triggered by the IP agent and the home agent HA generates SPI for uniquely identifying the shared key. Four systems for protecting the PMIP signaling are also provided. The four systems respectively realize the method for generating SPI for uniquely identifying the shared key, the SPI was generated respectively by the centralized controlling node, by the mobile IP agent and by the HA. A mobile IP agent, a centralized controlling node and a home agent which can generate SPI for uniquely identifying the shared key are also provided. Another mobile IP agent for triggering the home agent to generate the SPI for uniquely identifying the shared key is also provided. The solutions of the method, system and apparatus are to perfect the protection mechanism of the PMIP signaling.

Description

保护代理移动互联网协议信令的方法、 系统及装置  Method, system and device for protecting proxy mobile internet protocol signaling
技术领域 Technical field
本发明涉及移动互联网协议(IP )技术, 特别涉及保护代理移动 IP ( PMIP ) 信令的方法、 系统及装置。 背景技术  The present invention relates to Mobile Internet Protocol (IP) technology, and more particularly to a method, system and apparatus for protecting Proxy Mobile IP (PMIP) signaling. Background technique
代理移动 IP技术是在移动 IP的基础上提出的,它的目的是为不支持移动 IP 的终端也提供移动性管理服务, 另外还可以减少空口信令的传递。 图 1 为现有 技术保护 PMIP信令系统的结构图, 该系统主要包括: 移动 IP代理、 家乡代理 ( HA, Home Agent )以及集中控制点, HA也可以称为本地移动性锚点( LMA, Local Mobility Anchor ) , 以下为了描述方便用 ΗΑ代替家乡代理。  The proxy mobile IP technology is proposed on the basis of mobile IP. Its purpose is to provide mobility management services for terminals that do not support mobile IP, and also to reduce the transmission of air interface signaling. FIG. 1 is a structural diagram of a prior art protection PMIP signaling system. The system mainly includes: a mobile IP proxy, a home agent (HA, Home Agent), and a centralized control point. The HA may also be referred to as a local mobility anchor (LMA, Local Mobility Anchor ) , The following is a description for the convenience of replacing the home agent.
其中, 移动 IP代理通常位于移动终端所在无线网络的接入实体上, 代替自 身管理范围内的移动终端与 HA进行移动 IP信令交互, 通常将移动 IP代理与 HA之间交互的移动 IP信令称为 PMIP信令。 移动终端与 HA通过在移动 IP代 理和 HA间建立的数据隧道进行数据交互。  The mobile IP proxy is usually located on the access entity of the wireless network where the mobile terminal is located, and replaces the mobile IP signaling interaction between the mobile terminal and the HA in its own management range, and usually moves IP IP signaling between the mobile IP proxy and the HA. Called PMIP signaling. The mobile terminal interacts with the HA through a data tunnel established between the mobile IP agent and the HA.
移动 IP代理与 HA之间交互的 PMIP信令需要被保护, 现有技术中提供的 PMIP信令保护方法包括:  The PMIP signaling interaction between the mobile IP proxy and the HA needs to be protected. The PMIP signaling protection methods provided in the prior art include:
集中控制点根据获取的移动代理 IP的根密钥 (PMN-RK )、 移动 IP代理的 IP地址、 HA的 IP地址以及一个随机数计算出移动 IP代理和 HA之间的第一共 享密钥(PMN-HA ), 并将该第一共享密钥连同 HA的 IP地址、 移动终端的标识 信息 (NAI ) 以及计算第二共享密钥所需的随机数一并发送给移动 IP代理; 移动 IP代理用接收到的第一共享密钥对要发送给 HA的 PMIP信令进行保 护, 对 PMIP信令进行保护的具体实现为: 移动 IP代理根据接收到的第一共享 密钥计算信令摘要, 将计算所得的信令摘要携带在 PMIP信令中发送给 HA, 在 该 PMIP信令中还包括移动终端的 NAI、移动 IP代理的 IP地址以及计算第二共 享密钥所需的随机数;  The centralized control point calculates the first shared key between the mobile IP proxy and the HA according to the obtained root key of the mobile proxy IP (PMN-RK), the IP address of the mobile IP proxy, the IP address of the HA, and a random number ( PMN-HA), and transmitting the first shared key together with the IP address of the HA, the identification information of the mobile terminal (NAI), and the random number required to calculate the second shared key to the mobile IP proxy; the mobile IP proxy The PMIP signaling to be sent to the HA is protected by using the received first shared key, and the specific implementation of protecting the PMIP signaling is: The mobile IP proxy calculates the signaling summary according to the received first shared key, and The calculated signaling summary is carried in the PMIP signaling and sent to the HA, where the PMIP signaling further includes an NAI of the mobile terminal, an IP address of the mobile IP proxy, and a random number required to calculate the second shared key.
HA接收到来自移动 IP代理的 PMIP信令后, 从该信令中获取相关参数, 釆用与集中控制点相同的方法计算第二共享密钥, 并用计算出的第二共享密钥 对接收到的 PMIP进行校验, 具体的校验方法为: 利用计算出的第二共享密钥, 釆用与移动 IP代理相同的方法计算信令摘要, 将计算所得的信令摘要与接收到 的 PMIP信令携带的信令摘要进行比较,如果二者一致,说明 HA计算的第二共 享密钥与集中控制点生成的第一共享密钥相同, 则校验成功。 After receiving the PMIP signaling from the mobile IP proxy, the HA obtains relevant parameters from the signaling. The second shared key is calculated in the same manner as the centralized control point, and the received PMIP is verified by using the calculated second shared key. The specific verification method is: using the calculated second shared key Calculate the signaling summary in the same way as the mobile IP proxy, and compare the calculated signaling digest with the received signaling digest of the PMIP signaling. If the two are consistent, the second shared secret of the HA calculation is described. If the key is the same as the first shared key generated by the centralized control point, the verification is successful.
在校验成功时, HA向移动 IP代理发送 PMIP信令, 釆用与移动 IP代理相 同的方法对要发送的 PMIP信令进行保护。同时,ΗΑ还传递通用路由封装( GRE ) 的关键字 (Key )给移动 IP代理, 在移动 IP代理与 HA之间为移动终端建立一 个独立的数据隧道, 该隧道使用 GRE封装, 用 Key标识。  When the verification is successful, the HA sends PMIP signaling to the mobile IP proxy, and the PMIP signaling to be transmitted is protected in the same manner as the mobile IP proxy. At the same time, ΗΑ also transmits the Generic Routing Encapsulation (GRE) key (Key) to the mobile IP proxy, and establishes an independent data tunnel between the mobile IP proxy and the HA for the mobile terminal. The tunnel uses GRE encapsulation and is identified by Key.
现有技术中提供的保护 PMIP信令的方法给出了生成移动 IP代理与 HA之 间的共享密钥的方法, 但未给出如何标识移动 IP代理和 HA为特定移动终端建 立的安全关联的方法, 这里的安全关联主要是指: 移动 IP代理和 HA之间的共 享密钥, 还可以包括集中控制点与 HA预先协商好的计算信令摘要的算法等。 因此, 当移动 IP代理和 HA之间的共享密钥确定后, 即二者之间的安全关联确 定后, HA再接收到来自移动 IP代理的 PMIP信令,对该 PMIP信令进行完整性 校验前, 需要根据移动 IP代理的 IP地址以及移动终端的标识信息查找该 PMIP 信令对应的安全关联, 这样的查找过程效率较低, 也不符合协议目前的规定。  The method for protecting PMIP signaling provided in the prior art gives a method of generating a shared key between a mobile IP proxy and an HA, but does not teach how to identify a mobile IP proxy and a security association established by the HA for a particular mobile terminal. The method, the security association here mainly refers to: a shared key between the mobile IP proxy and the HA, and may also include an algorithm for calculating a signaling summary that is pre-negotiated by the centralized control point and the HA. Therefore, after the shared key between the mobile IP proxy and the HA is determined, that is, after the security association between the two is determined, the HA receives the PMIP signaling from the mobile IP proxy, and performs integrity check on the PMIP signaling. Before the test, the security association corresponding to the PMIP signaling needs to be searched according to the IP address of the mobile IP proxy and the identification information of the mobile terminal. Such a search process is inefficient and does not comply with the current provisions of the protocol.
另夕卜,现有技术中的保护 PMIP信令的方法中并没有提供计算共享密钥所需 随机数的传递方式, 并且现有的 PMIP信令并不支持随机数的传递。 发明内容  In addition, the method for protecting PMIP signaling in the prior art does not provide a method for transmitting a random number required for calculating a shared key, and the existing PMIP signaling does not support the transmission of a random number. Summary of the invention
有鉴于此, 本发明实施例一方面提供了两种保护 PMIP信令的方法; 另一方 面还提供了四种保护保护 PMIP信令的系统以及装置,完善了 PMIP信令的保护 机制。  In view of this, the embodiment of the present invention provides two methods for protecting PMIP signaling; on the other hand, four systems and devices for protecting and protecting PMIP signaling are provided, and the protection mechanism of PMIP signaling is improved.
本发明实施例的技术方案是这样实现的:  The technical solution of the embodiment of the present invention is implemented as follows:
本发明实施例提供的第一种保护代理移动 PMIP信令的方法, 包括: 计算移动 IP代理和家乡代理 HA的第一共享密钥;  The method for the first protection proxy to move the PMIP signaling provided by the embodiment of the present invention includes: calculating a first shared key of the mobile IP proxy and the home agent HA;
生成唯一标识所述第一共享密钥的安全参数索引 SPI;  Generating a security parameter index SPI that uniquely identifies the first shared key;
所述移动 IP代理向所述 HA发送 PMIP信令,用所述第一共享密钥对该 PMIP 信令进行完整性保护, 将所述 SPI携带在该 PMIP信令中发送给所述 HA; 所述 HA接收所述 PMIP信令,釆用与计算所述共享密钥相同的方法计算第 二共享密钥, 利用计算所得的第二共享密钥校验所述 PMIP信令的完整性,在校 验成功时, 保存计算所得的第二共享密钥和所述 SPI; The mobile IP proxy sends PMIP signaling to the HA, performs integrity protection on the PMIP signaling by using the first shared key, and carries the SPI in the PMIP signaling and sends the SPI to the HA; Receiving, by the HA, the PMIP signaling, calculating a second shared key by using the same method as calculating the shared key, and verifying integrity of the PMIP signaling by using the calculated second shared key, When the verification is successful, saving the calculated second shared key and the SPI;
所述 HA向所述移动 IP代理回送 PMIP信令, 用计算所得的第二共享密钥 对该 PMIP信令进行完整性保护, 并将所述 SPI携带在该 PMIP信令中。  The HA sends PMIP signaling to the mobile IP proxy, performs integrity protection on the PMIP signaling by using the calculated second shared key, and carries the SPI in the PMIP signaling.
本发明实施例提供的第二种保护代理移动 PMIP信令的方法, 包括: 移动 IP代理接收或主动获取集中控制点计算的所述移动 IP代理和家乡代理 HA的第一共享密钥, 向所述 HA发送 PMIP信令, 利用所述第一共享密钥对该 PMIP信令进行保护, 在该信令中携带设定的触发 SPI分配的固定标识;  The method for the second protection proxy to move the PMIP signaling provided by the embodiment of the present invention includes: the mobile IP proxy receives or actively obtains the first shared key of the mobile IP proxy and the home agent HA calculated by the centralized control point, The HA sends the PMIP signaling, and the PMIP signaling is protected by using the first shared key, where the signaling carries a fixed identifier that triggers the SPI allocation;
所述 HA接收来自所述移动 IP代理的 PMIP信令, 釆用与所述集中控制点 相同的方法计算第二共享密钥, 利用计算所得的第二共享密钥校验接收到的 PMIP信令的完整性, 在校验成功时, 生成唯一标识所述第一共享密钥或者第二 共享密钥的 SPI; 将所述 SPI携带在 PMIP信令中发送给所述移动 IP代理,用计 算所得的第二共享密钥对该 PMIP信令进行保护;  Receiving, by the HA, PMIP signaling from the mobile IP proxy, calculating a second shared key in the same manner as the centralized control point, and verifying the received PMIP signaling by using the calculated second shared key Integrity, when the verification is successful, generating an SPI that uniquely identifies the first shared key or the second shared key; carrying the SPI in the PMIP signaling and sending it to the mobile IP proxy, using the calculation result The second shared key protects the PMIP signaling;
所述移动 IP代理接收来自所述 HA的 PMIP信令, 利用所述第一共享密钥 校验该信令的完整性, 在校验成功时, 保存所述 SPI。  The mobile IP proxy receives PMIP signaling from the HA, checks the integrity of the signaling with the first shared key, and saves the SPI when the verification is successful.
本发明实施例提供的第一种保护 PMIP信令的系统, 包括:  The first system for protecting PMIP signaling provided by the embodiment of the present invention includes:
集中控制点, 用于计算移动 IP代理和家乡代理 HA之间的第一共享密钥, 生成唯一标识所述第一共享密钥的安全参数索引 SPI;  a centralized control point, configured to calculate a first shared key between the mobile IP proxy and the home agent HA, and generate a security parameter index SPI that uniquely identifies the first shared key;
所述移动 IP代理, 用于接收所述集中控制点发送的或主动从所述集中控制 点获取所述第一共享密钥和 SPI,利用所述第一共享密钥对要发送给所述 HA的 PMIP信令进行完整性保护, 在所述 PMIP信令中携带所述 SPI;  The mobile IP proxy is configured to receive, by the centralized control point, or actively obtain the first shared key and the SPI from the centralized control point, and send the first shared key pair to the HA by using the first shared key pair. PMIP signaling for integrity protection, carrying the SPI in the PMIP signaling;
所述 HA, 用于接收所述 PMIP信令, 釆用与集中控制点相同的方法计算第 二共享密钥, 利用计算所得的第二共享密钥校验接收到的 PMIP信令的完整性, 在校验成功时, 保存计算所得的第二共享密钥和所述 PMIP信令携带的 SPI。  The HA is configured to receive the PMIP signaling, calculate a second shared key by using the same method as the centralized control point, and verify the integrity of the received PMIP signaling by using the calculated second shared key, When the verification is successful, the calculated second shared key and the SPI carried by the PMIP signaling are saved.
本发明实施例提供的第一种集中控制点, 包括:  The first centralized control point provided by the embodiment of the present invention includes:
共享密钥计算单元, 用于计算移动 IP代理和 HA之间的第一共享密钥; SPI生成单元, 用于利用随机数生成器生成, 或利用选定参数计算生成唯一 标识所述第一共享密钥的 SPI。  a shared key calculation unit, configured to calculate a first shared key between the mobile IP proxy and the HA; an SPI generating unit, configured to generate by using a random number generator, or generate a unique identifier to identify the first share by using a selected parameter calculation The SPI of the key.
本发明实施例提供的第二种保护 PMIP信令的系统, 包括: 集中控制点, 用于计算移动 IP代理和家乡代理 HA之间的第一共享密钥; 所述移动 IP代理, 用于获取所述共享密钥, 生成唯一标识所述第一共享密 钥的 SPI, 利用所述第一共享密钥对要发送给所述 HA的 PMIP信令进行完整性 保护, 在所述 PMIP信令中携带所述 SPI; A second system for protecting PMIP signaling provided by the embodiment of the present invention includes: a centralized control point, configured to calculate a first shared key between the mobile IP proxy and the home agent HA; the mobile IP proxy, configured to acquire the shared key, and generate an SPI that uniquely identifies the first shared key Performing integrity protection on the PMIP signaling to be sent to the HA by using the first shared key, and carrying the SPI in the PMIP signaling;
所述 HA, 用于接收所述 PMIP信令, 釆用与集中控制点相同的方法计算第 二共享密钥, 利用计算所得的第二共享密钥校验接收到的 PMIP信令的完整性, 在校验成功时, 保存计算所得的第二共享密钥和所述 PMIP信令携带的 SPI。  The HA is configured to receive the PMIP signaling, calculate a second shared key by using the same method as the centralized control point, and verify the integrity of the received PMIP signaling by using the calculated second shared key, When the verification is successful, the calculated second shared key and the SPI carried by the PMIP signaling are saved.
本发明实施例提供的第一种移动 IP代理, 包括:  The first mobile IP proxy provided by the embodiment of the present invention includes:
共享密钥获取单元, 用于接收所述集中控制点发送的第一共享密钥, 或从 所述集中控制点主动获取所述第一共享密钥;  a shared key obtaining unit, configured to receive a first shared key sent by the centralized control point, or actively acquire the first shared key from the centralized control point;
SPI生成单元, 用于利用随机数生成器生成, 或利用选定参数计算生成唯一 标识所述第一共享密钥的 SPI;  An SPI generating unit, configured to generate, by using a random number generator, or generate a SPI that uniquely identifies the first shared key by using a selected parameter calculation;
信令发送单元, 用于向所述 HA发送 PMIP信令, 用所述第一共享密钥对所 述 PMIP信令进行完整性保护,在所述 PMIP信令中携带所述 SPI生成单元生成 的 SPI。  a signaling sending unit, configured to send PMIP signaling to the HA, perform integrity protection on the PMIP signaling by using the first shared key, and carry the generated by the SPI generating unit in the PMIP signaling SPI.
