WO2008154841A1 - Method, system and apparatus for protecting proxy mobile Internet Protocol signaling - Google Patents


Info

Publication number
WO2008154841A1
Authority
WO
WIPO (PCT)
Prior art keywords
shared key
spi
mobile
proxy
pmip signaling
Application number
PCT/CN2008/071257
Other languages
English (en)
Chinese (zh)
Inventor
Jie Zhao
Jixing Liu
Zhiming Li
Longgui Huang
Xin Zhong
Original Assignee
Huawei Technologies Co., Ltd.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication
    • H04W 12/069 Authentication using certificates or pre-shared keys
    • H04W 80/00 Wireless network protocols or protocol adaptations to wireless operation
    • H04W 80/04 Network layer protocols, e.g. mobile IP [Internet Protocol]

Definitions

  • The present invention relates to Mobile Internet Protocol (IP) technology, and more particularly to a method, system and apparatus for protecting Proxy Mobile IP (PMIP) signaling.
  • IP Mobile Internet Protocol
  • PMIP Proxy Mobile IP
  • FIG. 1 is a structural diagram of a prior art system for protecting PMIP signaling.
  • The system mainly includes a mobile IP proxy, a home agent (HA) and a centralized control point.
  • The HA may also be referred to as a local mobility anchor (LMA); for convenience, the term home agent is used for both in the following description.
  • LMA Local Mobility Anchor
  • The mobile IP proxy is usually located on the access entity of the wireless network to which the mobile terminal is attached, and performs the mobile IP signaling exchange with the HA on behalf of the mobile terminals within its management range; the mobile IP signaling exchanged between the mobile IP proxy and the HA is usually called PMIP signaling.
  • The mobile terminal exchanges data with the HA through a data tunnel established between the mobile IP proxy and the HA.
  • The PMIP signaling exchanged between the mobile IP proxy and the HA needs to be protected.
  • The PMIP signaling protection method provided in the prior art is as follows:
  • The centralized control point calculates the first shared key between the mobile IP proxy and the HA (the PMN-HA key) from the proxy mobile IP root key (PMN-RK), the IP address of the mobile IP proxy, the IP address of the HA and a random number, and transmits the first shared key to the mobile IP proxy together with the IP address of the HA, the identification information of the mobile terminal (its NAI) and the random number that the HA will need in order to calculate the second shared key.
  • The mobile IP proxy protects the PMIP signaling to be sent to the HA with the received first shared key. Specifically, the mobile IP proxy calculates a signaling digest with the first shared key and carries the digest in the PMIP signaling sent to the HA; the PMIP signaling further includes the NAI of the mobile terminal, the IP address of the mobile IP proxy and the random number required to calculate the second shared key.
  • After receiving the PMIP signaling from the mobile IP proxy, the HA obtains the relevant parameters from the signaling, calculates the second shared key in the same manner as the centralized control point, and verifies the received PMIP signaling with the calculated second shared key.
  • The verification is performed as follows: the HA calculates the signaling digest with the second shared key in the same way as the mobile IP proxy and compares it with the digest carried in the received PMIP signaling. If the two match, the second shared key calculated by the HA is the same as the first shared key generated by the centralized control point, and the verification succeeds.
  • When the verification succeeds, the HA sends PMIP signaling to the mobile IP proxy, protected in the same manner as the signaling sent by the mobile IP proxy.
  • The HA also transmits the Generic Routing Encapsulation (GRE) key to the mobile IP proxy and establishes an independent data tunnel between the mobile IP proxy and the HA for the mobile terminal.
  • GRE Generic Routing Encapsulation
  • This method of protecting PMIP signaling provides a way of generating a shared key between the mobile IP proxy and the HA, but does not teach how to identify the security association established between the mobile IP proxy and the HA for a particular mobile terminal.
  • Here the security association mainly refers to the shared key between the mobile IP proxy and the HA, and may also include the algorithm for calculating the signaling digest, pre-negotiated between the centralized control point and the HA. Once the shared key between the mobile IP proxy and the HA is determined, that is, once the security association between the two is determined, the HA must look up the security association corresponding to each received PMIP signaling message, using the IP address of the mobile IP proxy and the identification information of the mobile terminal, before it can perform the integrity check. Such a lookup is inefficient and does not comply with the current provisions of the protocol, whose authentication extensions index a security association by a security parameter index (SPI) rather than by addresses and identifiers.
  • In addition, the prior art method does not provide a way to transmit the random number required for calculating the shared key, and existing PMIP signaling does not support transmitting a random number.
  • Embodiments of the present invention provide two methods for protecting PMIP signaling, together with four corresponding systems and apparatuses, and thereby improve the protection mechanism of PMIP signaling.
  • The first method for protecting PMIP signaling includes: calculating a first shared key between the mobile IP proxy and the home agent (HA), and generating a security parameter index (SPI) that uniquely identifies the first shared key;
  • the mobile IP proxy sends PMIP signaling to the HA, performs integrity protection on the PMIP signaling with the first shared key, and carries the SPI in the PMIP signaling; the HA receives the PMIP signaling, calculates a second shared key in the same way the first shared key was calculated, verifies the integrity of the PMIP signaling with the calculated second shared key and, when the verification succeeds, saves the calculated second shared key and the SPI;
  • the HA sends PMIP signaling to the mobile IP proxy, performs integrity protection on it with the calculated second shared key, and carries the SPI in the PMIP signaling.
  • The second method for protecting PMIP signaling includes: the mobile IP proxy receives, or actively obtains, the first shared key between the mobile IP proxy and the HA calculated by the centralized control point, sends PMIP signaling to the HA protected with the first shared key, and carries in the signaling a fixed identifier that triggers SPI allocation;
  • the mobile IP proxy receives PMIP signaling from the HA, checks the integrity of the signaling with the first shared key, and saves the SPI carried in it when the verification succeeds.
  • The first system for protecting PMIP signaling includes: a centralized control point configured to calculate a first shared key between the mobile IP proxy and the HA and to generate a security parameter index (SPI) that uniquely identifies the first shared key;
  • the mobile IP proxy, configured to receive from the centralized control point, or actively obtain from it, the first shared key and the SPI, to perform integrity protection on the PMIP signaling sent to the HA with the first shared key, and to carry the SPI in the PMIP signaling;
  • the HA, configured to receive the PMIP signaling, calculate a second shared key in the same manner as the centralized control point, verify the integrity of the received PMIP signaling with the calculated second shared key and, when the verification succeeds, save the calculated second shared key and the SPI carried in the PMIP signaling.
  • The first centralized control point provided by the embodiments includes: a shared key calculation unit configured to calculate a first shared key between the mobile IP proxy and the HA; and an SPI generating unit configured to generate an SPI that uniquely identifies the first shared key, either with a random number generator or by calculation from selected parameters.
  • The second system for protecting PMIP signaling includes: a centralized control point configured to calculate a first shared key between the mobile IP proxy and the HA; the mobile IP proxy, configured to obtain the first shared key, generate an SPI that uniquely identifies it, perform integrity protection on the PMIP signaling to be sent to the HA with the first shared key, and carry the SPI in the PMIP signaling;
  • the HA, configured to receive the PMIP signaling, calculate a second shared key in the same manner as the centralized control point, verify the integrity of the received PMIP signaling with the calculated second shared key and, when the verification succeeds, save the calculated second shared key and the SPI carried in the PMIP signaling.
  • The first mobile IP proxy provided by the embodiments includes: a shared key obtaining unit configured to receive the first shared key sent by the centralized control point, or to actively acquire it from the centralized control point;
  • an SPI generating unit configured to generate an SPI that uniquely identifies the first shared key, either with a random number generator or by calculation from selected parameters;
  • a signaling sending unit configured to send PMIP signaling to the HA, perform integrity protection on it with the first shared key, and carry the SPI generated by the SPI generating unit in the PMIP signaling.
  • The third system for protecting PMIP signaling includes: a centralized control point configured to calculate a first shared key between the mobile IP proxy and the HA; the mobile IP proxy, configured to obtain the first shared key, send PMIP signaling to the HA, perform integrity protection on it with the first shared key, and carry in the PMIP signaling a fixed identifier that triggers SPI allocation;
  • the mobile IP proxy is further configured to receive PMIP signaling from the HA, verify its integrity with the first shared key and, when the verification succeeds, obtain the SPI allocated by the HA from the received PMIP signaling;
  • the HA, configured to receive the PMIP signaling from the mobile IP proxy, calculate a second shared key in the same manner as the centralized control point, verify the received PMIP signaling with the calculated second shared key and, when the verification succeeds, generate an SPI that uniquely identifies the first shared key (which at that point equals the second shared key), carry the SPI in PMIP signaling sent to the mobile IP proxy, and perform integrity protection on that signaling with the calculated second shared key.
  • The HA provided by the embodiments includes: a signaling transceiver unit configured to receive PMIP signaling from the mobile IP proxy, and to send to the mobile IP proxy PMIP signaling that carries the generated SPI and is integrity-protected with the second shared key calculated by the check unit;
  • a check unit configured to calculate the second shared key in the same manner as the centralized control point and to verify the integrity of the received PMIP signaling with the calculated second shared key;
  • an SPI generating unit configured, when the check unit's verification succeeds, to generate an SPI that uniquely identifies the second shared key, either with a random number generator or by calculation from selected parameters.
  • The second mobile IP proxy provided by the embodiments includes: a shared key obtaining unit configured to receive the first shared key between the mobile IP proxy and the HA sent by the centralized control point, or to actively acquire it from the centralized control point;
  • an SPI allocation triggering unit configured to send PMIP signaling to the HA, perform integrity protection on it with the first shared key, and carry in it a fixed identifier that triggers SPI allocation;
  • a check and SPI obtaining unit configured to receive PMIP signaling from the HA, verify its integrity with the first shared key and, when the verification succeeds, obtain from the received PMIP signaling the SPI, assigned by the HA, that uniquely identifies the first shared key.
  • The fourth system for protecting PMIP signaling includes: a centralized control point configured to calculate a first shared key between the mobile IP proxy and the HA and to generate, for the mobile IP proxy, the parameters used to construct the SPI;
  • the mobile IP proxy, configured to obtain the first shared key and the parameters for constructing the SPI, generate from those parameters an SPI that uniquely identifies the first shared key, perform integrity protection on the PMIP signaling to be sent to the HA with the first shared key, and carry the SPI in the PMIP signaling;
  • the HA, configured to receive the PMIP signaling, calculate a second shared key in the same manner as the centralized control point, verify the integrity of the received PMIP signaling with the calculated second shared key and, when the verification succeeds, save the calculated second shared key and the SPI carried in the PMIP signaling.
  • The second centralized control point provided by the embodiments includes:
  • a shared key calculation unit configured to calculate a first shared key between the mobile IP proxy and the HA;
  • an SPI construction unit configured to generate the parameters used to construct the SPI, either with a random number generator or by calculation from selected parameters;
  • an information sending unit configured to send the first shared key and the parameters used to construct the SPI to the mobile IP proxy.
  • The third mobile IP proxy provided by the embodiments includes: a shared key obtaining unit configured to receive the first shared key sent by the centralized control point, or to actively acquire it from the centralized control point;
  • an SPI generating unit configured to receive the parameters for constructing the SPI sent by the centralized control point and to generate from them an SPI that uniquely identifies the first shared key;
  • a signaling sending unit configured to send PMIP signaling to the HA, perform integrity protection on it with the first shared key, and carry the SPI generated by the SPI generating unit in the PMIP signaling.
  • In the first method for protecting PMIP signaling provided by the embodiments, the centralized control point or the mobile IP proxy generates an SPI that uniquely identifies the shared key between the mobile IP proxy and the HA, and the mobile IP proxy transmits the SPI to the HA in the PMIP signaling.
  • The HA calculates the key in the same way as the shared key was calculated, and saves the calculated key and the SPI when the integrity check of the received PMIP signaling succeeds.
  • The security association established between the mobile IP proxy and the HA for the specific mobile terminal, including the shared key, can thus be uniquely identified by the SPI, which improves the protection mechanism of PMIP signaling.
  • In the second method for protecting PMIP signaling, when the HA receives PMIP signaling from the mobile IP proxy carrying the fixed identifier that triggers SPI allocation, it calculates the key in the same way as the centralized control point; when the integrity of the received PMIP signaling verifies successfully with that key, it generates an SPI that uniquely identifies the shared key and transmits the SPI to the mobile IP proxy in PMIP signaling.
  • Again, the security association established between the mobile IP proxy and the HA for the specific mobile terminal, including the shared key, can be uniquely identified by the SPI, which improves the protection mechanism of PMIP signaling.
  • The four systems for protecting PMIP signaling provided by the embodiments respectively implement generation of the SPI that uniquely identifies the shared key by the centralized control point, by the mobile IP proxy and by the HA, so all four systems improve the protection mechanism of PMIP signaling.
  • The first mobile IP proxy, the HA and the first centralized control point provided by the embodiments can each generate an SPI that uniquely identifies the shared key, and thus improve the protection mechanism of PMIP signaling.
  • The second mobile IP proxy provided by the embodiments can trigger, and then acquire, the SPI that the HA allocates as the unique identifier of the shared key, and thus improves the protection mechanism of PMIP signaling.
  • The second centralized control point generates, for the mobile IP proxy, the parameters used to construct the SPI, and the third mobile IP proxy generates from those parameters an SPI that uniquely identifies the shared key; these too improve the protection mechanism of PMIP signaling.
  • FIG. 1 is a structural diagram of a prior art system for protecting PMIP signaling;
  • FIG. 2 is a flowchart of Embodiment 1 of the method for protecting PMIP signaling according to the present invention;
  • FIG. 3 is a flowchart of Embodiment 2 of the method for protecting PMIP signaling according to the present invention;
  • FIG. 4 is a flowchart of Embodiment 3 of the method for protecting PMIP signaling according to the present invention;
  • FIG. 5 is a flowchart of Embodiment 4 of the method for protecting PMIP signaling according to the present invention;
  • FIG. 6 is a flowchart of Embodiment 5 of the method for protecting PMIP signaling according to the present invention;
  • FIG. 7 is a flowchart of Embodiment 6 of the method for protecting PMIP signaling according to the present invention;
  • FIG. 8 is a schematic structural diagram of Embodiment 1 of the system for protecting PMIP signaling according to the present invention;
  • FIG. 9 is a schematic structural diagram of Embodiment 2 of the system for protecting PMIP signaling according to the present invention;
  • FIG. 10 is a schematic structural diagram of Embodiment 3 of the system for protecting PMIP signaling according to the present invention;
  • FIG. 11 is a flowchart of Embodiment 7 of the method for protecting PMIP signaling according to the present invention;
  • FIG. 12 is a schematic structural diagram of Embodiment 4 of the system for protecting PMIP signaling according to the present invention.
  • Detailed description
  • In the first method, the centralized control point calculates a first shared key between the mobile IP proxy and the HA and generates an SPI that uniquely identifies it; the mobile IP proxy sends PMIP signaling to the HA, performs integrity protection on the PMIP signaling with the first shared key, and carries the SPI in the PMIP signaling; the HA receives the PMIP signaling from the mobile IP proxy, calculates a second shared key in the same way as the centralized control point, verifies the integrity of the received PMIP signaling with the calculated second shared key and, when the verification succeeds, saves the calculated second shared key and the SPI carried in the received PMIP signaling;
  • the HA returns PMIP signaling to the mobile IP proxy, performs integrity protection on it with the calculated second shared key, and carries the SPI that uniquely identifies the first shared key in the PMIP signaling.
  • The SPI that uniquely identifies the first shared key may be generated by the centralized control point or by the mobile IP proxy; alternatively, the centralized control point generates parameters for constructing the SPI and passes them to the mobile IP proxy, which generates from them the SPI that uniquely identifies the first shared key.
  • When the centralized control point generates the SPI, it may use a random number generator, or calculate the SPI from selected parameters.
  • In that case the method further includes: the mobile IP proxy receives from the centralized control point, or actively obtains from it, the calculated first shared key and the SPI that uniquely identifies it.
  • Alternatively, the mobile IP proxy generates the SPI when it receives the first shared key sent by the centralized control point, or actively acquires it, again using either a random number generator or a calculation from selected parameters.
  • The selected parameters may include a random number, and/or the IP address of the HA, and/or the IP address of the mobile IP proxy, and/or an SPI value, and/or the proxy mobile IP root key. Because the SPI travels in the clear in the PMIP signaling, any calculation that takes the root key or the shared key as input has to go through a one-way function (step 201 below uses a hash), so that the SPI reveals nothing about the key.
  • In the second method, the mobile IP proxy receives, or actively acquires, the first shared key between the mobile IP proxy and the HA calculated by the centralized control point, sends PMIP signaling to the HA protected with the obtained first shared key, and carries in the signaling a fixed identifier that triggers SPI allocation;
  • after receiving the PMIP signaling from the mobile IP proxy, the HA calculates the second shared key in the same manner as the centralized control point, verifies the integrity of the received PMIP signaling with the calculated second shared key and, when the verification succeeds, generates an SPI that uniquely identifies the first shared key; the generated SPI is carried in PMIP signaling sent to the mobile IP proxy;
  • after receiving the PMIP signaling from the HA, the mobile IP proxy verifies its integrity with the obtained first shared key and saves the SPI carried in it when the verification succeeds.
  • The fixed identifier that triggers SPI allocation may be a reserved SPI value set aside for that purpose.
  • The HA may generate the SPI that uniquely identifies the first shared key with a random number generator, or calculate it from selected parameters;
  • the selected parameters may include a random number, and/or the IP address of the HA, and/or the IP address of the mobile IP proxy, and/or an SPI value, and/or the proxy mobile IP root key.
  • In both methods, when the HA successfully verifies the received PMIP signaling, the first shared key and the second shared key are the same. Both methods further include: the HA establishes a data tunnel between the mobile IP proxy and itself for the mobile terminal;
  • the PMIP signaling subsequently exchanged between the HA and the mobile IP proxy is protected with the first shared key or the second shared key, and every exchanged PMIP signaling message carries the SPI that uniquely identifies the first shared key.
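To make the two methods concrete, the following is an added example in Python of the whole exchange; it is not code from the patent or from Huawei, and it is only an illustration of the scheme described above and worked through step by step in Embodiments 1 to 3. A control point derives the PMN-HA key, the mobile IP proxy protects a registration with a keyed digest that covers the SPI, and the HA either verifies and stores the SPI it was given (first method) or, when the signaling carries the reserved trigger value, allocates one itself (second method); every later message is resolved with a single lookup by SPI, and a message altered after the digest was computed is dropped. HMAC-SHA256 as both the key-derivation function and the signaling digest, the trigger value 0, the message field names and the sample addresses, NAI, root key and random number are all assumptions; the HA is assumed to hold the root key so that it can derive the key "in the same manner as the centralized control point".

```python
import hashlib
import hmac
import secrets

# Reserved SPI value that asks the HA to allocate the SPI (assumed value; the page only
# says the trigger is a fixed identifier).
SPI_TRIGGER = 0


def derive_shared_key(pmn_rk, proxy_ip, ha_ip, nonce):
    """PMN-HA key from the proxy mobile IP root key, both addresses and the random
    number; HMAC-SHA256 is the assumed one-way function."""
    label = b"PMN-HA|" + proxy_ip.encode() + b"|" + ha_ip.encode() + b"|" + nonce
    return hmac.new(pmn_rk, label, hashlib.sha256).digest()


def derive_spi(key, proxy_ip, ha_ip, nonce):
    """32-bit SPI hashed from the selected parameters: it travels in the clear, so it
    must not leak the key. The trigger value is never produced."""
    h = hashlib.sha256(b"SPI|" + key + proxy_ip.encode() + ha_ip.encode() + nonce).digest()
    spi = int.from_bytes(h[:4], "big")
    return spi if spi != SPI_TRIGGER else 1


def _canonical(fields):
    """Deterministic encoding of the fields the signaling digest covers."""
    return b"\n".join(f"{k}={fields[k]}".encode() for k in sorted(fields))


def protect(fields, key):
    """Signaling digest = keyed MAC over every field, SPI and random number included."""
    msg = dict(fields)
    msg["auth"] = hmac.new(key, _canonical(fields), hashlib.sha256).hexdigest()
    return msg


def verify(msg, key):
    body = {k: v for k, v in msg.items() if k != "auth"}
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, msg.get("auth", ""))


class HomeAgent:
    def __init__(self, ha_ip, root_keys):
        self.ip = ha_ip
        self.root_keys = root_keys  # NAI -> PMN-RK, assumed provisioned to the HA
        self.sa = {}                # SPI -> (shared key, NAI, proxy IP)

    def handle(self, msg):
        spi = msg["spi"]
        if spi in self.sa:          # established SA: one lookup by SPI, no rederivation
            key = self.sa[spi][0]
        else:                       # first contact: derive the key "in the same manner"
            key = derive_shared_key(self.root_keys[msg["nai"]], msg["proxy_ip"],
                                    self.ip, bytes.fromhex(msg["nonce"]))
        if not verify(msg, key):
            return None             # integrity failure: drop the signaling
        if spi == SPI_TRIGGER:      # second method: the HA allocates the SPI itself
            spi = self._allocate_spi()
        self.sa.setdefault(spi, (key, msg["nai"], msg["proxy_ip"]))
        reply = {"type": "PBA", "nai": msg["nai"], "spi": spi, "status": "accepted"}
        return protect(reply, key)

    def _allocate_spi(self):
        while True:                 # unique among live SAs and never the trigger value
            spi = secrets.randbits(32)
            if spi != SPI_TRIGGER and spi not in self.sa:
                return spi


class MobileIPProxy:
    def __init__(self, proxy_ip):
        self.ip = proxy_ip
        self.sa = {}                # NAI -> (shared key, SPI)

    def register(self, ha, nai, key, nonce, spi):
        """Protected registration carrying the SPI or the trigger value; returns the
        SPI confirmed by the HA, or None if either side fails the integrity check."""
        pbu = {"type": "PBU", "nai": nai, "proxy_ip": self.ip, "nonce": nonce.hex(), "spi": spi}
        reply = ha.handle(protect(pbu, key))
        if reply is None or not verify(reply, key):
            return None
        self.sa[nai] = (key, reply["spi"])
        return reply["spi"]


def run_exchange(ha_allocates_spi):
    """Register one terminal twice, then replay a tampered message. All data constructed."""
    nai, pmn_rk, nonce = "mn1@example.net", b"\x11" * 32, b"\x5a\xa5" * 4
    ha = HomeAgent("192.0.2.1", {nai: pmn_rk})
    proxy = MobileIPProxy("192.0.2.2")
    key = derive_shared_key(pmn_rk, proxy.ip, ha.ip, nonce)   # the control point's output
    first = SPI_TRIGGER if ha_allocates_spi else derive_spi(key, proxy.ip, ha.ip, nonce)
    spi = proxy.register(ha, nai, key, nonce, first)
    again = proxy.register(ha, nai, key, nonce, spi)          # re-registration reuses the SA
    forged = protect({"type": "PBU", "nai": nai, "proxy_ip": proxy.ip,
                      "nonce": nonce.hex(), "spi": spi}, key)
    forged["proxy_ip"] = "198.51.100.9"                       # changed after the MAC
    return {"spi": spi, "reused": again == spi,
            "sa_key_matches": ha.sa[spi][0] == key,
            "forged_rejected": ha.handle(forged) is None}
```

`run_exchange(False)` exercises the first method (SPI chosen before the first message), `run_exchange(True)` the second (SPI allocated by the HA on seeing the trigger value). The point the prior-art discussion makes is visible in `HomeAgent.handle`: once the SA exists, the HA never has to search by proxy address and NAI again, and the digest is a keyed MAC over every field, so changing the proxy address after the fact fails the check.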
  • The centralized control point may calculate the first shared key between the mobile IP proxy and the HA from a random number and other selected parameters, which may include the proxy mobile IP root key, the IP address of the mobile IP proxy and the IP address of the HA.
  • The mobile IP proxy receives from the centralized control point, or actively acquires from it, the random number required to calculate the first shared key, and carries the random number in the PMIP signaling sent to the HA.
  • The random number may be carried in an existing field of the PMIP signaling, chosen for the purpose, or in a newly extended field.
  • When the SPI that uniquely identifies the first shared key is generated with a random number generator, or calculated from a random number, the random number that the centralized control point needs to calculate the first shared key can be carried directly by the generated SPI, so that a single value serves both purposes.
  • The mobile IP proxy may be a Mobility Proxy Agent (MPA), a Proxy Mobile Agent, an evolved base station (eBS) of the CDMA evolved network, or an Access Gateway (AGW), because each of these entities can send mobile IP messages on behalf of mobile terminals.
  • The centralized control point may be the Signaling Radio Network Controller (SRNC) or the AGW of the CDMA evolved network.
  • SRNC Signaling Radio Network Controller
  • AGW Access Gateway
  • The HA may be an AGW in the CDMA evolved network.
  • FIG. 2 is a flowchart of Embodiment 1 of the method for protecting PMIP signaling according to the present invention.
  • In this embodiment both the shared key between the mobile IP proxy and the HA and the SPI that uniquely identifies it are generated by the centralized control point. The process includes:
  • Step 201: The centralized control point calculates a first shared key between the mobile IP proxy and the HA and, at the same time, generates an SPI that uniquely identifies the first shared key.
  • The parameters involved in the calculation may include the proxy mobile IP root key, the IP address of the mobile IP proxy, the IP address of the HA and a random number.
  • The shared key or the SPI may be calculated by applying a one-way function, such as a hash function, to all of the parameters selected for calculating it, producing a value of fixed length.
  • The centralized control point must ensure that the calculated SPI uniquely identifies the first shared key between the mobile IP proxy and the HA, that is, that the SPI uniquely identifies the security association established between the mobile IP proxy and the HA for the particular mobile terminal.
  • Step 202: The centralized control point passes the calculated first shared key and the SPI to the mobile IP proxy.
  • Step 203: The mobile IP proxy sends PMIP signaling to the HA; the signaling carries the SPI and the parameters the HA needs to calculate the second shared key, and is protected with the first shared key calculated by the centralized control point.
  • Specifically, protecting the PMIP signaling with the shared key means calculating a signaling digest with the received shared key and carrying the digest in the PMIP signaling to be sent. For the protection to be meaningful the digest has to be a keyed message authentication code computed over the whole message, including the SPI, the random number and the addresses; an unkeyed hash of the message would not bind it to the shared key.
  • Step 204: After receiving the PMIP signaling from the mobile IP proxy, the HA obtains the necessary parameters from the signaling, calculates the second shared key in the same manner as the centralized control point, and verifies the integrity of the received PMIP signaling with the calculated second shared key. If the verification succeeds, the second shared key calculated by the HA is the same as the first shared key calculated by the centralized control point; the HA then establishes the data tunnel between the mobile IP proxy and the HA for the mobile terminal and saves the SPI carried in the received PMIP signaling.
  • Before saving the SPI, the HA may also check its validity by calculating the SPI in the same way as the centralized control point and comparing the result with the received value.
  • Step 205: The HA sends PMIP signaling to the mobile IP proxy, protected with the first shared key or the calculated second shared key between the HA and the mobile IP proxy, and carries the SPI that uniquely identifies the first shared key in the PMIP signaling.
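The uniqueness requirement of step 201 and the validity check of step 204 are the parts of this embodiment that are easiest to get wrong, so here is an added example, written for this page rather than taken from the patent, of an SPI allocator that enforces them. It supports both generation strategies the text names: a random generator that retries on collision with a live security association, and a parameter-derived SPI that cannot be retried without changing an input and therefore reports the collision so the caller picks a fresh random number; it also reserves the trigger value used by the second method, releases an SPI only when its security association is torn down, and gives the HA-side recomputation check. SHA-256 truncated to 32 bits as the one-way function, the trigger value 0 and the sample addresses, key and random number are assumptions.

```python
import hashlib
import secrets

SPI_TRIGGER = 0   # reserved fixed value that triggers HA-side allocation (assumed value)


def spi_from_parameters(*parts: bytes) -> int:
    """32-bit SPI obtained by hashing the selected parameters (the one-way function of
    step 201); the parameters may include the key, so the SPI must not expose them."""
    return int.from_bytes(hashlib.sha256(b"|".join(parts)).digest()[:4], "big")


class SpiAllocator:
    """Control point (or proxy) side: every SPI handed out must be unique among the
    security associations that are still alive, and never equal the trigger value."""

    def __init__(self):
        self.in_use = set()

    def allocate_random(self) -> int:
        while True:                         # retry on the (rare) collision
            spi = secrets.randbits(32)
            if spi != SPI_TRIGGER and spi not in self.in_use:
                self.in_use.add(spi)
                return spi

    def allocate_derived(self, key: bytes, proxy_ip: str, ha_ip: str, nonce: bytes) -> int:
        """Parameter-derived SPI. A collision cannot be retried without changing an
        input, so it is reported: the caller must choose a fresh random number and
        re-derive the key rather than silently reuse the SPI of another SA."""
        spi = spi_from_parameters(key, proxy_ip.encode(), ha_ip.encode(), nonce)
        if spi == SPI_TRIGGER or spi in self.in_use:
            raise ValueError("SPI collision: choose a fresh random number and re-derive")
        self.in_use.add(spi)
        return spi

    def release(self, spi: int) -> None:
        """Called when the SA is torn down; only then may the value be handed out again."""
        self.in_use.discard(spi)


def ha_validate_spi(received: int, key: bytes, proxy_ip: str, ha_ip: str, nonce: bytes) -> bool:
    """HA-side check from step 204: recompute the SPI the control point should have
    produced from the parameters carried in the signaling and compare."""
    return received == spi_from_parameters(key, proxy_ip.encode(), ha_ip.encode(), nonce)
```

The derived form is what lets the HA validate the SPI before saving it; the random form gives no such check, so with random SPIs the HA can only verify the signaling digest and then trust the SPI it carries.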
  • FIG. 3 is a flowchart of Embodiment 2 of a method for protecting PMIP signaling according to the present invention.
  • a shared key between a mobile IP proxy and an HA is generated by a centralized control point, and the SPI is calculated and generated by a mobile IP proxy.
  • the process includes:
  • Step 301 The centralized control point calculates to generate a first shared key between the mobile IP proxy and the HA.
  • the parameters involved in the calculation may include: a proxy mobile IP root key, a mobile IP proxy IP address, an HA IP address, and a random number.
  • Step 302 The centralized control point passes the calculated first shared key to the mobile IP proxy. If the random number participates in the calculation of the shared key, the random number is simultaneously sent to the mobile IP proxy.
  • Step 303 The mobile IP proxy calculates an SPI that uniquely identifies the received first shared key, and the parameters involved in the calculation may include: a shared key between the proxy mobile IP and the HA, an IP address of the mobile IP proxy, an IP address of the HA, Root SPI value and random number.
  • the random number used by the SPI can be the same or different.
  • Step 304 The mobile IP proxy sends PMIP signaling to the HA, where the signaling carries the parameters required by the SPI and the HA to calculate the second shared key, and protects the signaling by using the first shared key between the mobile IP proxy and the HA. .
  • Step 305 After receiving the PMIP signaling from the mobile IP proxy, the HA obtains the necessary parameters from the signaling, calculates the second shared key in the same manner as the centralized control point, and uses the calculated second shared key to verify the integrity of the received PMIP signaling. If the verification succeeds, the second shared key calculated by the HA is the same as the first shared key calculated by the centralized control point; the HA then establishes the data tunnel between the mobile IP proxy and the HA for the mobile terminal and saves the SPI carried in the received PMIP signaling.
  • The HA can verify the SPI in the same way as the mobile IP proxy before saving it.
  • Step 306 The HA sends PMIP signaling to the mobile IP proxy. The signaling is also protected by the first shared key or the second shared key between the HA and the mobile IP proxy, and carries the SPI that uniquely identifies the shared key.
  • Subsequent PMIP signaling interactions can continue to use the shared key and SPI described above. Specifically, if the lifetime of the data tunnel established between the mobile IP proxy and the HA for the specific mobile terminal expires and the tunnel needs to be re-created, the shared key and the SPI that uniquely identifies it need not be recalculated: the PMIP signaling exchanged between the HA and the mobile IP proxy is still protected by the original shared key and carries the SPI that uniquely identifies the original shared key.
  • FIG. 4 is a flowchart of Embodiment 3 of a method for protecting PMIP signaling according to the present invention.
  • In this embodiment, the shared key between the mobile IP proxy and the HA is generated by the centralized control point.
  • The SPI in the initial PMIP signaling uses a fixed value, which triggers the HA to assign an SPI that uniquely identifies the shared key between the HA and the mobile IP proxy.
  • The process includes:
  • Step 401 The centralized control point calculates a first shared key between the mobile IP proxy and the HA.
  • the parameters involved in the calculation may include: a proxy mobile IP root key, a mobile IP proxy IP address, an HA IP address, and a random number.
  • Step 402 The centralized control point passes the calculated first shared key to the mobile IP proxy. If a random number was used in calculating the first shared key, the random number also needs to be transmitted to the mobile IP proxy.
  • Step 403 The mobile IP proxy sends PMIP signaling to the HA. The signaling is protected by the first shared key between the mobile IP proxy and the HA, and carries a fixed-value SPI that triggers the HA to perform SPI allocation.
  • The fixed-value SPI that triggers the HA to perform SPI allocation is preset and pre-negotiated between the HA and the mobile IP proxy.
  • Other identification information can also be defined to trigger the HA to perform SPI allocation.
  • Step 404 After receiving the PMIP signaling from the mobile IP proxy, the HA obtains the necessary parameters from the signaling, calculates the second shared key in the same manner as the centralized control point, and uses the calculated second shared key to verify the integrity of the received PMIP signaling. If the verification succeeds, the second shared key calculated by the HA is the same as the first shared key calculated by the centralized control point; the HA establishes the data tunnel between the mobile IP proxy and the HA for the mobile terminal, and allocates an SPI for the calculated second shared key. The SPI is unique and uniquely identifies the security association to which the first shared key or the second shared key belongs.
  • Step 405 The HA sends PMIP signaling to the mobile IP proxy. The signaling is protected by the second shared key or the first shared key between the HA and the mobile IP proxy, and carries the SPI allocated in step 404.
  • Step 406 The mobile IP proxy receives the PMIP signaling from the HA and checks its integrity using the first shared key between the mobile IP proxy and the HA. When the verification succeeds, the SPI carried in the PMIP signaling is saved.
  • Subsequent PMIP signaling between the HA and the mobile IP proxy can continue to be integrity protected with the first shared key calculated by the centralized control point, and carries the SPI assigned by the HA. Specifically, if the lifetime of the data tunnel established between the mobile IP proxy and the HA for the specific mobile terminal expires and the tunnel needs to be re-created, there is no need to recalculate the shared key or to generate a new SPI that uniquely identifies it: the PMIP signaling exchanged between the HA and the mobile IP proxy is still protected by the original shared key and carries the SPI that uniquely identifies the original shared key.
  • FIG. 5 is a flowchart of Embodiment 4 of a method for protecting PMIP signaling according to the present invention.
  • In this embodiment, the shared key between the mobile IP proxy and the HA and the SPI are both generated by the centralized control point, and the calculation includes a random number.
  • The mobile IP proxy uses existing fields of the PMIP signaling to pass the random number to the HA. The process includes:
  • Step 501 The centralized control point generates an SPI for the mobile IP proxy. The SPI is produced by a random number generator, or is calculated from a random number and other selected parameters.
  • The centralized control point must ensure that the generated SPI is unique among all SPIs associated with the mobile terminal being served.
  • The centralized control point also calculates the first shared key between the mobile IP proxy and the HA.
  • The parameters involved in the calculation include: the root key of the proxy mobile IP, the SPI, the IP address of the mobile IP proxy, the IP address of the HA, and so on.
  • Because the SPI itself is a random number or is generated from a random number, the centralized control point can use the SPI as the random number in the calculation of the shared key.
  • Step 502 The centralized control point passes the calculated first shared key and the generated SPI to the mobile IP proxy.
  • Step 503 The mobile IP proxy sends PMIP signaling to the HA. The signaling is protected by the first shared key between the mobile IP proxy and the HA, and includes the SPI that uniquely identifies the first shared key.
  • Step 504 After receiving the PMIP signaling from the mobile IP proxy, the HA obtains the necessary parameters from the signaling, including the SPI and the IP address of the mobile IP proxy, calculates the second shared key in the same manner as the centralized control point, and verifies the integrity of the received PMIP signaling using the calculated second shared key. If the verification succeeds, the second shared key calculated by the HA is the same as the first shared key calculated by the centralized control point; the SPI obtained from the PMIP signaling is then saved, and a data tunnel between the mobile IP proxy and the HA is established for the mobile terminal.
  • Step 505 The HA sends PMIP signaling to the mobile IP proxy. The signaling is protected by the first shared key or the second shared key between the HA and the mobile IP proxy, and carries the SPI that uniquely identifies the first shared key.
  • The embodiments of FIG. 6 and FIG. 7 are described by taking a CDMA evolved network as an example, where the eBS acts as the mobile IP proxy, the AGW acts as the HA, and the SRNC acts as the centralized control point.
  • Step 601 The AT establishes a connection with eBS1, and the SRNC saves session information between the AT and the eBS1.
  • Step 602 The SRNC initiates access authentication with the AT, and the authentication server is an AAA server of the AT home network.
  • In the access authentication process, the SRNC and the AGW obtain the root key of the proxy mobile IP (PMN-RK, Proxy Mobile Node Root Key) from the HAAA.
  • Step 603 The SRNC calculates the first shared key PMN-HA1 between the eBS1 and the AGW, and carries the AGW IP address, the NAI of the AT, the PMN-HA1, and the random number nonce1 in signaling to the eBS1.
  • PMN-HA1 is calculated by the SRNC from the PMN-RK, the IP address of eBS1, the IP address of the AGW, and nonce1.
  • Step 604 The eBS1 sends the Link ID to the AT, where the Link ID identifies the link layer within the range of the AGW.
  • Step 605 The AT passes the Link ID to the IP layer of the AT.
  • Step 606 The eBS1 sends PMIP signaling to the AGW, protecting the signaling with the first shared key PMN-HA1 obtained from the SRNC.
  • The eBS1 carries the signaling digest calculated with the first shared key PMN-HA1 in the PMN-HA AE (PMN-HA Authentication Extension) field.
  • The PMN-HA AE field also contains a fixed-value SPI that triggers the AGW to perform SPI allocation.
  • The PMIP signaling also includes the AT identification information (NAI), the IP address of eBS1, and nonce1, which is carried in the lower 32 bits of the Identification field.
  • Step 607 After receiving the PMIP signaling from the eBS1, the AGW obtains nonce1 from the Identification field, calculates the second shared key PMN-HA1 in the same manner as the SRNC, and performs the integrity check on the PMIP signaling using PMN-HA1. If the check succeeds, the AGW assigns a unique SPI to PMN-HA1, which identifies the security association to which PMN-HA1 belongs.
  • Step 608 The AGW sends PMIP signaling to the eBS1, and the signaling is protected by PMN-HA1.
  • The authentication extension (PMN-HA AE) field includes the allocated SPI.
  • The AGW also transmits a GRE key to the eBS1, in order to establish an independent data tunnel between the eBS1 and the AGW for the currently served AT.
  • The data tunnel is encapsulated with GRE and identified by the GRE Key.
  • Step 609 The eBS1 notifies the SRNC of the GRE key assigned by the AGW.
  • Step 610 The IP layer of the AT determines whether it needs to acquire a new IP address according to the value of the Link ID. If it needs to acquire a new IP address, it requests an IP address from the AGW, and the AGW sends the assigned IP address to the AT.
  • Each AT may establish connections with multiple eBSs, in which case steps 611 to 614 are performed.
  • Step 611 The AT adds the eBS2 to the AT route set, and establishes an air interface connection with the eBS2.
  • Through interaction with the SRNC, the eBS2 obtains the AGW IP address, the GRE Key, the first shared key PMN-HA2 between the eBS2 and the AGW calculated by the SRNC, and the random number nonce2.
  • PMN-HA2 is different from the PMN-HA1 key used by eBS1.
  • PMN-HA2 is generated by SRNC based on PMN-RK, eBS2 IP address, AGW IP address, and nonce2.
  • Step 612 The eBS2 sends PMIP signaling to the AGW, and the eBS2 protects the PMIP signaling by using the PMN-HA2 obtained from the SRNC.
  • The PMIP signaling also includes the NAI of the AT, the IP address of eBS2, and the GRE Key; the Identification field carries nonce2, and the SPI in the authentication extension (PMN-HA AE) field carries the fixed value.
  • Step 613 After receiving the PMIP signaling from the eBS2, the AGW extracts nonce2, calculates the second shared key PMN-HA2 in the same manner as the SRNC, and performs the integrity check on the received PMIP signaling using PMN-HA2. If the verification succeeds, an SPI that uniquely identifies the security association to which PMN-HA2 belongs is assigned.
  • Step 614 The AGW sends PMIP signaling to the eBS2, and the signaling is protected by PMN-HA2.
  • The authentication extension (PMN-HA AE) field includes the SPI allocated in step 613.
  • the AGW no longer allocates a new GRE key, but uses the GRE key carried by the eBS2 in the PMIP signaling as the identifier of the tunnel between the eBS2 and the AGW.
  • Each data tunnel between the AGW and an eBS has a lifetime.
  • The AGW and the eBS1 can continue to protect the PMIP signaling they exchange with the determined shared key PMN-HA1 and to carry the determined SPI1 in that signaling; PMN-HA2 and its SPI can likewise continue to be used for the PMIP signaling between the AGW and the eBS2.
  • When the eBS transmits to the AGW the random number used for the shared key, it carries the random number in an existing field of the PMIP signaling, namely the Identification field.
  • Alternatively, the eBS may extend the PMIP signaling with a new field, such as a Nonce field, and send the random number to the AGW in that field.
  • FIG. 7 is a flowchart of Embodiment 6 of a method for protecting PMIP signaling according to the present invention.
  • In this embodiment, the SPI acts as the random number.
  • The process includes:
  • Step 701 The AT establishes a connection with the eBS1, and the SRNC saves the session information between the AT and the eBS1.
  • Step 702 The SRNC initiates access authentication with the AT, and the authentication server is an AAA server of the AT home network. In the access authentication process, the SRNC and the AGW obtain the proxy mobile IP root key PMN-RK from the HAAA.
  • Step 703 The SRNC sends the IP address of the AGW, the NAI of the AT, the generated SPI1, and the first shared key PMN-HA1 calculated by using the SPI1 to the eBS1.
  • the SPI1 is generated by the SRNC based on the IP address of the eBS1, the IP address of the AGW, and a random number.
  • the first shared key PMN-HA1 is generated by the SRNC based on the PMN-RK and SPI1.
  • Step 704 The eBS1 sends the Link ID to the AT, where the Link ID identifies the link layer within the range of the AGW.
  • Step 705 The AT passes the Link ID to the IP layer of the AT.
  • Step 706 The eBS1 sends PMIP signaling to the AGW, protecting the signaling with the first shared key PMN-HA1 obtained from the SRNC.
  • The PMIP signaling includes SPI1, the NAI of the AT, and the IP address of the eBS1.
  • The eBS1 carries the signaling digest calculated with PMN-HA1 in the PMN-HA AE field, and the PMN-HA AE field also includes SPI1.
  • Step 707 After receiving the PMIP signaling from the eBS1, the AGW obtains SPI1 from the signaling. Because the AGW also holds the PMN-RK, it calculates the second shared key PMN-HA1 in the same manner as the SRNC and verifies the message with that shared key PMN-HA1. If the check succeeds, the acquired SPI1 is saved.
  • Step 708 The AGW sends PMIP signaling to the eBS1, protects the signaling by using the PMN-HA1, and carries the SPI1 in the PMN-HAAE field.
  • The AGW also transmits a GRE key to the eBS1, in order to establish an independent data tunnel between the eBS1 and the AGW for the currently served AT.
  • The data tunnel is encapsulated with GRE and identified by the GRE Key.
  • Step 709 The eBS1 interacts with the SRNC to notify it of the GRE key assigned by the AGW.
  • Step 710 The IP layer of the AT determines whether it needs to acquire a new IP address according to the value of the Link ID. If a new IP address needs to be obtained, the IP address is requested from the AGW, and the AGW sends the assigned IP address to the AT.
  • Each AT may establish connections with multiple eBSs, in which case steps 711 to 714 are performed.
  • Step 711 The AT adds the eBS2 to its own route set, and establishes an air interface connection with the eBS2.
  • Through interaction with the SRNC, the eBS2 obtains the AGW IP address, the GRE Key, PMN-HA2, and SPI2, which is generated from parameters such as a random number.
  • SPI2 is generated by the SRNC from the IP address of the eBS2, the IP address of the AGW, and a random number.
  • The first shared key PMN-HA2 is different from the PMN-HA1 key used by the eBS1; the SRNC calculates it from SPI2 and the PMN-RK.
  • Step 712 The eBS2 sends PMIP signaling to the AGW, and the eBS2 protects the signaling by using the first shared key PMN-HA2 obtained from the SRNC, and carries the SPI2 in the PMN-HAAE field.
  • The PMIP message also includes the NAI of the AT, the IP address of the eBS2, and the GRE Key.
  • Step 713 After receiving the PMIP signaling from the eBS2, the AGW obtains SPI2 from the signaling, calculates the second shared key PMN-HA2 in the same manner as the SRNC, and verifies the PMIP signaling using the calculated second shared key PMN-HA2. If the check succeeds, the acquired SPI2 is saved.
  • Step 714 The AGW sends PMIP signaling to the eBS2, protects the signaling by using the PMN-HA2, and carries the SPI2 in the PMN-HAAE field.
  • the AGW no longer allocates a new GRE key, but uses the GRE key carried in the PMIP signaling sent by the eBS2 as the identifier of the data tunnel between the AGW and the eBS2.
  • Each data tunnel between the AGW and an eBS has a lifetime.
  • The AGW and the eBS1 can continue to protect the PMIP signaling they exchange with the determined shared key PMN-HA1 and to carry the determined SPI1 in that signaling; PMN-HA2 and its SPI can likewise continue to be used for the PMIP signaling between the AGW and the eBS2.
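The flows of Embodiments 1 to 6 above, as an added example that is not code from the patent or from Huawei: a Python model of the three roles, covering key derivation from the root key, a proxy-derived SPI, the fixed-value SPI that makes the HA allocate one, HA-side re-derivation and integrity check, and lookup of later signaling by SPI. HMAC-SHA256 as the derivation and digest function, the message layout, the sample addresses and root key, and 0 as the trigger SPI value are all assumptions.

```python
"""Toy model of the PMIP signaling protection scheme (added example, not the
patent's own code). Derivation functions, message layout and the trigger SPI
value 0 are assumptions; the roles and steps follow the embodiments above."""
import hashlib
import hmac
import os
import struct

# Fixed-value SPI pre-negotiated between proxy and HA (assumed value: 0).
SPI_ALLOCATE_TRIGGER = 0


def derive_shared_key(root_key: bytes, proxy_ip: str, ha_ip: str, nonce: int) -> bytes:
    """PMN-HA = KDF(PMN-RK, proxy IP, HA IP, nonce); HMAC-SHA256 is assumed."""
    info = b"|".join([b"PMN-HA", proxy_ip.encode(), ha_ip.encode(), struct.pack(">I", nonce)])
    return hmac.new(root_key, info, hashlib.sha256).digest()


def derive_spi(shared_key: bytes, proxy_ip: str, ha_ip: str, root_spi: int, nonce: int) -> int:
    """Embodiment 2: the proxy derives a 32-bit SPI from the shared key, both IP
    addresses, a root SPI value and a nonce. 0 is reserved for the trigger."""
    info = b"|".join([b"SPI", proxy_ip.encode(), ha_ip.encode(), struct.pack(">II", root_spi, nonce)])
    raw = struct.unpack(">I", hmac.new(shared_key, info, hashlib.sha256).digest()[:4])[0]
    return raw % 0xFFFFFFFF + 1  # maps into 1 .. 2**32-1, never the trigger value


def _digest_input(msg: dict) -> bytes:
    """Canonical bytes covered by the authentication-extension digest."""
    return b"|".join([msg["proxy_ip"].encode(),
                      struct.pack(">II", msg["nonce"], msg["spi"]), msg["payload"]])


def protect(shared_key: bytes, spi: int, proxy_ip: str, nonce: int, payload: bytes) -> dict:
    """Build a PMIP message: the parameters the HA needs to re-derive the key
    (proxy IP, nonce), the SPI, the payload, and the HMAC digest (AE field)."""
    msg = {"proxy_ip": proxy_ip, "nonce": nonce, "spi": spi, "payload": payload}
    msg["digest"] = hmac.new(shared_key, _digest_input(msg), hashlib.sha256).digest()
    return msg


def verify(shared_key: bytes, msg: dict) -> bool:
    """Constant-time check of the digest under the given shared key."""
    expected = hmac.new(shared_key, _digest_input(msg), hashlib.sha256).digest()
    return hmac.compare_digest(expected, msg["digest"])


def proxy_accept_reply(first_key: bytes, reply: dict):
    """Proxy side of Embodiment 3: verify the HA reply with the first shared key
    and take the SPI the HA allocated; None if the check fails."""
    return reply["spi"] if verify(first_key, reply) else None


class HomeAgent:
    """HA side: holds PMN-RK and a table of security associations keyed by SPI."""

    def __init__(self, root_key: bytes, ha_ip: str):
        self.root_key = root_key
        self.ha_ip = ha_ip
        self.sa = {}  # SPI -> shared key

    def receive_initial(self, msg: dict):
        """Initial signaling: re-derive the second shared key, verify, then save
        (or allocate) the SPI. Returns the SPI in use, or None on failure."""
        key = derive_shared_key(self.root_key, msg["proxy_ip"], self.ha_ip, msg["nonce"])
        if not verify(key, msg):
            return None  # wrong key material or tampered message
        spi = msg["spi"]
        if spi == SPI_ALLOCATE_TRIGGER:  # Embodiment 3: HA allocates the SPI
            spi = self._allocate_spi()
        elif spi in self.sa and not hmac.compare_digest(self.sa[spi], key):
            return None  # SPI already identifies a different security association
        self.sa[spi] = key
        return spi

    def receive_subsequent(self, msg: dict) -> bool:
        """Later signaling: look up the SA by SPI; no re-derivation needed."""
        key = self.sa.get(msg["spi"])
        return key is not None and verify(key, msg)

    def reply(self, spi: int, proxy_ip: str, nonce: int, payload: bytes) -> dict:
        """HA -> proxy signaling protected with the saved key, carrying the SPI."""
        return protect(self.sa[spi], spi, proxy_ip, nonce, payload)

    def _allocate_spi(self) -> int:
        while True:  # unique among this HA's SAs and never the trigger value
            spi = struct.unpack(">I", os.urandom(4))[0]
            if spi != SPI_ALLOCATE_TRIGGER and spi not in self.sa:
                return spi


def demo():
    """Embodiment 3 flow with constructed sample values: trigger, allocate,
    accept the reply, then verify later signaling by SPI lookup."""
    root = bytes(range(32))  # constructed PMN-RK
    ha = HomeAgent(root, "10.0.0.1")
    key = derive_shared_key(root, "192.0.2.10", "10.0.0.1", 0x1234)  # first shared key
    alloc = ha.receive_initial(protect(key, SPI_ALLOCATE_TRIGGER, "192.0.2.10", 0x1234, b"RRQ"))
    got = proxy_accept_reply(key, ha.reply(alloc, "192.0.2.10", 0x1234, b"RRP"))
    later = ha.receive_subsequent(protect(key, got, "192.0.2.10", 0x1234, b"RRQ"))
    return got, later
```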
  • Embodiments of the present invention also provide three systems for protecting PMIP signaling.
  • FIG. 8 is a schematic structural diagram of Embodiment 1 of a system for protecting PMIP signaling according to the present invention.
  • The system includes: a centralized control point, configured to calculate a first shared key between the mobile IP proxy and the home agent HA, and to generate an SPI that uniquely identifies the first shared key;
  • a mobile IP proxy, configured to receive the first shared key and the SPI sent by the centralized control point, or to actively obtain them from the centralized control point, to perform integrity protection on the PMIP signaling to be sent to the HA using the obtained first shared key, and to carry the obtained SPI in the PMIP signaling to be sent;
  • an HA, configured to receive PMIP signaling from the mobile IP proxy, calculate the second shared key in the same manner as the centralized control point, verify the integrity of the received PMIP signaling using the calculated second shared key, and, when the verification succeeds, save the calculated second shared key and the SPI carried in the received PMIP signaling.
  • The centralized control point of the system includes:
  • a shared key calculation unit, configured to calculate the first shared key between the mobile IP proxy and the HA;
  • an SPI generating unit, configured to generate, by a random number generator or by calculation from selected parameters, an SPI that uniquely identifies the first shared key calculated by the shared key calculation unit.
  • The centralized control point may further include an information sending unit, configured to send the first shared key calculated by the shared key calculation unit and the SPI generated by the SPI generating unit to the mobile IP proxy.
  • The shared key calculation unit in the centralized control point may be composed of a random number obtaining unit and a key calculation unit, where:
  • the random number obtaining unit is configured to obtain the generated SPI from the SPI generating unit;
  • the key calculation unit is configured to calculate the shared key between the mobile IP proxy and the HA using the SPI acquired by the random number obtaining unit as the random number.
  • FIG. 9 is a schematic structural diagram of Embodiment 2 of a system for protecting PMIP signaling according to the present invention.
  • The system includes: a centralized control point, configured to calculate a first shared key between the mobile IP proxy and the home agent HA; a mobile IP proxy, configured to obtain the first shared key calculated by the centralized control point, generate an SPI that uniquely identifies the shared key, perform integrity protection on the PMIP signaling to be sent to the HA using the first shared key, and carry the generated SPI in the PMIP signaling to be sent;
  • an HA, configured to receive PMIP signaling from the mobile IP proxy, calculate the second shared key in the same manner as the centralized control point, verify the integrity of the received PMIP signaling using the calculated second shared key, and, when the verification succeeds, save the calculated second shared key and the SPI carried in the received PMIP signaling.
  • The mobile IP proxy includes: a shared key obtaining unit, configured to receive the first shared key sent by the centralized control point, or to actively obtain the first shared key from the centralized control point;
  • an SPI generating unit, configured to generate, by a random number generator or by calculation from selected parameters, an SPI that uniquely identifies the obtained first shared key;
  • a signaling sending unit, configured to send PMIP signaling to the HA, perform integrity protection on the PMIP signaling to be sent using the first shared key, and carry the SPI generated by the SPI generating unit in the PMIP signaling to be sent.
  • FIG. 10 is a schematic structural diagram of Embodiment 3 of a system for protecting PMIP signaling according to the present invention.
  • The system comprises: a centralized control point, configured to calculate a first shared key between the mobile IP proxy and the home agent HA; a mobile IP proxy, configured to obtain the first shared key calculated by the centralized control point, send PMIP signaling to the HA, perform integrity protection on that PMIP signaling using the obtained first shared key, carry a fixed identifier for triggering SPI allocation in the PMIP signaling, receive PMIP signaling from the HA, and verify the integrity of the received PMIP signaling using the obtained first shared key, obtaining, when the verification succeeds, the SPI that uniquely identifies the first shared key or the second shared key from the received PMIP signaling;
  • an HA, configured to receive PMIP signaling from the mobile IP proxy, calculate the second shared key in the same manner as the centralized control point, verify the integrity of the received PMIP signaling using the calculated second shared key, and, when the verification succeeds, generate an SPI that uniquely identifies the first shared key or the second shared key, carry that SPI in PMIP signaling sent to the mobile IP proxy, and perform integrity protection on the PMIP signaling to be sent to the mobile IP proxy using the calculated second shared key.
  • The home agent HA includes:
  • a signaling transceiver unit, configured to receive PMIP signaling from the mobile IP proxy, to carry the SPI generated by the SPI generating unit in PMIP signaling sent to the mobile IP proxy, and to perform integrity protection on the PMIP signaling sent to the mobile IP proxy using the second shared key calculated by the verification unit;
  • a verification unit, configured to calculate the second shared key in the same manner as the centralized control point and to verify the integrity of the received PMIP signaling using the calculated second shared key;
  • an SPI generating unit, configured to generate, by a random number generator or by calculation from selected parameters, an SPI that uniquely identifies the first shared key or the second shared key when the verification by the verification unit succeeds.
  • The mobile IP proxy includes:
  • a shared key obtaining unit, configured to receive from the centralized control point, or to actively obtain from the centralized control point, the first shared key between the mobile IP proxy and the HA;
  • an SPI allocation triggering unit, configured to send PMIP signaling to the HA, perform integrity protection on the PMIP signaling using the first shared key obtained by the shared key obtaining unit, and carry the preset identifier for triggering SPI allocation in the PMIP signaling;
  • a verification and SPI obtaining unit, configured to receive PMIP signaling from the HA, verify the integrity of the signaling using the first shared key obtained by the shared key obtaining unit, and, when the verification succeeds, obtain from the received PMIP signaling the SPI assigned by the HA that uniquely identifies the first shared key or the second shared key.
  • FIG. 11 is a flowchart of Embodiment 7 of a method for protecting PMIP signaling according to the present invention.
  • In this embodiment, the shared key between the mobile IP proxy and the HA is generated by the centralized control point, and the calculation includes a random number.
  • The centralized control point generates, for the mobile IP proxy, the parameter for constructing the SPI. The process includes:
  • Step 1101 The centralized control point calculates a first shared key between the mobile IP proxy and the HA, and generates for the mobile IP proxy the parameter for constructing the SPI. This construction parameter may be produced by a random number generator, or calculated from a random number and other selected parameters.
  • The parameters involved in calculating the first shared key between the mobile IP proxy and the HA include: the root key of the proxy mobile IP, the SPI construction parameter, the IP address of the mobile IP proxy, the IP address of the HA, and so on.
  • The centralized control point can use the SPI construction parameter as the random number in the calculation of the shared key.
  • Step 1102 The centralized control point passes the calculated first shared key and parameters for constructing the SPI to the mobile IP proxy.
  • Step 1103 The mobile IP proxy generates an SPI according to the parameter for constructing the SPI.
  • Step 1104 The mobile IP proxy sends PMIP signaling to the HA. The signaling is protected by the first shared key between the mobile IP proxy and the HA, and includes the SPI that uniquely identifies the first shared key.
  • Step 1105 After receiving the PMIP signaling from the mobile IP proxy, the HA obtains the necessary parameters from the signaling, including the SPI or the parameter for constructing the SPI and the IP address of the mobile IP proxy, calculates the second shared key in the same manner as the centralized control point, and verifies the integrity of the received PMIP signaling using the calculated second shared key. If the verification succeeds, the second shared key calculated by the HA is the same as the first shared key calculated by the centralized control point; the SPI obtained from the PMIP signaling is then saved, and a data tunnel between the mobile IP proxy and the HA is established for the mobile terminal.
  • Step 1106 The HA sends PMIP signaling to the mobile IP proxy. The signaling is protected by the first shared key or the second shared key between the HA and the mobile IP proxy, and carries the SPI that uniquely identifies the first shared key.
  • FIG. 12 is a schematic structural diagram of Embodiment 4 of a system for protecting PMIP signaling according to the present invention.
  • The system includes: a centralized control point, configured to calculate a first shared key between the mobile IP proxy and the home agent HA, and to generate, for the mobile IP proxy, the parameter for constructing the SPI;
  • a mobile IP proxy, configured to obtain the first shared key and the parameter for constructing the SPI, generate an SPI that uniquely identifies the first shared key according to that parameter, perform integrity protection on the PMIP signaling sent to the HA using the first shared key, and carry the SPI in the PMIP signaling;
  • a home agent HA, configured to receive the PMIP signaling, calculate the second shared key in the same manner as the centralized control point, verify the integrity of the received PMIP signaling using the calculated second shared key, and, when the verification succeeds, save the calculated second shared key and the SPI carried in the PMIP signaling.
  • The centralized control point includes:
  • a shared key calculation unit, configured to calculate the first shared key between the mobile IP proxy and the HA;
  • an SPI construction unit, configured to generate, by a random number generator or by calculation from selected parameters, the parameter for constructing the SPI;
  • an information sending unit, configured to send the first shared key and the parameter for constructing the SPI to the mobile IP proxy.
  • The mobile IP proxy includes:
  • a shared key obtaining unit, configured to receive the first shared key sent by the centralized control point, or to actively obtain the first shared key from the centralized control point;
  • an SPI generating unit, configured to receive the parameter for constructing the SPI sent by the centralized control point, and to use that parameter to generate an SPI that uniquely identifies the first shared key;
  • a signaling sending unit, configured to send PMIP signaling to the HA, perform integrity protection on the PMIP signaling using the first shared key, and carry the SPI generated by the SPI generating unit in the PMIP signaling.
  • In the embodiments of the present invention, the shared key between the mobile IP proxy and the HA is calculated by the centralized control point, and the centralized control point, the mobile IP proxy or the HA generates an SPI that uniquely identifies the shared key between the mobile IP proxy and the HA.
  • The PMIP signaling exchanged between the mobile IP proxy and the HA is integrity protected using the shared key calculated by the centralized control point and carries the generated SPI,
  • so the HA can look up the security association corresponding to the PMIP signaling according to the SPI.
  • Such a lookup is not only efficient but also conforms to the current provisions of the protocol. Therefore, the method for protecting PMIP signaling provided by the embodiments of the present invention improves the protection mechanism of PMIP signaling.
  • The four systems for protecting PMIP signaling provided by the embodiments of the present invention respectively implement the generation of an SPI that uniquely identifies the shared key by the centralized control point, by the mobile IP proxy, and by the HA, and thus the four systems achieve the purpose of improving the protection mechanism of PMIP signaling.
  • The first mobile IP proxy, the HA, and the first centralized control point provided by the embodiments of the present invention can each generate an SPI that uniquely identifies the shared key, and thus achieve the purpose of improving the protection mechanism of PMIP signaling.
  • The second mobile IP proxy provided by the embodiments of the present invention can trigger the HA to allocate the SPI that uniquely identifies the shared key and acquire that SPI, and thus achieves the object of the invention, improving the protection mechanism of PMIP signaling.
  • The second centralized control point generates, for the mobile IP proxy, the parameter for constructing the SPI,
  • and the third mobile IP proxy generates the SPI that uniquely identifies the shared key according to that parameter, so that they too achieve the object of the invention, improving the protection mechanism of PMIP signaling.
  • the embodiment of the present invention provides a method for generating an SPI, which improves the protection mechanism of the PMIP signaling, and improves the efficiency of the HA to find a security association of a specific mobile terminal.
  • the embodiment of the present invention further provides a method for transmitting a random number required for a centralized control point to calculate a shared key, which not only further improves the protection mechanism of the PMIP signaling, but also has little impact on the existing protocol.
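To make the SPI-keyed lookup concrete, here is an added Python illustration (not code from the patent or from Huawei); it assumes HMAC-SHA256 as the integrity algorithm and a random 32-bit SPI allocated by the HA, neither of which the text specifies, and it also shows the collision check that keeps each SPI bound to exactly one shared key.

```python
import hmac
import hashlib
import secrets

# Added illustration, not the patent's own code. Assumptions: HMAC-SHA256 as
# the integrity algorithm and a 32-bit SPI drawn at random by the HA; the
# text fixes neither.


class HomeAgent:
    """HA keeps its security associations keyed by SPI, so lookup is O(1)."""

    def __init__(self):
        self.sa_by_spi = {}  # spi -> shared key

    def allocate_spi(self, shared_key: bytes) -> int:
        # Draw a fresh non-zero 32-bit SPI, retrying on the rare collision,
        # so that each SPI identifies exactly one shared key.
        while True:
            spi = secrets.randbits(32)
            if spi != 0 and spi not in self.sa_by_spi:
                self.sa_by_spi[spi] = shared_key
                return spi

    def verify(self, spi: int, payload: bytes, auth: bytes) -> bool:
        # Find the SA by the SPI carried in the signaling, then check the
        # authenticator. Unknown SPI is rejected outright; no table scan.
        key = self.sa_by_spi.get(spi)
        if key is None:
            return False
        expected = hmac.new(
            key, spi.to_bytes(4, "big") + payload, hashlib.sha256
        ).digest()
        return hmac.compare_digest(expected, auth)


def build_pmip_message(spi: int, shared_key: bytes, payload: bytes) -> tuple:
    """Mobile IP proxy side: return (spi, payload, authenticator).

    The SPI is included in the MAC input so the authenticator is bound to
    the security association it claims to use.
    """
    auth = hmac.new(
        shared_key, spi.to_bytes(4, "big") + payload, hashlib.sha256
    ).digest()
    return spi, payload, auth
```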

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The present invention discloses two methods for protecting PMIP signaling. In the first, the centralized control node or the mobile IP proxy generates an SPI that uniquely identifies the shared key; in the second, triggered by the mobile IP proxy, the home agent HA generates an SPI that uniquely identifies the shared key. The invention also discloses four systems for protecting PMIP signaling. The four systems respectively implement the method for generating the SPI that uniquely identifies the shared key, the SPI being generated respectively by the centralized control node, by the mobile IP proxy and by the HA. Also disclosed are a mobile IP proxy, a centralized control node and a home agent that can generate an SPI to uniquely identify the shared key. The invention further discloses another mobile IP proxy for triggering the home agent to generate the SPI that uniquely identifies the shared key. The method, system and apparatus solutions perfect the protection mechanism of PMIP signaling.
PCT/CN2008/071257 2007-06-15 2008-06-11 Method, system and apparatus for protecting proxy mobile internet protocol signaling WO2008154841A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN200710106727.8 2007-06-15
CN2007101067278A CN101325582B (zh) 2007-06-15 2007-06-15 Method, system and apparatus for protecting proxy mobile internet protocol signaling

Publications (1)

Publication Number Publication Date
WO2008154841A1 true WO2008154841A1 (fr) 2008-12-24

Family

ID=40155899

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2008/071257 WO2008154841A1 (fr) 2007-06-15 2008-06-11 Method, system and apparatus for protecting proxy mobile internet protocol signaling

Country Status (2)

Country Link
CN (1) CN101325582B (fr)
WO (1) WO2008154841A1 (fr)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102281287B (zh) * 2011-06-23 2014-05-28 北京交通大学 TLS-based mobility signaling protection system and protection method for a separation mechanism
US11075949B2 (en) * 2017-02-02 2021-07-27 Nicira, Inc. Systems and methods for allocating SPI values
CN108777720A (zh) * 2018-07-05 2018-11-09 湖州贝格信息安全科技有限公司 File transfer method and related product

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2006203764A (ja) * 2005-01-24 2006-08-03 Nec Corp Mobile communication system
US20060251257A1 (en) * 2005-04-14 2006-11-09 Nokia Corporation Utilizing generic authentication architecture for mobile internet protocol key distribution
CN1969526A (zh) * 2004-04-14 2007-05-23 北方电讯网络有限公司 Using the HA-MN key to protect communication between the home agent and the mobile node

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1297107C (zh) * 2003-03-31 2007-01-24 华为技术有限公司 A key distribution method based on a pre-shared key
CN100450109C (zh) * 2003-07-14 2009-01-07 华为技术有限公司 A security authentication method based on the media gateway control protocol

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1969526A (zh) * 2004-04-14 2007-05-23 北方电讯网络有限公司 Using the HA-MN key to protect communication between the home agent and the mobile node
JP2006203764A (ja) * 2005-01-24 2006-08-03 Nec Corp Mobile communication system
US20060251257A1 (en) * 2005-04-14 2006-11-09 Nokia Corporation Utilizing generic authentication architecture for mobile internet protocol key distribution

Also Published As

Publication number Publication date
CN101325582A (zh) 2008-12-17
CN101325582B (zh) 2012-08-08

Similar Documents

Publication Publication Date Title
JP4965671B2 (ja) Distribution of user profiles, policies and PMIP keys in wireless communication networks
US7475241B2 (en) Methods and apparatus for dynamic session key generation and rekeying in mobile IP
JP5933259B2 (ja) Traffic encryption key generation in wireless communication networks
CN101006682B (zh) Fast network attachment
US20110010538A1 (en) Method and system for providing an access specific key
KR101398908B1 (ko) Method and system for managing mobility of a terminal in a mobile communication system using mobile IP
KR101002799B1 (ko) Mobile communication network and method and apparatus for authenticating a mobile node in the mobile communication network
WO2011127810A1 (fr) Method and apparatus for authenticating communication devices
US20080294891A1 (en) Method for Authenticating a Mobile Node in a Communication Network
JP2008537398A (ja) Utilizing generic authentication architecture for mobile internet protocol key distribution
WO2019137030A1 (fr) Security certification method, related device, and system
KR101523090B1 (ko) Method and apparatus for managing mobility of a terminal in a mobile communication system using mobile IP
KR20060067263A (ko) WLAN-UMTS interworking network system and authentication method therefor
JP2004241976A (ja) Mobile communication network system and mobile terminal authentication method
WO2015123953A1 (fr) Key generation method, device and system
WO2008009232A1 (fr) Method, system and device for determining the mobile IP key and notifying the mobile IP type
WO2007134547A1 (fr) Method and system for creating and distributing a mobile IP security key after re-authentication
JP2011515930A (ja) Method and apparatus for dynamically managing security associations in a wireless network
WO2009012676A1 (fr) Method and equipment for generating a temporary address, method and system for improving route optimization security
WO2008154841A1 (fr) Method, system and apparatus for protecting proxy mobile internet protocol signaling
CN114946153A (zh) Method, device and system for application key generation and management in a communication network for encrypted communication with service applications
CN101569160B (zh) Method for transmitting DHCP messages
WO2008052470A1 (fr) Method for establishing a security mechanism for a mobile IP device, security system and corresponding device
KR100687721B1 (ko) Method for extending the Diameter AAA protocol to support Mobile IPv6
CN101447978B (zh) Method for a visited AAA server in a WiMAX network to obtain the correct HA-RK Context

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 08757668; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 08757668; Country of ref document: EP; Kind code of ref document: A1)