WO2011022963A1 - Method for protecting the security of data transmission, authentication server and terminal - Google Patents

Method for protecting the security of data transmission, authentication server and terminal Download PDF

Info

Publication number
WO2011022963A1
Authority
WO
WIPO (PCT)
Prior art keywords
function module
key information
terminal
authentication
authentication server
Prior art date
Application number
PCT/CN2010/071206
Other languages
French (fr)
Chinese (zh)
Inventor
王鸿彦
韦银星
Original Assignee
中兴通讯股份有限公司

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities

Definitions

  • the present invention relates to the field of communications, and in particular to a data transmission security protection method, an authentication server, and a terminal.
  • NGN Next Generation Network
  • ITU-T International Telecommunications Union-Telecommunications Standardization Sector
  • other regional standards organizations have conducted extensive research and standardization work on NGN framework models, services, and related fields.
  • NGN can support heterogeneous network access, inter-network roaming, and seamless handover.
  • the continuity of the service needs to be ensured, and at the same time, the privacy and integrity of the signaling data and the user data between the mobile user terminal and the NGN network access point are guaranteed.
  • there is no security protection between the user terminal and the access network node, which may give rise to many security problems. For example, unencrypted data between an unauthorized user terminal and the access network node may be eavesdropped, and the user's network behavior may also be monitored, which has a great impact on the user's privacy.
  • the present invention has been made in view of the security problem in the prior art that there is no security protection between the user terminal and the access network node in the current NGN network. Therefore, the main purpose of the present invention is to provide a data transmission security protection solution, so as to solve at least one of the above problems.
  • a data transmission security protection method is provided.
  • the data transmission security protection method is applied to a next generation network, including: the authentication server receives an authentication request from the terminal and performs authentication with the terminal; the authentication server generates key information and, after the authentication succeeds, sends the key information to the access network function module, so that the access network function module establishes a connection with the terminal through the key information and/or performs data transmission.
  • the sending, by the authentication server, the key information to the access network function module includes: the authentication server sends the key information to the access network function module via the access management function module.
  • the sending, by the authentication server, the key information to the access network function module includes: sending, by the authentication server, the key information to the access network function module via the access forwarding function module.
  • the generating of the key information by the authentication server includes: the authentication server cooperates with other types of servers to generate the key information, wherein the other types of servers include the transport user information server. Further, after the authentication server generates the key information, the method further includes: the authentication server and the terminal save the key information.
  • an authentication server is also provided.
  • the authentication server is applied to a next generation network, and includes: a first receiving module, configured to receive an authentication request from the terminal; an authentication module, configured to perform authentication with the terminal; a key module, configured to generate key information; and a first sending module, configured to send the key information to the access network function module after the authentication succeeds, so that the access network function module establishes a connection with the terminal through the key information and/or performs data transmission.
  • the first sending module is specifically configured to send the key information to the access network function module via the access management function module, where the access management function module is configured to perform at least one of the following functions: terminating the layer 2 transport link, obtaining access network information, forwarding authentication requests, and obtaining network configuration information.
  • the first sending module is specifically configured to send the key information to the access network function module via the access forwarding function module, where the access forwarding function module is configured to perform at least one of the following functions: accessing and/or forwarding the network configuration information of the terminal, accessing and/or forwarding the authentication request of the terminal, and adding local configuration information.
  • the key module is specifically configured to cooperate with other types of servers to generate key information, where the other types of servers include a transport user information server and are used to perform at least one of the following functions: maintaining user information, generating user authentication vectors, and generating key information.
  • a terminal is also provided.
  • the terminal according to the present invention is applied to a next generation network, and includes: a second sending module, configured to send an authentication request to the authentication server; a second receiving module, configured to receive key information from the authentication server; and a saving module, configured to save the key information, so as to establish a connection and/or perform data transmission with the access network function module through the key information.
  • with the present invention, the terminal and the authentication server perform authentication and generate key information, and the access network function module communicates securely with the terminal using that key information, which solves the problem in the related art that there is no security protection between the user terminal and the access network node in the current NGN network.
  • FIG. 1 is a flowchart of a data transmission security protection method according to an embodiment of the present invention
  • FIG. 2 is a schematic diagram of obtaining a key material by an access forwarding function module in a next generation network according to an embodiment of the present invention
  • FIG. 3 is a flowchart of an access network function module obtaining key material from an access forwarding function module in the same domain according to an embodiment of the present invention
  • a data transmission security protection method is provided, which is applied to a next generation network, and the method can be applied to a transmission layer.
  • FIG. 1 is a flowchart of a data transmission security protection method according to an embodiment of the present invention.
  • the method includes the following steps S2 to S4: Step S2: The authentication server receives an authentication request from the terminal, and performs authentication with the terminal. Step S4: The authentication server generates key information, and after the authentication succeeds, sends the key information to the access network function module, so that the access network function module establishes a connection with the terminal through the key information and/or performs data transmission.
  • the access network function module can establish a connection with the terminal through the key information and/or perform data transmission, thereby improving the security of data transmission.
  • the authentication server may send the key information to the access network function module via the access management function module, where the access management function module should have, but is not limited to, the following functions: terminating the layer 2 transport link, obtaining access network information (for example, link layer parameters, identifiers, terminal location, etc.), forwarding authentication requests, and obtaining network configuration information; alternatively, the key information may be sent to the access network function module via the access forwarding function module.
  • the access forwarding function module should have, but is not limited to, the following functions: accessing and forwarding terminal authentication requests, and accessing and forwarding the network configuration information of the terminal, to which local configuration information may be added.
  • the authentication server may separately generate key information, or may cooperate with other types of servers to generate key information, wherein other types of servers may include a transmission user information server.
  • the authentication server may save the key information and send the key information to the terminal for the terminal to save.
  • the data transmission security protection scheme of this embodiment will be described in detail below.
  • Step S22 The terminal performs authentication with the authentication server.
  • Step S24 After the authentication succeeds, the terminal and the authentication server possess shared key material (i.e., key information). The shared key material is generated during the authentication process.
  • Step S26 The authentication server sends the shared key material to the access network function module, where the access network function module should have, but is not limited to, at least one of the following functions: acting as a border node on the network side, responsible for data transmission with the terminal.
  • Step S28 The access network function module uses the shared key material to perform secure communication with the terminal.
  • the authentication server may derive the subkey material using the shared key material.
  • the terminal derives the subkey material from the shared key material it possesses.
  • the authentication server sends the derived subkey material to the access network function module, and the access network function module uses the subkey material from the authentication server to perform secure communication with the terminal.
  • the authentication server performs user authentication, may generate key material, or may cooperate with other servers (for example, a transmission user information server) to jointly generate key materials, wherein other servers (for example, transmitting user information servers)
  • the implementation process of the embodiment of the present invention will be described in detail below with reference to examples.
  • FIG. 2 is a schematic diagram of an access forwarding function module obtaining key material in a next generation network according to an embodiment of the present invention.
  • the terminal 150 and the authentication server 130 perform authentication. After the authentication succeeds, both the terminal 150 and the authentication server 130 obtain the shared key material.
  • the authentication server 130 can send the shared key material to the access network function module in two ways. In the first mode, the authentication server 130 sends the shared key material to the access management function module 100, and the access management function module 100 delivers the shared key material to the access network function module 120. In the second mode, the authentication server 130 sends the shared key material to the access forwarding function module 110, and the access forwarding function module 110 delivers the shared key material to the access network function module 120.
  • Step S302 The terminal and the authentication server perform authentication, and the shared key material of the terminal and the authentication server is generated in the authentication process.
  • Step S304 The authentication server sends the key material to the access forwarding function module. It should be noted that step S304 may be performed during the authentication process or after the authentication process, but it must be performed only if the authentication succeeds.
  • Step S306 the access network function module obtains the key material from the access forwarding function module.
  • Step S308 The terminal and the access forwarding function module both possess the shared key material, and the shared key can be used to establish a security association to protect the communication between the terminal and the access forwarding function module.
  • FIG. 4 is a flowchart of an access network function module obtaining key material from an access management function module in the same domain according to an embodiment of the present invention.
  • the process includes the following steps S402 to S408: Step S402, the terminal and the authentication server perform authentication, and the shared key material of the terminal and the authentication server is generated during the authentication process.
  • Step S404 The authentication server sends the key material to the access management function module. It should be noted that the step S404 may be performed in the authentication process or may be performed after the authentication process. However, this step must be performed only if the authentication is successful.
  • Step S406 the access network function module obtains the shared key material from the access management function module.
  • Step S408 The terminal and the access forwarding function module both possess the shared key material, and the shared key can be used to establish a security association to protect the communication between the terminal and the access forwarding function module.
  • FIG. 5 is a flowchart of an access network function module obtaining key material in a different domain according to an embodiment of the present invention. The process includes the following steps: Step S502: The terminal and the destination domain authentication server perform authentication, and the shared key material of the terminal and the destination domain authentication server is generated during the authentication process.
  • the authentication process may involve the original access forwarding function module, the original access management function module, the original authentication server, the destination domain access forwarding function module, and the destination domain access management function module.
  • Step S504 the destination domain access network function module has two ways to obtain the shared key material.
  • in the first way, step S504a, the destination domain authentication server sends the shared key material to the destination domain access forwarding function module, and the destination domain access forwarding function module sends the shared key material to the destination domain access network module; in the second way, step S504b, the destination domain authentication server sends the shared key material to the destination domain access management function module, and the destination domain access management function module sends the shared key material to the destination domain access network module.
  • Step S604 may be performed during the authentication process or after the authentication process, but it must be performed only if the authentication succeeds.
  • Step S506 The terminal and the destination domain access forwarding function module both share a key material, and the shared key can be used to establish a security association, and the communication security between the terminal and the destination domain access forwarding function module is protected.
  • FIG. 6 is a schematic diagram of an access network function module obtaining a key in an ITU-T NGN according to an embodiment of the present invention.
  • UE denotes the terminal (User Equipment); AM-FE (Access Management Functional Entity) denotes the access management function module; TAA-FE (Transport Authentication and Authorization Functional Entity) denotes the transport authentication and authorization function module; AR-FE (Access Relay Functional Entity) denotes the access forwarding function module; and TUP (Transport User Profile functional entity) denotes the transport user information functional entity.
  • user information may be stored in the TUP, which may also generate an authentication vector and send it to the TAA, with which the user authentication process is then carried out.
  • the process includes the following steps: Step S602: The access network function module obtains key material from the access management function module. Step S604, the access network function module obtains the key material from the access forwarding function module.
  • the device embodiment provides an authentication server for use in a next generation network according to an embodiment of the present invention.
  • FIG. 7 is a structural block diagram of an authentication server according to an embodiment of the present invention.
  • the authentication server includes: a first receiving module 72, an authentication module 74, a key module 76, and a first sending module 78, which are described in detail below.
  • the first receiving module 72 is configured to receive an authentication request from the terminal; the authentication module 74 is connected to the first receiving module 72 for performing authentication with the terminal; and the key module 76 is connected to the authentication module 74 for generating key information.
  • the first sending module 78 is connected to the key module 76, and is configured to send the key information to the access network function module after the authentication succeeds, so that the access network function module establishes a connection with the terminal through the key information and/or performs data transmission.
  • the first sending module 78 may be specifically configured to send the key information to the access network function module via the access management function module, where the access management function module is configured to perform at least one of the following functions: terminating the layer 2 transport link, obtaining access network information, forwarding authentication requests, and obtaining network configuration information.
  • the first sending module 78 is specifically configured to send the key information to the access network function module via the access forwarding function module, where the access forwarding function module is configured to perform at least one of the following functions: accessing and/or forwarding the network configuration information of the terminal, accessing and/or forwarding the authentication request of the terminal, and adding local configuration information.
  • the key module 76 is specifically configured to cooperate with other types of servers to generate key information, wherein the other types of servers include a transport user information server and are used to perform at least one of the following functions: maintaining user information, generating user authentication vectors, and generating key information.
  • a terminal is further provided for use in a next generation network, and FIG. 8 is a structural block diagram of a terminal according to an embodiment of the present invention. As shown in FIG. 8, the terminal includes: a second sending module 82, a second receiving module 84, and a saving module 86, which are described in detail below.
  • the second sending module 82 is configured to send an authentication request to the authentication server.
  • the second receiving module 84 is connected to the second sending module 82 for receiving key information from the authentication server.
  • the saving module 86 is connected to the second receiving module 84 and is configured to save the key information, so as to establish a connection and/or perform data transmission with the access network function module through the key information.
  • the invention is not limited to any specific combination of hardware and software.
  • the above are only preferred embodiments of the present invention and are not intended to limit it; those skilled in the art may make various modifications and changes to the present invention. Any modification, equivalent substitution, improvement, etc. made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A method for protecting the security of data transmission, authentication server and terminal are disclosed in the present invention. The method includes: the authentication server receives an authentication request from the terminal and performs authentication with the terminal; the authentication server generates key information, and after the authentication is successful, it sends the key information to an access network function module so that the access network function module can establish a connection with and/or transmit data to the terminal by using the key information. With the invention, the problem is solved that there is no security protection between the terminal and the access network node in the existing NGN (next generation network) network in related technologies, and thus the security is improved when the terminal accesses the network node.

Description

数据传输安全保护方法、 认证服务器及终端 技术领域 本发明涉及通信领域, 具体而言, 涉及一种数据传输安全保护方法、 认 证服务器及终端。 背景技术 下一代网络 ( Next Generation Network, 简称为 NGN )作为演进的基于 分组交换的网络框架受到越来越多的关注。 国际电信联盟 -电信标准部 ( International Telecommunications Union-Telecommunications standardization sector , 简称为 ITU-T ) 和其他地区标准组织对 NGN框架模型、 业务以及相 关领域进行了广泛的研究和标准化工作。  The present invention relates to the field of communications, and in particular to a data transmission security protection method, an authentication server, and a terminal. BACKGROUND OF THE INVENTION Next Generation Network (NGN) is receiving more and more attention as an evolved packet switching based network framework. The International Telecommunications Union-Telecommunications Standardization Sector (ITU-T) and other regional standards organizations have conducted extensive research and standardization work on NGN framework models, services, and related fields.
NGN 能够支持异构网络接入、 网间漫游和无缝切换。 在用户终端进行 数据通信和切换时, 需要保证业务的连续性, 同时, 要保证移动用户终端与 NGN网络接入点之间的信令数据和用户数据的私密性、 完整性。 在当前的 NGN网络中, 用户终端在与接入网络节点之间时没有安全保 护, 这可能会存在许多安全问题, 例如, 没有授权的用户终端与接入网络节 点的没有加密的数据可能被窃听, 用户的网络行为也可能被监测到, 从而对 用户的隐私有很大的影响。 发明内容 针对相关技术中在当前 NGN网络中用户终端在与接入网络节点之间没 有安全保护而存在安全问题而提出本发明, 为此, 本发明的主要目的在于提 供一种数据传输安全保护方案, 以解决上述问题至少之一。 为了实现上述目的, 根据本发明的一个方面, 提供了一种数据传输安全 保护方法。 根据本发明的数据传输安全保护方法, 应用于下一代网络, 包括: 认证 月艮务器接收来自终端的认证请求, 并与终端进行认证; 认证艮务器生成密钥 信息, 并在认证成功之后, 将密钥信息发送给接入网络功能模块, 以便于接 入网络功能模块通过密钥信息与终端建立连接和 /或进行数据传输。 进一步地, 认证服务器将密钥信息发送给接入网络功能模块包括: 认证 服务器经由接入管理功能模块将密钥信息发送给接入网络功能模块。 进一步地, 认证服务器将密钥信息发送给接入网络功能模块包括: 认证 服务器经由接入转发功能模块将密钥信息发送给接入网络功能模块。 进一步地, 认证服务器生成密钥信息包括: 认证服务器与其他类型的服 务器协作生成密钥信息, 其中, 其他类型的服务器包括传输用户信息服务器。 进一步地, 在认证艮务器生成密钥信息之后, 上述方法还包括: 认证月艮 务器和终端保存密钥信息。 为了实现上述目的 ,才艮据本发明的另一方面,还提供了一种认证月艮务器。 根据本发明的认证服务器,应用于下一代网络中, 包括: 第一接收模块, 用于接收来自终端的认证请求; 认证模块, 用于与终端进行认证; 密钥模块, 用于生成密钥信息; 第一发送模块, 用于在认证成功之后, 将密钥信息发送 给接入网络功能模块, 以便于接入网络功能模块通过密钥信息与终端建立连 接和 /或进行数据传输。 进一步地,第一发送模块具体用于经由接入管理功能模块将密钥信息发 送给接入网络功能模块, 其中, 接入管理功能模块用于执行以下功能至少之 —: 终结二层传输链接、 获取接入网络信息、 转发认证请求、 获取网络配置 信息。 进一步地,第一发送模块具体用于经由接入转发功能模块将密钥信息发 送给接入网络功能模块, 其中, 接入转发功能模块用于执行以下功能至少之 一: 接入和 /或转发终端的网络配置信息、 接入和 /或转发终端的认证请求、 添加本地配置信息。 进一步地, 密钥模块具体用于与其他类型的服务器协作生成密钥信息, 其中, 其他类型的服务器包括传输用户信息服务器, 其他类型的服务器用于 执行以下功能至少之一: 保持用户信息、 产生用户认证向量、 产生密钥信息。 为了实现上述目的, 根据本发明的另一方面, 还提供了一种终端。 才艮据本发明的终端, 应用于下一代网络中, 包括: 第二发送模块, 用于 向认证服务器发送认证请求; 第二接收模块, 用于接收来自认证服务器的密 钥信息; 保存模块, 用于保存密钥信息, 以便于通过密钥信息与接入网络功 能模块建立连接和 /或进行数据传输。 通过本发明, 釆用终端与认证服务器进行认证并生成密钥信息, 接入网 络功能模块同该密钥信息与终端进行安全通讯, 解决了相关技术中在当前 NGN网络中用户终端在与接入网络节点之间没有安全保护, 存在安全问题, 进而提高了终端接入网络节点时的安全性。 附图说明 此处所说明的附图用来提供对本发明的进一步理解,构成本申请的一部 分, 本发明的示意性实施例及其说明用于解释本发明, 并不构成对本发明的 不当限定。 在附图中: 图 1是根据本发明实施例的数据传输安全保护方法的流程图; 图 2 是根据本发明实施例的下一代网络中接入转发功能模块获得密钥 材料的示意图; 图 3 是根据本发明实施例的接入网络功能模块同一域内从接入转发功 能模块获得密钥材料的流程图; 图 4 是根据本发明实施例的接入网络功能模块同一域内从接入管理功 能模块获得密钥材料的流程图; 图 5 是根据本发明实施例的接入网络功能模块不同域内获得密钥材料 的流程图; 图 6是根据本发明实施例的 ITU-T NGN中接入网络功能模块获得密钥 的示意图; 图 7是根据本发明实施例的认证服务器的结构框图; 图 8是 居本发明实施例的终端的结构框图。 具体实施方式 下文中将参考附图并结合实施例来详细说明本发明。 需要说明的是, 在 不冲突的情况下, 
本申请中的实施例及实施例中的特征可以相互组合。 在以下实施例中,在附图的流程图示出的步 4聚可以在诸如一组计算机可 执行指令的计算机系统中执行, 并且, 虽然在流程图中示出了逻辑顺序, 但 是在某些情况下, 可以以不同于此处的顺序执行所示出或描述的步骤。 方法实施例 根据本发明的实施例, 提供了一种数据传输安全保护方法, 应用于下一 代网络, 该方法可以应用于传输层面。 图 1是根据本发明实施例的数据传输 安全保护方法的流程图, 该方法包括如下的步骤 S2至步骤 S4: 步骤 S2, 认证服务器接收来自终端的认证请求, 并与终端进行认证。 步骤 S4, 认证服务器生成密钥信息, 并在认证成功之后, 将密钥信息 发送给接入网络功能模块, 以便于接入网络功能模块通过密钥信息与终端建 立连接和 /或进行数据传输。 通过上述的步骤 S2和 S4,接入网络功能模块就可以通过密钥信息与终 端建立连接和 /或进行数据传输, 提高了数据传输的安全性。 优选地, 在步骤 S4中, 认证服务器可以经由接入管理功能模块将密钥 信息发送给接入网络功能模块, 其中, 接入管理功能模块应具有但不限于以 下功能: 终结二层传输链接、 获取接入网络信息(例如, 链路层参数、 标识、 终端位置等)、 转发认证请求、 获取网络配置信息; 或者, 也可以经由接入转 发功能模块将密钥信息发送给接入网络功能模块, 其中, 接入转发功能模块 应具有但不限于以下功能: 接入、 转发终端认证请求。 接入、 转发终端的网 络配置信息, 可以添加本地配置信息。 优选地, 在步骤 S4中, 认证月艮务器可以单独生成密钥信息, 也可以与 其他类型的服务器协作生成密钥信息, 其中, 其他类型的服务器可以包括传 输用户信息服务器。 在认证服务器生成密钥信息之后, 认证服务器可以保存该密钥信息, 并 将该密钥信息发送给终端, 以便于终端进行保存。 下面对本实施例的数据传输安全保护方案进行详细的说明。 步骤 S22 , 终端与认证服务器进行认证。 步骤 S24, 认证成功后, 终端与认证艮务器拥有共享密钥材料(即, 密 钥信息)。 该共享密钥材料在进行认证的过程中产生。 步骤 S26, 认证服务器将该共享密钥材料发送到接入网络功能模块, 其 中, 接入网络功能模块应具有但不限于以下功能至少之一: 网络侧的边界节 点, 负责与终端的数据传输。 步骤 S28 , 接入网络功能模块使用该共享密钥材料与终端进行安全通 信。 在步骤 S28中,认证服务器可以用该共享密钥材料进行推导得到子密钥 材料。 终端对拥有的共享密钥材料进行推导得到子密钥材料。 然后, 认证服 务器将其推导得到的子密钥材料发送到接入网络功能模块, 接入网络功能模 块使用来自认证服务器的子密钥材料与终端进行安全通信。 在步骤 S22中, 认证服务器执行用户认证, 可以产生密钥材料, 也可以 与其他服务器 (例如, 传输用户信息服务器) 协作, 共同产生密钥材料, 其 中, 其他服务器 (例如, 传输用户信息服务器) 应具有但不限于以下功能至 少之一: 保持用户信息, 产生用户认证向量, 产生密钥材料。 下面将结合实例对本发明实施例的实现过程进行详细描述。 图 2 是根据本发明实施例的下一代网络中接入转发功能模块获得密钥 材料的示意图,终端 150和认证服务器 130之间进行认证,在认证成功之后, 终端 150与认证艮务器 130均获得共享密钥材料。 认证艮务器 130可以通过 两种方式发送该将该共享密钥材料到接入网络功能模块。 方式一,认证服务器 130发送该共享密钥材料到接入管理功能模块 100, 接入管理功能模块 100下发该共享密钥材料到接入网络功能模块 120。 方式二,认证服务器 130发送该共享密钥材料到接入转发功能模块 110, 接入转发功能模块 110下发该共享密钥材料到接入网络功能模块 120。 图 3 是根据本发明实施例的接入网络功能模块同一域内从接入转发功 能模块获得密钥材料的流程图, 该流程包括如下步骤 S302至步骤 S308: 步骤 S302 , 终端和认证服务器进行认证, 终端与认证服务器的共享密 钥材料在认证过程中产生。 步骤 S304 , 认证服务器发送密钥材料到接入转发功能模块。 需要说明 的是, 该步骤 S304 可以在认证流程中执行, 也可以在认证流程后执行, 但 是, 必须在认证成功的情况下才执行该步骤。 步骤 S306 , 接入网络功能模块从接入转发功能模块获得密钥材料。 步骤 S308 , 终端与接入转发功能模块均有共享密钥材料, 可以使用该 共享密钥建立安全联盟, 保护终端与接入转发功能模块之间的通信安全。 图 4 是根据本发明实施例的接入网络功能模块同一域内从接入管理功 
能模块获得密钥材料的流程图, 该流程包括如下步骤 S402至步骤 S408: 步骤 S402 , 终端和认证服务器进行认证, 终端与认证服务器的共享密 钥材料认证过程中产生。 步骤 S404 , 认证服务器发送密钥材料到接入管理功能模块, 需要说明 的是, 该步骤 S404 可以在认证流程中执行, 也可以在认证流程后执行。 但 均必须在认证成功的情况下才执行该步骤。 步骤 S406 ,接入网络功能模块从接入管理功能模块获得共享密钥材料。 步骤 S408 , 终端与接入转发功能模块均有共享密钥材料, 可以用该共 享密钥建立安全联盟, 保护终端与接入转发功能模块之间的通信安全。 图 5 是根据本发明实施例的接入网络功能模块不同域内获得密钥材料 的流程图, 该流程包括如下步 4聚: 步骤 S502 , 终端和目的域认证服务器器进行认证, 终端与目的域认证 服务器器的共享密钥材料认证过程中产生。 认证流程可以涉及到与原接入转 发功能模块, 原接入管理功能模块, 原认证服务器, 目的域接入转发功能模 块, 目的域接入管理功能模块。 步骤 S504 , 目的域接入网络功能模块有两种方式获得共享密钥材料。 方式一, 即步骤 S504a, 目的域认证服务器发送共享密钥材料到目的域接入 转发功能模块, 目的域接入转发功能模块发送共享密钥材料到目的域接入网 络模块; 方式二, 即步骤 S504b, 目的域认证服务器发送共享密钥材料到目 的域接入管理功能模块, 目的域接入管理功能模块发送共享密钥材料到目的 域接入网络模块。 需要说明的是, 该步骤 S604 可以在认证流程中执行, 也 可以在认证流程后执行, 但是, 必须在认证成功的情况下才执行该步骤。 步骤 S506, 终端与目的域接入转发功能模块均有共享密钥材料, 可以 用该共享密钥建立安全联盟, 保护终端与目的域接入转发功能模块之间的通 信安全。 图 6是根据本发明实施例的 ITU-T NGN中接入网络功能模块获得密钥 的示意图, UE 表示终端 ( User Equipment ), AM-FE ( Access Management Function Entity )表示接入管理功能模块, TAA-FE( Transport authentication and authorization functional entity ) 表示传输认证授权功能模块, AR-FE ( Access relay functional entity )表示接入转发功能模块, TUP ( Transport user profile functional entity ) 表示传输用户信息功能实体。 其中, 可以在 TUP里存储用 户信息, 并可以产生认证向量, 然后, 发送给 TAA, 与 TAA—起进行用户 认证流程。 该流程包括如下步 4聚: 步骤 S602, 接入网络功能模块从接入管理功能模块获得密钥材料。 步骤 S604 , 接入网络功能模块从接入转发功能模块获得密钥材料。 装置实施例 才艮据本发明的实施例, 提供了一种认证月艮务器, 应用于下一代网络中, 图 7是根据本发明实施例的认证服务器的结构框图, 该认证服务器包括: 第 一接收模块 72、 认证模块 74、 密钥模块 76、 第一发送模块 78 , 下面对该结 构进行详细的说明。 第一接收模块 72 , 用于接收来自终端的认证请求; 认证模块 74连接至 第一接收模块 72 , 用于与终端进行认证; 密钥模块 76连接至认证模块 74 , 用于生成密钥信息; 第一发送模块 78连接至密钥模块 76 , 用于在认证成功 之后, 将密钥信息发送给接入网络功能模块, 以便于接入网络功能模块通过 密钥信息与终端建立连接和 /或进行数据传输。 优选地, 第一发送模块 78可以具体用于经由接入管理功能模块将密钥 信息发送给接入网络功能模块, 其中, 接入管理功能模块用于执行以下功能 至少之一: 终结二层传输链接、 获取接入网络信息、 转发认证请求、 获取网 络配置信息。 优选地, 第一发送模块 78具体用于经由接入转发功能模块将密钥信息 发送给接入网络功能模块, 其中, 接入转发功能模块用于执行以下功能至少 之一: 接入和 /或转发终端的网络配置信息、 接入和 /或转发终端的认证请求、 添加本地配置信息。 优选地,密钥模块 76具体用于与其他类型的服务器协作生成密钥信息, 其中, 其他类型的服务器包括传输用户信息服务器, 其他类型的服务器用于 执行以下功能至少之一: 保持用户信息、 产生用户认证向量、 产生密钥信息。 根据本发明的实施例, 还提供了一种终端, 应用于下一代网络中, 图 8 是 居本发明实施例的终端的结构框图, 如图 8所示, 
该终端包括: 第二发 送模块 82、 第二接收模块 84、 保存模块 86 , 下面对该结构进行详细的说明。 第二发送模块 82 , 用于向认证服务器发送认证请求; 第二接收模块 84 连接至第二发送模块 82 , 用于接收来自认证服务器的密钥信息; 保存模块 86 连接至第二接收模块 84 , 用于保存密钥信息, 以便于通过密钥信息与接 入网络功能模块建立连接和 /或进行数据传输。 综上所述, 通过本发明上述实施例, 解决了相关技术中在当前 NGN网 络中用户终端在与接入网络节点之间没有安全保护, 存在安全问题, 进而提 高了终端接入网络节点时的安全性。 显然, 本领域的技术人员应该明白, 上述的本发明的各模块或各步骤可 以用通用的计算装置来实现, 它们可以集中在单个的计算装置上, 或者分布 在多个计算装置所组成的网络上, 可选地, 它们可以用计算装置可执行的程 序代码来实现, 从而, 可以将它们存储在存储装置中由计算装置来执行, 或 者将它们分别制作成各个集成电路模块, 或者将它们中的多个模块或步骤制 作成单个集成电路模块来实现。 这样, 本发明不限制于任何特定的硬件和软 件结合。 以上所述仅为本发明的优选实施例而已, 并不用于限制本发明, 对于本 领域的技术人员来说, 本发明可以有各种更改和变化。 凡在本发明的 ^"神和 原则之内, 所作的任何修改、 等同替换、 改进等, 均应包含在本发明的保护 范围之内。 NGN can support heterogeneous network access, inter-network roaming, and seamless handover. When the user terminal performs data communication and handover, the continuity of the service needs to be ensured, and at the same time, the privacy and integrity of the signaling data and the user data between the mobile user terminal and the NGN network access point are guaranteed. In the current NGN network, there is no security protection between the user terminal and the access network node, which may have many security problems. For example, unencrypted data of the unlicensed user terminal and the access network node may be eavesdropped. The user's network behavior may also be monitored, which has a great impact on the user's privacy. SUMMARY OF THE INVENTION The present invention has been made in view of the security problem in the prior art that there is no security protection between the user terminal and the access network node in the current NGN network. Therefore, the main purpose of the present invention is to provide a data transmission security protection solution. To solve at least one of the above problems. In order to achieve the above object, according to an aspect of the present invention, a data transmission security protection method is provided. 
The data transmission security protection method according to the present invention is applied to a next generation network and includes: the authentication server receives an authentication request from the terminal and performs authentication with the terminal; the authentication server generates key information and, after the authentication succeeds, sends the key information to the access network function module, so that the access network function module can establish a connection with the terminal and/or perform data transmission using the key information.

Further, the authentication server sending the key information to the access network function module includes: the authentication server sends the key information to the access network function module via the access management function module.

Further, the authentication server sending the key information to the access network function module includes: the authentication server sends the key information to the access network function module via the access forwarding function module.

Further, the authentication server generating the key information includes: the authentication server cooperates with other types of servers to generate the key information, wherein the other types of servers include the transport user information server.

Further, after the authentication server generates the key information, the method further includes: the authentication server and the terminal save the key information.

In order to achieve the above object, according to another aspect of the present invention, an authentication server is also provided.
The authentication server according to the present invention is applied to a next generation network and includes: a first receiving module, configured to receive an authentication request from the terminal; an authentication module, configured to perform authentication with the terminal; a key module, configured to generate key information; and a first sending module, configured to send the key information to the access network function module after the authentication succeeds, so that the access network function module can establish a connection with the terminal and/or perform data transmission using the key information.

Further, the first sending module is specifically configured to send the key information to the access network function module via the access management function module, where the access management function module is configured to perform at least one of the following functions: terminating the Layer 2 transport link, obtaining access network information, forwarding the authentication request, and obtaining network configuration information.

Further, the first sending module is specifically configured to send the key information to the access network function module via the access forwarding function module, where the access forwarding function module is configured to perform at least one of the following functions: accessing and/or forwarding the network configuration information of the terminal, accessing and/or forwarding the authentication request of the terminal, and adding local configuration information.

Further, the key module is specifically configured to cooperate with other types of servers to generate the key information, where the other types of servers include a transport user information server and are configured to perform at least one of the following functions: maintaining user information, generating a user authentication vector, and generating key information.
In order to achieve the above object, according to another aspect of the present invention, a terminal is also provided.

The terminal according to the present invention is applied to a next generation network and includes: a second sending module, configured to send an authentication request to the authentication server; a second receiving module, configured to receive key information from the authentication server; and a saving module, configured to save the key information, so that a connection can be established and/or data transmission performed with the access network function module using the key information.

Through the invention, the terminal and the authentication server perform authentication and generate key information, and the access network function module communicates securely with the terminal using that key information. This solves the problem in the related art that there is no security protection between the user terminal and the access network node in the current NGN network, and thereby improves the security of the terminal when it accesses the network node.

BRIEF DESCRIPTION OF THE DRAWINGS

The accompanying drawings are set to illustrate the invention. In the drawings:

FIG. 1 is a flowchart of a data transmission security protection method according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of an access forwarding function module obtaining key material in a next generation network according to an embodiment of the present invention;
FIG. 3 is a flowchart of an access network function module obtaining key material from an access forwarding function module in the same domain according to an embodiment of the present invention;
FIG. 4 is a flowchart of an access network function module obtaining key material from an access management function module in the same domain according to an embodiment of the present invention;
FIG. 5 is a flowchart of an access network function module obtaining key material in different domains according to an embodiment of the present invention;
FIG. 6 is a schematic diagram of an access network function module obtaining a key in an ITU-T NGN according to an embodiment of the present invention;
FIG. 7 is a structural block diagram of an authentication server according to an embodiment of the present invention; and
FIG. 8 is a structural block diagram of a terminal according to an embodiment of the present invention.

BEST MODE FOR CARRYING OUT THE INVENTION

Hereinafter, the present invention will be described in detail with reference to the accompanying drawings. It should be noted that the embodiments in the present application and the features in the embodiments may be combined with each other where there is no conflict. In the following embodiments, the steps shown in the flowcharts of the accompanying drawings may be performed in a computer system such as a set of computer executable instructions, and although a logical order is shown in the flowcharts, in some cases the steps shown or described may be performed in an order different from the one described herein.

Method Embodiment

According to an embodiment of the present invention, a data transmission security protection method is provided, which is applied to a next generation network; the method can be applied to the transport layer. FIG. 1 is a flowchart of a data transmission security protection method according to an embodiment of the present invention. The method includes the following steps S2 to S4:

Step S2: The authentication server receives an authentication request from the terminal and performs authentication with the terminal.
Step S4: The authentication server generates key information and, after the authentication succeeds, sends the key information to the access network function module, so that the access network function module can establish a connection with the terminal and/or perform data transmission using the key information.

Through the above steps S2 and S4, the access network function module can establish a connection with the terminal and/or perform data transmission using the key information, thereby improving the security of data transmission.

Preferably, in step S4, the authentication server may send the key information to the access network function module via the access management function module, where the access management function module should have, but is not limited to, the following functions: terminating the Layer 2 transport link, obtaining access network information (for example, link layer parameters, identifiers, terminal locations, etc.), forwarding the authentication request, and obtaining network configuration information. Alternatively, the authentication server may send the key information to the access network function module via the access forwarding function module, where the access forwarding function module should have, but is not limited to, the following functions: accessing and forwarding the authentication request of the terminal, accessing and forwarding the network configuration information of the terminal, and adding local configuration information.

Preferably, in step S4, the authentication server may generate the key information by itself, or may cooperate with other types of servers to generate the key information, where the other types of servers may include a transport user information server. After the authentication server generates the key information, it may save the key information and send it to the terminal for the terminal to save.

The data transmission security protection scheme of this embodiment will be described in detail below.
Step S22: The terminal performs authentication with the authentication server.

Step S24: After the authentication succeeds, the terminal and the authentication server hold shared key material (that is, the key information). The shared key material is generated during the authentication process.

Step S26: The authentication server sends the shared key material to the access network function module, where the access network function module should have, but is not limited to, at least one of the following functions: acting as a border node on the network side, responsible for data transmission with the terminal.

Step S28: The access network function module uses the shared key material to communicate securely with the terminal.

In step S28, the authentication server may derive subkey material from the shared key material, and the terminal likewise derives the subkey material from the shared key material it obtained. The authentication server then sends the derived subkey material to the access network function module, and the access network function module uses the subkey material received from the authentication server to communicate securely with the terminal.

In step S22, the authentication server performs user authentication and may generate the key material itself, or may cooperate with other servers (for example, a transport user information server) to jointly generate the key material, where the other servers (for example, the transport user information server) should have, but are not limited to, at least one of the following functions: maintaining user information, generating a user authentication vector, and generating key material.

The implementation of the embodiment of the present invention will be described in detail below with reference to examples. FIG. 2 is a schematic diagram of an access forwarding function module obtaining key material in a next generation network according to an embodiment of the present invention.
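The flow of steps S22 to S28, including the subkey derivation of step S28 and the rule that key material is released only after successful authentication, as an added Python example written for this page (not code from the patent). The challenge-response form of the authentication, the use of HKDF, the binding of the subkey to an access node identifier, and the sample user "alice" are assumptions of the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

HASH = hashlib.sha256
# Constructed sample credential shared by the TUP and the legitimate terminal.
SAMPLE_KEY = hashlib.sha256(b"constructed sample user credential").digest()


def hkdf(key: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) over HMAC-SHA256; used for the shared key material (S24)
    and for the subkey material derived from it (S28). Assumption of this example."""
    prk = hmac.new(salt, key, HASH).digest()                  # extract
    out, block, counter = b"", b"", 1
    while len(out) < length:                                   # expand
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]


@dataclass
class TransportUserProfile:
    """TUP role: keeps long-term user credentials and produces authentication vectors."""
    users: dict  # user_id -> long-term key

    def authentication_vector(self, user_id: str):
        # (RAND, XRES): a fresh challenge and the response expected from this user
        k = self.users[user_id]
        rand = secrets.token_bytes(16)
        return rand, hmac.new(k, b"NGN-AUTH" + rand, HASH).digest()


@dataclass
class AuthServer:
    """Authentication server (TAA-FE role): authenticates the terminal with the TUP's
    vector and releases key material only for sessions that authenticated."""
    tup: TransportUserProfile
    pending: dict = field(default_factory=dict)   # user_id -> (RAND, XRES)
    shared: dict = field(default_factory=dict)    # user_id -> shared key material (S24)

    def challenge(self, user_id: str) -> bytes:
        rand, xres = self.tup.authentication_vector(user_id)
        self.pending[user_id] = (rand, xres)
        return rand

    def verify(self, user_id: str, response: bytes) -> bool:
        rand, xres = self.pending.pop(user_id)
        if not hmac.compare_digest(response, xres):
            return False                          # failed authentication: no key material
        self.shared[user_id] = hkdf(self.tup.users[user_id], rand, b"NGN shared key material")
        return True

    def subkey_for_node(self, user_id: str, node_id: str):
        """S28: give the access node subkey material derived from the shared key material,
        bound to the node's identity (an assumption of this example), never the shared
        key material itself. Returns None unless the session authenticated."""
        shared = self.shared.get(user_id)
        if shared is None:
            return None
        return hkdf(shared, b"", b"NGN subkey " + node_id.encode())


@dataclass
class Terminal:
    """UE role: answers the challenge and derives the same keys on its side."""
    user_id: str
    k: bytes
    shared: bytes = b""

    def respond(self, rand: bytes) -> bytes:
        self.shared = hkdf(self.k, rand, b"NGN shared key material")   # S24, terminal side
        return hmac.new(self.k, b"NGN-AUTH" + rand, HASH).digest()

    def protect(self, node_id: str, payload: bytes) -> bytes:
        # derive the node-bound subkey and append an integrity tag to the payload
        subkey = hkdf(self.shared, b"", b"NGN subkey " + node_id.encode())
        return payload + hmac.new(subkey, payload, HASH).digest()


def access_node_accepts(subkey: bytes, frame: bytes) -> bool:
    """Access network function module: checks terminal traffic under the subkey
    material it received from the authentication server (S26/S28)."""
    payload, tag = frame[:-32], frame[-32:]
    return hmac.compare_digest(hmac.new(subkey, payload, HASH).digest(), tag)


def run_flow(terminal: Terminal, node_id: str = "AR-FE-1") -> bool:
    """Steps S22 to S28 end to end; True if the access node accepts protected data."""
    server = AuthServer(TransportUserProfile(users={"alice": SAMPLE_KEY}))
    rand = server.challenge(terminal.user_id)
    if not server.verify(terminal.user_id, terminal.respond(rand)):
        return False                              # S404-style gate: nothing is sent
    subkey = server.subkey_for_node(terminal.user_id, node_id)
    return access_node_accepts(subkey, terminal.protect(node_id, b"constructed payload"))
```

A terminal presenting the wrong credential fails step S22, so the server never holds shared key material for it and `subkey_for_node` returns None; two different access nodes receive different subkeys from the same session.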
The terminal 150 and the authentication server 130 perform authentication. After the authentication succeeds, both the terminal 150 and the authentication server 130 obtain the shared key material. The authentication server 130 can send the shared key material to the access network function module in two ways. In the first mode, the authentication server 130 sends the shared key material to the access management function module 100, and the access management function module 100 delivers the shared key material to the access network function module 120. In the second mode, the authentication server 130 sends the shared key material to the access forwarding function module 110, and the access forwarding function module 110 delivers the shared key material to the access network function module 120.

FIG. 3 is a flowchart of an access network function module obtaining key material from an access forwarding function module in the same domain according to an embodiment of the present invention. The process includes the following steps S302 to S308:

Step S302: The terminal and the authentication server perform authentication, and the shared key material of the terminal and the authentication server is generated during the authentication process.

Step S304: The authentication server sends the key material to the access forwarding function module. It should be noted that step S304 may be performed during the authentication process or after it, but must be performed only if the authentication is successful.

Step S306: The access network function module obtains the key material from the access forwarding function module.

Step S308: The terminal and the access forwarding function module both hold the shared key material, and the shared key can be used to establish a security association that protects the communication between the terminal and the access forwarding function module.
FIG. 4 is a flowchart of an access network function module obtaining key material from an access management function module in the same domain according to an embodiment of the present invention. The process includes the following steps S402 to S408:

Step S402: The terminal and the authentication server perform authentication, and the shared key material of the terminal and the authentication server is generated during the authentication process.

Step S404: The authentication server sends the key material to the access management function module. It should be noted that step S404 may be performed during the authentication process or after it, but must be performed only if the authentication is successful.

Step S406: The access network function module obtains the shared key material from the access management function module.

Step S408: The terminal and the access forwarding function module both hold the shared key material, and the shared key can be used to establish a security association that protects the communication between the terminal and the access forwarding function module.

FIG. 5 is a flowchart of an access network function module obtaining key material in different domains according to an embodiment of the present invention. The process includes the following steps:

Step S502: The terminal and the destination domain authentication server perform authentication, and the shared key material of the terminal and the destination domain authentication server is generated during the authentication process. The authentication process may involve the original access forwarding function module, the original access management function module, the original authentication server, the destination domain access forwarding function module, and the destination domain access management function module.

Step S504: The destination domain access network function module has two ways to obtain the shared key material.
In the first mode, step S504a, the destination domain authentication server sends the shared key material to the destination domain access forwarding function module, and the destination domain access forwarding function module sends the shared key material to the destination domain access network module. In the second mode, step S504b, the destination domain authentication server sends the shared key material to the destination domain access management function module, and the destination domain access management function module sends the shared key material to the destination domain access network module. It should be noted that step S604 may be performed during the authentication process or after it, but must be performed only if the authentication is successful.

Step S506: The terminal and the destination domain access forwarding function module both hold the shared key material, and the shared key can be used to establish a security association that protects the communication between the terminal and the destination domain access forwarding function module.

FIG. 6 is a schematic diagram of an access network function module obtaining a key in an ITU-T NGN according to an embodiment of the present invention. UE denotes the terminal (User Equipment), AM-FE (Access Management Function Entity) denotes the access management function module, TAA-FE (Transport Authentication and Authorization Functional Entity) denotes the transport authentication and authorization function module, AR-FE (Access Relay Functional Entity) denotes the access forwarding function module, and TUP (Transport User Profile Functional Entity) denotes the transport user profile functional entity. User information can be stored in the TUP, which can generate an authentication vector, send it to the TAA, and carry out the user authentication process together with the TAA.
The process includes the following steps:

Step S602: The access network function module obtains the key material from the access management function module.

Step S604: The access network function module obtains the key material from the access forwarding function module.

Device Embodiment

According to an embodiment of the present invention, an authentication server is provided, which is applied to a next generation network. FIG. 7 is a structural block diagram of an authentication server according to an embodiment of the present invention. The authentication server includes a first receiving module 72, an authentication module 74, a key module 76, and a first sending module 78; the structure is described in detail below.

The first receiving module 72 is configured to receive an authentication request from the terminal; the authentication module 74 is connected to the first receiving module 72 and is configured to perform authentication with the terminal; the key module 76 is connected to the authentication module 74 and is configured to generate key information; and the first sending module 78 is connected to the key module 76 and is configured to send the key information to the access network function module after the authentication succeeds, so that the access network function module can establish a connection with the terminal and/or perform data transmission using the key information.

Preferably, the first sending module 78 may be specifically configured to send the key information to the access network function module via the access management function module, where the access management function module is configured to perform at least one of the following functions: terminating the Layer 2 transport link, obtaining access network information, forwarding the authentication request, and obtaining network configuration information.
Preferably, the first sending module 78 is specifically configured to send the key information to the access network function module via the access forwarding function module, where the access forwarding function module is configured to perform at least one of the following functions: accessing and/or forwarding the network configuration information of the terminal, accessing and/or forwarding the authentication request of the terminal, and adding local configuration information.

Preferably, the key module 76 is specifically configured to cooperate with other types of servers to generate the key information, where the other types of servers include a transport user information server and are configured to perform at least one of the following functions: maintaining user information, generating a user authentication vector, and generating key information.

According to an embodiment of the present invention, a terminal is further provided, which is applied to a next generation network. FIG. 8 is a structural block diagram of a terminal according to an embodiment of the present invention. As shown in FIG. 8, the terminal includes a second sending module 82, a second receiving module 84, and a saving module 86; the structure is described in detail below.

The second sending module 82 is configured to send an authentication request to the authentication server; the second receiving module 84 is connected to the second sending module 82 and is configured to receive key information from the authentication server; and the saving module 86 is connected to the second receiving module 84 and is configured to save the key information, so that a connection can be established and/or data transmission performed with the access network function module using the key information.
In summary, the foregoing embodiments of the present invention solve the problem in the related art that there is no security protection between the user terminal and the access network node in the current NGN network, and thereby improve the security of the terminal when it accesses the network node.

Obviously, those skilled in the art should understand that the above modules or steps of the present invention can be implemented by a general-purpose computing device; they can be concentrated on a single computing device or distributed over a network composed of multiple computing devices. Alternatively, they may be implemented by program code executable by a computing device, so that they may be stored in a storage device and executed by the computing device, or they may be separately fabricated as individual integrated circuit modules, or multiple modules or steps among them may be fabricated as a single integrated circuit module. Thus, the invention is not limited to any specific combination of hardware and software.

The above is only the preferred embodiment of the present invention and is not intended to limit the present invention; those skilled in the art can make various modifications and changes to the present invention. Any modification, equivalent substitution, improvement, etc. made within the spirit and principles of the present invention shall be included within the protection scope of the present invention.

Claims

1. A data transmission security protection method, applied to a next generation network, characterized in that it comprises: an authentication server receives an authentication request from a terminal and performs authentication with the terminal; the authentication server generates key information and, after the authentication succeeds, sends the key information to an access network function module, so that the access network function module establishes a connection with the terminal and/or performs data transmission using the key information.

2. The method according to claim 1, characterized in that the authentication server sending the key information to the access network function module comprises: the authentication server sends the key information to the access network function module via an access management function module.

3. The method according to claim 1, characterized in that the authentication server sending the key information to the access network function module comprises: the authentication server sends the key information to the access network function module via the access forwarding function module.

4. The method according to any one of claims 1 to 3, characterized in that the authentication server generating the key information comprises: the authentication server cooperates with other types of servers to generate the key information, wherein the other types of servers include a transport user information server.

5. The method according to any one of claims 1 to 3, characterized in that, after the authentication server generates the key information, the method further comprises: the authentication server and the terminal save the key information.

6. An authentication server, applied to a next generation network, characterized in that it comprises: a first receiving module, configured to receive an authentication request from a terminal; an authentication module, configured to perform authentication with the terminal; a key module, configured to generate key information; and a first sending module, configured to send the key information to an access network function module after the authentication succeeds, so that the access network function module establishes a connection with the terminal and/or performs data transmission using the key information.

7. The authentication server according to claim 6, characterized in that the first sending module is specifically configured to send the key information to the access network function module via an access management function module, wherein the access management function module is configured to perform at least one of the following functions: terminating a Layer 2 transport link, obtaining access network information, forwarding an authentication request, and obtaining network configuration information.

8. The authentication server according to claim 6, characterized in that the first sending module is specifically configured to send the key information to the access network function module via an access forwarding function module, wherein the access forwarding function module is configured to perform at least one of the following functions: accessing and/or forwarding network configuration information of the terminal, accessing and/or forwarding an authentication request of the terminal, and adding local configuration information.

9. The authentication server according to any one of claims 6 to 8, characterized in that the key module is specifically configured to cooperate with other types of servers to generate the key information, wherein the other types of servers include a transport user information server, and the other types of servers are configured to perform at least one of the following functions: maintaining user information, generating a user authentication vector, and generating key information.

10. A terminal, applied to a next generation network, characterized in that it comprises: a second sending module, configured to send an authentication request to an authentication server; a second receiving module, configured to receive key information from the authentication server; and a saving module, configured to save the key information, so as to establish a connection and/or perform data transmission with an access network function module using the key information.
PCT/CN2010/071206 2009-08-31 2010-03-23 Method for protecting the security of data transmission, authentication server and terminal WO2011022963A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN200910171630.4 2009-08-31
CN2009101716304A CN102006591A (en) 2009-08-31 2009-08-31 Data transmission security protection method, authentication server and terminal

Publications (1)

Publication Number Publication Date
WO2011022963A1 (en) 2011-03-03

Family

ID=43627196

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2010/071206 WO2011022963A1 (en) 2009-08-31 2010-03-23 Method for protecting the security of data transmission, authentication server and terminal

Country Status (2)

Country Link
CN (1) CN102006591A (en)
WO (1) WO2011022963A1 (en)

Also Published As

Publication number Publication date
CN102006591A (en) 2011-04-06


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 10811129; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 10811129; Country of ref document: EP; Kind code of ref document: A1)