本发明实施例提供的第三种保护代理移动 PMIP信令的系统, 包括: 集中控制点, 用于计算移动 IP代理和家乡代理 HA之间的第一共享密钥; 移动 IP代理, 用于获取所述第一共享密钥, 向 HA发送 PMIP信令, 利用 所述第一共享密钥对该 PMIP信令进行完整性保护,在该 PMIP信令中携带设定 的触发 SPI分配的固定标识; 接收来自所述 HA的 PMIP信令, 利用所述第一共 享密钥校验接收到的 PMIP信令的完整性, 在校验成功时, 从接收到的 PMIP信 令中获取所述 HA分配的 SPI;  A third protection proxy mobile PMIP signaling system provided by the embodiment of the present invention includes: a centralized control point, configured to calculate a first shared key between a mobile IP proxy and a home agent HA; a mobile IP proxy, configured to obtain The first shared key sends PMIP signaling to the HA, and performs integrity protection on the PMIP signaling by using the first shared key, where the PMIP signaling carries a fixed identifier that triggers SPI allocation. Receiving PMIP signaling from the HA, verifying integrity of the received PMIP signaling by using the first shared key, and acquiring the HA allocation from the received PMIP signaling when the verification is successful SPI;
所述 HA, 用于接收来自所述移动 IP代理的 PMIP信令, 釆用与集中控制 点相同的方法计算第二共享密钥, 利用计算所得的第二共享密钥校验接收到的 PMIP信令的完整性, 在校验成功时, 生成唯一标识所述第一共享密钥或者第二 共享密钥的 SPI; 将所述 SPI携带在 PMIP信令中发送给所述移动 IP代理,用计 算所得的第二共享密钥对要发送给所述移动 IP代理的 PMIP信令进行完整性保 护。  The HA is configured to receive PMIP signaling from the mobile IP proxy, calculate a second shared key in the same manner as the centralized control point, and use the calculated second shared key to verify the received PMIP signaling. In the integrity of the command, when the verification succeeds, generating an SPI that uniquely identifies the first shared key or the second shared key; and the SPI is carried in the PMIP signaling and sent to the mobile IP proxy, and is calculated. The resulting second shared key performs integrity protection on the PMIP signaling to be sent to the mobile IP proxy.
本发明实施例提供的一种家乡代理, 包括:  A home agent provided by an embodiment of the present invention includes:
信令收发单元, 用于接收来自移动 IP代理的 PMIP信令; 将 SPI生成单元 生成的 SPI携带在 PMIP信令中发送给所述移动 IP代理, 用校验单元计算所得 的第二共享密钥对要发送给所述移动 IP代理的 PMIP信令进行完整性保护; 校验单元, 釆用与集中控制点相同的方法计算第二共享密钥, 利用计算所 得的第二共享密钥校验接收到的 PMIP信令的完整性; a signaling transceiver unit for receiving PMIP signaling from a mobile IP proxy; The generated SPI is carried in the PMIP signaling and sent to the mobile IP proxy, and the second shared key calculated by the check unit performs integrity protection on the PMIP signaling to be sent to the mobile IP proxy; Calculating the second shared key in the same way as the centralized control point, and verifying the integrity of the received PMIP signaling by using the calculated second shared key;
所述 SPI生成单元, 用于在所述校验单元校验成功时, 利用随机数生成器 生成, 或利用选定参数计算生成唯一标识所述第二共享密钥的 SPI。  The SPI generating unit is configured to generate, by using a random number generator, when the verification unit is successfully verified, or generate an SPI that uniquely identifies the second shared key by using a selected parameter calculation.
本发明实施例提供的第二种移动 IP代理, 包括:  A second mobile IP proxy provided by the embodiment of the present invention includes:
共享密钥获取单元, 用于接收集中控制点发送的或从所述集中控制点主动 获取该移动 IP代理与 HA的第一共享密钥;  a shared key obtaining unit, configured to receive a first shared key that is sent by the centralized control point or actively acquires the mobile IP proxy and the HA from the centralized control point;
SPI分配触发单元, 用于向所述 HA发送 PMIP信令, 用所述第一共享密钥 对该 PMIP信令进行完整性保护,在该 PMIP信令中携带设定的触发 SPI分配的 固定标识;  An SPI allocation triggering unit, configured to send PMIP signaling to the HA, perform integrity protection on the PMIP signaling by using the first shared key, and carry a fixed identifier that triggers SPI allocation in the PMIP signaling ;
校验及 SPI获取单元, 用于接收来自 HA的 PMIP信令, 利用所述第一共享 密钥校验该信令的完整性, 在校验成功时, 从接收到的 PMIP信令中获取所述 HA分配的唯一标识所述第一共享密钥的 SPI。  a checksum SPI obtaining unit, configured to receive PMIP signaling from the HA, verify the integrity of the signaling by using the first shared key, and obtain, from the received PMIP signaling, when the verification succeeds An SPI that uniquely identifies the first shared key that is assigned by the HA.
本发明实施例提供的第四种保护代理移动 PMIP信令的系统, 包括: 集中控制点, 用于计算移动 IP代理和家乡代理 HA之间的第一共享密钥, 为移动 IP代理生成用于构造 SPI的参数;  A fourth protection proxy mobile PMIP signaling system provided by the embodiment of the present invention includes: a centralized control point, configured to calculate a first shared key between a mobile IP proxy and a home agent HA, configured for the mobile IP proxy to generate Construct the parameters of the SPI;
移动 IP代理, 用于获取所述第一共享密钥, 获取用于构造 SPI的参数, 根 据所述用于构造 SPI的参数生成唯一标识所述第一共享密钥的 SPI, 利用所述第 一共享密钥对要发送给所述 HA的 PMIP信令进行完整性保护,在所述 PMIP信 令中携带所述 SPI;  a mobile IP proxy, configured to acquire the first shared key, obtain a parameter for constructing an SPI, and generate an SPI that uniquely identifies the first shared key according to the parameter used to construct the SPI, by using the first The shared key performs integrity protection on the PMIP signaling to be sent to the HA, and carries the SPI in the PMIP signaling;
所述 HA, 用于接收所述 PMIP信令, 釆用与集中控制点相同的方法计算第 二共享密钥, 利用计算所得的第二共享密钥校验接收到的 PMIP信令的完整性, 在校验成功时, 保存计算所得的第二共享密钥和所述 PMIP信令携带的 SPI。 本发明实施例提供的第二种集中控制点, 包括:  The HA is configured to receive the PMIP signaling, calculate a second shared key by using the same method as the centralized control point, and verify the integrity of the received PMIP signaling by using the calculated second shared key, When the verification is successful, the calculated second shared key and the SPI carried by the PMIP signaling are saved. The second centralized control point provided by the embodiment of the present invention includes:
共享密钥计算单元, 用于计算移动 IP代理和 HA之间的第一共享密钥;  a shared key calculation unit, configured to calculate a first shared key between the mobile IP proxy and the HA;
SPI构造单元, 用于利用随机数生成器生成, 或利用选定参数计算生成用于构 造 SPI的参数;  An SPI construction unit for generating with a random number generator, or generating parameters for constructing the SPI using selected parameters;
信息发送单元, 用于将所述第一共享密钥和所述用于构造 SPI的参数发送 给所述移动 IP代理。 An information sending unit, configured to send the first shared key and the parameter used to construct the SPI Give the mobile IP proxy.
本发明实施例提供的第三种移动 IP代理, 包括:  A third mobile IP proxy provided by the embodiment of the present invention includes:
共享密钥获取单元, 用于接收集中控制点发送的第一共享密钥, 或从所述 集中控制点主动获取所述第一共享密钥;  a shared key obtaining unit, configured to receive a first shared key sent by a centralized control point, or actively obtain the first shared key from the centralized control point;
SPI生成单元, 用于接收所述集中控制点发送的用于构造 SPI的参数, 并利 用所述用于构造 SPI的参数生成唯一标识所述第一共享密钥的 SPI;  An SPI generating unit, configured to receive a parameter sent by the centralized control point for constructing an SPI, and generate an SPI that uniquely identifies the first shared key by using the parameter used to construct the SPI;
信令发送单元, 用于向所述 HA发送 PMIP信令, 用所述第一共享密钥对所 述 PMIP信令进行完整性保护,在所述 PMIP信令中携带所述 SPI生成单元生成 的 SPI。  a signaling sending unit, configured to send PMIP signaling to the HA, perform integrity protection on the PMIP signaling by using the first shared key, and carry the generated by the SPI generating unit in the PMIP signaling SPI.
本发明实施例提供的第一种保护 PMIP信令的方法,由集中控制点或移动 IP 生成唯一标识移动 IP代理与 HA的共享密钥的 SPI, 由移动 IP代理通过 PMIP 信令将其传送给 HA; HA釆用与计算所述共享密钥相同的方法计算密钥, 对接 收到的 PMIP信令的完整性校验成功时, 保存计算所得的密钥和 SPI。 这样移动 IP代理和 HA为特定移动终端建立的包括共享密钥等的安全关联,就可以用 SPI 来唯一标识 , 从而完善了 PMIP信令的保护机制。  The first method for protecting PMIP signaling provided by the embodiment of the present invention generates a SPI that uniquely identifies the shared key of the mobile IP proxy and the HA by the centralized control point or the mobile IP, and the mobile IP proxy transmits the SPI to the SPI through the PMIP signaling. HA; HA calculates the key in the same way as the shared key, and saves the calculated key and SPI when the integrity check of the received PMIP signaling is successful. In this way, the mobile IP agent and the security association established by the HA for the specific mobile terminal, including the shared key, can be uniquely identified by the SPI, thereby perfecting the protection mechanism of the PMIP signaling.
本发明实施例提供的第二种保护 PMIP信令的方法, HA接收到来自移动 IP 代理的携带了触发 SPI分配的固定标识的 PMIP信令时,釆用与集中控制点相同 的方法计算密钥, 利用计算所得的密钥校验接收到的 PMIP信令的完整性成功 时, 生成唯一标识所述共享密钥的 SPI; 将所述 SPI携带在 PMIP信令中发送给 所述移动 IP代理。 这样, 移动 IP代理和 HA为特定移动终端建立的包括共享密 钥等的安全关联,就可以用 SPI来唯一标识,从而完善了 PMIP信令的保护机制。  A second method for protecting PMIP signaling provided by the embodiment of the present invention, when the HA receives the PMIP signaling from the mobile IP proxy that carries the fixed identifier that triggers the SPI allocation, the method uses the same method as the centralized control point to calculate the key. And using the calculated key to verify that the integrity of the received PMIP signaling is successful, generating an SPI that uniquely identifies the shared key; and transmitting the SPI in the PMIP signaling to the mobile IP proxy. In this way, the mobile IP proxy and the security association established by the HA for the specific mobile terminal, including the shared key, can be uniquely identified by the SPI, thereby perfecting the protection mechanism of the PMIP signaling.
本发明实施例提供的四种保护 PMIP信令的系统,分别实现了由集中控制点 生成、 由移动 IP代理和由 HA生成唯一标识共享密钥的 SPI的方法, 因此这四 种保护 PMIP信令的系统能够达到完善 PMIP信令的保护机制的发明目的。  The four systems for protecting PMIP signaling provided by the embodiments of the present invention respectively implement a method for generating an SPI generated by a centralized control point, generated by a mobile IP proxy, and generated by a HA to uniquely identify a shared key, and thus the four types of protection PMIP signaling The system can achieve the purpose of perfecting the protection mechanism of PMIP signaling.
本发明实施例提供的第一种移动 IP代理、 HA以及第一种集中控制点, 可 以生成唯一标识共享密钥的 SPI, 因此能够达到完善 PMIP信令的保护机制的发 明目的。  The first mobile IP proxy, the HA, and the first centralized control point provided by the embodiments of the present invention can generate an SPI that uniquely identifies the shared key, and thus can achieve the purpose of improving the protection mechanism of the PMIP signaling.
本发明实施例提供的第二种移动 IP代理能够触发并获取 HA为共享密钥分 配的唯一标识 SPI, 因此能够达到完善 PMIP信令的保护机制的发明目的。  The second mobile IP proxy provided by the embodiment of the present invention can trigger and acquire the unique identifier SPI that the HA allocates as the shared key, so that the invention aims to improve the protection mechanism of the PMIP signaling.
本发明实施例第二种集中控制点为移动 IP代理生成用于构造 SPI的参数, 第三种移动 IP代理根据所述用于构造 SPI的参数生成唯一标识共享密钥的 SPI, 因此能够达到完善 PMIP信令的保护机制的发明目的。 附图说明 The second centralized control point of the embodiment of the present invention generates a parameter for constructing the SPI for the mobile IP proxy. The third mobile IP proxy generates an SPI that uniquely identifies the shared key according to the parameters used to construct the SPI, and thus can achieve the object of improving the protection mechanism of PMIP signaling. DRAWINGS
图 1为现有技术保护 PMIP信令系统的结构图;  1 is a structural diagram of a prior art protection PMIP signaling system;
图 2为本发明保护 PMIP信令的方法实施例一的流程图;  2 is a flowchart of Embodiment 1 of a method for protecting PMIP signaling according to the present invention;
图 3为本发明保护 PMIP信令的方法实施例二的流程图;  3 is a flowchart of Embodiment 2 of a method for protecting PMIP signaling according to the present invention;
图 4为本发明保护 PMIP信令的方法实施例三的流程图  4 is a flowchart of Embodiment 3 of a method for protecting PMIP signaling according to the present invention.
图 5为本发明保护 PMIP信令的方法实施例四的流程图;  5 is a flowchart of Embodiment 4 of a method for protecting PMIP signaling according to the present invention;
图 6为本发明保护 PMIP信令的方法实施例五的流程图;  6 is a flowchart of Embodiment 5 of a method for protecting PMIP signaling according to the present invention;
图 7为本发明保护 PMIP信令的方法实施例六的流程图;  7 is a flowchart of Embodiment 6 of a method for protecting PMIP signaling according to the present invention;
图 8为本发明保护 PMIP信令的系统实施例一的结构示意图;  8 is a schematic structural diagram of Embodiment 1 of a system for protecting PMIP signaling according to the present invention;
图 9为本发明保护 PMIP信令的系统实施例二的结构示意图;  9 is a schematic structural diagram of Embodiment 2 of a system for protecting PMIP signaling according to the present invention;
图 10为本发明保护 PMIP信令的系统实施例三的结构示意图;  10 is a schematic structural diagram of Embodiment 3 of a system for protecting PMIP signaling according to the present invention;
图 11为本发明保护 PMIP信令的方法实施例七的流程图;  11 is a flowchart of Embodiment 7 of a method for protecting PMIP signaling according to the present invention;
图 12为本发明保护 PMIP信令的系统实施例四的结构示意图。 具体实施方式  FIG. 12 is a schematic structural diagram of Embodiment 4 of a system for protecting PMIP signaling according to the present invention. detailed description
为使本发明的目的、 技术方案和有益效果更加清楚明白, 下面结合实施例 和附图, 对本发明做进一步地详细说明。  In order to make the objects, technical solutions and advantageous effects of the present invention more comprehensible, the present invention will be further described in detail below with reference to the embodiments and drawings.
本发明实施例中提供的第一种保护 PMIP信令的方法, 包括:  The first method for protecting PMIP signaling provided in the embodiment of the present invention includes:
集中控制点计算移动 IP代理和 HA的第一共享密钥; 生成唯一标识该第一 共享密钥的 SPI; 移动 IP代理向 HA发送 PMIP信令,用所述第一共享密钥对该 PMIP信令进行完整性保护, 将所述 SPI携带在该 PMIP信令中发送给 HA; HA 接收来自移动 IP代理的 PMIP信令, 釆用与集中控制点相同的方法计算第二共 享密钥, 利用计算所得的第二共享密钥校验接收到的 PMIP信令的完整性,在校 验成功时, 保存计算所得的第二共享密钥和接收到的 PMIP信令中携带的 SPI; HA向移动 IP代理回送 PMIP信令,用计算所得的第二共享密钥对该 PMIP信令 进行完整性保护, 并将唯一标识该第一共享密钥的 SPI携带在该 PMIP信令中。  The centralized control point calculates a first shared key of the mobile IP proxy and the HA; generates an SPI that uniquely identifies the first shared key; the mobile IP proxy sends PMIP signaling to the HA, and uses the first shared key to the PMIP For integrity protection, the SPI is carried in the PMIP signaling and sent to the HA; the HA receives the PMIP signaling from the mobile IP proxy, and calculates the second shared key in the same way as the centralized control point, using the calculation The obtained second shared key verifies the integrity of the received PMIP signaling, and when the verification is successful, saves the calculated second shared key and the SPI carried in the received PMIP signaling; HA to mobile IP The proxy returns the PMIP signaling, performs integrity protection on the PMIP signaling by using the calculated second shared key, and carries the SPI that uniquely identifies the first shared key in the PMIP signaling.
本发明实施例中, 唯一标识第一共享密钥的 SPI可以由集中控制点生成, 也可以由移动 IP代理生成; 或者由集中控制点为移动 IP代理生成用于构造 SPI 的参数, 由移动 IP代理根据用语构造 SPI的参数生成唯一标识第一共享密钥的 SPI。 In the embodiment of the present invention, the SPI that uniquely identifies the first shared key may be generated by a centralized control point. It can also be generated by the mobile IP proxy; or the central control point generates parameters for constructing the SPI for the mobile IP proxy, and the mobile IP proxy generates an SPI that uniquely identifies the first shared key according to the parameters of the term construct SPI.
