WO2009094939A1 - Method for protecting mobile ip route optimization signaling, the system, node, and home agent thereof - Google Patents


Info

Publication number: WO2009094939A1
Authority: WO, WIPO (PCT)
Prior art keywords: home, token, mobile node, secret, shared key
Application number: PCT/CN2009/070258
Other languages: French (fr), Chinese (zh)
Inventors: Chunqiang Li, Zhigang Huang
Original assignee: Huawei Technologies Co., Ltd.
Application filed by Huawei Technologies Co., Ltd.
Publication of WO2009094939A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/03 Protecting confidentiality, e.g. by encryption
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W 12/041 Key generation or derivation

Definitions

  • The present invention relates to the field of network communications, and in particular to a method, system, node and home agent for protecting mobile IP route optimization signaling.
  • Background technique
  • MN: Mobile Node
  • CN: Correspondent Node
  • HA: Home Agent
  • When the MN roams to a foreign network, a care-of address is generated in a certain way, and the MN notifies the home agent of the care-of address through a Binding Update (BU) message.
  • BU: Binding Update
  • When the CN sends a packet to an MN that has left its home network, the home agent intercepts the packet sent to the mobile node's home network and the mobile node, and forwards it to the mobile node in tunnel mode; when the MN sends a packet to the CN, the packet is sent to the home agent in tunnel mode.
  • The home agent decapsulates the packet and forwards it to the CN.
  • The above communication mode is called the bidirectional tunnel communication mode.
  • If the CN is notified of the MN's current care-of address, communication between the MN and the CN need not transit the MN's home agent; this method of direct communication between the MN and the CN is called the route optimization mode.
  • For the MN and the CN to communicate directly, the MN needs to notify the CN of its care-of address through the BU message. However, if the BU message is not protected, the communication between the MN and the CN can be attacked by forged BU messages.
  • To ensure the security of communication between a mobile node and a home agent, the embodiment of the invention provides a method, a system, a node and a home agent for protecting mobile IP route optimization signaling.
  • The technical solution is as follows:
  • In one aspect, an embodiment of the present invention provides a method for protecting mobile IP route optimization signaling, including: a mobile node receives a home test message sent by a home agent, where the home test message includes an encrypted home keygen token; and the mobile node decrypts the home keygen token from the home test message.
  • In another aspect, an embodiment of the present invention provides a mobile node, including:
  • a home test message receiving module, configured to receive a home test message sent by the home agent, where the home test message includes an encrypted home keygen token;
  • In another aspect, an embodiment of the present invention provides a home agent, including:
  • a token encryption module, configured to encrypt the home keygen token and place the encrypted home keygen token in a home test message sent to the mobile node.
  • In another aspect, an embodiment of the present invention provides a system for protecting mobile IP route optimization signaling, including: a home agent, configured to encrypt a home keygen token and place the encrypted home keygen token in the home test message sent to the mobile node;
  • and a mobile node, configured to receive the home test message sent by the home agent and decrypt the home keygen token from the received home test message.
  • By protecting the confidentiality of the home keygen token, the security of the route optimization signaling between the mobile node and the home agent is ensured even when the mobile node and the home agent do not support the IPSec function.
  • The mobile node's route-optimized communication is thereby protected, and the technical solution is simple and easy to implement.
  • In addition, packets can be classified according to the packet header.
  • FIG. 1 is a schematic diagram of a return route reachable process method provided by the prior art
  • FIG. 2 is a schematic diagram of a format of a HoTI message provided by the prior art
  • FIG. 3 is a schematic diagram of a format of a HoT message provided by the prior art
  • FIG. 4 is a flowchart of a method for protecting mobile IP route optimization signaling according to Embodiment 1 of the present invention
  • FIG. 5 is a flowchart of another method for protecting mobile IP route optimization signaling according to Embodiment 2 of the present invention
  • FIG. 6 is a flowchart of another method for protecting mobile IP route optimization signaling according to Embodiment 3 of the present invention
  • FIG. 7 is a schematic structural diagram of a mobile node according to Embodiment 6 of the present invention.
  • FIG. 8 is a schematic structural diagram of another mobile node according to Embodiment 6 of the present invention.
  • FIG. 9 is a schematic structural diagram of a home agent provided in Embodiment 7 of the present invention.
  • FIG. 10 is a schematic structural diagram of another home agent according to Embodiment 7 of the present invention.
  • FIG. 11 is a schematic diagram of another system for protecting mobile IP route optimization signaling according to Embodiment 8 of the present invention.
  • Detailed description
  • RFC (Request for Comments) 3775 specifies that a Binding Management Key (Kbm) must be established between the MN and the CN in order to protect the binding update message from the MN to the CN.
  • The binding management key that protects the BU message between the MN and the CN is established using the Return Routability Procedure (RRP).
  • RRP: Return Routability Procedure
  • The procedure is shown in Figure 1.
  • When the MN attempts to communicate with the CN using the route optimization mode, it sends a HoTI (Home Test Init) message and a CoTI (Care-of Test Init) message to the CN.
  • The HoTI message format is shown in Figure 2. If the CN supports and allows route optimization mode communication with the MN, then after receiving the HoTI message it calculates the Home Keygen Token as follows:
  • Home keygen token = First(64, HMAC-SHA1(Kcn, HoA
  • Kcn is the private secret of the CN
  • Nonce is a random number generated by the CN.
  • The CN sends the generated home keygen token to the MN through the HA in a HoT (Home Test) message.
  • The HoT message format is shown in Figure 3.
  • The care-of keygen token is calculated in the same way and sent to the MN.
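As an added worked example, not part of the patent text or of RFC 3775 itself: the keygen-token and Kbm derivation from RFC 3775 that the lines above summarise, together with the care-of token and the BU authenticator (RFC 3775 sections 5.2.4, 5.2.5 and 6.2.7) and the check a CN performs on an incoming BU. Kcn, the nonces, the addresses and the BU payload are constructed values, and the function names are mine. It shows why the home keygen token must stay confidential on the HA-to-MN leg: the CN accepts a BU only when both tokens, and therefore Kbm, are right.

```python
import hashlib
import hmac
import ipaddress

# Constructed sample values (not from the patent or RFC 3775).
KCN = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")   # the CN's private secret Kcn
HOME_NONCE = bytes.fromhex("a1a2a3a4a5a6a7a8")              # nonce the CN uses for the HoT
CAREOF_NONCE = bytes.fromhex("b1b2b3b4b5b6b7b8")            # nonce the CN uses for the CoT
HOA = "2001:db8::1"                                         # MN home address
COA = "2001:db8:ffff::2"                                    # MN care-of address


def first(n_bits: int, data: bytes) -> bytes:
    """RFC 3775's First(n, x): the leftmost n bits of x (n is a multiple of 8 here)."""
    return data[: n_bits // 8]


def keygen_token(kcn: bytes, address: str, nonce: bytes, kind: int) -> bytes:
    """RFC 3775 section 5.2.4:
       home keygen token    = First(64, HMAC_SHA1(Kcn, HoA | nonce | 0))
       care-of keygen token = First(64, HMAC_SHA1(Kcn, CoA | nonce | 1))
    kind is 0 for the home token and 1 for the care-of token; the trailing byte keeps
    the two tokens distinct even when the same address and nonce are used."""
    if kind not in (0, 1):
        raise ValueError("kind must be 0 (home) or 1 (care-of)")
    packed = ipaddress.IPv6Address(address).packed          # 16-byte address
    mac = hmac.new(kcn, packed + nonce + bytes([kind]), hashlib.sha1).digest()
    return first(64, mac)


def home_keygen_token(kcn: bytes, hoa: str, nonce: bytes) -> bytes:
    return keygen_token(kcn, hoa, nonce, 0)


def careof_keygen_token(kcn: bytes, coa: str, nonce: bytes) -> bytes:
    return keygen_token(kcn, coa, nonce, 1)


def binding_management_key(home_token: bytes, careof_token: bytes) -> bytes:
    """RFC 3775 section 5.2.5: Kbm = SHA1(home keygen token | care-of keygen token)."""
    return hashlib.sha1(home_token + careof_token).digest()


def bu_authenticator(kbm: bytes, bu_payload: bytes) -> bytes:
    """Binding Authorization Data value: First(96, HMAC_SHA1(Kbm, payload)).
    RFC 3775 section 6.2.7 builds the payload as CoA | CN address | MH data; the caller supplies it."""
    return first(96, hmac.new(kbm, bu_payload, hashlib.sha1).digest())


def mn_side(home_token: bytes, careof_token: bytes, bu_payload: bytes) -> bytes:
    """The MN holds both tokens (home token from the HoT via the HA, care-of token from the CoT)
    and authenticates its BU with the Kbm derived from them."""
    kbm = binding_management_key(home_token, careof_token)
    return bu_authenticator(kbm, bu_payload)


def cn_accepts_bu(kcn, hoa, coa, home_nonce, careof_nonce, bu_payload, authenticator) -> bool:
    """The CN keeps no per-MN state: it regenerates both tokens from Kcn and its nonces,
    rebuilds Kbm and compares the authenticator in constant time."""
    kbm = binding_management_key(home_keygen_token(kcn, hoa, home_nonce),
                                 careof_keygen_token(kcn, coa, careof_nonce))
    return hmac.compare_digest(bu_authenticator(kbm, bu_payload), authenticator)


def demo_honest_and_without_home_token() -> tuple:
    """Returns (honest BU accepted, BU built without the real home token accepted)."""
    payload = b"constructed BU payload"
    ht = home_keygen_token(KCN, HOA, HOME_NONCE)
    ct = careof_keygen_token(KCN, COA, CAREOF_NONCE)
    honest = cn_accepts_bu(KCN, HOA, COA, HOME_NONCE, CAREOF_NONCE, payload, mn_side(ht, ct, payload))
    # A party that sees only the care-of leg has the care-of token but not the home token,
    # which travels CN -> HA -> MN; a BU built with a guessed home token is rejected.
    guessed_home_token = bytes(8)
    rejected = cn_accepts_bu(KCN, HOA, COA, HOME_NONCE, CAREOF_NONCE, payload,
                             mn_side(guessed_home_token, ct, payload))
    return honest, rejected
```

This is the reason the patent cares about the HoT: the care-of token is exposed on the MN's current link by design, so the confidentiality of the home token on the HA-to-MN hop is what keeps Kbm out of reach of anyone who is not on the path to the home network.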
  • The design goal of route optimization security is to provide the same level of security when the MN has left the home network as when it communicates from the home network.
  • The premise is that an attacker cannot eavesdrop on the communication between the CN and the MN's home network; the communication between the mobile node and the home agent must therefore be secure in order to protect the route optimization signaling.
  • The prior art uses an IPSec Encapsulating Security Payload (ESP) tunnel mode between the MN and the home network to protect the HoT message.
  • IPSec ESP: IPSec Encapsulating Security Payload
  • This method protects the route optimization signaling between the MN and the HA by encrypting and encapsulating the HoT message, but it requires the MN and the HA to support the IPSec (IP Security) function; because IPSec combines cryptographic protection services, security protocol suites and dynamic key management, its implementation is relatively complicated.
  • For example, Worldwide Interoperability for Microwave Access (WIMAX) MNs.
  • WIMAX: Worldwide Interoperability for Microwave Access
  • In the embodiment of the present invention, the home agent encrypts the home keygen token, the encrypted home keygen token is included in the home test message sent to the mobile node, and the mobile node decrypts the home keygen token from the received home test message.
  • Protecting the confidentiality of the home keygen token guarantees the security of the route optimization signaling between the mobile node and the home agent.
  • The embodiment of the invention provides a method for protecting mobile IP route optimization signaling.
  • The method protects the confidentiality of the home keygen token in the HoT message, so that even when the mobile node and the home agent do not support IPSec, the security of the route optimization signaling between them is guaranteed and the mobile node's route-optimized communication can be protected.
  • A method for protecting mobile IP route optimization signaling provided by Embodiment 1 of the present invention includes the following steps:
  • 101: The MN performs home registration and establishes a shared key K with the HA.
  • There may be one or more shared keys between the MN and the HA; this embodiment takes multiple shared keys as an example.
  • 102: When sending the HoTI message, the MN places a random value IV1 (64 bits) in the home initial cookie position, encrypts the home initial cookie together with IV1 using the shared key K or the derived key Ks (the value encrypted may also be an intermediate value MV1 produced by another operation, such as concatenation), and places the encrypted intermediate value MV1 in a mobile encryption option.
  • The derived key Ks is obtained as follows:
  • Ks = KDF(K, HoA
  • When the derived key Ks is calculated from the shared key K, a mobile SPI may be generated and placed in the mobile encryption option.
  • The mobile SPI is used to index the shared key K or the derived key Ks. It is not always required: if there is only one shared key between the MN and the HA, no mobile SPI is needed; if there are multiple shared keys, an SPI must be generated. Since step 101 establishes a plurality of shared keys K, the mobile SPI is required here to index the shared key K or the key Ks derived from it.
  • MV1 is generated by concatenating the home initial cookie and the random value IV1.
  • Part of the encrypted intermediate value MV1 may be placed in the mobile encryption option and part in the home initial cookie position.
  • 103: The HA receives the HoTI message, decrypts the home initial cookie using the shared key indexed by the SPI in the mobile encryption option, replaces the random value IV1 in the home initial cookie position with the decrypted home initial cookie, and sends the HoTI message to the CN.
  • 104: After receiving the HoTI message, the CN sends a HoT message to the HA; the message includes a home keygen token.
  • After receiving the HoTI message, the CN calculates the home keygen token as follows:
  • Home keygen token = First(64, HMAC-SHA1(Kcn, HoA
  • Kcn is the private secret of the CN
  • Nonce is a random number generated by the CN.
  • The CN sends the generated home keygen token to the HA in a HoT (Home Test) message.
  • 105: The HA receives the HoT message, encrypts the home keygen token using the shared key K or the derived key Ks, and sends the encrypted home keygen token to the MN in the HoT message, which also carries the mobile SPI.
  • Specifically, a random value IV2 (128 bits) is placed in the home initial cookie position and the home keygen token position, and the shared key K or the derived key Ks is used to encrypt the intermediate value MV2 generated by XORing the home keygen token with IV2.
  • The encrypted intermediate value MV2 is placed in the mobile encryption option, which also includes the mobile SPI.
  • The mobile SPI may be the same as or different from the mobile SPI in step 102.
  • Alternatively, the HA may directly encrypt the home keygen token using the shared key K or the derived key Ks and place the encrypted home keygen token in the home keygen token position of the HoT message sent to the MN.
  • 106: The MN receives the HoT message and decrypts the home keygen token using the shared key K or the derived key Ks according to the mobile encryption option.
  • When the intermediate value MV2 was produced by XORing the home keygen token with IV2 before encryption with K or Ks, the MN decrypts MV2 and then XORs the decrypted MV2 with IV2 to recover the home keygen token.
  • Steps 102 and 103 of this embodiment, which encrypt and decrypt the home initial cookie, are optional.
  • The home initial cookie need not be encrypted and decrypted.
  • The home initial cookie is encrypted and decrypted in this embodiment mainly to further enhance the security of the signaling between the HA and the MN.
  • In this embodiment, the security of the route optimization signaling between the mobile node and the home agent is ensured even when the mobile node and the home agent do not support the IPSec function.
  • The mobile node's route-optimized communication is thereby protected, and the technical solution is simple and easy to implement.
  • Message classification remains possible.
  • In the embodiment above, the home keygen token in the HoT message is encrypted and decrypted, thereby ensuring the security of the signaling between the HA and the MN.
  • In the following embodiment, the intermediate value generated from the home keygen token, the home initial cookie and the random value in the HoT message is encrypted and decrypted.
  • The method for protecting mobile IP route optimization signaling of Embodiment 2 includes the following steps:
  • 201: The MN performs home registration and establishes a shared key K with the HA.
  • 203: The HA receives the HoTI message and decrypts the home initial cookie using the shared key indexed by the SPI in the mobile encryption option.
  • The HA replaces the random value IV1 in the home initial cookie position with the decrypted home initial cookie and sends the HoTI message to the CN.
  • 204: After receiving the HoTI message, the CN sends a HoT message to the HA; the message includes a home keygen token.
  • The details are the same as step 104 in Embodiment 1 and are not repeated here.
  • 205: The HA receives the HoT message, encrypts the home keygen token and the home initial cookie using the shared key K or the derived key Ks, and places the encrypted home keygen token and home initial cookie in the HoT message sent to the MN.
  • The message also includes the mobile SPI.
  • Specifically, a random value IV2 (128 bits) is placed in the home initial cookie position and the home keygen token position; the home initial cookie and the home keygen token are concatenated (another operation may also be used) to produce a temporary value; the intermediate value MV2 produced by XORing the temporary value with IV2 (another operation, such as concatenation, may also be used) is encrypted with the shared key K or the derived key Ks; and the encrypted intermediate value MV2 is placed in the mobile encryption option, which also includes the mobile SPI.
  • The intermediate value MV2 is computed as follows:
  • MV2 = (Home Initial Cookie | Home Keygen Token) XOR IV2
  • The mobile SPI may be the same as or different from the mobile SPI in step 202.
  • Alternatively, the HA may directly encrypt the home keygen token and the home initial cookie using the shared key K or the derived key Ks, and place the encrypted home keygen token and home initial cookie in the home keygen token and home initial cookie positions of the HoT message sent to the MN.
  • 206: The MN receives the HoT message and decrypts the home initial cookie and the home keygen token using the shared key K indexed by the SPI in the mobile encryption option.
  • The intermediate value MV2 is decrypted first, and the decrypted MV2 is then XORed with IV2 to obtain the home initial cookie and the home keygen token.
  • Steps 202 and 203 of this embodiment, which encrypt and decrypt the home initial cookie, are optional.
  • The home initial cookie need not be encrypted and decrypted.
  • The home initial cookie is encrypted and decrypted in this embodiment mainly to further enhance the security of the signaling between the HA and the MN.
  • In this embodiment, the security of the route optimization signaling between the mobile node and the home agent is ensured even when the mobile node and the home agent do not support the IPSec function.
  • The mobile node's route-optimized communication is thereby protected, and the technical solution is simple and easy to implement.
  • Because the message header does not need to be encrypted, messages can still be classified.
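The message flow of Embodiments 1 and 2 above (steps 102/103 for the HoTI cookie, 105/106 and 205/206 for the HoT), as an added example that is not the patent's own code. The patent names neither the KDF nor the cipher, so this example stands in HMAC-SHA256 for the KDF and an HMAC-based keystream for the cipher, keyed by the mobile SPI and by the random value IV1/IV2 that the patent already places on the wire; the shared keys, SPIs, home address, cookie and token are constructed values; the comparison of the IV1 copy inside MV1 with the value on the wire is an added check the patent does not specify; and for Embodiment 1 it is assumed that the 64-bit token is XORed with the half of IV2 that sits in the token position.

```python
import hashlib
import hmac
import os

# Constructed sample values (not from the patent).
HOA = bytes.fromhex("20010db8000000000000000000000001")  # MN home address 2001:db8::1
SHARED_KEYS = {                                          # mobile SPI -> shared key K from home registration
    0x1001: bytes.fromhex("000102030405060708090a0b0c0d0e0f"),
    0x1002: bytes.fromhex("101112131415161718191a1b1c1d1e1f"),
}


def derive_ks(k: bytes, hoa: bytes) -> bytes:
    """Ks = KDF(K, HoA, ...). The patent does not name the KDF; HMAC-SHA256 is assumed here."""
    return hmac.new(k, b"MIPv6-RO-Ks" + hoa, hashlib.sha256).digest()


def key_for(spi: int, hoa: bytes) -> bytes:
    """Look up K by mobile SPI and derive Ks. An unknown SPI means the message cannot be processed."""
    if spi not in SHARED_KEYS:
        raise KeyError(f"unknown mobile SPI {spi:#x}")
    return derive_ks(SHARED_KEYS[spi], hoa)


def crypt(ks: bytes, spi: int, iv: bytes, data: bytes) -> bytes:
    """Stand-in cipher (the patent leaves the cipher unspecified): XOR with the keystream
    HMAC-SHA256(Ks, SPI | IV | counter). The same call encrypts and decrypts."""
    stream, ctr = b"", 0
    while len(stream) < len(data):
        stream += hmac.new(ks, spi.to_bytes(4, "big") + iv + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def mn_build_hoti(spi: int, hoa: bytes, cookie: bytes) -> dict:
    """Step 102: a random IV1 (64 bits) sits in the home initial cookie position; MV1 = cookie | IV1
    is encrypted under Ks and carried in the mobile encryption option together with the SPI."""
    iv1 = os.urandom(8)
    mv1 = crypt(key_for(spi, hoa), spi, iv1, cookie + iv1)
    return {"home_init_cookie": iv1, "mobile_enc_option": {"spi": spi, "mv": mv1}}


def ha_process_hoti(hoa: bytes, msg: dict) -> dict:
    """Step 103: decrypt MV1 with the key the SPI indexes, restore the real cookie, forward to the CN.
    The IV1 copy inside MV1 is compared with the wire value (added check, not in the patent)."""
    opt, iv1 = msg["mobile_enc_option"], msg["home_init_cookie"]
    mv1 = crypt(key_for(opt["spi"], hoa), opt["spi"], iv1, opt["mv"])
    cookie, iv1_inner = mv1[:8], mv1[8:]
    if not hmac.compare_digest(iv1_inner, iv1):
        raise ValueError("HoTI rejected: decrypted IV1 does not match the wire value")
    return {"home_init_cookie": cookie}                   # option removed; the CN sees a plain HoTI


def ha_build_hot(spi: int, hoa: bytes, cookie: bytes, token: bytes, with_cookie: bool) -> dict:
    """Step 105 (Embodiment 1, with_cookie=False): MV2 = token XOR IV2 (token half of IV2, assumed).
    Step 205 (Embodiment 2, with_cookie=True):  MV2 = (cookie | token) XOR IV2.
    IV2 (128 bits) occupies the cookie and token positions; the encrypted MV2 goes in the option."""
    iv2 = os.urandom(16)
    plain, mask = (cookie + token, iv2) if with_cookie else (token, iv2[8:])
    mv2 = crypt(key_for(spi, hoa), spi, iv2, xor(plain, mask))
    return {"home_init_cookie": iv2[:8], "home_keygen_token": iv2[8:],
            "mobile_enc_option": {"spi": spi, "mv": mv2}}


def mn_process_hot(hoa: bytes, msg: dict, with_cookie: bool) -> tuple:
    """Step 106 / 206: decrypt MV2 with Ks indexed by the SPI, then XOR with the IV2 read from the
    cookie and token positions. Returns (cookie or None, token)."""
    opt = msg["mobile_enc_option"]
    iv2 = msg["home_init_cookie"] + msg["home_keygen_token"]
    mv2 = crypt(key_for(opt["spi"], hoa), opt["spi"], iv2, opt["mv"])
    plain = xor(mv2, iv2 if with_cookie else iv2[8:])
    return (plain[:8], plain[8:]) if with_cookie else (None, plain)


def run_exchange(spi: int = 0x1001, with_cookie: bool = False) -> dict:
    """HoTI from the MN through the HA to the CN, then HoT back through the HA to the MN."""
    cookie = os.urandom(8)                                # home initial cookie chosen by the MN
    hoti_to_cn = ha_process_hoti(HOA, mn_build_hoti(spi, HOA, cookie))
    token = os.urandom(8)                                 # constructed stand-in for the CN's home keygen token
    hot = ha_build_hot(spi, HOA, cookie, token, with_cookie)
    got_cookie, got_token = mn_process_hot(HOA, hot, with_cookie)
    on_wire = hot["home_init_cookie"] + hot["home_keygen_token"] + hot["mobile_enc_option"]["mv"]
    return {"cn_saw_real_cookie": hoti_to_cn["home_init_cookie"] == cookie,
            "mn_got_token": got_token == token,
            "mn_got_cookie": got_cookie == cookie if with_cookie else None,
            "token_visible_on_wire": token in on_wire}
```

run_exchange reports what each party recovered: the CN still receives an ordinary HoTI with the real cookie, the MN recovers the token (and, in Embodiment 2, the cookie) from the HoT, and the token never appears in clear on the HA-to-MN hop. A HoTI whose cookie field was altered in transit, or one carrying an SPI the HA has no key for, is rejected rather than forwarded. A deployment would replace the stand-in keystream with an authenticated cipher, since the XOR mask on its own provides confidentiality but no integrity.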
  • Embodiments of the present invention provide a system for protecting mobile IP route optimization signaling.
  • The system includes a token encryption module and a token decryption module, wherein:
  • the token encryption module is configured to encrypt a home keygen token and send the encrypted home keygen token to the token decryption module;
  • the token decryption module is configured to decrypt the encrypted home keygen token to obtain the home keygen token. Further, the system may include a cookie encryption module and a cookie decryption module:
  • the cookie encryption module is configured to encrypt the home initial cookie using the shared key or a key derived from the shared key, and to send the encrypted home initial cookie to the cookie decryption module;
  • the cookie decryption module is configured to decrypt the encrypted home initial cookie using the shared key or the key derived from it to obtain the home initial cookie.
  • In this embodiment, the security of the route optimization signaling between the mobile node and the home agent is ensured even when the mobile node and the home agent do not support the IPSec function.
  • The mobile node's route-optimized communication is thereby protected, and the technical solution is simple and easy to implement.
  • Because the message header does not need to be encrypted, messages can still be classified.
  • Embodiment 4 of the present invention provides a home agent, which includes:
  • a token encryption module, configured to encrypt the home keygen token and place the encrypted home keygen token in a home test message sent to the mobile node.
  • The home agent also includes:
  • a home test initiation message receiving module, configured to receive a home test initiation message sent by the mobile node, where the home test initiation message includes an encrypted home initial cookie;
  • a cookie decryption module, configured to decrypt the home initial cookie from the received home test initiation message.
  • In this embodiment, the security of the route optimization signaling between the mobile node and the home agent is ensured even when the mobile node and the home agent do not support the IPSec function.
  • The mobile node's route-optimized communication is thereby protected, and the technical solution is simple and easy to implement.
  • Because the message header does not need to be encrypted, messages can still be classified.
  • Embodiment 5 of the present invention provides a mobile node, where the mobile node includes:
  • a home test message receiving module, configured to receive a home test message sent by the home agent, where the home test message includes an encrypted home keygen token;
  • a token decryption module, configured to decrypt the home keygen token from the received home test message.
  • The mobile node further includes:
  • a cookie encryption module, which encrypts the home initial cookie and places the encrypted home initial cookie in the home test initiation message sent to the home agent.
  • In this embodiment, the security of the route optimization signaling between the mobile node and the home agent is ensured even when the mobile node and the home agent do not support the IPSec function.
  • The mobile node's route-optimized communication is thereby protected, and the technical solution is simple and easy to implement.
  • Because the message header does not need to be encrypted, messages can still be classified.
  • An embodiment of the present invention provides a mobile node, as shown in FIG. 7, including:
  • a home test message receiving module 601, configured to receive a home test message sent by the home agent, where the home test message includes an encrypted home keygen token;
  • a token decryption module 602, configured to decrypt the home keygen token from the received home test message. Further, as shown in FIG. 8, the mobile node also includes:
  • a cookie encryption module 603, configured to encrypt the home initial cookie and place the encrypted home initial cookie in the home test initiation message sent to the home agent.
  • In this embodiment, the security of the route optimization signaling between the mobile node and the home agent is ensured even when the mobile node and the home agent do not support the IPSec function.
  • The mobile node's route-optimized communication is thereby protected, and the technical solution is simple and easy to implement.
  • Because the packet header is not encrypted, packet classification can still be performed.
  • An embodiment of the present invention provides a home agent, as shown in FIG. 9, including:
  • a token encryption module 701, configured to encrypt the home keygen token and place the encrypted home keygen token in the home test message sent to the mobile node.
  • The home agent further includes:
  • a home test initiation message receiving module 702, configured to receive a home test initiation message sent by the mobile node, where the home test initiation message includes an encrypted home initial cookie;
  • a cookie decryption module 703, configured to decrypt the home initial cookie from the received home test initiation message.
  • In this embodiment, the security of the route optimization signaling between the mobile node and the home agent is ensured even when the mobile node and the home agent do not support the IPSec function.
  • The mobile node's route-optimized communication is thereby protected, and the technical solution is simple and easy to implement.
  • Because the message header does not need to be encrypted, messages can still be classified.
  • An embodiment of the present invention provides a system for protecting mobile IP route optimization signaling.
  • The system includes: a home agent 801, configured to encrypt a home keygen token and place the encrypted home keygen token in the home test message sent to the mobile node 802;
  • and a mobile node 802, configured to receive the home test message sent by the home agent 801 and decrypt the home keygen token from the received home test message.
  • The mobile node 802 is further configured to encrypt the home initial cookie and place the encrypted home initial cookie in the home test initiation message sent to the home agent 801;
  • the home agent 801 is further configured to receive the home test initiation message sent by the mobile node 802 and decrypt the home initial cookie from the received home test initiation message.
  • In this embodiment, the security of the route optimization signaling between the mobile node and the home agent is ensured even when the mobile node and the home agent do not support the IPSec function.
  • The mobile node's route-optimized communication is thereby protected, and the technical solution is simple and easy to implement.
  • Because the message header does not need to be encrypted, messages can still be classified.
  • The technical solution provided by the above embodiments can be implemented in hardware or software; the software is stored on a readable storage medium, such as a floppy disk, a hard disk or an optical disk of a computer.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

A method for protecting mobile IP route optimization signaling, and the system, node and home agent thereof, are disclosed in the embodiments of the present invention, which belong to the field of network communication. The method includes: a mobile node receives a home test message sent by a home agent, the home test message including an encrypted Home Keygen Token; and the mobile node decrypts the Home Keygen Token from the home test message. The node includes a home test message receiving module and a token decrypting module. The home agent includes a token encrypting module. The system includes a mobile node and a home agent. The embodiments of the present invention ensure the security of the route optimization signaling between the mobile node and the home agent by protecting the confidentiality of the Home Keygen Token.

Description

保护移动 IP路由优化信令的方法、 系统、 节点和家乡代理 本申请要求于 2008年 01月 23日提交中国专利局、 申请号为 200810056641.3、 发明名 称为"保护移动 IP路由优化信令的方法、系统、节点和家乡代理"的中国专利申请的优先权, 其全部内容通过引用结合在本申请中。 技术领域  Method, system, node and home agent for protecting mobile IP route optimization signaling The application is submitted to the Chinese Patent Office on January 23, 2008, the application number is 200810056641.3, and the invention name is "the method for protecting mobile IP route optimization signaling, The priority of the Chinese Patent Application for Systems, Nodes, and Home Agents, the entire contents of which is incorporated herein by reference. Technical field
本发明涉及网络通信领域, 特别涉及一种保护移动 IP路由优化信令的方法、 系统、 节 点和家乡代理。 背景技术  The present invention relates to the field of network communications, and in particular, to a method, system, node, and home agent for protecting mobile IP route optimization signaling. Background technique
移动 IPv6系统中涉及三种基本的网络实体: 移动节点 (Mobile Node, MN)、 通信节 点 (Correspondent Node, CN) 以及家乡代理(Home Agent, HA)。 MN漫游到外地网络时, 会通过一定方式生成转交地址, 并通过绑定更新(Binding Update, BU)消息将转交地址通 知家乡代理。 当 CN向离开家乡的 MN发送报文时, 家乡代理会截获发送到移动节点家乡 网络和移动节点的报文, 再将报文通过隧道模式转发给移动节点; 当 MN向 CN发送报文 时, 报文通过隧道模式发送到家乡代理, 家乡代理对报文进行解封装后转发给 CN。 以上通 信模式称为双向隧道通信模式。  There are three basic network entities involved in the mobile IPv6 system: Mobile Node (MN), Correspondent Node (CN), and Home Agent (HA). When the MN roams to the foreign network, the care-of address is generated in a certain way, and the home address agent is notified to the home address through a Binding Update (BU) message. When the CN sends a message to the MN leaving the hometown, the home agent intercepts the message sent to the mobile node's home network and the mobile node, and then forwards the message to the mobile node through the tunnel mode; when the MN sends a message to the CN, The packet is sent to the home agent through the tunnel mode. The home agent decapsulates the packet and forwards it to the CN. The above communication mode is called a bidirectional tunnel communication mode.
If the MN's current care-of address is notified to the CN, the communication between the MN and the CN need not be relayed through the home agent; this mode of direct communication between the MN and the CN is called route optimization mode. For the MN and the CN to communicate directly, the MN needs to notify the CN of its care-of address through a BU message. If the BU message is not protected, however, a forged BU message can be used to attack the communication between the MN and the CN.

Summary of the invention

In order to ensure the security of communication between the mobile node and the home agent, embodiments of the present invention provide a method, a system, a node and a home agent for protecting Mobile IP route optimization signaling. The technical solution is as follows:

In one aspect, an embodiment of the present invention provides a method for protecting Mobile IP route optimization signaling, including: a mobile node receiving a Home Test message sent by a home agent, the Home Test message including an encrypted home keygen token; and decrypting the home keygen token from the Home Test message.

In another aspect, an embodiment of the present invention provides a mobile node, including:

a Home Test message receiving module, configured to receive a Home Test message sent by a home agent, the Home Test message including an encrypted home keygen token;

a token decryption module, configured to decrypt the home keygen token from the received Home Test message.

In another aspect, an embodiment of the present invention provides a home agent, including:

a token encryption module, configured to encrypt a home keygen token and place the encrypted home keygen token in a Home Test message sent to a mobile node.

In another aspect, an embodiment of the present invention provides a system for protecting Mobile IP route optimization signaling, including: a home agent, configured to encrypt a home keygen token and place the encrypted home keygen token in a Home Test message sent to a mobile node;

a mobile node, configured to receive the Home Test message sent by the home agent and decrypt the home keygen token from the received Home Test message.

In the embodiments of the present invention, by protecting the confidentiality of the home keygen token, the security of route optimization signaling between the mobile node and the home agent is ensured even when the mobile node and the home agent do not support IPSec, and consequently the mobile node's route-optimized communication is protected; the technical solution is simple and easy to implement. In addition, packets can still be classified according to the packet header.

Brief description of the drawings
Figure 1 is a schematic diagram of the Return Routability Procedure provided by the prior art;

Figure 2 is a schematic diagram of the HoTI message format provided by the prior art;

Figure 3 is a schematic diagram of the HoT message format provided by the prior art;

Figure 4 is a flowchart of a method for protecting Mobile IP route optimization signaling according to Embodiment 1 of the present invention;

Figure 5 is a flowchart of another method for protecting Mobile IP route optimization signaling according to Embodiment 2 of the present invention;

Figure 6 is a flowchart of another method for protecting Mobile IP route optimization signaling according to Embodiment 3 of the present invention;

Figure 7 is a schematic structural diagram of a mobile node according to Embodiment 6 of the present invention;

Figure 8 is a schematic structural diagram of another mobile node according to Embodiment 6 of the present invention;

Figure 9 is a schematic structural diagram of a home agent according to Embodiment 7 of the present invention;

Figure 10 is a schematic structural diagram of another home agent according to Embodiment 7 of the present invention;

Figure 11 is a schematic diagram of another system for protecting Mobile IP route optimization signaling according to Embodiment 8 of the present invention.

Detailed description
RFC (Request for Comments) 3775 specifies that, in order to protect Binding Update messages sent from the MN to the CN, a Binding Management Key (Kbm) needs to be established between the MN and the CN. The binding management key protects BU messages between the MN and the CN by means of the Return Routability Procedure (RRP), shown in Figure 1. When the MN attempts to communicate with the CN in route optimization mode, it sends a HoTI (Home Test Init) message and a CoTI (Care-of Test Init) message to the CN; the HoTI message format is shown in Figure 2. If the CN supports and permits route optimization mode for communication with the MN, then after receiving the HoTI message it computes the home keygen token (Home Keygen Token) as follows:

home keygen token = First(64, HMAC-SHA1(Kcn, HoA | Nonce | 0))

where Kcn is the CN's private secret and Nonce is a random number generated by the CN.

The CN places the generated home keygen token in a HoT (Home Test) message and sends it to the MN via the HA; the HoT message format is shown in Figure 3.

When the CN receives the CoTI message, it computes the care-of keygen token as follows and sends it to the MN:

care-of keygen token = First(64, HMAC-SHA1(Kcn, CoA | Nonce | 1))

The MN receives the HoT and CoT messages sent by the CN, checks the cookies, takes out the home keygen token and the care-of keygen token, and can then compute Kbm = SHA1(home keygen token | care-of keygen token).

The design goal of route optimization security is to give the MN the same level of security when it communicates away from its home network as when it communicates on its home network. The premise is that an attacker cannot eavesdrop on the communication between the CN and the MN's home network, so the security of route optimization signaling can be protected by protecting the communication between the mobile node and the home agent.

When the MN is away from its home network, the prior art protects the route optimization signaling between the MN and the HA by carrying HoT messages between the MN and the home network in an IPSec ESP (IPSec Encapsulating Security Payload) tunnel. By encrypting and encapsulating the HoT message, this method protects the route optimization signaling between the MN and the HA, but it requires both the MN and the HA to support IPSec (IP Security). IPSec is realized by combining cryptographic protection services, a suite of security protocols and dynamic key management, and its implementation is rather complex; if some MNs (for example, WIMAX (Worldwide Interoperability for Microwave Access) terminals) cannot support IPSec, secure communication between the MN and the HA is seriously threatened. Moreover, because this method encrypts and encapsulates the whole HoT message, packets cannot be classified according to the packet header.
To make the objectives, technical solutions and advantages of the present invention clearer, the embodiments of the present invention are described in further detail below with reference to the accompanying drawings.

In the embodiments of the present invention, the home agent encrypts the home keygen token and includes the encrypted home keygen token in the Home Test message sent to the mobile node, and the mobile node decrypts the home keygen token from the received Home Test message. This protects the confidentiality of the home keygen token and ensures the security of route optimization signaling between the mobile node and the home agent.
Embodiment 1

This embodiment of the present invention provides a method for protecting Mobile IP route optimization signaling. By protecting the confidentiality of the home keygen token in the HoT message, the method ensures the security of route optimization signaling between the mobile node and the home agent even when IPSec is not supported between them, and consequently protects the mobile node's route-optimized communication. Referring to Figure 4, the method for protecting Mobile IP route optimization signaling provided by this embodiment includes:

101: The MN performs home registration and establishes a shared key K with the HA.

There may be one shared key between the MN and the HA, or several; this embodiment takes multiple shared keys as an example.

102: The MN sends a HoTI message to the HA, which contains the encrypted Home Init Cookie and a mobility SPI (Security Parameter Index).

When sending the HoTI message to the HA, the MN places a random value IV1 (64 bits) in the Home Init Cookie position, uses the shared key K or the derived key Ks to encrypt the intermediate value MV1 produced by XORing the Home Init Cookie with IV1 (another operation, such as concatenation, may also be used), and places the encrypted intermediate value MV1 in the mobility encryption option. The derived key Ks is obtained as follows:

Ks = KDF(K, HoA | HAA | Label), where Label is a string, for example "Home Test".

When the derived key Ks is computed from the shared key K, a mobility SPI can be generated and placed in the mobility encryption option.

It should be noted that the mobility SPI is used to index the shared key K or the derived key Ks. The mobility SPI is not mandatory: if there is only one shared key between the MN and the HA, the mobility SPI can be omitted; if there are multiple shared keys between the MN and the HA, an SPI needs to be generated. Since in 101 there are multiple shared keys K, a mobility SPI is needed to index the shared key K or its derived key Ks.

As another preferred option, if MV1 is generated by concatenating the Home Init Cookie with the random value IV1, part of the encrypted intermediate value MV1 is placed in the mobility encryption option and part is placed in the Home Init Cookie field.
103: The HA receives the HoTI message, uses the shared key K indicated by the SPI in the mobility encryption option to decrypt the Home Init Cookie, replaces the random value IV1 in the Home Init Cookie position with the decrypted Home Init Cookie, and sends the HoTI message to the CN.

It should be noted that if, in 102, part of the encrypted intermediate value MV1 was placed in the mobility encryption option and part in the Home Init Cookie field, the contents of the mobility encryption option and the Home Init Cookie field must be joined together before MV1 is decrypted to obtain the Home Init Cookie.

104: After receiving the HoTI message, the CN sends a HoT message to the HA, which contains the home keygen token.

After receiving the HoTI message, the CN computes the home keygen token as follows:

home keygen token = First(64, HMAC-SHA1(Kcn, HoA | Nonce | 0))

where Kcn is the CN's private secret and Nonce is a random number generated by the CN.

The CN places the generated home keygen token in a HoT (Home Test) message and sends it to the HA.

105: The HA receives the HoT message, encrypts the home keygen token using the shared key K or the derived key Ks, and places the encrypted home keygen token in the HoT message sent to the MN; this message contains the mobility SPI.

When the HA sends the HoT message to the MN, it places a random value IV2 (128 bits) in the Home Init Cookie position and the home keygen token position, uses the shared key K or the derived key Ks to encrypt the intermediate value MV2 produced by XORing the home keygen token with IV2 (another operation, such as concatenation, may also be used), and places the encrypted intermediate value MV2 in the mobility encryption option, which also contains the mobility SPI.

The mobility SPI may be the same as the mobility SPI in 102, or different.

As an alternative, the HA may directly encrypt the home keygen token with the shared key K or the derived key Ks and place the encrypted home keygen token in the home keygen token position of the HoT message sent to the MN.

106: The MN receives the HoT message and, using the shared key K or the derived key Ks indicated by the SPI in the mobility encryption option, decrypts the home keygen token.

In 105, the intermediate value MV2 was produced by encrypting, with the shared key K or the derived key Ks, the XOR of the home keygen token and IV2; here, XORing the decrypted MV2 with IV2 yields the home keygen token.

It should be noted that the encryption and decryption of the Home Init Cookie in 102 and 103 of this embodiment are optional. In practice the Home Init Cookie need not be encrypted and decrypted; it is done in this embodiment mainly to further strengthen the security of signaling between the HA and the MN.
In this embodiment of the present invention, by protecting the confidentiality of the home keygen token, the security of route optimization signaling between the mobile node and the home agent is ensured even when IPSec is not supported between them, and consequently the mobile node's route-optimized communication is protected; the technical solution is simple and easy to implement. In addition, since the packet header does not need to be encrypted, packets can still be classified.

Embodiment 2
Embodiment 1 encrypts and decrypts the home keygen token in the HoT message to secure the signaling between the HA and the MN. This embodiment encrypts and decrypts an intermediate value generated from the home keygen token, the Home Init Cookie and a random value in the HoT message. Referring to Figure 5, the method for protecting Mobile IP route optimization signaling provided by this embodiment includes:

201: The MN completes home registration and establishes a shared key K with the HA.

The details are the same as 101 in Embodiment 1 and are not repeated here.

202: The MN sends a HoTI message to the HA, which contains the encrypted Home Init Cookie and the mobility SPI. The details are the same as 102 in Embodiment 1 and are not repeated here.

203: The HA receives the HoTI message, uses the shared key K indicated by the SPI in the mobility encryption option to decrypt the Home Init Cookie, replaces the random value IV1 in the Home Init Cookie position with the decrypted Home Init Cookie, and sends the HoTI message to the CN.

The details are the same as 103 in Embodiment 1 and are not repeated here.

204: After receiving the HoTI message, the CN sends a HoT message to the HA, which contains the home keygen token. The details are the same as 104 in Embodiment 1 and are not repeated here.

205: The HA receives the HoT message, encrypts the home keygen token and the Home Init Cookie using the shared key K or the derived key Ks, and places the encrypted home keygen token and Home Init Cookie in the HoT message sent to the MN; this message also contains the mobility SPI.

When the HA sends the HoT message to the MN, it places a random value IV2 (128 bits) in the Home Init Cookie position and the home keygen token position, concatenates the Home Init Cookie and the home keygen token (another operation may also be used) to produce a temporary value, uses the shared key K or the derived key Ks to encrypt the intermediate value MV2 produced by XORing that temporary value with IV2 (another operation, such as concatenation, may also be used), and places the encrypted intermediate value MV2 in the mobility encryption option, which also contains the mobility SPI. The intermediate value MV2 is computed as follows:

MV2 = (Home Init Cookie | home keygen token) ⊕ IV2, where ⊕ denotes the XOR operation.

home keygen token = First(64, HMAC-SHA1(Kcn, HoA | Nonce | 0))

where Kcn is the CN's private secret and Nonce is a random number generated by the CN.

The mobility SPI may be the same as the mobility SPI in 202, or different.

As an alternative, the HA may directly encrypt the home keygen token and the Home Init Cookie together with the shared key K or the derived key Ks and place the encrypted home keygen token and Home Init Cookie in the home keygen token and Home Init Cookie positions of the HoT message sent to the MN.

206: The MN receives the HoT message and, using the shared key K indicated by the SPI in the mobility encryption option, decrypts the Home Init Cookie and the home keygen token.

Specifically, the intermediate value MV2 is decrypted first; XORing the decrypted MV2 with IV2 then yields the Home Init Cookie and the home keygen token.
It should be noted that the encryption and decryption of the Home Init Cookie in 202 and 203 of this embodiment are optional. In practice the Home Init Cookie need not be encrypted and decrypted; it is done in this embodiment mainly to further strengthen the security of signaling between the HA and the MN.
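As an added example (not code from the patent or from Huawei), the following Python models the Return Routability tokens from the prior-art section above and the HA/MN handling of the protected HoT message from Embodiment 2, which also covers the token-only case of Embodiment 1. The page does not fix the KDF or the cipher used to encrypt MV2, so HMAC-SHA1 is assumed for both; all addresses, keys, the cookie and the nonce are constructed sample values.

```python
import hashlib
import hmac
import ipaddress
import secrets

# ---- Prior-art Return Routability tokens (RFC 3775, as summarised on this page) ----

def first(bits: int, data: bytes) -> bytes:
    """First(bits, data): the leading `bits` bits of `data` (bits is a multiple of 8)."""
    return data[: bits // 8]

def home_keygen_token(kcn: bytes, hoa: bytes, nonce: bytes) -> bytes:
    """home keygen token = First(64, HMAC-SHA1(Kcn, HoA | Nonce | 0))"""
    return first(64, hmac.new(kcn, hoa + nonce + b"\x00", hashlib.sha1).digest())

def careof_keygen_token(kcn: bytes, coa: bytes, nonce: bytes) -> bytes:
    """care-of keygen token = First(64, HMAC-SHA1(Kcn, CoA | Nonce | 1))"""
    return first(64, hmac.new(kcn, coa + nonce + b"\x01", hashlib.sha1).digest())

def binding_management_key(home_token: bytes, careof_token: bytes) -> bytes:
    """Kbm = SHA1(home keygen token | care-of keygen token)"""
    return hashlib.sha1(home_token + careof_token).digest()

# ---- Protection of the HoT message on the HA -> MN leg (Embodiment 2, steps 205/206) ----

def derive_ks(k: bytes, hoa: bytes, haa: bytes, label: bytes = b"Home Test") -> bytes:
    """Ks = KDF(K, HoA | HAA | Label). The page does not fix the KDF; HMAC-SHA1 is assumed."""
    return hmac.new(k, hoa + haa + label, hashlib.sha1).digest()

def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length strings (the page's '⊕')."""
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))

def keystream(ks: bytes, iv2: bytes, length: int) -> bytes:
    """Assumed cipher for 'encrypt MV2 with Ks': an HMAC-SHA1 counter-mode keystream bound
    to the per-message IV2, so the keystream never repeats across HoT messages.
    The page leaves the cipher open; any keyed cipher could replace this."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(ks, iv2 + counter.to_bytes(4, "big"), hashlib.sha1).digest()
        counter += 1
    return out[:length]

def ha_protect_hot(ks: bytes, spi: bytes, home_init_cookie: bytes, home_token: bytes) -> dict:
    """Step 205: the HoT fields the HA forwards to the MN. The cookie and token positions
    (64 bits each) carry the random 128-bit IV2; the mobility encryption option carries
    the SPI and E(Ks, MV2) with MV2 = (cookie | token) XOR IV2."""
    assert len(home_init_cookie) == 8 and len(home_token) == 8
    iv2 = secrets.token_bytes(16)
    mv2 = xor_bytes(home_init_cookie + home_token, iv2)
    enc_mv2 = xor_bytes(mv2, keystream(ks, iv2, 16))
    return {"cookie_pos": iv2[:8], "token_pos": iv2[8:],
            "mobility_enc_option": {"spi": spi, "data": enc_mv2}}

def mn_recover(keys_by_spi: dict, hot: dict) -> tuple:
    """Step 206: the MN looks up Ks via the SPI, decrypts MV2, XORs it with IV2 and
    splits the result back into (Home Init Cookie, home keygen token)."""
    opt = hot["mobility_enc_option"]
    ks = keys_by_spi[opt["spi"]]
    iv2 = hot["cookie_pos"] + hot["token_pos"]
    mv2 = xor_bytes(opt["data"], keystream(ks, iv2, 16))
    plain = xor_bytes(mv2, iv2)
    return plain[:8], plain[8:]

# ---- Constructed end-to-end run with made-up addresses and secrets ----

def run_example() -> dict:
    kcn = b"constructed-CN-private-secret"                 # Kcn, known only to the CN
    hoa = ipaddress.IPv6Address("2001:db8:1::1").packed    # MN home address (sample)
    coa = ipaddress.IPv6Address("2001:db8:2::1").packed    # MN care-of address (sample)
    haa = ipaddress.IPv6Address("2001:db8:1::ff").packed   # home agent address (sample)
    nonce = b"\x00" * 8                                    # CN nonce, fixed for repeatability
    cookie = b"\x11" * 8                                   # Home Init Cookie chosen by the MN
    # CN side: tokens exactly as in the prior-art section
    ht = home_keygen_token(kcn, hoa, nonce)
    ct = careof_keygen_token(kcn, coa, nonce)
    # MN and HA share K from home registration (201); both derive Ks and index it by SPI
    k = b"constructed-shared-key-K"
    spi = (0x1234).to_bytes(4, "big")
    ks = derive_ks(k, hoa, haa)
    # HA forwards the HoT with cookie and token hidden; the MN recovers them
    hot = ha_protect_hot(ks, spi, cookie, ht)
    got_cookie, got_token = mn_recover({spi: ks}, hot)
    on_wire = hot["mobility_enc_option"]["data"] + hot["cookie_pos"] + hot["token_pos"]
    return {"home_token": ht, "careof_token": ct,
            "kbm": binding_management_key(got_token, ct),
            "cookie_ok": got_cookie == cookie, "token_ok": got_token == ht,
            "token_visible_on_wire": ht in on_wire}
```

With the unprotected prior-art HoT, `ht` would appear verbatim in the token position; here only IV2 and the ciphertext are visible on the HA-to-MN leg, while the MN still ends up with the same Kbm it would have computed before.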
In this embodiment of the present invention, by protecting the confidentiality of the home keygen token, the security of route optimization signaling between the mobile node and the home agent is ensured even when IPSec is not supported between them, and consequently the mobile node's route-optimized communication is protected; the technical solution is simple and easy to implement. In addition, since the packet header does not need to be encrypted, packets can still be classified.
Embodiment 3

This embodiment of the present invention provides a system for protecting Mobile IP route optimization signaling; as shown in Figure 6, the system includes a token encryption module and a token decryption module, where:

the token encryption module is configured to encrypt the home keygen token and send the encrypted home keygen token to the token decryption module;

the token decryption module is configured to decrypt the encrypted home keygen token to obtain the home keygen token.

Further, the system also includes a cookie encryption module and a cookie decryption module:

the cookie encryption module is configured to encrypt the Home Init Cookie according to the shared key or a key derived from the shared key, and send the encrypted Home Init Cookie to the cookie decryption module;

the cookie decryption module is configured to decrypt the encrypted Home Init Cookie according to the shared key or a key derived from the shared key, to obtain the Home Init Cookie.

In this embodiment of the present invention, by protecting the confidentiality of the home keygen token, the security of route optimization signaling between the mobile node and the home agent is ensured even when IPSec is not supported between them, and consequently the mobile node's route-optimized communication is protected; the technical solution is simple and easy to implement. In addition, since the packet header does not need to be encrypted, packets can still be classified.
Embodiment 4

Embodiment 4 of the present invention provides a home agent, which includes:

a token encryption module, configured to encrypt the home keygen token and place the encrypted home keygen token in the Home Test message sent to the mobile node.

Further, the home agent also includes:

a Home Test Init message receiving module, configured to receive a Home Test Init message sent by the mobile node, the Home Test Init message containing an encrypted Home Init Cookie;

a cookie decryption module, configured to decrypt the Home Init Cookie from the received Home Test Init message.

In this embodiment of the present invention, by protecting the confidentiality of the home keygen token, the security of route optimization signaling between the mobile node and the home agent is ensured even when IPSec is not supported between them, and consequently the mobile node's route-optimized communication is protected; the technical solution is simple and easy to implement. In addition, since the packet header does not need to be encrypted, packets can still be classified.
Embodiment 5

Embodiment 5 of the present invention provides a mobile node, which includes:

a Home Test message receiving module, configured to receive a Home Test message sent by the home agent, the Home Test message containing an encrypted home keygen token;

a token decryption module, configured to decrypt the home keygen token from the received Home Test message.

Further, the mobile node also includes:

a cookie encryption module, configured to encrypt the Home Init Cookie and place the encrypted Home Init Cookie in the Home Test Init message sent to the home agent.

In this embodiment of the present invention, by protecting the confidentiality of the home keygen token, the security of route optimization signaling between the mobile node and the home agent is ensured even when IPSec is not supported between them, and consequently the mobile node's route-optimized communication is protected; the technical solution is simple and easy to implement. In addition, since the packet header does not need to be encrypted, packets can still be classified.
Embodiment 6

This embodiment of the present invention provides a mobile node, as shown in Figure 7, including:

a Home Test message receiving module 601, configured to receive a Home Test message sent by the home agent, the Home Test message containing an encrypted home keygen token;

a token decryption module 602, configured to decrypt the home keygen token from the received Home Test message.

Further, as shown in Figure 8, the mobile node also includes:

a cookie encryption module 603, configured to encrypt the Home Init Cookie and place the encrypted Home Init Cookie in the Home Test Init message sent to the home agent.

In this embodiment of the present invention, by protecting the confidentiality of the home keygen token, the security of route optimization signaling between the mobile node and the home agent is ensured even when IPSec is not supported between them, and consequently the mobile node's route-optimized communication is protected; the technical solution is simple and easy to implement. In addition, since the packet header does not need to be encrypted, packets can still be classified.

Embodiment 7
This embodiment of the present invention provides a home agent, as shown in Figure 9, including:

a token encryption module 701, configured to encrypt the home keygen token and place the encrypted home keygen token in the Home Test message sent to the mobile node.

Further, as shown in Figure 10, the home agent also includes:

a Home Test Init message receiving module 702, configured to receive a Home Test Init message sent by the mobile node, the Home Test Init message containing an encrypted Home Init Cookie;

a cookie decryption module 703, configured to decrypt the Home Init Cookie from the received Home Test Init message.

In this embodiment of the present invention, by protecting the confidentiality of the home keygen token, the security of route optimization signaling between the mobile node and the home agent is ensured even when IPSec is not supported between them, and consequently the mobile node's route-optimized communication is protected; the technical solution is simple and easy to implement. In addition, since the packet header does not need to be encrypted, packets can still be classified.
Embodiment 8

This embodiment of the present invention provides a system for protecting Mobile IP route optimization signaling, as shown in Figure 11, including:

a home agent 801, configured to encrypt the home keygen token and place the encrypted home keygen token in the Home Test message sent to the mobile node 802;

a mobile node 802, configured to receive the Home Test message sent by the home agent 801 and decrypt the home keygen token from the received Home Test message.

Further, the mobile node 802 is also configured to encrypt the Home Init Cookie and place the encrypted Home Init Cookie in the Home Test Init message sent to the home agent 801;

correspondingly, the home agent 801 is also configured to receive the Home Test Init message sent by the mobile node 802 and decrypt the Home Init Cookie from the received Home Test Init message.

In this embodiment of the present invention, by protecting the confidentiality of the home keygen token, the security of route optimization signaling between the mobile node and the home agent is ensured even when IPSec is not supported between them, and consequently the mobile node's route-optimized communication is protected; the technical solution is simple and easy to implement. In addition, since the packet header does not need to be encrypted, packets can still be classified.

The technical solutions provided by the above embodiments can be implemented in hardware and software, the software being stored on a readable storage medium such as a computer's floppy disk, hard disk or optical disc.

The above are merely preferred embodiments of the present invention and are not intended to limit it; any modification, equivalent substitution, improvement and the like made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.

Claims

1. A method for protecting mobile IP route optimization signaling, characterized in that the method comprises:
a mobile node receiving a home test message sent by a home agent, the home test message including an encrypted home secret generation token;
decrypting the home secret generation token from the home test message.
2. The method for protecting mobile IP route optimization signaling according to claim 1, characterized in that the encrypted home secret generation token is: the home secret generation token directly encrypted with a shared key between the home agent and the mobile node or with a key derived from the shared key;
correspondingly, decrypting the home secret generation token from the home test message comprises:
decrypting the home secret generation token from the home test message using the shared key or the key derived from the shared key.
3. The method for protecting mobile IP route optimization signaling according to claim 1, characterized in that the encrypted home secret generation token is: an intermediate value, generated from the home secret generation token and a random value, encrypted with a shared key between the home agent and the mobile node or with a key derived from the shared key;
correspondingly, decrypting the home secret generation token from the home test message comprises:
decrypting the intermediate value from the home test message using the shared key or the key derived from the shared key, and decrypting the home secret generation token from the intermediate value.
4. The method for protecting mobile IP route optimization signaling according to claim 1, characterized in that the encrypted home secret generation token is: the home secret generation token and a home initial cookie encrypted with a shared key between the home agent and the mobile node or with a key derived from the shared key;
correspondingly, decrypting the home secret generation token from the home test message comprises:
decrypting the home secret generation token and the home initial cookie from the home test message using the shared key or the key derived from the shared key.
5. The method for protecting mobile IP route optimization signaling according to claim 1, characterized in that the encrypted home secret generation token is: an intermediate value, generated from the home secret generation token, a home initial cookie and a random value, encrypted with a shared key between the home agent and the mobile node or with a key derived from the shared key; correspondingly, decrypting the home secret generation token from the home test message comprises: decrypting the intermediate value using the shared key or the key derived from the shared key, and decrypting the home secret generation token and the home initial cookie from the intermediate value.
6. The method for protecting mobile IP route optimization signaling according to any one of claims 1 to 5, characterized in that the home test message further includes a mobile security index coefficient, the security index coefficient being used to index the shared key or the key derived from the shared key.
7. The method for protecting mobile IP route optimization signaling according to any one of claims 1 to 5, characterized in that the method further comprises:
the mobile node sending a home test initiation message to the home agent, the message containing a home initial cookie encrypted with the shared key or the key derived from the shared key;
the home agent receiving the home test initiation message and decrypting the home initial cookie using the shared key or the key derived from the shared key.
8. A mobile node, characterized in that it comprises:
a home test message receiving module (601), configured to receive a home test message sent by a home agent, the home test message containing an encrypted home secret generation token;
a token decryption module (602), configured to decrypt the home secret generation token from the received home test message.
9. The mobile node according to claim 8, characterized in that it further comprises:
a cookie encryption module (603), configured to encrypt a home initial cookie and to place the encrypted home initial cookie in a home test initiation message sent to the home agent.
10. A home agent, characterized in that it comprises:
a token encryption module (701), configured to encrypt a home secret generation token and to place the encrypted home secret generation token in a home test message sent to a mobile node.
11. The home agent according to claim 10, characterized in that it further comprises:
a home test initiation message receiving module (702), configured to receive a home test initiation message sent by the mobile node, the home test initiation message containing an encrypted home initial cookie;
a cookie decryption module (703), configured to decrypt the home initial cookie from the received home test initiation message.
12. A system for protecting mobile IP route optimization signaling, characterized in that it comprises:
a home agent (801), configured to encrypt a home secret generation token and to place the encrypted home secret generation token in a home test message sent to a mobile node (802);
a mobile node (802), configured to receive the home test message sent by the home agent (801) and to decrypt the home secret generation token from the received home test message.
13. The system for protecting mobile IP route optimization signaling according to claim 12, characterized in that the mobile node (802) is further configured to encrypt a home initial cookie and to place the encrypted home initial cookie in a home test initiation message sent to the home agent (801);
correspondingly, the home agent (801) is further configured to receive the home test initiation message sent by the mobile node (802) and to decrypt the home initial cookie from the received home test initiation message.
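Both sides of the exchange the claims describe, as an added example that is not part of the patent: the mobile node sends a HoTI whose home initial cookie is encrypted (claim 7), the home agent answers with the home secret generation token and the cookie encrypted together (claim 4) under a key derived from the MN-HA shared key and selected by an index carried in the message (claim 6), and the mobile node rejects a HoT whose integrity tag or cookie does not match. The patent names no cipher, key derivation or token formula; the HMAC-SHA256 counter-mode cipher, the HMAC-based key derivation, the return-routability-style token and every field name and value below are assumptions.

```python
import hashlib, hmac, os

# Constructed values: the MN-HA pre-shared key and the index -> derived-key table (claim 6).
SHARED_KEY = b"constructed MN-HA shared key"
KEY_TABLE = {7: hmac.new(SHARED_KEY, b"RO-signaling", hashlib.sha256).digest()}

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF keystream (assumed cipher; the patent names none)."""
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range((length + 31) // 32))[:length]

def seal(key: bytes, data: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || 16-byte HMAC tag."""
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    """Check the tag before decrypting so a forged or modified message is rejected."""
    nonce, ct, tag = blob[:12], blob[12:-16], blob[-16:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]):
        raise ValueError("HoT/HoTI integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def mn_build_hoti(index: int, cookie: bytes) -> dict:
    """Claim 7: the MN sends HoTI with the home initial cookie encrypted under the indexed key."""
    return {"spi": index, "enc_cookie": seal(KEY_TABLE[index], cookie)}

def ha_build_hot(hoti: dict, kcn: bytes, home_addr: bytes, nonce: bytes) -> dict:
    """Claim 4: the HA recovers the cookie and returns token || cookie encrypted together."""
    key = KEY_TABLE[hoti["spi"]]
    cookie = unseal(key, hoti["enc_cookie"])
    # Home secret generation token formed as in the Mobile IPv6 return routability procedure (assumed).
    token = hmac.new(kcn, home_addr + nonce + b"\x00", hashlib.sha1).digest()[:8]
    return {"spi": hoti["spi"], "enc": seal(key, token + cookie)}

def mn_process_hot(hot: dict, sent_cookie: bytes) -> bytes:
    """The MN selects the key by index, decrypts, and checks the cookie matches its own HoTI."""
    plain = unseal(KEY_TABLE[hot["spi"]], hot["enc"])
    token, cookie = plain[:8], plain[8:]
    if not hmac.compare_digest(cookie, sent_cookie):
        raise ValueError("home initial cookie mismatch")
    return token

def run_exchange(kcn: bytes, home_addr: bytes, nonce: bytes) -> bytes:
    """Full HoTI -> HoT round trip; returns the token the MN recovered."""
    cookie = os.urandom(8)
    hot = ha_build_hot(mn_build_hoti(7, cookie), kcn, home_addr, nonce)
    return mn_process_hot(hot, cookie)
```

Because only the message bodies are sealed, the index and addressing fields stay in clear, which is what lets intermediate devices classify the signaling without holding the key.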
PCT/CN2009/070258 2008-01-23 2009-01-21 Method for protecting mobile ip route optimization signaling, the system, node, and home agent thereof WO2009094939A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CNA2008100566413A CN101494640A (en) 2008-01-23 2008-01-23 Method for protecting movable IP routing optimizing signaling, system, node and hometown proxy
CN200810056641.3 2008-01-23

Publications (1)

Publication Number Publication Date
WO2009094939A1 true WO2009094939A1 (en) 2009-08-06

Family

ID=40912285


Country Status (2)

Country Link
CN (1) CN101494640A (en)
WO (1) WO2009094939A1 (en)


Also Published As

Publication number Publication date
CN101494640A (en) 2009-07-29


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 09705124; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 09705124; Country of ref document: EP; Kind code of ref document: A1)