生成唯一标识所述第一共享密钥的 SPI的方法可以为: 集中控制点利用随 机数生成器生成, 或利用选定的参数生成唯一标识第一共享密钥的 SPI。 当 SPI 由集中控制点生成时, 该方法还包括: 移动 IP代理接收, 或主动获取集中控制 点计算所得的第一共享密钥和唯一标识该第一共享密钥的 SPI。  The method of generating an SPI that uniquely identifies the first shared key may be: the centralized control point is generated using a random number generator, or the selected parameter is used to generate an SPI that uniquely identifies the first shared key. When the SPI is generated by the centralized control point, the method further includes: receiving, by the mobile IP proxy, or actively obtaining the first shared key calculated by the centralized control point and the SPI uniquely identifying the first shared key.
还可以为: 移动 IP代理接收到集中控制点发送的或主动从集中控制点获取 到第一共享密钥时, 利用随机数生成器生成, 或利用选定的参数生成唯一标识 所获取的第一共享密钥的 SPI。  The method may also be: when the mobile IP proxy receives the first shared key sent by the centralized control point or actively acquires the first shared key from the centralized control point, generates the first identifier obtained by using the random number generator, or generates the unique identifier by using the selected parameter. The SPI of the shared key.
利用选定参数计算生成 SPI时, 选定参数可以包括: 随机数、和 /或所述 HA 的 IP地址、 和 /或所述移动 IP代理的 IP地址、 和 /或才艮 SPI值、 和 /或代理移动 IP的根密钥等。计算 SPI所需的参数并没有特定要求, 只要保证计算所得的 SPI 可以唯一标识第一共享密钥即可。  When the SPI is generated using the selected parameter calculations, the selected parameters may include: a random number, and/or an IP address of the HA, and/or an IP address of the mobile IP proxy, and/or an SPI value, and/or Or proxy the root key of the mobile IP, etc. There are no specific requirements for calculating the parameters required for the SPI, as long as the calculated SPI can uniquely identify the first shared key.
本发明实施例提供的第二种保护 PMIP信令的方法, 包括:  A second method for protecting PMIP signaling provided by the embodiment of the present invention includes:
移动 IP代理接收或主动获取集中控制点计算的移动 IP代理和 HA的第一共 享密钥, 向 HA发送 PMIP信令, 利用获取的第一共享密钥对该 PMIP信令进行 保护, 在该信令中携带设定的触发 SPI分配的固定标识;  The mobile IP proxy receives or actively acquires the first shared key of the mobile IP proxy and the HA calculated by the centralized control point, sends PMIP signaling to the HA, and protects the PMIP signaling by using the obtained first shared key, in the letter The command carries a fixed identifier that triggers the SPI allocation;
HA接收到来自移动 IP代理的 PMIP信令后, 釆用与集中控制点相同的方 法计算第二共享密钥,利用计算所得的第二共享密钥校验接收到的 PMIP信令的 完整性, 在校验成功时, 生成唯一标识该第一共享密钥的 SPI; 将生成的 SPI携 带在 PMIP信令中发送给移动 IP代理;  After receiving the PMIP signaling from the mobile IP proxy, the HA calculates the second shared key in the same manner as the centralized control point, and uses the calculated second shared key to verify the integrity of the received PMIP signaling. When the verification succeeds, the SPI that uniquely identifies the first shared key is generated; the generated SPI is carried in the PMIP signaling and sent to the mobile IP proxy;
移动 IP代理接收来自 HA的 PMIP信令后, 利用获取的第一共享密钥校验 该信令的完整性, 在校验成功时, 保存该 PMIP信令携带的 SPI。  After receiving the PMIP signaling from the HA, the mobile IP proxy verifies the integrity of the signaling by using the obtained first shared key, and saves the SPI carried by the PMIP signaling when the verification succeeds.
较佳地,设定的触发 SPI分配的固定标识可以为:设定的触发 SPI分配的固 定值的 SPI。  Preferably, the fixed identifier of the set trigger SPI allocation may be: a set SPI that triggers a fixed value of the SPI allocation.
生成唯一标识第一共享密钥的 SPI的方法可以为: HA利用随机数生成器生 成, 或利用选定的参数计算生成唯一标识第一共享密钥的 SPI;  The method for generating the SPI that uniquely identifies the first shared key may be: HA is generated by using a random number generator, or using the selected parameter calculation to generate an SPI that uniquely identifies the first shared key;
利用选定的参数计算生成 SPI时, 所述选定的参数可以包括: 随机数、 和 / 或 HA的 IP地址、 和 /或移动 IP代理的 IP地址、 和 /或才艮 SPI值、 和 /或代理移动 IP的才艮密钥。 When the SPI is generated using the selected parameter calculations, the selected parameters may include: a random number, and/or an IP address of the HA, and/or an IP address of the mobile IP proxy, and/or an SPI value, and/or Or agent move The key to IP.
本发明实施例提供的上述两种方法中,当 HA对接收到的 PMIP信令校验成 功时, 第一共享密钥与第二共享密钥相同, 这两种方法还包括: HA创建移动 IP 代理与自身之间的数据隧道;  In the above two methods provided by the embodiments of the present invention, when the HA successfully checks the received PMIP signaling, the first shared key is the same as the second shared key, and the two methods further include: a data tunnel between the agent and itself;
如果该数据隧道的生命期到达, 需要重新创建该数据隧道时, HA与移动 IP 代理交互的 PMIP信令釆用第一共享密钥或者第二共享密钥进行保护,并在交互 的 PMIP信令中携带唯一标识该第一共享密钥的 SPI。  If the lifetime of the data tunnel arrives and the data tunnel needs to be re-created, the PMIP signaling that the HA interacts with the mobile IP proxy is protected with the first shared key or the second shared key, and in the interactive PMIP signaling. The SPI carrying the first shared key is uniquely identified.
集中控制点可以利用随机数以及其它选定参数计算移动 IP代理和家乡代理 HA的第一共享密钥, 这里的其它选定参数可以包括: 代理移动 IP的根密钥、 移动 IP代理的 IP地址、 HA的 IP地址。  The centralized control point may calculate the first shared key of the mobile IP proxy and the home agent HA using the random number and other selected parameters, where other selected parameters may include: a proxy mobile IP root key, a mobile IP proxy IP address , HA's IP address.
为了使得 HA获得集中控制点计算第一共享密钥所需的随机数, 移动 IP代 理接收集中控制点发送的或主动获取集中控制点计算第一共享密钥所需的随机 数后, 将该随机数携带在 PMIP信令中发送给 HA。  In order to enable the HA to obtain the random number required by the centralized control point to calculate the first shared key, the mobile IP proxy receives the random number required by the centralized control point or actively acquires the centralized control point to calculate the first shared key, and then randomly The number is carried in the PMIP signaling and sent to the HA.
这里, 将计算第一共享密钥所需的随机数携带在 PMIP信令中的方法可以 为: 将该随机数携带在 PMIP信令现有的字段, 或新扩展的字段中。  Here, the method for carrying the random number required to calculate the first shared key in the PMIP signaling may be: carrying the random number in an existing field of the PMIP signaling, or in a newly extended field.
如果将该随机数携带在 PMIP信令现有的字段中时, 现有字段可以选  If the random number is carried in an existing field of PMIP signaling, the existing field can be selected.
Identification字段。 Identification field.
另外, 如果釆用随机数生成器生成唯一标识第一共享密钥的 SPI, 或利用随 机数计算生成 SPI,则集中控制点计算第一共享密钥所需的随机数可以直接由生 成的 SPI充当。  In addition, if the random number generator is used to generate the SPI that uniquely identifies the first shared key, or the SPI is generated by the random number calculation, the random number required for the centralized control point to calculate the first shared key can be directly used by the generated SPI. .
本发明实施例中, 移动 IP代理可以是移动性代理( MPA, Mobility Proxy Agent ) , 或代理移动实体( ΡΜΑ , Proxy Mobile Agent ) , 或 CDMA演进网络的 演进基站(eBS, evolved Base Station )、 或接入网关(AGW, Access Gateway )„ 因为 ,这些实体均可以替代移动终端发送移动 IP消息。集中控制点可以为 CDMA 演进网络的信令无线网络控制器( SRNC, Signaling Radio Network Controller ) 或者 AGW。 HA可以为 CDMA演进网络中的 AGW。  In the embodiment of the present invention, the mobile IP proxy may be a mobility agent (MPA, Mobility Proxy Agent), or a proxy mobile entity (ΡΜΑ, Proxy Mobile Agent), or an evolved base station (eBS, evolved base station) of the CDMA evolved network, or Access Gateway (AGW, Access Gateway) „ Because these entities can replace mobile terminals to send mobile IP messages. The centralized control point can be the Signaling Radio Network Controller (SRNC) or AGW of the CDMA evolved network. The HA can be an AGW in a CDMA evolved network.
图 2为本发明保护 PMIP信令的方法实施例一的流程图 ,该实施例中移动 IP 代理和 HA间的共享密钥和唯一标识该共享密钥的 SPI由集中控制点计算生成。 该流程包括:  2 is a flowchart of Embodiment 1 of a method for protecting PMIP signaling according to the present invention. In this embodiment, a shared key between a mobile IP proxy and an HA and an SPI uniquely identifying the shared key are generated by a centralized control point. The process includes:
步骤 201 , 集中控制点计算生成移动 IP代理与 HA间的第一共享密钥, 同 时生成唯一标识该第一共享密钥的 SPI。 Step 201: The centralized control point calculates a first shared key between the mobile IP proxy and the HA, and the same An SPI that uniquely identifies the first shared key is generated.
集中控制点在计算所述第一共享密钥和 SPI时, 参与计算的参数可以包括: 代理移动 IP的根密钥、 移动 IP代理的 IP地址、 HA的 IP地址以及随机数等。  When the centralized control point calculates the first shared key and the SPI, the parameters involved in the calculation may include: a root key of the proxy mobile IP, an IP address of the mobile IP proxy, an IP address of the HA, and a random number.
计算共享密钥或 SPI的方法可以为: 利用哈西函数等单项函数将选定的用 于计算共享密钥或 SPI的所有参数生成一个固定位数的值。 同时, 集中控制点 需要保证计算出的 SPI能够唯一地标识移动 IP代理和 HA的第一共享密钥, 即 保证 SPI能够唯一标识移动 IP代理和 HA为特定移动终端建立的安全关联。  The method of calculating the shared key or SPI can be: Using a single function such as a hash function to generate a fixed number of values for all parameters selected for computing the shared key or SPI. At the same time, the centralized control point needs to ensure that the calculated SPI can uniquely identify the first shared key of the mobile IP proxy and the HA, that is, to ensure that the SPI can uniquely identify the security association established between the mobile IP proxy and the HA for a particular mobile terminal.
步骤 202, 集中控制点将计算所得的第一共享密钥和 SPI传递给移动 IP代 理。  Step 202: The centralized control point passes the calculated first shared key and SPI to the mobile IP agent.
步骤 203 , 移动 IP代理向 HA发送 PMIP信令, 在该信令中携带 SPI以及 HA计算第二共享密钥所需要的参数,并用集中控制点计算的第一共享密钥保护 该信令。  Step 203: The mobile IP proxy sends PMIP signaling to the HA, where the signaling carries the parameters required by the SPI and the HA to calculate the second shared key, and protects the signaling by using the first shared key calculated by the centralized control point.
本步骤以及下面的实施例中,用共享密钥对要发送的 PMIP信令进行保护的 具体实现方法为: 根据接收到的共享密钥计算信令摘要, 将计算所得的信令摘 要携带在要发送的 PMIP信令中。  In this step and the following embodiments, the specific implementation method for protecting the PMIP signaling to be sent by using the shared key is: calculating a signaling summary according to the received shared key, and carrying the calculated signaling summary in the required In the PMIP signaling sent.
步骤 204, HA接收到来自移动 IP代理的 PMIP信令后, 从该信令中获得必 要的参数, 用与集中控制点相同的方法计算第二共享密钥, 用计算所得的第二 共享密钥校验接收到的 PMIP信令的完整性, 如果成功, HA计算的第二共享密 钥与集中控制点计算的第一共享密钥相同,则为移动终端建立移动 IP代理和 HA 之间的数据隧道, 并且保存接收到的 PMIP信令种携带的 SPI。  Step 204: After receiving the PMIP signaling from the mobile IP proxy, the HA obtains the necessary parameters from the signaling, calculates the second shared key in the same manner as the centralized control point, and uses the calculated second shared key. Verifying the integrity of the received PMIP signaling. If the second shared key calculated by the HA is the same as the first shared key calculated by the centralized control point, the data between the mobile IP proxy and the HA is established for the mobile terminal. Tunnel, and save the SPI carried by the received PMIP signaling type.
HA在保存 SPI前, 还可以用与集中控制点相同的计算 SPI的方法对 SPI的 有效性进行验证。  Before saving the SPI, the HA can also verify the validity of the SPI by using the same computational SPI as the centralized control point.
步骤 205 , HA向移动 IP代理发送 PMIP信令, 该信令使用计算所得的 HA 与移动 IP代理间的第一共享密钥或者第二共享密钥进行保护, 并且将唯一标识 该第一共享密钥的 SPI携带在 PMIP信令中。  Step 205: The HA sends PMIP signaling to the mobile IP proxy, where the signaling is protected by using the first shared key or the second shared key between the calculated HA and the mobile IP proxy, and the first shared secret is uniquely identified. The SPI of the key is carried in the PMIP signaling.
后续 HA和移动 IP代理交互的 PMIP信令可继续使用上述的共享密钥和 SPI 进行保护。 具体为: 如果移动 IP代理与 HA为特定移动终端建立的数据隧道的 生命期到达, 需要重新创建该数据隧道时, 不需要重新计算共享密钥和生成唯 一标识共享密钥的 SPI, HA与移动 IP代理交互的 PMIP信令仍釆用原来的共享 密钥进行保护, 并在交互的 PMIP信令中携带唯一标识原来的共享密钥的 SPI。 图 3为本发明保护 PMIP信令的方法实施例二的流程图,该实施例中移动 IP 代理和 HA间的共享密钥由集中控制点计算生成, SPI由移动 IP代理计算生成。 该流程包括: The PMIP signaling of subsequent HA and mobile IP proxy interactions can continue to be protected using the shared key and SPI described above. Specifically: if the mobile IP proxy and the HA establish the lifetime of the data tunnel established for the specific mobile terminal, and need to re-create the data tunnel, there is no need to recalculate the shared key and generate the SPI, HA and mobile that uniquely identify the shared key. The PMIP signaling of the IP proxy interaction is still protected by the original shared key, and the SPI that uniquely identifies the original shared key is carried in the interactive PMIP signaling. FIG. 3 is a flowchart of Embodiment 2 of a method for protecting PMIP signaling according to the present invention. In this embodiment, a shared key between a mobile IP proxy and an HA is generated by a centralized control point, and the SPI is calculated and generated by a mobile IP proxy. The process includes:
步骤 301 , 集中控制点计算生成移动 IP代理与 HA间的第一共享密钥。 集中控制点在计算所述第一共享密钥时, 参与计算的参数可以包括: 代理 移动 IP的根密钥, 移动 IP代理的 IP地址, HA的 IP地址以及随机数等。  Step 301: The centralized control point calculates to generate a first shared key between the mobile IP proxy and the HA. When the centralized control point calculates the first shared key, the parameters involved in the calculation may include: a proxy mobile IP root key, a mobile IP proxy IP address, an HA IP address, and a random number.
步骤 302, 集中控制点将计算所得的第一共享密钥传递给移动 IP代理, 如 果随机数参与了共享密钥的计算, 则同时将随机数发送给移动 IP代理。  Step 302: The centralized control point passes the calculated first shared key to the mobile IP proxy. If the random number participates in the calculation of the shared key, the random number is simultaneously sent to the mobile IP proxy.
步骤 303 ,移动 IP代理计算唯一标识接收到的第一共享密钥的 SPI, 参与计 算的参数可以包括: 代理移动 IP与 HA间的共享密钥, 移动 IP代理的 IP地址, HA的 IP地址、 根 SPI值以及随机数等。  Step 303: The mobile IP proxy calculates an SPI that uniquely identifies the received first shared key, and the parameters involved in the calculation may include: a shared key between the proxy mobile IP and the HA, an IP address of the mobile IP proxy, an IP address of the HA, Root SPI value and random number.
计算共享密钥和移动 IP代理计算 SPI所釆用的随机数可以相同, 也可以不 同。  Calculating the shared key and the mobile IP proxy calculation The random number used by the SPI can be the same or different.
步骤 304, 移动 IP代理向 HA发送 PMIP信令, 在该信令中携带 SPI以及 HA计算第二共享密钥所需要的参数, 并用移动 IP代理与 HA间的第一共享密 钥保护该信令。  Step 304: The mobile IP proxy sends PMIP signaling to the HA, where the signaling carries the parameters required by the SPI and the HA to calculate the second shared key, and protects the signaling by using the first shared key between the mobile IP proxy and the HA. .
步骤 305, HA接收到来自移动 IP代理的 PMIP信令后, 从该信令中获得必 要的参数, 用与集中控制点相同的方法计算第二共享密钥, 用计算所得的第二 共享密钥校验接收到的 PMIP信令的完整性, 如果校验成功, HA计算的第二共 享密钥与集中控制点计算的第一共享密钥相同, 则为移动终端建立移动 IP代理 和 HA之间的数据隧道, 并且保存接收到的 PMIP信令中携带的 SPI。  Step 305: After receiving the PMIP signaling from the mobile IP proxy, the HA obtains the necessary parameters from the signaling, calculates the second shared key in the same manner as the centralized control point, and uses the calculated second shared key. Verifying the integrity of the received PMIP signaling. If the verification is successful, the second shared key calculated by the HA is the same as the first shared key calculated by the centralized control point, and the mobile terminal establishes a relationship between the mobile IP proxy and the HA. Data tunnel, and save the SPI carried in the received PMIP signaling.
如果需要, HA在保存所述 SPI前, 还可以用与移动 IP代理相同的方法验 证 SPI。  If necessary, the HA can verify the SPI in the same way as the Mobile IP Agent before saving the SPI.
步骤 306, HA向移动 IP代理发送 PMIP信令, 该信令也使用 HA与移动 IP 代理间的第一共享密钥或者第二共享密钥进行保护, 并且该信令中携带唯一标 识该第一共享密钥的 SPI。  Step 306: The HA sends the PMIP signaling to the mobile IP proxy, where the signaling is also protected by using the first shared key or the second shared key between the HA and the mobile IP proxy, and the signaling carries the unique identifier. The SPI of the shared key.
后续的 PMIP信令交互可继续使用上述的共享密钥和 SPI。 具体为: 如果移 动 IP代理与 HA为特定移动终端建立的数据隧道的生命期到达, 需要重新创建 该数据隧道时, 不需要重新计算共享密钥和生成唯一标识共享密钥的 SPI, HA 与移动 IP代理交互的 PMIP信令仍釆用原来的共享密钥进行保护, 并在交互的 PMIP信令中携带唯一标识原来的共享密钥的 SPI。 Subsequent PMIP signaling interactions can continue to use the shared key and SPI described above. Specifically: if the lifetime of the data tunnel established by the mobile IP proxy and the HA for the specific mobile terminal needs to be re-created, the shared key and the SPI, HA and mobile that uniquely identify the shared key need not be recalculated. The PMIP signaling of the IP proxy interaction is still protected by the original shared key and is interactive. The PMIP signaling carries an SPI that uniquely identifies the original shared key.
图 4为本发明保护 PMIP信令的方法实施例三的流程图 ,该实施例中移动 IP 代理和 HA间的共享密钥由集中控制点计算生成。初始 PMIP信令中的 SPI使用 固定值, 该固定值的 SPI用来触发 HA分配唯一标识 HA与移动 IP代理之间的 共享密钥的 SPI 。 该流程包括:  FIG. 4 is a flowchart of Embodiment 3 of a method for protecting PMIP signaling according to the present invention. In this embodiment, a shared key between a mobile IP proxy and an HA is generated by a centralized control point. The SPI in the initial PMIP signaling uses a fixed value that is used by the SPI to trigger the HA to assign an SPI that uniquely identifies the shared key between the HA and the mobile IP proxy. The process includes:
步骤 401 , 集中控制点计算生成移动 IP代理与 HA间的第一共享密钥。 集中控制点在计算所述第一共享密钥时, 参与计算的参数可以包括: 代理 移动 IP的根密钥, 移动 IP代理的 IP地址, HA的 IP地址以及随机数等。  Step 401: The centralized control point calculates a first shared key between the mobile IP proxy and the HA. When the centralized control point calculates the first shared key, the parameters involved in the calculation may include: a proxy mobile IP root key, a mobile IP proxy IP address, an HA IP address, and a random number.
步骤 402, 集中控制点将计算所得的第一共享密钥传递给移动 IP代理, 如 果计算第一共享密钥时釆用的随机数, 还需要将随机数传递给移动 IP代理。  Step 402: The centralized control point passes the calculated first shared key to the mobile IP proxy. If the random number used in calculating the first shared key is calculated, the random number needs to be transmitted to the mobile IP proxy.
步骤 403 ,移动 IP代理向 HA发送 PMIP信令,该信令用移动 IP代理与 HA 间的第一共享密钥保护, 同时携带一个固定值的 SPI, 用于触发 HA进行 SPI分 配。  Step 403: The mobile IP proxy sends PMIP signaling to the HA, where the signaling is protected by the first shared key between the mobile IP proxy and the HA, and carries a fixed value SPI for triggering the HA to perform SPI allocation.
这里, 该用于触发 HA进行 SPI分配的固定值的 SPI为预先设定的, 是 HA 与移动 IP代理预先协商好的。 当然, 也可以设定其它的标识信息来触发 HA进 行 SPI分配。  Here, the fixed-value SPI for triggering the HA for SPI allocation is preset, and the HA is pre-negotiated with the mobile IP proxy. Of course, other identification information can also be set to trigger the HA to perform SPI allocation.
步骤 404, HA在接收到来自移动 IP代理的 PMIP信令后, 从该信令中获得 必要的参数, 用与集中控制点相同的方法计算第二共享密钥, 用计算所得的第 二共享密钥校验接收到的 PMIP信令的完整性, 如果校验成功, HA计算的第二 共享密钥与集中控制点计算的第一共享密钥相同, 则为移动终端建立移动 IP代 理和 HA之间的数据隧道, 并且 HA为计算所得的第二共享密钥分配一个 SPI, 这个 SPI具有唯一性, 能唯一标识该第一共享密钥或者第二共享密钥所属的安 全关联。  Step 404: After receiving the PMIP signaling from the mobile IP proxy, the HA obtains the necessary parameters from the signaling, calculates the second shared key in the same manner as the centralized control point, and uses the calculated second shared secret. Key verification of the integrity of the received PMIP signaling. If the verification is successful, the second shared key calculated by the HA is the same as the first shared key calculated by the centralized control point, and the mobile IP proxy and the HA are established for the mobile terminal. The data tunnel between the two, and the HA allocates an SPI for the calculated second shared key. The SPI is unique and can uniquely identify the security association to which the first shared key or the second shared key belongs.
步骤 405 , HA向移动 IP代理发送 PMIP信令, 该信令使用 HA与移动 IP 代理间的第二共享密钥或者第一共享密钥进行保护, 该信令中携带在步骤 404 所分配的 SPI。  Step 405: The HA sends PMIP signaling to the mobile IP proxy, where the signaling is protected by using a second shared key or a first shared key between the HA and the mobile IP proxy, where the signaling carries the SPI allocated in step 404. .
步骤 406, 移动 IP代理接收来自 HA的 PMIP信令, 利用接移动 IP代理和 HA之间的第一共享密钥校验该信令的完整性, 在校验成功时, 保存该 PMIP信 令中携带的 SPI。  Step 406: The mobile IP proxy receives the PMIP signaling from the HA, and checks the integrity of the signaling by using the first shared key between the mobile IP proxy and the HA. When the verification succeeds, the PMIP signaling is saved. Carrying SPI.
后续 HA和移动 IP代理交互的 PMIP信令可继续使用集中控制点计算所得 的第一共享密钥进行完整性保护, 并且在交互的 PMIP信令中携带 HA分配的 SPI。具体为: 如果移动 IP代理与 HA为特定移动终端建立的数据隧道的生命期 到达, 需要重新创建该数据隧道时, 不需要重新计算共享密钥和生成唯一标识 共享密钥的 SPI, HA与移动 IP代理交互的 PMIP信令仍釆用原来的共享密钥进 行保护, 并在交互的 PMIP信令中携带唯一标识原来的共享密钥的 SPI。 PMIP signaling for subsequent HA and mobile IP proxy interactions can continue to be calculated using centralized control points The first shared key is integrity protected and carries the HA assigned SPI in the interactive PMIP signaling. Specifically: if the mobile IP proxy and the HA establish the lifetime of the data tunnel established for the specific mobile terminal, and need to re-create the data tunnel, there is no need to recalculate the shared key and generate the SPI, HA and mobile that uniquely identify the shared key. The PMIP signaling of the IP proxy interaction is still protected by the original shared key, and the SPI that uniquely identifies the original shared key is carried in the interactive PMIP signaling.
图 5为本发明保护 PMIP信令的方法实施例四的流程图,该实施例中移动 IP 代理和 H A间的共享密钥以及 SPI由集中控制点计算生成,计算时包含了随机数。 移动 IP代理利用 PMIP信令现有的字段向 HA传递随机数。 该流程包括:  FIG. 5 is a flowchart of Embodiment 4 of a method for protecting PMIP signaling according to the present invention. In this embodiment, a shared key between a mobile IP proxy and an HA and an SPI are generated by a centralized control point, and the calculation includes a random number. The Mobile IP Agent uses the existing fields of PMIP signaling to pass random numbers to HA. The process includes:
步骤 501 ,集中控制点为移动 IP代理生成 SPI,该 SPI由随机数生成器产生, 或利用随机数和其它选定的参数计算生成。 集中控制点要确保生成的 SPI在所 服务的移动终端相关的所有 SPI中的唯一性。  Step 501: The centralized control point generates an SPI for the mobile IP proxy, and the SPI is generated by a random number generator, or is generated by using a random number and other selected parameters. The centralized control point is to ensure the uniqueness of the generated SPI in all SPIs associated with the mobile terminal being served.
集中控制点计算该移动 IP代理与 HA间的第一共享密钥, 在计算第一共享 密钥时, 参与计算的参数包括: 代理移动 IP的根密钥、 SPI、 移动 IP代理的 IP 地址、 以及 HA的 IP地址等。 在这种情况下, 由于 SPI本身是随机数, 或由随 机数参与计算生成, 因此集中控制点可以将 SPI作为随机数参与共享密钥的计 算。  The centralized control point calculates a first shared key between the mobile IP proxy and the HA. When calculating the first shared key, the parameters involved in the calculation include: a root key of the proxy mobile IP, an SPI, an IP address of the mobile IP proxy, And the IP address of HA, etc. In this case, since the SPI itself is a random number or is generated by a random number, the centralized control point can participate in the calculation of the shared key as a random number.
步骤 502,集中控制点将计算所得的第一共享密钥和生成的 SPI传递给移动 IP代理。  Step 502: The centralized control point passes the calculated first shared key and the generated SPI to the mobile IP proxy.
步骤 503 ,移动 IP代理向 HA发送 PMIP信令,该信令用移动 IP代理与 HA 间的第一共享密钥保护, 并且该信令包含唯一标识该第一共享密钥的 SPI。  Step 503: The mobile IP proxy sends PMIP signaling to the HA, where the signaling is protected by a first shared key between the mobile IP proxy and the HA, and the signaling includes an SPI that uniquely identifies the first shared secret.
步骤 504, HA在接收到来自移动 IP代理的 PMIP信令后, 从该信令中获得 必要的参数, 包括 SPI和移动 IP代理的 IP地址等信息, 用与集中控制点相同的 方法计算第二共享密钥,用计算所得的第二共享密钥校验接收到的 PMIP信令的 完整性, 如果校验成功, HA计算的第二共享密钥与集中控制点计算的第一共享 密钥相同, 则保存从 PMIP信令中获取的 SPI, 并为移动终端建立移动 IP代理 和 HA之间的数据隧道。  Step 504: After receiving the PMIP signaling from the mobile IP proxy, the HA obtains necessary parameters from the signaling, including information such as the IP address of the SPI and the mobile IP proxy, and calculates the second method in the same manner as the centralized control point. Sharing the key, and verifying the integrity of the received PMIP signaling by using the calculated second shared key. If the verification is successful, the second shared key calculated by the HA is the same as the first shared key calculated by the centralized control point. Then, the SPI obtained from the PMIP signaling is saved, and a data tunnel between the mobile IP proxy and the HA is established for the mobile terminal.
步骤 505, HA向移动 IP代理发送 PMIP信令, 该信令用 HA与移动 IP代 理间的第一共享密钥或者第二共享密钥进行保护, 并且该信令中携带唯一标识 该第一共享密钥的 SPI。  Step 505: The HA sends the PMIP signaling to the mobile IP proxy, where the signaling is protected by the first shared key or the second shared key between the HA and the mobile IP proxy, and the signaling carries the unique identifier of the first share. The SPI of the key.
图 6和图 7实施例以 CDMA演进网络为例进行说明,其中 eBS充当移动 IP 代理, AGW充当 HA, SRNC充当集中控制点。 The embodiment of FIG. 6 and FIG. 7 is described by taking a CDMA evolved network as an example, where the eBS acts as a mobile IP. Agent, AGW acts as HA, and SRNC acts as a centralized control point.
图 6为本发明保护 PMIP信令的方法实施例五的流程图, 该流程包括: 步骤 601 , AT与 eBSl建立连接, SRNC保存 AT与 eBSl间的会话信息。 步骤 602, SRNC发起与 AT的接入认证,认证服务器为 AT归属网络的 AAA 服务器; 在接入认证过程中, SRNC和 AGW从 HAAA获得代理移动 IP的根密 钥 (PMN-RK, Proxy Mobile Node - Root Key )„  6 is a flowchart of Embodiment 5 of a method for protecting PMIP signaling according to the present invention. The process includes: Step 601: The AT establishes a connection with eBS1, and the SRNC saves session information between the AT and the eBS1. Step 602: The SRNC initiates access authentication with the AT, and the authentication server is an AAA server of the AT home network. In the access authentication process, the SRNC and the AGW obtain the root key of the proxy mobile IP from the HAAA (PMN-RK, Proxy Mobile Node - Root Key )„
步骤 603 , SRNC计算 eBSl与 AGW间的第一共享密钥 PMN-HA1 ,将 AGW 的 IP地址, AT的 ΝΑΙ, ΡΜΝ-ΗΑΙ ,以及随机数 noncel携带在信令中发送给 eBSl。  Step 603: The SRNC calculates the first shared key PMN-HA1 between the eBS1 and the AGW, and carries the AGW IP address, the AT ΝΑΙ, the ΡΜΝ-ΗΑΙ, and the random number noncel in the signaling to the eBS1.
其中, PMN-HA1是 SRNC根据 PMN-RK, eBSl的 IP地址、 AGW的 IP地 址, 以及 noncel计算生成的。  Among them, PMN-HA1 is generated by SRNC based on PMN-RK, IP address of eBS1, IP address of AGW, and noncel calculation.
步骤 604 , eBSl将 link ID发送给 AT , Link ID表示了 AGW范围内链路层 的标识。  Step 604: The eBS1 sends the link ID to the AT, where the Link ID indicates the identity of the link layer in the AGW range.
步骤 605 , AT将 Link ID传递给 AT的 IP层。  Step 605: The AT transmits the Link ID to the AT layer of the AT.
步骤 606, eBSl向 AGW发送 PMIP信令, eBSl用从 SRNC获得的第一共 享密钥 PMN-HA1对要发送的 PMIP信令进行保护。  Step 606: The eBS1 sends PMIP signaling to the AGW, and the eBS1 protects the PMIP signaling to be sent by using the first shared key PMN-HA1 obtained from the SRNC.
具体的对 PMIP信令进行保护的方式为: eBSl将根据第一共享密钥  The specific way to protect PMIP signaling is: eBS1 will be based on the first shared key
PMN-HA1计算的信令摘要通过 PMN-HA认证扩展( PMN-HA AE, PMN-HA Authentication Extension )字段携带。 这里, PMN-HA AE字段中还包含了一个固 定值的 SPI,用于触发 AGW进行 SPI分配。 PMIP信令中还包括了 AT的标识信 息 (NAI )、 eBSl的 IP地址以及 noncel , noncel包含在 Identification字段的低 32bit中。 The signaling summary of the PMN-HA1 calculation is carried in the PMN-HA AAA (PMN-HA Authentication Extension) field. Here, the PMN-HA AE field also contains a fixed value SPI for triggering the AGW to perform SPI allocation. The PMIP signaling also includes AT identification information (NAI), eBS1 IP address, and noncel, which are included in the lower 32 bits of the Identification field.
步骤 607, AGW接到来自 eBSl的 PMIP信令后,从 Identification字段中获 取 noncel ,釆用与 SRNC相同的方法计算第二共享密钥 PMN-HA1 ,用 PMN-HA1 对 PMIP信令进行完整性校验, 如果校验成功, AGW为 PMN-HA1分配一个唯 一的 SPI, 用这个 SPI标识 PMN-HA1所属的安全关联。  Step 607: After receiving the PMIP signaling from the eBS1, the AGW obtains the noncel from the Identification field, calculates the second shared key PMN-HA1 in the same manner as the SRNC, and performs the integrity check on the PMIP signaling by using the PMN-HA1. If the check is successful, the AGW assigns a unique SPI to PMN-HA1, which is used to identify the security association to which PMN-HA1 belongs.
步骤 608, AGW向 eBSl发送 PMIP信令,用 PMN-HA1对该信令进行保护, 认证扩展 MN-HA AE字段中包含所分配的 SPI。 另外, AGW还会向 eBSl传递 GRE的 key, 目的是为了在 eBSl和 AGW间为当前所服务的 AT建立一个独立 的数据隧道, 这个数据隧道使用 GRE封装, 用 Key标识。  Step 608: The AGW sends the PMIP signaling to the eBS1, and the signaling is protected by the PMN-HA1. The Authentication Extended MN-HA AE field includes the allocated SPI. In addition, the AGW also transmits the GRE key to the eBS1, in order to establish an independent data tunnel between the eBS1 and the AGW for the currently served AT. The data tunnel is encapsulated by GRE and identified by Key.
步骤 609, eBSl将 AGW分配的 GRE key通知给 SRNC。 步骤 610, AT的 IP层根据 Link ID的值判断是否需要获取新的 IP地址, 如 果需要获取新的 IP地址, 则向 AGW请求 IP地址, AGW将分配的 IP地址发送 给 AT。 In step 609, the eBS1 notifies the SRNC of the GRE key assigned by the AGW. Step 610: The IP layer of the AT determines whether it needs to acquire a new IP address according to the value of the Link ID. If it needs to acquire a new IP address, it requests an IP address from the AGW, and the AGW sends the assigned IP address to the AT.
每一个 AT可能与多个 eBS建立连接, 当 AT要同时与 eBS2建立连接时, 执行步骤 611至 614。  Each AT may establish a connection with multiple eBSs. When the AT wants to establish a connection with eBS2 at the same time, steps 611 to 614 are performed.
步骤 611 , AT将 eBS2加入 AT的路由集(route set ) 中, 与 eBS2建立空口 连接。 eBS2通过与 SRNC的交互, 获得 AGW的 IP地址、 GRE Key、 SRNC计 算生成的 eBS2与 AGW之间的第一共享密钥 PMN-HA2、 以及随机数 nonce2。  Step 611: The AT adds the eBS2 to the AT route set, and establishes an air interface connection with the eBS2. The eBS2 obtains the AGW IP address, the GRE Key, the first shared key PMN-HA2 between the eBS2 and the AGW generated by the SRNC calculation, and the random number nonce2 through interaction with the SRNC.
这里 , PMN-HA2与 eBSl所使用的 PMN-HA1密钥不同 , PMN-HA2是 SRNC 根据 PMN-RK, eBS2的 IP地址、 AGW的 IP地址, 以及 nonce2计算生成的。  Here, PMN-HA2 is different from the PMN-HA1 key used by eBS1. PMN-HA2 is generated by SRNC based on PMN-RK, eBS2 IP address, AGW IP address, and nonce2.
步骤 612 , eBS2向 AGW发送 PMIP信令, eBS2用从 SRNC获得的 PMN-HA2 保护该 PMIP信令。 PMIP信令中还包括 AT的 NAI,、 eBS2的 IP地址、 GRE Key 等, 并且 Identification字段中包含了 nonce2, 认证扩展 MN-HAAE字段中携带 固定值的 SPI。  Step 612: The eBS2 sends PMIP signaling to the AGW, and the eBS2 protects the PMIP signaling by using the PMN-HA2 obtained from the SRNC. The PMIP signaling also includes the NAI of the AT, the IP address of the eBS2, the GRE Key, and the identification field includes the nonce2, and the SPI of the authentication extension MN-HAAE field carries a fixed value.
步骤 613 , AGW接到来自 eB2的 PMIP信令后, 从中提取 nonce2 , 釆用与 SRNC相同的方法计算第二共享密钥 PMN-HA2 ,用 PMN-HA2对接收到的 PMIP 信令进行完整性校验; 如果校验成功, 则分配唯一标识 PMN-HA2所属的安全 关联的 SPI。  Step 613: After receiving the PMIP signaling from the eB2, the AGW extracts the nonce2, calculates the second shared key PMN-HA2 in the same manner as the SRNC, and performs integrity check on the received PMIP signaling by using the PMN-HA2. If the verification is successful, an SPI that uniquely identifies the security association to which the PMN-HA2 belongs is assigned.
步骤 614, AGW向 eB2发送 PMIP信令, 用 PMN-HA2对该信令进行保护, 认证扩展 MN-HAAE字段中包含步骤 613中分配的 SPI。  In step 614, the AGW sends the PMIP signaling to the eB2, and the signaling is protected by the PMN-HA2. The authentication extended MN-HAAE field includes the SPI allocated in step 613.
AGW不再分配新的 GRE key, 而是使用 eBS2在 PMIP信令中携带的 GRE key做为 eBS2与 AGW之间隧道的标识。  The AGW no longer allocates a new GRE key, but uses the GRE key carried by the eBS2 in the PMIP signaling as the identifier of the tunnel between the eBS2 and the AGW.
AGW与 eSB之间的每一个数据隧道都是有生命期的, 当 AGW与 eBSl为 特定 AT创建的数据隧道的生命期到达,需要重新创建相同的数据隧道时, AGW 和 eBSl可以通过以确定的共享密钥 PMN-HA1对交互的 PMIP信令进行保护, 并且在 PMIP信令中携带确定的 SPI1。 AGW和 eBS2为特定 AT创建的数据隧 道生命期到达时, 同样可以利用已确定的 PMN-HA2和 SPI1进行 PMIP信令交 互。  Each data tunnel between the AGW and the eSB is a lifetime. When the lifetime of the data tunnel created by the AGW and eBS1 for a specific AT arrives and the same data tunnel needs to be re-created, the AGW and the eBS1 can be determined. The shared key PMN-HA1 protects the interacting PMIP signaling and carries the determined SPI1 in the PMIP signaling. When the AGW and eBS2 arrive at the data tunnel lifetime created by a specific AT, the PMN-HA2 and SPI1 can also be used for PMIP signaling interaction.
在图 6中, eBS通过 PMIP信令向 AGW传递计算共享密钥的随机数时, 将 随机数携带在 PMIP信令中现有的 indification字段中发送给 AGW。在实际应用 中, eBS也可以通过在 PMIP信令中扩展新的字段, 如 Nonce字段, 将随机数携 带在新扩展的字段中发送给 AGW。 In FIG. 6, when the eBS transmits the random number of the shared key to the AGW through the PMIP signaling, the eBS carries the random number in the existing indication field in the PMIP signaling and sends the random number to the AGW. In practical application The eBS may also send a random number in the newly extended field to the AGW by extending a new field in the PMIP signaling, such as a Nonce field.
图 7为本发明保护 PMIP信令的方法实施例六的流程图, 该实施例中 SPI 充当随机数。 该流程包括:  FIG. 7 is a flowchart of Embodiment 6 of a method for protecting PMIP signaling according to the present invention. In this embodiment, the SPI acts as a random number. The process includes:
步骤 701 , AT与 eBSl建立连接, SRNC保存 AT与 eBSl间的会话信息。 步骤 702, SRNC发起与 AT的接入认证,认证服务器为 AT归属网络的 AAA 服务器; 在接入认证过程中, SRNC和 AGW从 HAAA获得代理移动 IP的 Step 701: The AT establishes a connection with the eBS1, and the SRNC saves the session information between the AT and the eBS1. Step 702: The SRNC initiates access authentication with the AT, and the authentication server is an AAA server of the AT home network. In the access authentication process, the SRNC and the AGW obtain the proxy mobile IP from the HAAA.
PMN-RK。 PMN-RK.
步骤 703 , SRNC将 AGW的 IP地址、 AT的 NAI、 生成的 SPI1以及利用 SPI1计算的第一共享密钥 PMN-HA1发送给 eBSl。  Step 703: The SRNC sends the IP address of the AGW, the NAI of the AT, the generated SPI1, and the first shared key PMN-HA1 calculated by using the SPI1 to the eBS1.
其中, SPI1是 SRNC根据 eBSl的 IP地址、 AGW的 IP地址、 以及一个随 机数计算生成的;第一共享密钥 PMN-HA1是 SRNC根据 PMN-RK和 SPI1计算 生成的。  The SPI1 is generated by the SRNC based on the IP address of the eBS1, the IP address of the AGW, and a random number. The first shared key PMN-HA1 is generated by the SRNC based on the PMN-RK and SPI1.
步骤 704 , eBSl将 link ID发送给 AT , Link ID表示了 AGW范围内链路层 的标识;  Step 704: The eBS1 sends the link ID to the AT, where the Link ID indicates the identifier of the link layer in the AGW range.
步骤 705 , AT将 Link ID传递给 AT的 IP层。  Step 705: The AT transmits the Link ID to the AT layer of the AT.
步骤 706, eBSl向 AGW发送 PMIP信令, eBSl用从 SRNC获得的第一共 享密钥 PMN-HA1保护该 PMIP信令, PMIP信令中包含了 SPI1以及 AT的 NAI 和 eBSl的 IP地址。  Step 706: The eBS1 sends PMIP signaling to the AGW, and the eBS1 protects the PMIP signaling by using the first shared key PMN-HA1 obtained from the SRNC. The PMIP signaling includes the IP addresses of the SPI1 and the AT and the eBS1 of the AT.
这里 , 具体的对 PMIP信令进行保护的方式为: eB S 1将根据 PMN-HA1计 算的信令摘要携带在 PMN-HAAE字段中, PMN-HAAE中还包含了 SPI1。  Here, the specific way to protect the PMIP signaling is: eB S 1 carries the signaling digest calculated according to PMN-HA1 in the PMN-HAAE field, and PMN-HAAE also includes SPI1.
步骤 707 , AGW接收到来自 eBSl的 PMIP信令后, 从中获取 SPI1 , 因为 AGW也具有 PMN-RK,因此 AGW釆用与 SRNC相同的方法计算第二共享密钥 PMN-HA1 , 用计算所得的第二共享密钥 PMN-HA1对消息进行校验。 如果校验 成功, 保存获取的 SPI1。  Step 707: After receiving the PMIP signaling from the eBS1, the AGW obtains the SPI1 from the UE. Because the AGW also has the PMN-RK, the AGW calculates the second shared key PMN-HA1 in the same manner as the SRNC. The shared key PMN-HA1 verifies the message. If the check is successful, save the acquired SPI1.
步骤 708, AGW向 eBSl发送 PMIP信令,用 PMN-HA1对该信令进行保护, 在 PMN-HAAE字段中携带 SPI1。 另外 AGW还会传递 GRE的 key给 eBSl , 目 的是为了在 eBSl和 AGW间为当前服务的 AT建立一个独立的数据隧道, 这个 数据隧道就使用 GRE封装, 用 Key标识。  Step 708: The AGW sends PMIP signaling to the eBS1, protects the signaling by using the PMN-HA1, and carries the SPI1 in the PMN-HAAE field. In addition, the AGW also transmits the GRE key to eBSl. The purpose is to establish an independent data tunnel between the eBS1 and the AGW for the currently serving AT. The data tunnel is encapsulated by GRE and identified by Key.
步骤 709, eBSl与 SRNC进行交互,将 AGW分配的 GRE key通知给 SRNC。 步骤 710, AT的 IP层根据 Link ID的值判断是否需要获取新的 IP地址, 如 果需要获取新的 IP地址, 则向 AGW请求 IP地址, AGW将分配的 IP地址发送 给 AT。 In step 709, the eBS1 interacts with the SRNC to notify the SRNC of the GRE key assigned by the AGW. Step 710: The IP layer of the AT determines whether it needs to acquire a new IP address according to the value of the Link ID. If a new IP address needs to be obtained, the IP address is requested from the AGW, and the AGW sends the assigned IP address to the AT.
每一个 AT可能与多个 eBS建立连接, 当 AT要同时与 eBS2建立连接时, 执行步骤 711至 714。  Each AT may establish a connection with multiple eBSs. When the AT wants to establish a connection with eBS2 at the same time, steps 711 to 714 are performed.
步骤 711 , AT将 eBS2加入自身的路由集中, 与 eBS2建立空口连接。 eBS2 通过与 SRNC的交互, 获得 AGW的 IP地址、 GRE Key、 PMN-HA2, 以及利用 随机数等参数生成的 SPI2。  Step 711: The AT adds the eBS2 to its own route set, and establishes an air interface connection with the eBS2. eBS2 obtains the AGW IP address, GRE Key, PMN-HA2, and SPI2 generated by parameters such as random numbers through interaction with SRNC.
其中, SPI2是 SRNC根据 eBS2的 IP地址、 AGW的 IP地址、 以及一个随 机数计算生成的; 第一共享密钥 PMN-HA2与 eBSl所使用的 PMN-HA1密钥不 同, 是 SRNC根据 SPI2和 PMN-RK计算生成的。  The SPI2 is generated by the SRNC according to the IP address of the eBS2, the IP address of the AGW, and a random number. The first shared key PMN-HA2 is different from the PMN-HA1 key used by the eBS1, and the SRNC is based on the SPI2 and the PMN. -RK calculation generated.
步骤 712, eBS2向 AGW发送 PMIP信令, eBS2用从 SRNC获得的第一共 享密钥 PMN-HA2保护该信令, 在 PMN-HAAE字段中携带 SPI2。 PMIP消息中 还包括 AT的 NAI、 eBS2的 IP地址和 GRE Key。  Step 712: The eBS2 sends PMIP signaling to the AGW, and the eBS2 protects the signaling by using the first shared key PMN-HA2 obtained from the SRNC, and carries the SPI2 in the PMN-HAAE field. The PMIP message also includes the AT of the AT, the IP address of the eBS2, and the GRE Key.
步骤 713 , AGW接收到来自 eBS2的 PMIP信令后, 从中获取 SPI2, 釆用 与 SRNC相同的方法计算第二共享密钥 PMN-HA2, 用计算所得的碟共享密钥 PMN-HA2对 PMIP信令进行校验, 如果校验成功, 则保存获取的 SPI2。  Step 713: After receiving the PMIP signaling from the eBS2, the AGW obtains the SPI2 from the UE, calculates the second shared key PMN-HA2 in the same manner as the SRNC, and uses the calculated disc sharing key PMN-HA2 to signal the PMIP. The check is performed, and if the check is successful, the acquired SPI2 is saved.
步骤 714, AGW向 eBS2发送 PMIP信令,用 PMN-HA2对该信令进行保护, 在 PMN-HAAE字段中携带 SPI2。  Step 714: The AGW sends PMIP signaling to the eBS2, protects the signaling by using the PMN-HA2, and carries the SPI2 in the PMN-HAAE field.
AGW不再分配新的 GRE key, 而是使用 eBS2发送的 PMIP信令中携带的 GRE key做为 AGW与 eBS2之间的数据隧道的标识。  The AGW no longer allocates a new GRE key, but uses the GRE key carried in the PMIP signaling sent by the eBS2 as the identifier of the data tunnel between the AGW and the eBS2.
AGW与 eSB之间的每一个数据隧道都是有生命期的, 当 AGW与 eBSl为 特定 AT创建的数据隧道的生命期到达,需要重新创建相同的数据隧道时, AGW 和 eBSl可以通过以确定的共享密钥 PMN-HA1对交互的 PMIP信令进行保护, 并且在 PMIP信令中携带确定的 SPI1。 AGW和 eBS2为特定 AT创建的数据隧 道生命期到达时, 同样可以利用已确定的 PMN-HA2和 SPI1进行 PMIP信令交 互。  Each data tunnel between the AGW and the eSB is a lifetime. When the lifetime of the data tunnel created by the AGW and eBS1 for a specific AT arrives and the same data tunnel needs to be re-created, the AGW and the eBS1 can be determined. The shared key PMN-HA1 protects the interacting PMIP signaling and carries the determined SPI1 in the PMIP signaling. When the AGW and eBS2 arrive at the data tunnel lifetime created by a specific AT, the PMN-HA2 and SPI1 can also be used for PMIP signaling interaction.
本发明实施例还提供了三种保护 PMIP信令的系统。  Embodiments of the present invention also provide three systems for protecting PMIP signaling.
图 8为本发明保护 PMIP信令的系统实施例一的结构示意图。 该系统包括: 集中控制点, 用于计算移动 IP代理和家乡代理 HA之间的第一共享密钥, 生成唯一标识该第一共享密钥的 SPI; FIG. 8 is a schematic structural diagram of Embodiment 1 of a system for protecting PMIP signaling according to the present invention. The system includes: a centralized control point for calculating a first shared key between the mobile IP proxy and the home agent HA, Generating an SPI that uniquely identifies the first shared key;
移动 IP代理, 用于接收集中控制点发送的或主动从集中控制点获取所述第 一共享密钥和 SPI, 利用获取的第一共享密钥对要发送给 HA的 PMIP信令进行 完整性保护, 在要发送的 PMIP信令中携带获取的 SPI;  a mobile IP proxy, configured to receive the first shared key and the SPI sent by the centralized control point or actively from the centralized control point, and perform integrity protection on the PMIP signaling to be sent to the HA by using the obtained first shared key Carrying the acquired SPI in the PMIP signaling to be sent;
HA, 用于接收来自移动 IP代理的 PMIP信令, 釆用与集中控制点相同的方 法计算第二共享密钥,利用计算所得的第二共享密钥校验接收到的 PMIP信令的 完整性,在校验成功时,保存计算所得的第二共享密钥和接收到的 PMIP信令携 带的 SPI。  HA, configured to receive PMIP signaling from the mobile IP proxy, calculate the second shared key in the same manner as the centralized control point, and verify the integrity of the received PMIP signaling by using the calculated second shared key When the verification is successful, the calculated second shared key and the received SPI carried by the PMIP signaling are saved.
该系统的集中控制点包括:  The centralized control points of the system include:
共享密钥计算单元, 用于计算移动 IP代理和 HA之间的第一共享密钥; a shared key calculation unit, configured to calculate a first shared key between the mobile IP proxy and the HA;
SPI生成单元, 用于利用随机数生成器生成, 或利用选定参数计算生成唯一 标识第一共享密钥计算单元计算所得的第一共享密钥的 SPI。 The SPI generating unit is configured to generate, by using a random number generator, or generate a SPI that uniquely identifies the first shared key calculated by the first shared key computing unit by using the selected parameter calculation.
该集中控制点还可以进一步包括: 信息发送单元, 用于将第一共享密钥计 算单元计算所得的第一共享密钥和 SPI生成单元生成的 SPI发送给移动 IP代理。  The centralized control point may further include: an information sending unit, configured to send the first shared key calculated by the first shared key calculation unit and the SPI generated by the SPI generating unit to the mobile IP proxy.
如果 SPI生成单元通过随机数生成器生成 SPI,或利用随机数以及其它选定 参数计算生成 SPI,则该集中控制点中的共享密钥计算单元可以由随机数获取单 元和密钥计算单元组成。 其中,  If the SPI generation unit generates the SPI through the random number generator, or uses the random number and other selected parameters to calculate the generated SPI, the shared key calculation unit in the centralized control point may be composed of a random number acquisition unit and a key calculation unit. among them,
随机数获取单元, 用于从 SPI生成单元获取生成的 SPI;  a random number obtaining unit, configured to obtain the generated SPI from the SPI generating unit;
密钥计算单元, 用于将随机数获取单元获取的 SPI作为随机数计算移动 IP 代理和 HA之间的共享密钥。  The key calculation unit is configured to calculate the shared key between the mobile IP proxy and the HA by using the SPI acquired by the random number obtaining unit as a random number.
图 9为本发明保护 PMIP信令的系统实施例二的结构示意图。 该系统包括: 集中控制点, 用于计算移动 IP代理和家乡代理 HA之间的第一共享密钥; 移动 IP代理, 用于获取集中控制点计算的第一共享密钥, 生成唯一标识该 第一共享密钥的 SPI, 利用该第一共享密钥对要发送给 HA的 PMIP信令进行完 整性保护, 在要发送的 PMIP信令中携带生成的 SPI;  FIG. 9 is a schematic structural diagram of Embodiment 2 of a system for protecting PMIP signaling according to the present invention. The system includes: a centralized control point, configured to calculate a first shared key between the mobile IP proxy and the home agent HA; a mobile IP proxy, configured to obtain a first shared key calculated by the centralized control point, and generate a unique identifier a shared key SPI, using the first shared key to perform integrity protection on the PMIP signaling to be sent to the HA, and carrying the generated SPI in the PMIP signaling to be sent;
HA, 用于接收来自移动 IP代理的 PMIP信令, 釆用与集中控制点相同的方 法计算第二共享密钥,利用计算所得的第二共享密钥校验接收到的 PMIP信令的 完整性,在校验成功时,保存计算所得的第二共享密钥和接收到的 PMIP信令携 带的 SPI。  HA, configured to receive PMIP signaling from the mobile IP proxy, calculate the second shared key in the same manner as the centralized control point, and verify the integrity of the received PMIP signaling by using the calculated second shared key When the verification is successful, the calculated second shared key and the received SPI carried by the PMIP signaling are saved.
该实施例中, 移动 IP代理包括: 共享密钥获取单元, 用于接收集中控制点发送的第一共享密钥, 或从集中 控制点主动获取第一共享密钥; In this embodiment, the mobile IP proxy includes: a shared key obtaining unit, configured to receive a first shared key sent by a centralized control point, or actively obtain a first shared key from a centralized control point;
SPI生成单元, 用于利用随机数生成器生成, 或利用选定参数计算生成唯一 标识获取的第一共享密钥的 SPI;  An SPI generating unit, configured to generate, by using a random number generator, or generate a SPI that uniquely identifies the first shared key obtained by using the selected parameter;
信令发送单元, 用于向 HA发送 PMIP信令, 用所述第一共享密钥对要发送 的 PMIP信令进行完整性保护,在要发送的 PMIP信令中携带 SPI生成单元生成 的 SPI。  The signaling sending unit is configured to send PMIP signaling to the HA, perform integrity protection on the PMIP signaling to be sent by using the first shared key, and carry the SPI generated by the SPI generating unit in the PMIP signaling to be sent.
图 10为本发明保护 PMIP信令的系统实施例三的结构示意图。该系统包括: 集中控制点, 用于计算移动 IP代理和家乡代理 HA之间的第一共享密钥; 移动 IP代理,用于获取集中控制点计算的第一共享密钥,向 HA发送 PMIP 信令, 利用获取的第一共享密钥对该 PMIP信令进行完整性保护, 在该 PMIP信 令中携带设定的触发 SPI分配的固定标识; 接收来自 HA的 PMIP信令, 利用获 取的第一共享密钥校验接收到的 PMIP信令的完整性,在校验成功时,从接收到 的 PMIP信令中获取 HA分配的唯一标识该第一共享密钥或者第二共享密钥的 SPI;  FIG. 10 is a schematic structural diagram of Embodiment 3 of a system for protecting PMIP signaling according to the present invention. The system comprises: a centralized control point, configured to calculate a first shared key between the mobile IP proxy and the home agent HA; a mobile IP proxy, configured to obtain a first shared key calculated by the centralized control point, and send a PMIP letter to the HA And performing integrity protection on the PMIP signaling by using the obtained first shared key, carrying a fixed identifier for triggering SPI allocation in the PMIP signaling, receiving PMIP signaling from the HA, and using the obtained first The shared key checks the integrity of the received PMIP signaling. When the verification succeeds, the SPI that uniquely identifies the first shared key or the second shared key is obtained from the received PMIP signaling.
HA, 用于接收来自移动 IP代理的 PMIP信令, 釆用与集中控制点相同的方 法计算第二共享密钥,利用计算所得的第二共享密钥校验接收到的 PMIP信令的 完整性,在校验成功时,生成唯一标识该第一共享密钥或者第二共享密钥的 SPI; 将该 SPI携带在 PMIP信令中发送给移动 IP代理, 用计算所得的第二共享密钥 对要发送给移动 IP代理的 PMIP信令进行完整性保护。  HA, configured to receive PMIP signaling from the mobile IP proxy, calculate the second shared key in the same manner as the centralized control point, and verify the integrity of the received PMIP signaling by using the calculated second shared key When the verification succeeds, generating an SPI that uniquely identifies the first shared key or the second shared key; carrying the SPI in the PMIP signaling and sending the same to the mobile IP proxy, using the calculated second shared key pair PMIP signaling to be sent to the Mobile IP Agent for integrity protection.
该实施例中, 家乡代理 HA包括:  In this embodiment, the home agent HA includes:
信令收发单元, 用于接收来自移动 IP代理的 PMIP信令; 将 SPI生成单元 生成的 SPI携带在 PMIP信令中发送给移动 IP代理, 用校验单元计算所得的第 二共享密钥对要发送给移动 IP代理的 PMIP信令进行完整性保护;  a signaling transceiver unit, configured to receive PMIP signaling from the mobile IP proxy; the SPI generated by the SPI generating unit is carried in the PMIP signaling and sent to the mobile IP proxy, and the second shared key pair calculated by the check unit is used. PMIP signaling sent to the mobile IP proxy for integrity protection;
校验单元, 釆用与集中控制点相同的方法计算第二共享密钥, 利用计算所 得的第二共享密钥校验接收到的 PMIP信令的完整性;  The verification unit calculates the second shared key in the same manner as the centralized control point, and verifies the integrity of the received PMIP signaling by using the calculated second shared key;
SPI生成单元, 用于在校验单元校验成功时, 利用随机数生成器生成, 或利 用选定参数计算生成唯一标识所述第一共享密钥或者第二共享密钥的 SPI。  The SPI generating unit is configured to generate, by using a random number generator, or generate a SPI that uniquely identifies the first shared key or the second shared key by using a selected parameter calculation when the check unit is successfully verified.
移动 IP代理包括:  Mobile IP agents include:
共享密钥获取单元, 用于接收集中控制点发送的或从集中控制点主动获取 该移动 IP代理与 HA的第一共享密钥; a shared key obtaining unit, configured to receive a centralized control point or actively obtain from a centralized control point The first shared key of the mobile IP proxy and the HA;
SPI分配触发单元, 用于向 HA发送 PMIP信令, 用共享密钥获取单元获取 的第一共享密钥对该 PMIP信令进行完整性保护,在该 PMIP信令中携带设定的 触发 SPI分配的固定标识;  The SPI allocation triggering unit is configured to send PMIP signaling to the HA, and perform integrity protection on the PMIP signaling by using the first shared key obtained by the shared key obtaining unit, and carry the set trigger SPI allocation in the PMIP signaling. Fixed identification
校验及 SPI获取单元, 用于接收来自 HA的 PMIP信令, 利用共享密钥获取 单元获取的第一共享密钥校验该信令的完整性, 在校验成功时, 从接收到的 PMIP信令中获取 HA分配的唯一标识所述第一共享密钥或者第二共享密钥的 SPI。  a checksum SPI obtaining unit, configured to receive PMIP signaling from the HA, and verify the integrity of the signaling by using the first shared key obtained by the shared key obtaining unit, and when the verification succeeds, the received PMIP The SPI that is assigned by the HA to uniquely identify the first shared key or the second shared key is obtained in the signaling.
图 11为本发明保护 PMIP信令的方法实施例七的流程图, 该实施例中移动 IP代理和 HA间的共享密钥由集中控制点计算生成, 计算时包含了随机数。 同 时集中控制点为移动 IP代理生成用于构造 SPI的参数。 该流程包括:  FIG. 11 is a flowchart of Embodiment 7 of a method for protecting PMIP signaling according to the present invention. In this embodiment, a shared key between a mobile IP proxy and an HA is generated by a centralized control point, and the calculation includes a random number. At the same time, the centralized control point generates parameters for constructing the SPI for the mobile IP proxy. The process includes:
步骤 1101 , 集中控制点计算生成移动 IP代理与 HA间的第一共享密钥, 同 时为移动 IP代理生成用于构造 SPI的参数, 该构造参数可以由随机数生成器产 生, 或利用随机数以及其它选定的参数计算生成。  Step 1101: The centralized control point calculates a first shared key between the mobile IP proxy and the HA, and generates a parameter for constructing the SPI for the mobile IP proxy, where the constructor parameter may be generated by a random number generator, or by using a random number and Other selected parameters are calculated and generated.
集中控制点计算该移动 IP代理与 HA间的第一共享密钥, 在计算第一共享 密钥时, 参与计算的参数包括: 代理移动 IP的根密钥、 SPI构造参数、 移动 IP 代理的 IP地址、 以及 HA的 IP地址等。 在这种情况下, 由于 SPI构造参数本身 是随机数, 或由随机数参与计算生成, 因此集中控制点可以将 SPI构造参数作 为随机数参与第二共享密钥的计算。  The centralized control point calculates the first shared key between the mobile IP proxy and the HA. When calculating the first shared key, the parameters involved in the calculation include: the root key of the proxy mobile IP, the SPI configuration parameter, and the IP of the mobile IP proxy. Address, and IP address of HA, etc. In this case, since the SPI construction parameters themselves are random numbers, or are generated by random numbers, the centralized control point can participate in the calculation of the second shared key as a random number.
步骤 1102, 集中控制点将计算所得的第一共享密钥和用于构造 SPI的参数 传递给移动 IP代理。  Step 1102: The centralized control point passes the calculated first shared key and parameters for constructing the SPI to the mobile IP proxy.
步骤 1103 , 移动 IP代理根据 SPI构造参数生成 SPI。  Step 1103: The mobile IP proxy generates an SPI according to the SPI configuration parameters.
步骤 1104, 移动 IP代理向 HA发送 PMIP信令, 该信令用移动 IP代理与 HA间的第一共享密钥保护, 并且该信令包含唯一标识该第一共享密钥的 SPI。  Step 1104: The mobile IP proxy sends PMIP signaling to the HA, the signaling is protected by a first shared key between the mobile IP proxy and the HA, and the signaling includes an SPI that uniquely identifies the first shared secret.
步骤 1105, HA在接收到来自移动 IP代理的 PMIP信令后, 从该信令中获 得必要的参数,包括 SPI或用于构造 SPI的参数和移动 IP代理的 IP地址等信息, 用与集中控制点相同的方法计算第二共享密钥, 用计算所得的第二共享密钥校 验接收到的 PMIP信令的完整性, 如果校验成功, HA计算的第二共享密钥与集 中控制点计算的第一共享密钥相同, 则保存从 PMIP信令中获取的 SPI, 并为移 动终端建立移动 IP代理和 HA之间的数据隧道。 步骤 1106, HA向移动 IP代理发送 PMIP信令, 该信令用 HA与移动 IP代 理间的第一共享密钥或者第二共享密钥进行保护, 并且该信令中携带唯一标识 该第一共享密钥的 SPI。 Step 1105, after receiving the PMIP signaling from the mobile IP proxy, the HA obtains necessary parameters from the signaling, including information such as SPI or parameters for constructing the SPI and the IP address of the mobile IP proxy, and centralized control. The same method is used to calculate the second shared key, and the calculated second shared key is used to verify the integrity of the received PMIP signaling. If the verification is successful, the second shared key calculated by the HA and the centralized control point are calculated. If the first shared key is the same, the SPI obtained from the PMIP signaling is saved, and a data tunnel between the mobile IP proxy and the HA is established for the mobile terminal. Step 1106: The HA sends the PMIP signaling to the mobile IP proxy, where the signaling is protected by the first shared key or the second shared key between the HA and the mobile IP proxy, and the signaling carries the unique identifier of the first share. The SPI of the key.
图 12为本发明保护 PMIP信令的系统实施例四的结构示意图。该系统包括: 集中控制点, 用于计算移动 IP代理和家乡代理 HA之间的第一共享密钥, 为移动 IP代理生成用于构造 SPI的参数;  FIG. 12 is a schematic structural diagram of Embodiment 4 of a system for protecting PMIP signaling according to the present invention. The system includes: a centralized control point for calculating a first shared key between the mobile IP proxy and the home agent HA, and generating parameters for constructing the SPI for the mobile IP proxy;
移动 IP代理, 用于获取该第一共享密钥, 获取用于构造 SPI的参数, 根据 用于构造 SPI的参数生成唯一标识所述第一共享密钥的 SPI, 利用第一共享密钥 对要发送给所述 HA的 PMIP信令进行完整性保护, 在 PMIP信令中携带所述 SPI;  a mobile IP proxy, configured to obtain the first shared key, obtain a parameter for constructing the SPI, generate an SPI that uniquely identifies the first shared key according to a parameter used to construct the SPI, and use the first shared key to Performing integrity protection on the PMIP signaling sent to the HA, and carrying the SPI in the PMIP signaling;
家乡代理 HA, 用于接收所述 PMIP信令, 釆用与集中控制点相同的方法计 算第二共享密钥,利用计算所得的第二共享密钥校验接收到的 PMIP信令的完整 性,在校验成功时,保存计算所得的第二共享密钥和所述 PMIP信令携带的 SPI。  The home agent HA is configured to receive the PMIP signaling, calculate a second shared key in the same manner as the centralized control point, and verify the integrity of the received PMIP signaling by using the calculated second shared key. When the verification is successful, the calculated second shared key and the SPI carried by the PMIP signaling are saved.
集中控制点包括:  Centralized control points include:
共享密钥计算单元, 用于计算移动 IP代理和 HA之间的第一共享密钥; SPI构造单元, 用于利用随机数生成器生成, 或利用选定参数计算生成用于 构造 SPI的参数;  a shared key calculation unit, configured to calculate a first shared key between the mobile IP proxy and the HA; an SPI construction unit, configured to generate by using a random number generator, or generate a parameter for constructing the SPI by using a selected parameter;
信息发送单元, 用于将第一共享密钥和所述用于构造 SPI的参数发送给所 述移动 IP代理。  And an information sending unit, configured to send the first shared key and the parameter used to construct the SPI to the mobile IP proxy.
移动 IP代理包括:  Mobile IP agents include:
共享密钥获取单元, 用于接收集中控制点发送的第一共享密钥, 或从所述 集中控制点主动获取所述第一共享密钥;  a shared key obtaining unit, configured to receive a first shared key sent by a centralized control point, or actively obtain the first shared key from the centralized control point;
SPI生成单元, 用于接收所述集中控制点发送的用于构造 SPI的参数, 并利 用于构造 SPI的参数生成唯一标识第一共享密钥的 SPI;  An SPI generating unit, configured to receive a parameter sent by the centralized control point for constructing the SPI, and use the parameter for constructing the SPI to generate an SPI that uniquely identifies the first shared key;
信令发送单元, 用于向 HA发送 PMIP信令, 用第一共享密钥对所述 PMIP 信令进行完整性保护, 在所述 PMIP信令中携带所述 SPI生成单元生成的 SPI。  The signaling sending unit is configured to send PMIP signaling to the HA, perform integrity protection on the PMIP signaling by using the first shared key, and carry the SPI generated by the SPI generating unit in the PMIP signaling.
由以上描述可见, 本发明实施例中由集中控制点计算移动 IP代理与 HA之 间的共享密钥,由集中控制点或移动 IP代理或 HA生成唯一标识移动 IP代理与 HA的共享密钥的 SPI, 釆用集中控制点计算所得的共享密钥对移动 IP代理与 HA交互的 PMIP信令进行完整性保护, 并且在 PMIP信令中携带生成的 SPI, 进而使得在安全关联确定后, HA再接收到来自移动 IP代理的 PMIP信令时, 可以根据 SPI查找 PMIP信令对应的安全关联, 这样的查找过程不仅效率高, 而 且符合协议目前的规定。 因此, 本发明实施例提供的保护 PMIP信令的方法完善 了 PMIP信令的保护机制。 As can be seen from the above description, in the embodiment of the present invention, the shared key between the mobile IP proxy and the HA is calculated by the centralized control point, and the shared control key or the mobile IP proxy or the HA generates a shared key that uniquely identifies the mobile IP proxy and the HA. SPI, using the shared key calculated by the centralized control point to perform integrity protection on the PMIP signaling of the mobile IP proxy and the HA interaction, and carrying the generated SPI in the PMIP signaling, In addition, after the security association is determined, when the HA receives the PMIP signaling from the mobile IP proxy, the HA can search for the security association corresponding to the PMIP signaling according to the SPI. Such a search process is not only efficient but also conforms to the current provisions of the protocol. Therefore, the method for protecting PMIP signaling provided by the embodiment of the present invention improves the protection mechanism of PMIP signaling.
本发明实施例提供的四种保护 PMIP信令的系统,分别实现了由集中控制点 生成、 由移动 IP代理和由 HA生成唯一标识共享密钥的 SPI的方法, 因此这四 种保护 PMIP信令的系统能够达到完善 PMIP信令的保护机制的发明目的。  The four systems for protecting PMIP signaling provided by the embodiments of the present invention respectively implement a method for generating an SPI generated by a centralized control point, generated by a mobile IP proxy, and generated by a HA to uniquely identify a shared key, and thus the four types of protection PMIP signaling The system can achieve the purpose of perfecting the protection mechanism of PMIP signaling.
本发明实施例提供的第一种移动 IP代理、 HA以及第一种集中控制点, 可 以生成唯一标识共享密钥的 SPI, 因此能够达到完善 PMIP信令的保护机制的发 明目的。  The first mobile IP proxy, the HA, and the first centralized control point provided by the embodiments of the present invention can generate an SPI that uniquely identifies the shared key, and thus can achieve the purpose of improving the protection mechanism of the PMIP signaling.
本发明实施例提供的第二种移动 IP代理能够触发并获取 HA为共享密钥分 配的唯一标识 SPI, 因此能够达到完善 PMIP信令的保护机制的发明目的。  The second mobile IP proxy provided by the embodiment of the present invention can trigger and acquire the unique identifier SPI that the HA allocates as the shared key, so that the invention aims to improve the protection mechanism of the PMIP signaling.
本发明实施例第二种集中控制点为移动 IP代理生成用于构造 SPI的参数, 第三种移动 IP代理根据所述用于构造 SPI的参数生成唯一标识共享密钥的 SPI, 因此能够达到完善 PMIP信令的保护机制的发明目的。  In the second embodiment of the present invention, the second centralized control point generates a parameter for constructing the SPI for the mobile IP proxy, and the third mobile IP proxy generates the SPI that uniquely identifies the shared key according to the parameter used to construct the SPI, so that the SPI can be perfected. The object of the invention of the protection mechanism of PMIP signaling.
综上所述, 本发明实施例给出了生成 SPI的方法, 完善了 PMIP信令的保护 机制, 提高了 HA查找特定移动终端的安全关联的效率。 另外, 本发明实施例 还提供了集中控制点计算共享密钥所需随机数的传递方式, 不仅进一步完善了 PMIP信令的保护机制, 而且对现有协议的影响很小。  In summary, the embodiment of the present invention provides a method for generating an SPI, which improves the protection mechanism of the PMIP signaling, and improves the efficiency of the HA to find a security association of a specific mobile terminal. In addition, the embodiment of the present invention further provides a method for transmitting a random number required for a centralized control point to calculate a shared key, which not only further improves the protection mechanism of the PMIP signaling, but also has little impact on the existing protocol.
总之, 以上所述仅为本发明的较佳实施例而已, 并非用于限定本发明的保 护范围。 凡在本发明的精神和原则之内, 所作的任何修改、 等同替换、 改进等, 均应包含在本发明的保护范围之内。  In summary, the above description is only a preferred embodiment of the present invention and is not intended to limit the scope of the present invention. Any modifications, equivalent substitutions, improvements, etc. made within the spirit and scope of the present invention are intended to be included within the scope of the present invention.

Claims

权 利 要 求 Rights request
1、 一种保护代理移动 PMIP信令的方法, 其特征在于, 包括: A method for protecting a proxy mobile PMIP signaling, comprising:
计算移动 IP代理和家乡代理 HA的第一共享密钥;  Calculating a first shared key of the mobile IP proxy and the home agent HA;
生成唯一标识所述第一共享密钥的安全参数索引 SPI;  Generating a security parameter index SPI that uniquely identifies the first shared key;
所述移动 IP代理向所述 HA发送 PMIP信令,用所述第一共享密钥对该 PMIP 信令进行完整性保护, 将所述 SPI携带在该 PMIP信令中发送给所述 HA;  The mobile IP proxy sends PMIP signaling to the HA, performs integrity protection on the PMIP signaling by using the first shared key, and carries the SPI in the PMIP signaling and sends the SPI to the HA;
所述 HA接收所述 PMIP信令,釆用与计算所述共享密钥相同的方法计算第 二共享密钥, 利用计算所得的第二共享密钥校验所述 PMIP信令的完整性,在校 验成功时, 保存计算所得的第二共享密钥和所述 SPI;  Receiving, by the HA, the PMIP signaling, calculating a second shared key by using the same method as calculating the shared key, and verifying integrity of the PMIP signaling by using the calculated second shared key, When the verification is successful, saving the calculated second shared key and the SPI;
所述 HA向所述移动 IP代理回送 PMIP信令, 用计算所得的第二共享密钥 对该 PMIP信令进行完整性保护, 并将所述 SPI携带在该 PMIP信令中。  The HA sends PMIP signaling to the mobile IP proxy, performs integrity protection on the PMIP signaling by using the calculated second shared key, and carries the SPI in the PMIP signaling.
2、 如权利要求 1所述的方法, 其特征在于, 所述 HA校验成功时, 该方法 还包括: 所述 HA创建所述移动 IP代理与自身之间的数据隧道;  2. The method according to claim 1, wherein, when the HA verification is successful, the method further includes: the HA creating a data tunnel between the mobile IP proxy and itself;
如果所述数据隧道的生命期到达时, 需要重新创建该数据隧道时, 所述 HA 与所述移动 IP代理交互的 PMIP信令釆用所述第二共享密钥或者第一共享密钥 进行保护, 并在交互的 PMIP信令中携带所述 SPI。  If the data tunnel needs to be re-created when the lifetime of the data tunnel arrives, the PMIP signaling that the HA interacts with the mobile IP proxy is protected by the second shared key or the first shared key. And carrying the SPI in the interactive PMIP signaling.
3、 如权利要求 1所述的方法, 其特征在于, 所述生成唯一标识所述第一共 享密钥的 SPI的方法为: 集中控制点利用随机数生成器生成, 或利用选定的参 数生成唯一标识所述第一共享密钥的 SPI,  3. The method according to claim 1, wherein the method of generating an SPI that uniquely identifies the first shared key is: a centralized control point is generated by using a random number generator, or generated by using a selected parameter. An SPI uniquely identifying the first shared key,
该方法还包括: 所述移动 IP代理接收, 或主动获取所述集中控制点计算所 得的第一共享密钥和所述 SPI。  The method further includes: the mobile IP proxy receiving, or actively acquiring, the first shared key and the SPI calculated by the centralized control point.
4、 如权利要求 1所述的方法, 其特征在于, 所述生成唯一标识所述第一共 享密钥的 SPI的方法为: 所述移动 IP代理接收或主动获取到所述第一共享密钥 时, 利用随机数生成器生成, 或利用选定的参数生成唯一标识所述第一共享密 钥的 SPI; 或  The method according to claim 1, wherein the method for generating an SPI that uniquely identifies the first shared key is: the mobile IP proxy receives or actively acquires the first shared key Generating, using the random number generator, or using the selected parameters to generate an SPI that uniquely identifies the first shared key; or
所述移动 IP代理接收或主动获取到所述第一共享密钥时, 接收或主动获取 集中控制点为移动代理生成的用于构造 SPI的参数,所述构造 SPI的参数由集中 控制点利用随机数生成器生成, 或利用选定的参数生成, 移动 IP代理根据所述 构造的 SPI的参数生成唯一标识所述第一共享密钥的 SPI。 When the mobile IP proxy receives or actively acquires the first shared key, it receives or actively acquires a parameter generated by the mobile control agent for constructing the SPI, and the parameter of the constructed SPI is randomly used by the centralized control point. The number generator generates, or is generated with the selected parameters, and the mobile IP agent generates an SPI that uniquely identifies the first shared key based on the parameters of the constructed SPI.
5、 如权利要求 3或 4所述的方法, 其特征在于, 所述选定的参数包括: 随 机数、 和所述 HA的 IP地址、 所述移动 IP代理的 IP地址、 代理移动 IP的根密 钥中的一种。 The method according to claim 3 or 4, wherein the selected parameters comprise: a random number, an IP address of the HA, an IP address of the mobile IP proxy, and a root of the proxy mobile IP One of the keys.
6、 如权利要求 1至 4任一项所述的方法, 其特征在于, 所述计算第一共享 密钥的方法为: 集中控制点利用随机数以及选定参数计算移动 IP代理和家乡代 理 HA的第一共享密钥;  The method according to any one of claims 1 to 4, wherein the method for calculating the first shared key is: the centralized control point calculates the mobile IP proxy and the home agent HA by using the random number and the selected parameter. First shared key;
该方法进一步包括: 所述移动 IP代理接收, 或主动获取所述集中控制点计 算所述第一共享密钥所需的随机数;  The method further includes: receiving, by the mobile IP proxy, or actively acquiring a random number required by the centralized control point to calculate the first shared key;
所述移动 IP代理将所述计算第一共享密钥的随机数携带在所述 PMIP信令 中发送给所述 HA。  The mobile IP proxy carries the random number for calculating the first shared key in the PMIP signaling and sends the random number to the HA.
7、 如权利要求 6所述的方法, 其特征在于, 将计算所述第一共享密钥的随 机数携带在 PMIP信令中的方法为:  7. The method according to claim 6, wherein the method for calculating the random number of the first shared key to be carried in the PMIP signaling is:
将计算所述第一共享密钥的随机数携带在 PMIP信令现有的字段,或新扩展 的字段中, 其中:  Carrying the random number for calculating the first shared key in an existing field of PMIP signaling, or a newly extended field, where:
当将计算所述第一共享密钥的随机数携带在 PMIP信令现有的字段中时,所 述现有字段为 Identification字段或 SPI字段。  When the random number for calculating the first shared key is carried in an existing field of the PMIP signaling, the existing field is an Identification field or an SPI field.
8、 如权利要求 6所述的方法, 其特征在于, 当釆用随机数生成器生成或利 用随机数计算生成唯一标识所述第一共享密钥的 SPI或者构造 SPI的参数时,所 述集中控制点将所述 SPI或者构造 SPI的参数作为随机数计算所述第一共享密 钥。  8. The method according to claim 6, wherein the concentration is generated when a random number generator is used to generate or utilize a random number calculation to generate a parameter that uniquely identifies the first shared key or constructs a parameter of the SPI. The control point calculates the first shared key as a random number using the parameters of the SPI or the SPI.
9、 一种保护代理移动 PMIP信令的方法, 其特征在于, 包括:  9. A method for protecting proxy mobile PMIP signaling, comprising:
移动 IP代理接收或主动获取集中控制点计算的所述移动 IP代理和家乡代理 HA的第一共享密钥, 向所述 HA发送 PMIP信令, 利用所述第一共享密钥对该 PMIP信令进行保护, 在该信令中携带设定的触发 SPI分配的固定标识;  The mobile IP proxy receives or actively acquires the first shared key of the mobile IP proxy and the home agent HA calculated by the centralized control point, sends PMIP signaling to the HA, and uses the first shared key to signal the PMIP. Performing protection, carrying a fixed identifier for setting the triggered SPI allocation in the signaling;
所述 HA接收来自所述移动 IP代理的 PMIP信令, 釆用与所述集中控制点 相同的方法计算第二共享密钥, 利用计算所得的第二共享密钥校验接收到的 PMIP信令的完整性, 在校验成功时, 生成唯一标识所述第一共享密钥或者第二 共享密钥的 SPI; 将所述 SPI携带在 PMIP信令中发送给所述移动 IP代理,用计 算所得的第二共享密钥对该 PMIP信令进行保护;  Receiving, by the HA, PMIP signaling from the mobile IP proxy, calculating a second shared key in the same manner as the centralized control point, and verifying the received PMIP signaling by using the calculated second shared key Integrity, when the verification is successful, generating an SPI that uniquely identifies the first shared key or the second shared key; carrying the SPI in the PMIP signaling and sending it to the mobile IP proxy, using the calculation result The second shared key protects the PMIP signaling;
所述移动 IP代理接收来自所述 HA的 PMIP信令, 利用所述第一共享密钥 校验该信令的完整性, 在校验成功时, 保存所述 SPI。 The mobile IP proxy receives PMIP signaling from the HA, utilizing the first shared key The integrity of the signaling is verified, and when the verification is successful, the SPI is saved.
10、 如权利要求 9所述的方法, 其特征在于, 所述 HA校验成功时, 该方 法还包括: 所述 HA创建所述移动 IP代理与自身之间的数据隧道;  The method according to claim 9, wherein, when the HA verification is successful, the method further includes: the HA creating a data tunnel between the mobile IP proxy and itself;
如果所述数据隧道的生命期到达时, 需要重新创建该数据隧道时, 所述 HA 与所述移动 IP代理交互的 PMIP信令釆用所述第一共享密钥或者第二共享密钥 进行保护, 并在交互的 PMIP信令中携带所述 SPI。  If the data tunnel needs to be re-created when the lifetime of the data tunnel arrives, the PMIP signaling that the HA interacts with the mobile IP proxy is protected by the first shared key or the second shared key. And carrying the SPI in the interactive PMIP signaling.
11、 如权利要求 9或 10所述的方法, 其特征在于, 所述设定的触发 SPI分 配的固定标识为: 设定的触发 SPI分配的固定值的 SPI。  The method according to claim 9 or 10, wherein the fixed identifier of the set trigger SPI assignment is: a set SPI that triggers a fixed value of the SPI allocation.
12、 如权利要求 9所述的方法, 其特征在于, 生成唯一标识所述第一共享 密钥或者第二共享密钥的 SPI的方法为: 所述 HA利用随机数生成器生成,或利 用选定的参数计算生成唯一标识所述第一共享密钥或者第二共享密钥的 SPI; 所述选定的参数包括: 随机数、 和所述 HA的 IP地址、 所述移动 IP代理的 IP地址、 代理移动 IP的根密钥中的一种。  12. The method according to claim 9, wherein the method of generating an SPI that uniquely identifies the first shared key or the second shared key is: the HA is generated by using a random number generator, or is selected by using The determined parameter calculation generates an SPI that uniquely identifies the first shared key or the second shared key; the selected parameters include: a random number, and an IP address of the HA, an IP address of the mobile IP proxy One of the root keys of the proxy mobile IP.
13、 如权利要求 9或 10所述的方法, 其特征在于, 所述集中控制点计算共 享密钥的方法为: 集中控制点利用随机数以及选定参数计算所述第一共享密钥; 该方法进一步包括: 所述移动 IP代理接收, 或主动获取所述集中控制点计 算所述第一共享密钥所需的随机数;  The method according to claim 9 or 10, wherein the method for calculating the shared key by the centralized control point is: the centralized control point calculates the first shared key by using a random number and a selected parameter; The method further includes: receiving, by the mobile IP proxy, or actively acquiring a random number required by the centralized control point to calculate the first shared key;
所述移动 IP代理将所述计算第一共享密钥的随机数携带在所述 PMIP信令 中发送给所述 HA。  The mobile IP proxy carries the random number for calculating the first shared key in the PMIP signaling and sends the random number to the HA.
14、 如权利要求 13所述的方法, 其特征在于, 将计算所述第一共享密钥的 随机数携带在 PMIP信令中的方法为:  The method according to claim 13, wherein the method for carrying the random number for calculating the first shared key in the PMIP signaling is:
将计算所述第一共享密钥的随机数携带在 PMIP信令现有的字段,或新扩展 的字段中, 其中:  Carrying the random number for calculating the first shared key in an existing field of PMIP signaling, or a newly extended field, where:
当将计算所述第一共享密钥的随机数携带在 PMIP信令现有的字段中时,所 述现有字段为 Identification字段。  When the random number for calculating the first shared key is carried in an existing field of the PMIP signaling, the existing field is an Identification field.
15、 如权利要求 13所述的方法, 其特征在于, 当釆用随机数生成器生成或 利用随机数计算生成唯一标识所述第一共享密钥的 SPI时, 所述集中控制点将 所述 SPI作为随机数计算所述第一共享密钥。  15. The method according to claim 13, wherein when the SAR is generated by a random number generator or by using a random number calculation to generate an SPI uniquely identifying the first shared key, the centralized control point will The SPI calculates the first shared key as a random number.
16、 一种保护 PMIP信令的系统, 其特征在于, 包括:  16. A system for protecting PMIP signaling, comprising:
集中控制点, 用于计算移动 IP代理和家乡代理 HA之间的第一共享密钥, 生成唯一标识所述第一共享密钥的安全参数索引 SPI; a centralized control point for calculating a first shared key between the mobile IP proxy and the home agent HA, Generating a security parameter index SPI that uniquely identifies the first shared key;
所述移动 IP代理, 用于接收所述集中控制点发送的或主动从所述集中控制 点获取所述第一共享密钥和 SPI,利用所述第一共享密钥对要发送给所述 HA的 PMIP信令进行完整性保护, 在所述 PMIP信令中携带所述 SPI;  The mobile IP proxy is configured to receive, by the centralized control point, or actively obtain the first shared key and the SPI from the centralized control point, and send the first shared key pair to the HA by using the first shared key pair. PMIP signaling for integrity protection, carrying the SPI in the PMIP signaling;
所述 HA, 用于接收所述 PMIP信令, 釆用与集中控制点相同的方法计算第 二共享密钥, 利用计算所得的第二共享密钥校验接收到的 PMIP信令的完整性, 在校验成功时, 保存计算所得的第二共享密钥和所述 PMIP信令携带的 SPI。  The HA is configured to receive the PMIP signaling, calculate a second shared key by using the same method as the centralized control point, and verify the integrity of the received PMIP signaling by using the calculated second shared key, When the verification is successful, the calculated second shared key and the SPI carried by the PMIP signaling are saved.
17、 一种集中控制点, 其特征在于, 包括:  17. A centralized control point, characterized by comprising:
共享密钥计算单元, 用于计算移动 IP代理和 HA之间的第一共享密钥; SPI生成单元, 用于利用随机数生成器生成, 或利用选定参数计算生成唯一 标识所述第一共享密钥的 SPI。  a shared key calculation unit, configured to calculate a first shared key between the mobile IP proxy and the HA; an SPI generating unit, configured to generate by using a random number generator, or generate a unique identifier to identify the first share by using a selected parameter calculation The SPI of the key.
18、 如权利要求 17所述的集中控制点, 其特征在于, 进一步包括: 信息发 送单元, 用于将所述第一共享密钥和所述 SPI发送给所述移动 IP代理。  The centralized control point according to claim 17, further comprising: an information sending unit, configured to send the first shared key and the SPI to the mobile IP proxy.
19、 如权利要求 18所述的集中控制点, 其特征在于, 所述共享密钥计算单 元包括:  The centralized control point according to claim 18, wherein the shared key calculation unit comprises:
随机数获取单元, 用于从所述 SPI生成单元获取所述 SPI, 所述 SPI通过随 机数生成器生成, 或利用随机数计算生成;  a random number obtaining unit, configured to acquire the SPI from the SPI generating unit, where the SPI is generated by a random number generator, or generated by using a random number calculation;
密钥计算单元, 用于将所述 SPI作为随机数计算所述移动 IP代理和 HA之 间的共享密钥。  And a key calculation unit, configured to calculate the shared key between the mobile IP proxy and the HA by using the SPI as a random number.
20、 一种保护 PMIP信令的系统, 其特征在于, 包括:  20. A system for protecting PMIP signaling, comprising:
集中控制点, 用于计算移动 IP代理和家乡代理 HA之间的第一共享密钥; 所述移动 IP代理, 用于获取所述第一共享密钥, 生成唯一标识所述第一共 享密钥的 SPI, 利用所述第一共享密钥对要发送给所述 HA的 PMIP信令进行完 整性保护, 在所述 PMIP信令中携带所述 SPI;  a centralized control point, configured to calculate a first shared key between the mobile IP proxy and the home agent HA; the mobile IP proxy, configured to acquire the first shared key, and generate a unique identifier for the first shared key SPI, using the first shared key to perform integrity protection on the PMIP signaling to be sent to the HA, and carrying the SPI in the PMIP signaling;
所述 HA, 用于接收所述 PMIP信令, 釆用与集中控制点相同的方法计算第 二共享密钥, 利用计算所得的第二共享密钥校验接收到的 PMIP信令的完整性, 在校验成功时, 保存计算所得的第二共享密钥和所述 PMIP信令携带的 SPI。  The HA is configured to receive the PMIP signaling, calculate a second shared key by using the same method as the centralized control point, and verify the integrity of the received PMIP signaling by using the calculated second shared key, When the verification is successful, the calculated second shared key and the SPI carried by the PMIP signaling are saved.
21、 一种移动 IP代理, 其特征在于, 包括:  21. A mobile IP agent, comprising:
共享密钥获取单元, 用于接收所述集中控制点发送的第一共享密钥, 或从 所述集中控制点主动获取所述第一共享密钥; SPI生成单元, 用于利用随机数生成器生成, 或利用选定参数计算生成唯一 标识所述第一共享密钥的 SPI; a shared key obtaining unit, configured to receive a first shared key sent by the centralized control point, or actively acquire the first shared key from the centralized control point; An SPI generating unit, configured to generate, by using a random number generator, or generate a SPI that uniquely identifies the first shared key by using a selected parameter;
信令发送单元, 用于向所述 HA发送 PMIP信令, 用所述第一共享密钥对所 述 PMIP信令进行完整性保护,在所述 PMIP信令中携带所述 SPI生成单元生成 的 SPI。  a signaling sending unit, configured to send PMIP signaling to the HA, perform integrity protection on the PMIP signaling by using the first shared key, and carry the generated by the SPI generating unit in the PMIP signaling SPI.
22、 一种保护代理移动 PMIP信令的系统, 其特征在于, 包括:  22. A system for protecting proxy mobile PMIP signaling, comprising:
集中控制点, 用于计算移动 IP代理和家乡代理 HA之间的第一共享密钥; 移动 IP代理, 用于获取所述第一共享密钥, 向 HA发送 PMIP信令, 利用 所述第一共享密钥对该 PMIP信令进行完整性保护,在该 PMIP信令中携带设定 的触发 SPI分配的固定标识; 接收来自所述 HA的 PMIP信令, 利用所述第一共 享密钥校验接收到的 PMIP信令的完整性, 在校验成功时, 从接收到的 PMIP信 令中获取所述 HA分配的 SPI;  a centralized control point, configured to calculate a first shared key between the mobile IP proxy and the home agent HA; a mobile IP proxy, configured to acquire the first shared key, and send PMIP signaling to the HA, using the first The shared key performs integrity protection on the PMIP signaling, and carries a fixed identifier that triggers the SPI allocation in the PMIP signaling; receives PMIP signaling from the HA, and uses the first shared key to verify The integrity of the received PMIP signaling, when the verification is successful, obtaining the SPI allocated by the HA from the received PMIP signaling;
所述 HA, 用于接收来自所述移动 IP代理的 PMIP信令, 釆用与集中控制 点相同的方法计算第二共享密钥, 利用计算所得的第二共享密钥校验接收到的 PMIP信令的完整性, 在校验成功时, 生成唯一标识所述第一共享密钥的 SPI; 将所述 SPI携带在 PMIP信令中发送给所述移动 IP代理, 用计算所得的第二共 享密钥对要发送给所述移动 IP代理的 PMIP信令进行完整性保护。  The HA is configured to receive PMIP signaling from the mobile IP proxy, calculate a second shared key in the same manner as the centralized control point, and use the calculated second shared key to verify the received PMIP signaling. In the integrity of the command, when the verification is successful, generating an SPI that uniquely identifies the first shared key; carrying the SPI in the PMIP signaling and sending it to the mobile IP proxy, using the calculated second shared secret The key performs integrity protection on the PMIP signaling to be sent to the mobile IP proxy.
23、 一种家乡代理, 其特征在于, 包括:  23. A home agent, characterized by comprising:
信令收发单元, 用于接收来自移动 IP代理的 PMIP信令; 将 SPI生成单元 生成的 SPI携带在 PMIP信令中发送给所述移动 IP代理, 用校验单元计算所得 的第二共享密钥对要发送给所述移动 IP代理的 PMIP信令进行完整性保护; 校验单元, 釆用与集中控制点相同的方法计算第二共享密钥, 利用计算所 得的第二共享密钥校验接收到的 PMIP信令的完整性;  a signaling transceiver unit, configured to receive PMIP signaling from the mobile IP proxy; carry the SPI generated by the SPI generating unit in the PMIP signaling and send the SPI to the mobile IP proxy, and calculate the obtained second shared key by using the check unit Performing integrity protection on the PMIP signaling to be sent to the mobile IP proxy; the verification unit calculates the second shared key in the same manner as the centralized control point, and uses the calculated second shared key to verify the reception. The integrity of the PMIP signaling to;
所述 SPI生成单元, 用于在所述校验单元校验成功时, 利用随机数生成器 生成, 或利用选定参数计算生成唯一标识所述第二共享密钥的 SPI。  The SPI generating unit is configured to generate, by using a random number generator, when the verification unit is successfully verified, or generate an SPI that uniquely identifies the second shared key by using a selected parameter calculation.
24、 一种移动 IP代理, 其特征在于, 包括:  24. A mobile IP agent, comprising:
共享密钥获取单元, 用于接收集中控制点发送的或从所述集中控制点主动 获取该移动 IP代理与 HA的第一共享密钥;  a shared key obtaining unit, configured to receive a first shared key that is sent by the centralized control point or actively acquires the mobile IP proxy and the HA from the centralized control point;
SPI分配触发单元, 用于向所述 HA发送 PMIP信令, 用所述第一共享密钥 对该 PMIP信令进行完整性保护,在该 PMIP信令中携带设定的触发 SPI分配的 固定标识; An SPI allocation triggering unit, configured to send PMIP signaling to the HA, perform integrity protection on the PMIP signaling by using the first shared key, and carry the set trigger SPI allocation in the PMIP signaling Fixed identification
校验及 SPI获取单元, 用于接收来自 HA的 PMIP信令, 利用所述第一共享 密钥校验该信令的完整性, 在校验成功时, 从接收到的 PMIP信令中获取所述 HA分配的唯一标识所述第一共享密钥的 SPI。  a checksum SPI obtaining unit, configured to receive PMIP signaling from the HA, verify the integrity of the signaling by using the first shared key, and obtain, from the received PMIP signaling, when the verification succeeds An SPI that uniquely identifies the first shared key that is assigned by the HA.
25、 一种保护代理移动 PMIP信令的系统, 其特征在于, 包括:  25. A system for protecting proxy mobile PMIP signaling, comprising:
集中控制点, 用于计算移动 IP代理和家乡代理 HA之间的第一共享密钥, 为移动 IP代理生成用于构造 SPI的参数;  a centralized control point, configured to calculate a first shared key between the mobile IP proxy and the home agent HA, and generate parameters for constructing the SPI for the mobile IP proxy;
移动 IP代理, 用于获取所述第一共享密钥, 获取用于构造 SPI的参数, 根 据所述用于构造 SPI的参数生成唯一标识所述第一共享密钥的 SPI, 利用所述第 一共享密钥对要发送给所述 HA的 PMIP信令进行完整性保护,在所述 PMIP信 令中携带所述 SPI;  a mobile IP proxy, configured to acquire the first shared key, obtain a parameter for constructing an SPI, and generate an SPI that uniquely identifies the first shared key according to the parameter used to construct the SPI, by using the first The shared key performs integrity protection on the PMIP signaling to be sent to the HA, and carries the SPI in the PMIP signaling;
所述 HA, 用于接收所述 PMIP信令, 釆用与集中控制点相同的方法计算第 二共享密钥, 利用计算所得的第二共享密钥校验接收到的 PMIP信令的完整性, 在校验成功时, 保存计算所得的第二共享密钥和所述 PMIP信令携带的 SPI。  The HA is configured to receive the PMIP signaling, calculate a second shared key by using the same method as the centralized control point, and verify the integrity of the received PMIP signaling by using the calculated second shared key, When the verification is successful, the calculated second shared key and the SPI carried by the PMIP signaling are saved.
26、 一种集中控制点, 其特征在于, 包括:  26. A centralized control point, characterized by comprising:
共享密钥计算单元, 用于计算移动 IP代理和 HA之间的第一共享密钥; SPI构造单元, 用于利用随机数生成器生成, 或利用选定参数计算生成用于 构造 SPI的参数;  a shared key calculation unit, configured to calculate a first shared key between the mobile IP proxy and the HA; an SPI construction unit, configured to generate by using a random number generator, or generate a parameter for constructing the SPI by using a selected parameter;
信息发送单元, 用于将所述第一共享密钥和所述用于构造 SPI的参数发送 给所述移动 IP代理。  And an information sending unit, configured to send the first shared key and the parameter used to construct the SPI to the mobile IP proxy.
27、 一种移动 IP代理, 其特征在于, 包括:  27. A mobile IP agent, comprising:
共享密钥获取单元, 用于接收集中控制点发送的第一共享密钥, 或从所述 集中控制点主动获取所述第一共享密钥;  a shared key obtaining unit, configured to receive a first shared key sent by a centralized control point, or actively obtain the first shared key from the centralized control point;
SPI生成单元, 用于接收所述集中控制点发送的用于构造 SPI的参数, 并利 用所述用于构造 SPI的参数生成唯一标识所述第一共享密钥的 SPI;  An SPI generating unit, configured to receive a parameter sent by the centralized control point for constructing an SPI, and generate an SPI that uniquely identifies the first shared key by using the parameter used to construct the SPI;
信令发送单元, 用于向所述 HA发送 PMIP信令, 用所述第一共享密钥对所 述 PMIP信令进行完整性保护,在所述 PMIP信令中携带所述 SPI生成单元生成 的 SPI。  a signaling sending unit, configured to send PMIP signaling to the HA, perform integrity protection on the PMIP signaling by using the first shared key, and carry the generated by the SPI generating unit in the PMIP signaling SPI.
PCT/CN2008/071257 2007-06-15 2008-06-11 Method, system and apparatus for protecting agent mobile internet protocol signaling WO2008154841A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN2007101067278A CN101325582B (en) 2007-06-15 2007-06-15 Method, system and apparatus for protecting proxy mobile internet protocol signalling
CN200710106727.8 2007-06-15

Publications (1)

Publication Number Publication Date
WO2008154841A1 true WO2008154841A1 (en) 2008-12-24

Family

ID=40155899

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2008/071257 WO2008154841A1 (en) 2007-06-15 2008-06-11 Method, system and apparatus for protecting agent mobile internet protocol signaling

Country Status (2)

Country Link
CN (1) CN101325582B (en)
WO (1) WO2008154841A1 (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102281287B (en) * 2011-06-23 2014-05-28 北京交通大学 TLS (transport layer security)-based separation mechanism mobile signaling protection system and method
US11075949B2 (en) * 2017-02-02 2021-07-27 Nicira, Inc. Systems and methods for allocating SPI values
CN108777720A (en) * 2018-07-05 2018-11-09 湖州贝格信息安全科技有限公司 Document transmission method and Related product

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2006203764A (en) * 2005-01-24 2006-08-03 Nec Corp Mobile communication system
US20060251257A1 (en) * 2005-04-14 2006-11-09 Nokia Corporation Utilizing generic authentication architecture for mobile internet protocol key distribution
CN1969526A (en) * 2004-04-14 2007-05-23 北方电讯网络有限公司 Securing home agent to mobile node communication with HA-MN key

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1297107C (en) * 2003-03-31 2007-01-24 华为技术有限公司 Key distribution method based on preshared key
CN100450109C (en) * 2003-07-14 2009-01-07 华为技术有限公司 A safety authentication method based on media gateway control protocol

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1969526A (en) * 2004-04-14 2007-05-23 北方电讯网络有限公司 Securing home agent to mobile node communication with HA-MN key
JP2006203764A (en) * 2005-01-24 2006-08-03 Nec Corp Mobile communication system
US20060251257A1 (en) * 2005-04-14 2006-11-09 Nokia Corporation Utilizing generic authentication architecture for mobile internet protocol key distribution

Also Published As

Publication number Publication date
CN101325582B (en) 2012-08-08
CN101325582A (en) 2008-12-17

Similar Documents

Publication Publication Date Title
JP4965671B2 (en) Distribution of user profiles, policies and PMIP keys in wireless communication networks
US7475241B2 (en) Methods and apparatus for dynamic session key generation and rekeying in mobile IP
JP5933259B2 (en) Traffic encryption key generation in wireless communication networks
CN101006682B (en) Fast network attchment
US20110010538A1 (en) Method and system for providing an access specific key
KR101398908B1 (en) Method and system for managing mobility in mobile telecommunication system using mobile ip
KR101002799B1 (en) mobile telecommunication network and method for authentication of mobile node in mobile telecommunication network
WO2011127810A1 (en) Method and apparatus for authenticating communication devices
WO2019137030A1 (en) Safety certification method, related device and system
US20080294891A1 (en) Method for Authenticating a Mobile Node in a Communication Network
JP2008537398A (en) Using Generic Authentication Architecture for Mobile Internet Protocol Key Distribution
KR101523090B1 (en) Method and apparatus for managing mobility of access terminal using mobile internet protocol in a mobile communication system
KR20060067263A (en) Fast re-authentication method when handoff in wlan-umts interworking network
JP2004241976A (en) Mobile communication network system and method for authenticating mobile terminal
WO2015123953A1 (en) Key generation method, device and system
WO2008009232A1 (en) A method system and device for determining the mobile ip key and notifying the mobile ip type
WO2007134547A1 (en) A method and system for generating and distributing mobile ip security key after reauthentication
JP2011515930A (en) Method and apparatus for dynamically managing security associations in a wireless network
WO2009012676A1 (en) A method and equipment for generating care of address and a method and system for improving route optimization security
WO2008154841A1 (en) Method, system and apparatus for protecting agent mobile internet protocol signaling
CN114946153A (en) Method, device and system for application key generation and management in a communication network in encrypted communication with a service application
CN101569160B (en) Method for transmission of DHCP messages
WO2008052470A1 (en) Method for establishing mobile ip security mechanism, security system and the relevant device
KR100687721B1 (en) Method for extending of diameter AAA protocol supporting mobile IPv6
CN101447978B (en) Method for acquiring correct HA-RK Context by accessing AAA server in WiMAX network

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 08757668

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 08757668

Country of ref document: EP

Kind code of ref document: A1