WO2011134292A1 - Establishment method, system and device for communication keys among nodes - Google Patents

Establishment method, system and device for communication keys among nodes Download PDF

Info

Publication number
WO2011134292A1
Authority
WO
WIPO (PCT)
Prior art keywords
key
switching device
packet
field
destmatl
Prior art date
Application number
PCT/CN2011/070475
Other languages
French (fr)
Chinese (zh)
Inventor
朱林
铁满霞
李琴
葛莉
曹军
张莎
李剑雄
苑克龙
Original Assignee
天维讯达无线电设备检测(北京)有限责任公司
西安西电捷通无线网络通信股份有限公司
Application filed by 天维讯达无线电设备检测(北京)有限责任公司, 西安西电捷通无线网络通信股份有限公司


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L 9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L 9/0827 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving distinctive intermediate devices or communication paths
    • H04L 9/0891 Revocation or update of secret information, e.g. encryption key update or rekeying
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W 12/041 Key generation or derivation
    • H04W 12/047 Key management, e.g. using generic bootstrapping architecture [GBA] without using a trusted network node as an anchor
    • H04W 12/0471 Key exchange

Definitions

  • The present invention relates to the field of communication network applications, and in particular to a method, system and device for establishing a communication key between nodes.
  • Wired LANs are generally broadcast networks: data sent by one node can be received by every other node. All nodes on the network share one channel, which is a great security risk, because an attacker only needs to attach to the network and listen in order to capture every packet on it.
  • The LAN defined by the existing national standard GB/T 15629.3 (corresponding to IEEE 802.3 or ISO/IEC 8802-3) does not provide a data confidentiality method, so an attacker can easily steal key information.
  • IEEE 802.1AE provides a data encryption protocol for protecting Ethernet and uses hop-by-hop encryption to transfer data securely between network nodes. This measure imposes a huge computational burden on the switching devices in the LAN, which makes the switching devices attractive targets for attackers; it also increases the delay of a data packet from the sending node to the destination node and so reduces network transmission efficiency.
  • The topology of a wired LAN is comparatively complex and the number of nodes involved is comparatively large, so data communication in the network is comparatively complex; terminals and switching devices are collectively referred to as nodes. If static keys were assigned between LAN nodes to secure inter-node communication, the process of allocating and updating them would be extremely complicated.
  • The embodiments of the present invention provide a method, a system and a device for establishing an inter-node communication key, which allow keys to be flexibly established and updated between the legitimate nodes of a local area network.
  • The technical solution of the present invention is as follows.
  • The present invention is a method for establishing a communication key between nodes, comprising the following steps:
    1) the sending source node N_Source sends a first key announcement packet to the switching device SW_First;
    2) the switching device SW_First sends a second key announcement packet to the switching device SW_Last;
    3) the switching device SW_Last sends a third key announcement packet to the destination node N_Destination;
    4) the destination node N_Destination sends a third key announcement response packet to the switching device SW_Last;
    5) the switching device SW_Last sends a second key announcement response packet to the switching device SW_First;
    6) the switching device SW_First sends a first key announcement response packet to the sending source node N_Source;
    7) the sending source node N_Source receives the first key announcement response packet;
    where the first key announcement packet, the second key announcement packet and the third key announcement packet all contain the communication key KEY_S-D between the source node N_Source and the destination node N_Destination.
  • A system for establishing an inter-node communication key comprises: a sending source node N_Source, which sends a first key announcement packet to the switching device SW_First and receives the first key announcement response packet sent by SW_First; a switching device SW_First, which receives the first key announcement packet sent by N_Source, sends a second key announcement packet to the switching device SW_Last, receives the second key announcement response packet sent by SW_Last and sends the first key announcement response packet to N_Source; a switching device SW_Last, which receives the second key announcement packet sent by SW_First, sends a third key announcement packet to the destination node N_Destination, receives the third key announcement response packet sent by N_Destination and sends the second key announcement response packet to SW_First; and a destination node N_Destination, which receives the third key announcement packet sent by SW_Last and sends the third key announcement response packet to SW_Last. The first, second and third key announcement packets all contain the communication key KEY_S-D between N_Source and N_Destination.
  • A device, which is a terminal device or a switching device, comprises:
  • a key announcement module for, when the device is the sending source node N_Source, sending a first key announcement packet to the first switching device SW_First, the first key announcement packet containing the communication key KEY_S-D between N_Source and the destination node N_Destination, so that the first switching device SW_First and the second switching device SW_Last deliver KEY_S-D to N_Destination;
  • a receiving module for, when the device is the sending source node N_Source, receiving the first key announcement response packet sent by SW_First and, once that packet has been verified, communicating between N_Source and N_Destination using the communication key KEY_S-D.
  • The advantages of the present invention are: the communication key between the sending source node N_Source and the destination node N_Destination is generated on the fly by N_Source and announced hop by hop to N_Destination over the secure connection channels that have already been established; the process of establishing and updating the shared key between nodes can be triggered by N_Source initiating it.
  • Legitimate nodes of the local area network can therefore flexibly establish and update keys between themselves, and the administrator does not need to deploy a shared static key between every pair of nodes.
  • FIG. 1 is a schematic diagram of the process of establishing an inter-node communication key according to the present invention.
  • A node N (Node) as defined in the present invention is a user terminal STA (STAtion) or a switching device SW (SWitch) in the local area network; physical-layer devices in the LAN such as hubs are not treated as nodes.
  • The switching device SW_First is the first switching device that a data packet from the source node N_Source to the destination node N_Destination passes through, and the switching device SW_Last is the last switching device that a data packet from N_Source to N_Destination passes through.
  • The source node N_Source has established a secure connection with the switching device SW_First, and their shared key is denoted KEY_S; the destination node N_Destination has established a secure connection with the switching device SW_Last, and their shared key is denoted KEY_D; the switching devices SW_First and SW_Last have established a secure connection, and their shared key is denoted KEY_F.
  • A method for establishing an inter-node communication key, taking the establishment of a communication key between the source node N_Source and the destination node N_Destination as the specific example, proceeds as follows:
  • 1) The sending source node N_Source sends key announcement packet 1 to the switching device SW_First.
  • Key announcement packet 1 contains:
  • ID_Destination field: the identifier of the destination node N_Destination;
  • E1(KEY_S-D) field: key data, namely the inter-node communication key KEY_S-D encrypted by the sending source node N_Source with the key KEY_S shared between it and the switching device SW_First;
  • MIC1 field: the message integrity code, namely the hash value computed by N_Source with the key KEY_S shared between it and SW_First, using the hash function, over all fields of key announcement packet 1 other than this field.
  • 2) The switching device SW_First sends key announcement packet 2 to the switching device SW_Last.
  • Key announcement packet 2 contains:
  • ID_Source field: the identifier of the sending source node N_Source;
  • ID_Destination field: the identifier of the destination node N_Destination, whose value is the same as that of the ID_Destination field in the received key announcement packet 1;
  • MIC2 field: the message integrity code, namely the hash value computed by SW_First with the key KEY_F shared between it and SW_Last, using the hash function, over all fields of key announcement packet 2 other than this field.
  • 3) After receiving key announcement packet 2 and processing it, the switching device SW_Last sends key announcement packet 3 to the destination node N_Destination.
  • Key announcement packet 3 contains:
  • ID_Source field: the identifier of the source node N_Source, whose value is the same as that of the ID_Source field in the received key announcement packet 2;
  • E3(KEY_S-D) field: key data, namely the decrypted inter-node communication key KEY_S-D re-encrypted by SW_Last with the key KEY_D shared between it and the destination node N_Destination;
  • MIC3 field: the message integrity code, namely the hash value computed by SW_Last with the key KEY_D shared between it and N_Destination, using the hash function, over all fields of key announcement packet 3 other than this field.
  • 4) The destination node N_Destination sends key announcement response packet 3 to the switching device SW_Last.
  • From key announcement packet 3 the destination node obtains the inter-node communication key KEY_S-D, which is the communication key between N_Destination and the source node N_Source; it then constructs key announcement response packet 3 and sends it to SW_Last.
  • Key announcement response packet 3 contains:
  • ID_Source field: the identifier of the source node N_Source, whose value is the same as that of the ID_Source field in the received key announcement packet 3;
  • MIC4 field: the message integrity code, namely the hash value computed by N_Destination with the key KEY_D shared between it and SW_Last, using the hash function, over all fields of key announcement response packet 3 other than this field.
  • 5) The switching device SW_Last sends key announcement response packet 2 to the switching device SW_First. After receiving key announcement response packet 3 and processing it, SW_Last constructs key announcement response packet 2 and sends it to SW_First.
  • Key announcement response packet 2 contains:
  • ID_Source field: the identifier of the source node N_Source, whose value is the same as that of the ID_Source field in the received key announcement packet 2;
  • ID_Destination field: the identifier of the destination node N_Destination, whose value is the same as that of the ID_Destination field in the received key announcement packet 2;
  • MIC5 field: the message integrity code, namely the hash value computed by SW_Last with the key KEY_F shared between it and SW_First, using the hash function, over all fields of key announcement response packet 2 other than this field.
  • 6) The switching device SW_First sends key announcement response packet 1 to the sending source node N_Source. After receiving key announcement response packet 2 and processing it, SW_First constructs key announcement response packet 1 and sends it to N_Source.
  • Key announcement response packet 1 contains:
  • ID_Destination field: the identifier of the destination node N_Destination, whose value is the same as that of the ID_Destination field in the received key announcement packet 1.
  • 7) The sending source node N_Source receives key announcement response packet 1 and checks whether the value of its ID_Destination field is consistent with the ID_Destination field of the key announcement packet 1 it previously sent to SW_First; if not, it discards the packet; otherwise it performs 7.2).
  • The sending source node N_Source may also generate a value as the identifier of this key establishment process, which may be a clock value, a sequence number or a random number, and carry it in every message. Correspondingly, after receiving key announcement response packet 3, the switching device SW_Last must verify that the identifier value in the packet is consistent with the identifier value in the key announcement packet 2 it received earlier; after receiving key announcement response packet 2, the switching device SW_First must verify that the identifier value in the packet is consistent with the identifier value in the key announcement packet 1 it received earlier; and after receiving key announcement response packet 1, N_Source must verify that the identifier value in the packet is consistent with the identifier value in the key announcement packet 1 it previously sent.
  • Alternatively, the sending source node N_Source, the switching device SW_First and the switching device SW_Last may each independently generate a value as an announcement identifier carried in key announcement packet 1, key announcement packet 2 and key announcement packet 3 respectively; the announcement identifier may be a clock value, a sequence number or a random number.
  • Correspondingly, the switching device SW_Last, the switching device SW_First and the sending source node N_Source, on receiving key announcement response packet 3, key announcement response packet 2 and key announcement response packet 1 respectively, must each verify that the announcement identifier value in the packet is consistent with the identifier value in the packet they previously transmitted.
  • A system for establishing an inter-node communication key comprises: a sending source node N_Source, which sends key announcement packet 1 to the switching device SW_First and receives key announcement response packet 1 sent by SW_First; a switching device SW_First, which receives key announcement packet 1 sent by N_Source, sends key announcement packet 2 to the switching device SW_Last, receives key announcement response packet 2 sent by SW_Last and sends key announcement response packet 1 to N_Source; a switching device SW_Last, which receives key announcement packet 2 sent by SW_First, sends key announcement packet 3 to the destination node N_Destination, receives key announcement response packet 3 sent by N_Destination and sends key announcement response packet 2 to SW_First; and a destination node N_Destination, which receives key announcement packet 3 sent by SW_Last and sends key announcement response packet 3 to SW_Last.
  • An apparatus, which may be a terminal device or a switching device, may comprise: a key announcement module for, when the apparatus is the sending source node N_Source, sending a first key announcement packet to the first switching device SW_First, the first key announcement packet containing the communication key KEY_S-D between N_Source and the destination node N_Destination, so that the first switching device SW_First and the second switching device SW_Last deliver KEY_S-D to N_Destination;
  • a receiving module for, when the apparatus is the sending source node N_Source, receiving the first key announcement response packet sent by SW_First and, once that packet has been verified, communicating between N_Source and N_Destination using the communication key KEY_S-D.
  • The apparatus may further comprise:
  • an announcement response module for, when the apparatus is the destination node N_Destination, receiving the third key announcement packet sent by the second switching device SW_Last, extracting from it the communication key KEY_S-D between the sending source node N_Source and N_Destination, and constructing a third key announcement response packet to be sent to SW_Last, so that SW_Last sends a second key announcement response packet to the first switching device SW_First and SW_First sends a first key announcement response packet to N_Source.
  • The apparatus may further comprise:
  • a first announcement module for, when the apparatus is the first switching device SW_First, receiving the first key announcement packet sent by the sending source node N_Source, extracting from it the communication key KEY_S-D between N_Source and the destination node N_Destination, and constructing a second key announcement packet to be sent to the second switching device SW_Last, so that KEY_S-D is delivered to SW_Last through the second key announcement packet and SW_Last delivers KEY_S-D to N_Destination; and for receiving the second key announcement response packet sent by SW_Last and constructing the first key announcement response packet to be sent to N_Source.
  • The apparatus may further comprise:
  • a second announcement module for, when the apparatus is the second switching device SW_Last, receiving the second key announcement packet sent by the first switching device SW_First, extracting from it the communication key KEY_S-D between the sending source node N_Source and the destination node N_Destination, and constructing a third key announcement packet to be sent to N_Destination, so that KEY_S-D is delivered to N_Destination through the third key announcement packet; and for receiving the third key announcement response packet sent by N_Destination and constructing the second key announcement response packet to be sent to SW_First, so that SW_First sends the first key announcement response packet to N_Source.
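The seven-step exchange above, as an added Python example (not code from the patent or its assignees): each hop checks the integrity code computed with that hop's shared key, recovers KEY_S-D and re-seals it under the next hop's key, and each response is accepted only if its identifier fields match the outstanding announcement. HMAC-SHA256 stands in for the unspecified keyed hash, an XOR keystream stands in for the unspecified cipher E_i, the ID_Source field in packet 1 and the MIC6 on response packet 1 are assumptions, and all key values and node identifiers are constructed.

```python
import hashlib
import hmac
import os

# Constructed hop keys: KEY_S (N_Source/SW_First), KEY_F (SW_First/SW_Last), KEY_D (SW_Last/N_Destination).
KEY_S = b"constructed-key-S-source-first"
KEY_F = b"constructed-key-F-first-last"
KEY_D = b"constructed-key-D-last-destination"
MIC_FIELDS = ("MIC1", "MIC2", "MIC3", "MIC4", "MIC5", "MIC6")
ID_FIELDS = ("ID_Source", "ID_Destination", "IDENT")

def _encode(pkt):
    # Canonical byte encoding of every field other than the integrity-code field.
    return b"".join(k.encode() + b"=" + v + b";" for k, v in sorted(pkt.items()) if k not in MIC_FIELDS)

def mic(key, pkt):
    # "Hash value computed with the hop key over the other fields" (HMAC-SHA256 assumed).
    return hmac.new(key, _encode(pkt), hashlib.sha256).digest()

def check_mic(key, pkt, name):
    if not hmac.compare_digest(mic(key, pkt), pkt[name]):
        raise ValueError(name + " verification failed; packet discarded")

def seal(key, ident, key_sd):
    # Stand-in for E_i(KEY_S-D): the patent names no cipher, so the 16-byte KEY_S-D is XORed
    # with a keystream derived from the hop key and the announcement identifier IDENT.
    stream = hmac.new(key, b"keystream" + ident, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(key_sd, stream))

unseal = seal  # XOR with the same keystream inverts seal()

def _match(resp, sent, fields):
    # A response is accepted only if its identifier fields equal those of the announcement this
    # node handled earlier (the page's ID_Destination / process-identifier checks); else discard.
    if any(resp[f] != sent[f] for f in fields):
        raise ValueError("response does not match the outstanding announcement; discarded")

def source_announce(id_src, id_dst, key_sd, ident):
    # Step 1: N_Source seals the freshly generated KEY_S-D under KEY_S (ID_Source field assumed).
    pkt1 = {"ID_Source": id_src, "ID_Destination": id_dst, "IDENT": ident,
            "E1": seal(KEY_S, ident, key_sd)}
    pkt1["MIC1"] = mic(KEY_S, pkt1)
    return pkt1

def relay(key_in, key_out, pkt, n):
    # Steps 2 and 3: the switching device verifies MIC{n} under key_in, recovers KEY_S-D from
    # E{n} and re-seals it as E{n+1} under key_out (n=1 at SW_First, n=2 at SW_Last).
    check_mic(key_in, pkt, "MIC%d" % n)
    key_sd = unseal(key_in, pkt["IDENT"], pkt["E%d" % n])
    out = {f: pkt[f] for f in ID_FIELDS}
    out["E%d" % (n + 1)] = seal(key_out, pkt["IDENT"], key_sd)
    out["MIC%d" % (n + 1)] = mic(key_out, out)
    return out

def dest_receive(pkt3):
    # Step 4: N_Destination verifies MIC3, obtains KEY_S-D and answers with response packet 3.
    check_mic(KEY_D, pkt3, "MIC3")
    key_sd = unseal(KEY_D, pkt3["IDENT"], pkt3["E3"])
    resp3 = {"ID_Source": pkt3["ID_Source"], "IDENT": pkt3["IDENT"]}
    resp3["MIC4"] = mic(KEY_D, resp3)
    return key_sd, resp3

def respond_back(key_in, key_out, resp_in, sent, mic_in, mic_out, fields):
    # Steps 5 and 6: verify the incoming response's MIC, check its identifiers against the
    # announcement this switching device forwarded earlier, then answer the previous hop.
    check_mic(key_in, resp_in, mic_in)
    _match(resp_in, sent, [f for f in ID_FIELDS if f in resp_in])
    out = {f: sent[f] for f in fields}
    out[mic_out] = mic(key_out, out)  # MIC6 on response packet 1 is an assumption
    return out

def source_finish(pkt1, resp1):
    # Step 7: N_Source checks MIC6 and that ID_Destination/IDENT match the packet 1 it sent.
    check_mic(KEY_S, resp1, "MIC6")
    _match(resp1, pkt1, ("ID_Destination", "IDENT"))
    return True

def run_protocol(key_sd, ident=None):
    # Full exchange; returns the key N_Destination ends up with, which must equal key_sd.
    ident = ident or os.urandom(8)  # the optional per-process identifier (a random number)
    pkt1 = source_announce(b"STA-A", b"STA-B", key_sd, ident)
    pkt2 = relay(KEY_S, KEY_F, pkt1, 1)
    pkt3 = relay(KEY_F, KEY_D, pkt2, 2)
    dest_key, resp3 = dest_receive(pkt3)
    resp2 = respond_back(KEY_D, KEY_F, resp3, pkt2, "MIC4", "MIC5", ID_FIELDS)
    resp1 = respond_back(KEY_F, KEY_S, resp2, pkt1, "MIC5", "MIC6", ("ID_Destination", "IDENT"))
    source_finish(pkt1, resp1)
    return dest_key

def rejected(fn, *args):
    # True if the receiving node discards the input (raises ValueError) instead of accepting it.
    try:
        fn(*args)
    except ValueError:
        return True
    return False
```

`run_protocol(os.urandom(16))` walks one announcement end to end; `rejected(relay, KEY_S, KEY_F, forged_packet, 1)` shows SW_First dropping a packet whose key data was altered in transit.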

Abstract

An establishment method, system and device for communication keys among nodes are disclosed. The method comprises the following steps: 1) a transmission source node N_Source transmits a first key announcement packet to a switch equipment SW_First; 2) the switch equipment SW_First transmits a second key announcement packet to a switch equipment SW_Last; 3) the switch equipment SW_Last transmits a third key announcement packet to a destination node N_Destination; 4) the destination node N_Destination transmits a third key announcement acknowledgement packet to the switch equipment SW_Last; 5) the switch equipment SW_Last transmits a second key announcement acknowledgement packet to the switch equipment SW_First; 6) the switch equipment SW_First transmits a first key announcement acknowledgement packet to the transmission source node N_Source; 7) the transmission source node N_Source receives the first key announcement acknowledgement packet; wherein all of the first key announcement packet, the second key announcement packet and the third key announcement packet include a communication key KEY_S-D between the transmission source node N_Source and the destination node N_Destination. With such a solution, keys among legal nodes of a local area network can be established and updated flexibly.

Description

Method, system and device for establishing a communication key between nodes
This application claims priority to Chinese patent application No. 201010159675.2, filed with the Chinese Patent Office on April 29, 2010 and entitled "Method and system for establishing a communication key between nodes", the entire contents of which are incorporated herein by reference.
Technical field
The present invention relates to the field of communication network applications, and in particular to a method, system and device for establishing a communication key between nodes.
Background
Wired LANs are generally broadcast networks: data sent by one node can be received by every other node. All nodes on the network share one channel, which is a great security risk, because an attacker only needs to attach to the network and listen in order to capture every packet on it. The LAN defined by the existing national standard GB/T 15629.3 (corresponding to IEEE 802.3 or ISO/IEC 8802-3) does not provide a data confidentiality method, so an attacker can easily steal key information.
In wired LANs, the IEEE implements link-layer security through security enhancements to IEEE 802.3. IEEE 802.1AE provides a data encryption protocol for protecting Ethernet and uses hop-by-hop encryption to transfer data securely between network nodes. This measure imposes a huge computational burden on the switching devices in the LAN, which makes the switching devices attractive targets for attackers; it also increases the delay of a data packet from the sending node to the destination node and so reduces network transmission efficiency.
The topology of a wired LAN is comparatively complex and the number of nodes involved is comparatively large, so data communication in the network is comparatively complex; terminals and switching devices are collectively referred to as nodes. If static keys were assigned between LAN nodes to secure inter-node communication, the process of allocating and updating them would be extremely complicated.
Summary of the invention
In order to solve the above problems of the prior art, the embodiments of the present invention provide a method, a system and a device for establishing an inter-node communication key, which allow keys to be flexibly established and updated between the legitimate nodes of a local area network.
The technical solution of the present invention is as follows. The present invention is a method for establishing a communication key between nodes, comprising the following steps:
1) the sending source node N_Source sends a first key announcement packet to the switching device SW_First;
2) the switching device SW_First sends a second key announcement packet to the switching device SW_Last;
3) the switching device SW_Last sends a third key announcement packet to the destination node N_Destination;
4) the destination node N_Destination sends a third key announcement response packet to the switching device SW_Last;
5) the switching device SW_Last sends a second key announcement response packet to the switching device SW_First;
6) the switching device SW_First sends a first key announcement response packet to the sending source node N_Source;
7) the sending source node N_Source receives the first key announcement response packet;
wherein the first key announcement packet, the second key announcement packet and the third key announcement packet all contain the communication key KEY_S-D between the sending source node N_Source and the destination node N_Destination.
A system for establishing an inter-node communication key comprises: a sending source node N_Source, which sends a first key announcement packet to the switching device SW_First and receives the first key announcement response packet sent by SW_First; a switching device SW_First, which receives the first key announcement packet sent by N_Source, sends a second key announcement packet to the switching device SW_Last, receives the second key announcement response packet sent by SW_Last and sends the first key announcement response packet to N_Source; a switching device SW_Last, which receives the second key announcement packet sent by SW_First, sends a third key announcement packet to the destination node N_Destination, receives the third key announcement response packet sent by N_Destination and sends the second key announcement response packet to SW_First; and a destination node N_Destination, which receives the third key announcement packet sent by SW_Last and sends the third key announcement response packet to SW_Last. The first key announcement packet, the second key announcement packet and the third key announcement packet all contain the communication key KEY_S-D between the sending source node N_Source and the destination node N_Destination.
A device, which is a terminal device or a switching device, comprises:
a key announcement module for, when the device is the sending source node N_Source, sending a first key announcement packet to the first switching device SW_First, the first key announcement packet containing the communication key KEY_S-D between N_Source and the destination node N_Destination, so that the first switching device SW_First and the second switching device SW_Last deliver KEY_S-D to N_Destination;
a receiving module for, when the device is the sending source node N_Source, receiving the first key announcement response packet sent by SW_First and, once that packet has been verified, communicating between N_Source and N_Destination using the communication key KEY_S-D.
The advantages of the present invention are: the communication key between the sending source node N_Source and the destination node N_Destination is generated on the fly by N_Source and announced hop by hop to N_Destination over the secure connection channels that have already been established. The process of establishing and updating the shared key between nodes can be triggered by N_Source initiating it. With this method, legitimate nodes of the local area network can flexibly establish and update keys between themselves, without the administrator having to deploy a shared static key between every pair of nodes in the whole network.
Brief description of the drawings
图 1为本发明所提供的节点间通信密钥建立过程示意图。  FIG. 1 is a schematic diagram of a process of establishing an inter-node communication key according to the present invention.
具体实施方式 detailed description
A node N (Node) as defined in the present invention is a user terminal STA (STAtion) or a switching device SW (SWitch) in a local area network. Physical-layer devices in the LAN, such as hubs, are not treated as nodes.

It is assumed that every switching device and each user terminal adjacent to it have already established a secure connection, i.e. already share a key, through pre-distribution or some other security mechanism, and likewise that every pair of switching devices has already established a secure connection and shares a key.

The establishment of a communication key between the sending source node N_Source and the destination node N_Destination is taken as the example. The switching device SW_First is the first switching device traversed by packets travelling from N_Source to N_Destination, and the switching device SW_Last is the last switching device traversed by packets travelling from N_Source to N_Destination.

Under the above assumptions, N_Source and SW_First have established a secure connection whose shared key is denoted KEY_S; N_Destination and SW_Last have established a secure connection whose shared key is denoted KEY_D; and SW_First and SW_Last have established a secure connection whose shared key is denoted KEY_F-L.

Referring to Figure 1, the method for establishing an inter-node communication key provided by the present invention establishes the communication key between N_Source and N_Destination as follows:
1) The sending source node N_Source sends key announcement packet 1 to the switching device SW_First.

Key announcement packet 1 consists of the following fields:

ID_Destination | E1(KEY_S-D) | MIC1

where:

ID_Destination field: the identifier of the destination node N_Destination;

E1(KEY_S-D) field: key material, namely KEY_S-D encrypted by N_Source with the key KEY_S it shares with SW_First; KEY_S-D is a random number generated by N_Source and serves as the communication key with N_Destination;

MIC1 field: message integrity check code, a hash value computed by N_Source with a hash function keyed with KEY_S (the key it shares with SW_First) over all fields of key announcement packet 1 other than this one.
2) The switching device SW_First sends key announcement packet 2 to the switching device SW_Last.

On receiving key announcement packet 1, SW_First proceeds as follows:

2.1) It verifies MIC1 using the key KEY_S it shares with N_Source; if MIC1 is incorrect, it discards the packet; otherwise it executes 2.2);

2.2) It decrypts the E1(KEY_S-D) field using the key KEY_S it shares with N_Source, obtaining the inter-node communication key KEY_S-D;

2.3) It constructs key announcement packet 2 and sends it to SW_Last.

Key announcement packet 2 consists of the following fields:

ID_Source | ID_Destination | E2(KEY_S-D) | MIC2

where:

ID_Source field: the identifier of the sending source node N_Source;

ID_Destination field: the identifier of the destination node N_Destination, with the same value as the ID_Destination field of the received key announcement packet 1;

E2(KEY_S-D) field: key material, namely the decrypted inter-node communication key KEY_S-D re-encrypted by SW_First with the key KEY_F-L it shares with SW_Last;

MIC2 field: message integrity check code, a hash value computed by SW_First with a hash function keyed with KEY_F-L (the key it shares with SW_Last) over all fields of key announcement packet 2 other than this one.
3) The switching device SW_Last sends key announcement packet 3 to the destination node N_Destination.

On receiving key announcement packet 2, SW_Last proceeds as follows:

3.1) It verifies MIC2 using the key KEY_F-L it shares with SW_First; if MIC2 is incorrect, it discards the packet; otherwise it executes 3.2);

3.2) It decrypts the E2(KEY_S-D) field using the key KEY_F-L it shares with SW_First, obtaining the inter-node communication key KEY_S-D;

3.3) It constructs key announcement packet 3 and sends it to N_Destination.

Key announcement packet 3 consists of the following fields:

ID_Source | E3(KEY_S-D) | MIC3

where:

ID_Source field: the identifier of the sending source node N_Source, with the same value as the ID_Source field of the received key announcement packet 2;

E3(KEY_S-D) field: key material, namely the decrypted inter-node communication key KEY_S-D re-encrypted by SW_Last with the key KEY_D it shares with N_Destination;

MIC3 field: message integrity check code, a hash value computed by SW_Last with a hash function keyed with KEY_D (the key it shares with N_Destination) over all fields of key announcement packet 3 other than this one.
4) The destination node N_Destination sends key announcement response packet 3 to the switching device SW_Last.

On receiving key announcement packet 3, N_Destination proceeds as follows:

4.1) It verifies MIC3 using the key KEY_D it shares with SW_Last; if MIC3 is incorrect, it discards the packet; otherwise it executes 4.2);

4.2) It decrypts the E3(KEY_S-D) field using the key KEY_D it shares with SW_Last, obtaining the inter-node communication key KEY_S-D, which is the communication key between N_Destination and N_Source;

4.3) It constructs key announcement response packet 3 and sends it to SW_Last.

Key announcement response packet 3 consists of the following fields:

ID_Source | MIC4

where:

ID_Source field: the identifier of the sending source node N_Source, with the same value as the ID_Source field of the received key announcement packet 3;

MIC4 field: message integrity check code, a hash value computed by N_Destination with a hash function keyed with KEY_D (the key it shares with SW_Last) over all fields of key announcement response packet 3 other than this one.
5) The switching device SW_Last sends key announcement response packet 2 to the switching device SW_First.

On receiving key announcement response packet 3, SW_Last proceeds as follows:

5.1) It compares the ID_Source field with the ID_Source field of the key announcement packet 3 it sent earlier; if they differ, it discards the packet; otherwise it executes 5.2);

5.2) It verifies MIC4 using the key KEY_D it shares with N_Destination; if MIC4 is incorrect, it discards the packet; otherwise it executes 5.3);

5.3) It constructs key announcement response packet 2 and sends it to SW_First.

Key announcement response packet 2 consists of the following fields:

ID_Source | ID_Destination | MIC5

where:

ID_Source field: the identifier of the sending source node N_Source, with the same value as the ID_Source field of the received key announcement packet 2;

ID_Destination field: the identifier of the destination node N_Destination, with the same value as the ID_Destination field of the received key announcement packet 2;

MIC5 field: message integrity check code, a hash value computed by SW_Last with a hash function keyed with KEY_F-L (the key it shares with SW_First) over all fields of key announcement response packet 2 other than this one.
6) The switching device SW_First sends key announcement response packet 1 to the sending source node N_Source.

On receiving key announcement response packet 2, SW_First proceeds as follows:

6.1) It checks that the ID_Source and ID_Destination fields of the packet match the corresponding fields of the key announcement packet 2 it sent earlier to SW_Last; if they differ, it discards the packet; otherwise it executes 6.2);

6.2) It verifies MIC5 using the key KEY_F-L it shares with SW_Last; if MIC5 is incorrect, it discards the packet; otherwise it executes 6.3);

6.3) It constructs key announcement response packet 1 and sends it to N_Source.

Key announcement response packet 1 consists of the following fields:

ID_Destination | MIC6

where:

ID_Destination field: the identifier of the destination node N_Destination, with the same value as the ID_Destination field of the received key announcement packet 1;

MIC6 field: message integrity check code, a hash value computed by SW_First with a hash function keyed with KEY_S (the key it shares with N_Source) over all fields of key announcement response packet 1 other than this one.
7) The sending source node N_Source receives key announcement response packet 1.

On receiving key announcement response packet 1, N_Source proceeds as follows:

7.1) It checks that the ID_Destination field matches the ID_Destination field of the key announcement packet 1 it sent earlier to SW_First; if they differ, it discards the packet; otherwise it executes 7.2);

7.2) It verifies MIC6 using the key KEY_S it shares with SW_First; if MIC6 is incorrect, it discards the packet; otherwise the establishment of the communication key KEY_S-D between N_Source and N_Destination is complete, and from then on N_Source and N_Destination can use KEY_S-D for confidential communication.
When the sending source node N_Source needs to establish a communication key with the destination node N_Destination using the above scheme, N_Source may additionally generate a value that identifies this key establishment exchange; the identifier may be a clock value, a sequence number or a random number, and it is carried in every message. Correspondingly, on receiving key announcement response packet 3, SW_Last must verify that the identifier in the packet matches the identifier in the key announcement packet 2 it received earlier; on receiving key announcement response packet 2, SW_First must verify that the identifier matches the one in the key announcement packet 1 it received earlier; and on receiving key announcement response packet 1, N_Source must verify that the identifier matches the one in the key announcement packet 1 it sent earlier.

Alternatively, when implementing the above scheme, N_Source, SW_First and SW_Last may each independently generate a value as an announcement identifier when sending key announcement packets 1, 2 and 3 respectively, and carry it in that packet; the announcement identifier may be a clock value, a sequence number or a random number. Correspondingly, on receiving key announcement response packets 3, 2 and 1 respectively, SW_Last, SW_First and N_Source must each verify that the announcement identifier in the response matches the identifier in the packet they sent earlier.
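The seven-step exchange above, including the per-exchange identifier of the first variant, carried end to end in one process as an added example. This is not code from the patent or its assignees: the patent fixes neither the cipher nor the hash function, so HMAC-SHA256 is assumed for the MICs and an HMAC-derived keystream stands in for the encryption of the key material in E1/E2/E3; the node identifiers, the 16-byte length of KEY_S-D, the field name TXN for the exchange identifier and the length prefix inside the MIC are constructed for the example. It goes one step beyond the text by letting an on-path party modify packet 2 in transit, to show where the discard rule fires.

```python
"""Added example: hop-by-hop key announcement (steps 1-7), not the patent's code.
Assumed: HMAC-SHA256 for MICs, HMAC-keystream stand-in for the unspecified cipher,
16-byte KEY_S-D, constructed node identifiers and a TXN exchange identifier."""
import hashlib
import hmac
import os


def mic(key: bytes, fields: dict) -> bytes:
    """Keyed hash over every packet field except the MIC itself (assumed HMAC-SHA256).
    Each field is name- and length-prefixed so moving bytes between fields changes the MIC."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for name, value in fields.items():
        if name != "MIC":
            h.update(name.encode() + len(value).to_bytes(2, "big") + value)
    return h.digest()


def seal(key: bytes, fields: dict) -> dict:
    """Append the MIC computed under the hop key shared with the next node."""
    pkt = dict(fields)
    pkt["MIC"] = mic(key, pkt)
    return pkt


def verify(key: bytes, pkt: dict) -> bool:
    """The receiver's MIC check; False means 'discard the packet'."""
    return hmac.compare_digest(pkt.get("MIC", b""), mic(key, pkt))


def encrypt(key: bytes, key_material: bytes) -> bytes:
    """Stand-in cipher: fresh 16-byte IV, XOR with the 32-byte HMAC(key, IV) keystream."""
    iv = os.urandom(16)
    stream = hmac.new(key, iv, hashlib.sha256).digest()
    return iv + bytes(p ^ s for p, s in zip(key_material, stream))


def decrypt(key: bytes, blob: bytes) -> bytes:
    iv, body = blob[:16], blob[16:]
    stream = hmac.new(key, iv, hashlib.sha256).digest()
    return bytes(c ^ s for c, s in zip(body, stream))


def run_exchange(key_s: bytes, key_fl: bytes, key_d: bytes, tamper_pkt2=None):
    """Steps 1-7 with KEY_S (N_Source/SW_First), KEY_F-L (SW_First/SW_Last) and
    KEY_D (SW_Last/N_Destination). Returns (KEY_S-D held by N_Source, KEY_S-D held by
    N_Destination); raises ValueError wherever the text says 'discard the packet'.
    tamper_pkt2, if given, rewrites key announcement packet 2 in transit."""
    id_src, id_dst = b"STA-source", b"STA-destination"   # constructed identifiers
    key_sd = os.urandom(16)   # random number generated by N_Source: KEY_S-D
    txn = os.urandom(8)       # exchange identifier, carried in every message

    # 1) N_Source -> SW_First: ID_Destination | E1(KEY_S-D) | MIC1 under KEY_S
    pkt1 = seal(key_s, {"TXN": txn, "ID_Destination": id_dst, "E1": encrypt(key_s, key_sd)})

    # 2) SW_First: 2.1 verify MIC1, 2.2 recover KEY_S-D, 2.3 re-wrap it under KEY_F-L
    if not verify(key_s, pkt1):
        raise ValueError("SW_First: MIC1 incorrect, packet discarded")
    k = decrypt(key_s, pkt1["E1"])
    pkt2 = seal(key_fl, {"TXN": pkt1["TXN"], "ID_Source": id_src,
                         "ID_Destination": pkt1["ID_Destination"], "E2": encrypt(key_fl, k)})
    if tamper_pkt2:
        pkt2 = tamper_pkt2(pkt2)

    # 3) SW_Last: 3.1 verify MIC2, 3.2 recover KEY_S-D, 3.3 re-wrap it under KEY_D
    if not verify(key_fl, pkt2):
        raise ValueError("SW_Last: MIC2 incorrect, packet discarded")
    k = decrypt(key_fl, pkt2["E2"])
    pkt3 = seal(key_d, {"TXN": pkt2["TXN"], "ID_Source": pkt2["ID_Source"], "E3": encrypt(key_d, k)})

    # 4) N_Destination: 4.1 verify MIC3, 4.2 recover KEY_S-D, 4.3 reply ID_Source | MIC4
    if not verify(key_d, pkt3):
        raise ValueError("N_Destination: MIC3 incorrect, packet discarded")
    key_at_dst = decrypt(key_d, pkt3["E3"])
    rsp3 = seal(key_d, {"TXN": pkt3["TXN"], "ID_Source": pkt3["ID_Source"]})

    # 5) SW_Last: 5.1 ID_Source (and TXN from packet 2) must match, 5.2 verify MIC4
    if rsp3["ID_Source"] != pkt3["ID_Source"] or rsp3["TXN"] != pkt2["TXN"]:
        raise ValueError("SW_Last: response does not match announcement, discarded")
    if not verify(key_d, rsp3):
        raise ValueError("SW_Last: MIC4 incorrect, packet discarded")
    rsp2 = seal(key_fl, {"TXN": rsp3["TXN"], "ID_Source": pkt2["ID_Source"],
                         "ID_Destination": pkt2["ID_Destination"]})

    # 6) SW_First: 6.1 both IDs match packet 2 sent, TXN matches packet 1 received, 6.2 verify MIC5
    if (rsp2["ID_Source"], rsp2["ID_Destination"], rsp2["TXN"]) != (
            pkt2["ID_Source"], pkt2["ID_Destination"], pkt1["TXN"]):
        raise ValueError("SW_First: response does not match announcement, discarded")
    if not verify(key_fl, rsp2):
        raise ValueError("SW_First: MIC5 incorrect, packet discarded")
    rsp1 = seal(key_s, {"TXN": rsp2["TXN"], "ID_Destination": pkt1["ID_Destination"]})

    # 7) N_Source: 7.1 ID_Destination and TXN match packet 1 it sent, 7.2 verify MIC6
    if rsp1["ID_Destination"] != id_dst or rsp1["TXN"] != txn:
        raise ValueError("N_Source: response does not match announcement, discarded")
    if not verify(key_s, rsp1):
        raise ValueError("N_Source: MIC6 incorrect, packet discarded")
    return key_sd, key_at_dst


def flip_last_byte_of_e2(pkt: dict) -> dict:
    """On-path modification of the wrapped key in packet 2; MIC2 then fails at SW_Last."""
    pkt = dict(pkt)
    pkt["E2"] = pkt["E2"][:-1] + bytes([pkt["E2"][-1] ^ 0x01])
    return pkt


if __name__ == "__main__":
    hop_keys = [os.urandom(16) for _ in range(3)]
    src, dst = run_exchange(*hop_keys)
    print("both ends hold the same KEY_S-D:", src == dst)
    try:
        run_exchange(*hop_keys, tamper_pkt2=flip_last_byte_of_e2)
    except ValueError as e:
        print("tampered packet 2:", e)
```

Run stand-alone, the block reports that both ends hold the same KEY_S-D and then the discard raised when packet 2 is modified in transit. Two points about the scheme that the code makes visible: SW_First and SW_Last each recover KEY_S-D in the clear (steps 2.2 and 3.2), so the key's confidentiality rests on the switches on the path as much as on the hop keys; and each MIC binds a single hop only, so the identifier checks of steps 5.1, 6.1 and 7.1 are what tie a response to a particular announcement rather than any end-to-end authentication between N_Source and N_Destination.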
A system for establishing an inter-node communication key comprises: a sending source node N_Source, which sends key announcement packet 1 to the switching device SW_First and receives key announcement response packet 1 sent by SW_First; a switching device SW_First, which receives key announcement packet 1 sent by N_Source, sends key announcement packet 2 to the switching device SW_Last, receives key announcement response packet 2 sent by SW_Last, and sends key announcement response packet 1 to N_Source; a switching device SW_Last, which receives key announcement packet 2 sent by SW_First, sends key announcement packet 3 to the destination node N_Destination, receives key announcement response packet 3 sent by N_Destination, and sends key announcement response packet 2 to SW_First; and a destination node N_Destination, which receives key announcement packet 3 sent by SW_Last and sends key announcement response packet 3 to SW_Last.
An apparatus, which may be a terminal device or a switching device, may comprise: a key announcement module, for, when the apparatus is the sending source node N_Source, sending a first key announcement packet to the first switching device SW_First, the first key announcement packet containing the communication key KEY_S-D between the sending source node N_Source and the destination node N_Destination, so that the first switching device SW_First and the second switching device SW_Last forward the communication key KEY_S-D to the destination node N_Destination; and a receiving module, for, when the apparatus is the sending source node N_Source, receiving the first key announcement response packet sent by the first switching device SW_First; once verification of the first key announcement response packet passes, the sending source node N_Source and the destination node N_Destination communicate using the communication key KEY_S-D.
The apparatus may further comprise:

an announcement response module, for, when the apparatus is the destination node N_Destination, receiving the third key announcement packet sent by the second switching device SW_Last, extracting from it the communication key KEY_S-D between the sending source node N_Source and the destination node N_Destination, and constructing a third key announcement response packet to send to SW_Last, so that SW_Last sends a second key announcement response packet to the first switching device SW_First, and SW_First sends a first key announcement response packet to N_Source.

The apparatus may further comprise:

a first announcement module, for, when the apparatus is the first switching device SW_First, receiving the first key announcement packet sent by the sending source node N_Source, extracting from it the communication key KEY_S-D between N_Source and N_Destination, and constructing a second key announcement packet to send to the second switching device SW_Last, the second key announcement packet delivering KEY_S-D to SW_Last so that SW_Last forwards the communication key KEY_S-D to the destination node N_Destination; and for receiving the second key announcement response packet sent by SW_Last and constructing a first key announcement response packet to send to N_Source.

The apparatus may further comprise:

a second announcement module, for, when the apparatus is the second switching device SW_Last, receiving the second key announcement packet sent by the first switching device SW_First, extracting from it the communication key KEY_S-D between N_Source and N_Destination, and constructing a third key announcement packet to send to the destination node N_Destination, the third key announcement packet delivering KEY_S-D to N_Destination; and for receiving the third key announcement response packet sent by N_Destination and constructing a second key announcement response packet to send to SW_First, so that SW_First sends the first key announcement response packet to the sending source node N_Source.

Claims
1. A method for establishing an inter-node communication key, characterized in that the method comprises the following steps:

1) the sending source node N_Source sends a first key announcement packet to the switching device SW_First;

2) the switching device SW_First sends a second key announcement packet to the switching device SW_Last;

3) the switching device SW_Last sends a third key announcement packet to the destination node N_Destination;

4) the destination node N_Destination sends a third key announcement response packet to the switching device SW_Last;

5) the switching device SW_Last sends a second key announcement response packet to the switching device SW_First;

6) the switching device SW_First sends a first key announcement response packet to the sending source node N_Source;

7) the sending source node N_Source receives the first key announcement response packet;

wherein the first key announcement packet, the second key announcement packet and the third key announcement packet each contain the communication key KEY_S-D between the sending source node N_Source and the destination node N_Destination.
2. The method for establishing an inter-node communication key according to claim 1, characterized in that in step 1) the first key announcement packet comprises an ID_Destination field, an E1(KEY_S-D) field and a MIC1 field, wherein:

ID_Destination field: the identifier of the destination node N_Destination;

E1(KEY_S-D) field: key material, namely KEY_S-D encrypted by the sending source node N_Source with the key KEY_S shared between N_Source and the switching device SW_First; KEY_S-D is a random number generated by N_Source and serves as the communication key with the destination node N_Destination;

MIC1 field: message integrity check code, a hash value computed by the sending source node N_Source with a hash function keyed with KEY_S, the key shared between N_Source and SW_First, over all fields of the first key announcement packet other than this one.
3. The method for establishing an inter-node communication key according to claim 2, characterized in that in step 2) the switching device SW_First, after receiving the first key announcement packet, sends the second key announcement packet to the switching device SW_Last,

the switching device SW_First sending the second key announcement packet to the switching device SW_Last specifically comprising:

2.1) verifying MIC1 using the key KEY_S shared between the switching device SW_First and the sending source node N_Source; if MIC1 is incorrect, discarding the packet; otherwise executing 2.2);

2.2) decrypting the E1(KEY_S-D) field using the key KEY_S shared between the switching device SW_First and the sending source node N_Source, obtaining the inter-node communication key KEY_S-D;

2.3) constructing the second key announcement packet and sending it to the switching device SW_Last, the second key announcement packet comprising an ID_Source field, an ID_Destination field, an E2(KEY_S-D) field and a MIC2 field;

wherein:

ID_Source field: the identifier of the sending source node N_Source;

ID_Destination field: the identifier of the destination node N_Destination, with the same value as the ID_Destination field of the received first key announcement packet;

E2(KEY_S-D) field: key material, namely the decrypted inter-node communication key KEY_S-D encrypted by the switching device SW_First with the key KEY_F-L shared between SW_First and the switching device SW_Last;

MIC2 field: message integrity check code, a hash value computed by the switching device SW_First with a hash function keyed with KEY_F-L, the key shared between SW_First and SW_Last, over all fields of the second key announcement packet other than this one.
4. The method for establishing an inter-node communication key according to claim 3, characterized in that in step 3) the switching device SW_Last, after receiving the second key announcement packet, sends the third key announcement packet to the destination node N_Destination,

the switching device SW_Last sending the third key announcement packet to the destination node N_Destination specifically comprising:

3.1) verifying MIC2 using the key KEY_F-L shared between the switching device SW_Last and the switching device SW_First; if MIC2 is incorrect, discarding the packet; otherwise executing 3.2);

3.2) decrypting the E2(KEY_S-D) field using the key KEY_F-L shared between the switching device SW_Last and the switching device SW_First, obtaining the inter-node communication key KEY_S-D;

3.3) constructing the third key announcement packet and sending it to the destination node N_Destination, the third key announcement packet comprising an ID_Source field, an E3(KEY_S-D) field and a MIC3 field; wherein:

ID_Source field: the identifier of the sending source node N_Source, with the same value as the ID_Source field of the received second key announcement packet;

E3(KEY_S-D) field: key material, namely the decrypted inter-node communication key KEY_S-D encrypted by the switching device SW_Last with the key KEY_D shared between SW_Last and the destination node N_Destination;

MIC3 field: message integrity check code, a hash value computed by the switching device SW_Last with a hash function keyed with KEY_D, the key shared between SW_Last and the destination node N_Destination, over all fields of the third key announcement packet other than this one.
5. The method for establishing an inter-node communication key according to claim 4, characterized in that in step 4) the destination node N_Destination, after receiving the third key announcement packet, sends the third key announcement response packet to the switching device SW_Last,

the destination node N_Destination sending the third key announcement response packet to the switching device SW_Last specifically comprising:

4.1) verifying MIC3 using the key KEY_D shared with the switching device SW_Last; if MIC3 is incorrect, discarding the packet; otherwise executing 4.2);

4.2) decrypting the E3(KEY_S-D) field using the key KEY_D shared with the switching device SW_Last, obtaining the inter-node communication key KEY_S-D, which is the communication key between the destination node N_Destination and the sending source node N_Source;

4.3) constructing the third key announcement response packet and sending it to the switching device SW_Last, the third key announcement response packet comprising an ID_Source field and a MIC4 field; wherein:

ID_Source field: the identifier of the sending source node N_Source, with the same value as the ID_Source field of the received third key announcement packet;

MIC4 field: message integrity check code, a hash value computed by the destination node N_Destination with a hash function keyed with KEY_D, the key shared between N_Destination and the switching device SW_Last, over all fields of the third key announcement response packet other than this one.
6. The method for establishing an inter-node communication key according to claim 5, characterized in that in step 5) the switching device SW_Last, after receiving the third key announcement response packet, sends the second key announcement response packet to the switching device SW_First,
and that the switching device SW_Last sending the second key announcement response packet to the switching device SW_First specifically comprises:
5.1) comparing whether the ID_Source field is consistent with the value of the ID_Source field in the previously sent third key announcement packet; if not, discarding the packet; otherwise, performing 5.2);
5.2) verifying, with the key KEY_D shared with the destination node N_Destination, whether MIC3 is correct; if it is incorrect, discarding the packet; otherwise, performing 5.3);
5.3) constructing a second key announcement response packet and sending it to the switching device SW_First, the second key announcement response packet comprising an ID_Source field, an ID_Destination field and a MIC5 field, wherein:
ID_Source field: indicates the identifier of the sending source node N_Source; its value is the same as the value of the ID_Source field in the received second key announcement packet;
ID_Destination field: indicates the identifier of the destination node N_Destination; its value is the same as the value of the ID_Destination field in the received second key announcement packet;
MIC5 field: indicates the message integrity check code, a hash value computed by the switching device SW_Last, using a hash function with the key KEY_F_L it shares with the switching device SW_First, over all fields of the second key announcement response packet other than this field.
7. The method for establishing an inter-node communication key according to claim 6, characterized in that in step 6) the switching device SW_First, after receiving the second key announcement response packet, sends the first key announcement response packet to the sending source node N_Source,
and that the switching device SW_First sending the first key announcement response packet to the sending source node N_Source specifically comprises:
6.1) checking whether the ID_Source field and the ID_Destination field of the packet are consistent with the corresponding field values in the second key announcement packet previously sent to the switching device SW_Last; if not, discarding the packet; otherwise, performing 6.2);
6.2) verifying, with the key KEY_F_L shared with the switching device SW_Last, whether MIC5 is correct; if it is incorrect, discarding the packet; otherwise, performing 6.3);
6.3) constructing a first key announcement response packet and sending it to the sending source node N_Source, the first key announcement response packet comprising an ID_Destination field and a MIC6 field, wherein:
ID_Destination field: indicates the identifier of the destination node N_Destination; its value is the same as the value of the ID_Destination field in the received first key announcement packet;
MIC6 field: indicates the message integrity check code, a hash value computed by the switching device SW_First, using a hash function with the key KEY_S it shares with the sending source node N_Source, over all fields of the first key announcement response packet other than this field.
8. The method for establishing an inter-node communication key according to claim 7, characterized in that step 7) is specifically implemented as:
7.1) checking whether the ID_Destination field in the first key announcement response packet is consistent with the value of the ID_Destination field in the first key announcement packet previously sent to the switching device SW_First; if not, discarding the packet; otherwise, performing 7.2);
7.2) verifying, with the key KEY_S shared with the switching device SW_First, whether MIC6 is correct; if it is incorrect, discarding the packet; otherwise, the process of establishing the communication key KEY_S_D between the sending source node N_Source and the destination node N_Destination is complete, and thereafter the sending source node N_Source and the destination node N_Destination use the communication key KEY_S_D for secret communication.
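The hop-by-hop exchange of claims 4 to 8, as an added Python simulation that is not part of the patent: N_Source encrypts KEY_S_D for SW_First, each switching device verifies the MIC and re-encrypts the key under its next hop key, and each response on the way back is checked against the identifiers that hop sent earlier. The MIC is assumed to be HMAC-SHA256 (the claims say only "hash function"), wrap() is a stand-in for the unspecified cipher, and every key, identifier and the tampered packet are constructed.

```python
import hashlib, hmac, os

def mic(key, *fields):
    """MIC over every field of a packet except the MIC itself (HMAC-SHA256 assumed)."""
    return hmac.new(key, b"|".join(fields), hashlib.sha256).digest()

def wrap(key, label, data):
    """Stand-in for E_i(KEY_S_D): XOR of a 32-byte key with a keyed pad (self-inverse).
    Not the patent's cipher; a deployment would use an AEAD or key-wrap primitive."""
    assert len(data) == 32
    pad = hmac.new(key, b"wrap|" + label, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, pad))

def check(cond, what):
    if not cond:                                 # every receiver discards on a failed check
        raise ValueError("discard packet: " + what)

def run_exchange(key_s, key_fl, key_d, id_src=b"N_Source", id_dst=b"N_Dest", tamper=False):
    """Carry KEY_S_D from N_Source via SW_First and SW_Last to N_Destination, then walk the
    three responses back. Hop keys KEY_S, KEY_F_L, KEY_D are constructed inputs."""
    key_sd = os.urandom(32)                      # inter-node key chosen by N_Source
    # 1) N_Source -> SW_First: first announcement (ID_Dest, E1, MIC1) under KEY_S
    e1 = wrap(key_s, id_dst, key_sd)
    p1 = (id_dst, e1, mic(key_s, id_dst, e1))
    # SW_First: verify MIC1, recover KEY_S_D, re-encrypt it for SW_Last
    check(hmac.compare_digest(p1[2], mic(key_s, *p1[:2])), "MIC1")
    k_first = wrap(key_s, p1[0], p1[1])
    # 2) SW_First -> SW_Last: second announcement (ID_Source, ID_Dest, E2, MIC2) under KEY_F_L
    e2 = wrap(key_fl, id_src + id_dst, k_first)
    p2 = (id_src, id_dst, e2, mic(key_fl, id_src, id_dst, e2))
    # SW_Last: verify MIC2, recover KEY_S_D, re-encrypt it for N_Destination
    check(hmac.compare_digest(p2[3], mic(key_fl, *p2[:3])), "MIC2")
    k_last = wrap(key_fl, p2[0] + p2[1], p2[2])
    # 3) SW_Last -> N_Destination: third announcement (ID_Source, E3, MIC3) under KEY_D
    e3 = wrap(key_d, id_src, k_last)
    p3 = (id_src, e3, mic(key_d, id_src, e3))
    if tamper:                                   # constructed on-path bit flip in E3
        p3 = (p3[0], bytes([p3[1][0] ^ 1]) + p3[1][1:], p3[2])
    # 4.1/4.2) N_Destination: verify MIC3, then decrypt E3 to obtain KEY_S_D
    check(hmac.compare_digest(p3[2], mic(key_d, *p3[:2])), "MIC3")
    key_at_dest = wrap(key_d, p3[0], p3[1])
    # 4.3) N_Destination -> SW_Last: third response (ID_Source, MIC4) under KEY_D
    r3 = (p3[0], mic(key_d, p3[0]))
    # 5.1/5.2) SW_Last: ID_Source must match the announcement it sent; verify the response MIC
    check(r3[0] == p3[0], "ID_Source mismatch")
    check(hmac.compare_digest(r3[1], mic(key_d, r3[0])), "MIC4")
    # 5.3) SW_Last -> SW_First: second response (ID_Source, ID_Dest, MIC5) under KEY_F_L
    r2 = (r3[0], id_dst, mic(key_fl, r3[0], id_dst))
    # 6.1/6.2) SW_First: both IDs must match the second announcement it sent; verify MIC5
    check(r2[:2] == p2[:2], "ID mismatch")
    check(hmac.compare_digest(r2[2], mic(key_fl, *r2[:2])), "MIC5")
    # 6.3) SW_First -> N_Source: first response (ID_Dest, MIC6) under KEY_S
    r1 = (r2[1], mic(key_s, r2[1]))
    # 7.1/7.2) N_Source: ID_Dest must match the first announcement it sent; verify MIC6
    check(r1[0] == p1[0], "ID_Dest mismatch")
    check(hmac.compare_digest(r1[1], mic(key_s, r1[0])), "MIC6")
    return key_sd, key_at_dest

def exchange_agrees(key_s, key_fl, key_d, tamper=False):
    """True when both ends finish with the same KEY_S_D, False when a hop discards."""
    try:
        return len({*run_exchange(key_s, key_fl, key_d, tamper=tamper)}) == 1
    except ValueError:
        return False
```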
9. A system for establishing an inter-node communication key, characterized in that the system comprises: a sending source node N_Source that sends a first key announcement packet to the switching device SW_First and receives the first key announcement response packet sent by the switching device SW_First; a switching device SW_First that receives the first key announcement packet sent by the sending source node N_Source, sends a second key announcement packet to the switching device SW_Last, receives the second key announcement response packet sent by the switching device SW_Last, and sends the first key announcement response packet to the sending source node N_Source; a switching device SW_Last that receives the second key announcement packet sent by the switching device SW_First, sends a third key announcement packet to the destination node N_Destination, receives the third key announcement response packet sent by the destination node N_Destination, and sends the second key announcement response packet to the switching device SW_First; and a destination node N_Destination that receives the third key announcement packet sent by the switching device SW_Last and sends the third key announcement response packet to the switching device SW_Last; wherein the first key announcement packet, the second key announcement packet and the third key announcement packet each contain the communication key KEY_S_D between the sending source node N_Source and the destination node N_Destination.
10. A device, characterized in that the device is a terminal device or a switching device, and the device comprises:
a key announcement module, configured to, when the device is the sending source node N_Source, send a first key announcement packet to the first switching device SW_First, the first key announcement packet containing the communication key KEY_S_D between the sending source node N_Source and the destination node N_Destination, so that the first switching device SW_First and the second switching device SW_Last send the communication key KEY_S_D to the destination node N_Destination; and a receiving module, configured to, when the device is the sending source node N_Source, receive the first key announcement response packet sent by the first switching device SW_First, whereupon, after the first key announcement response packet passes verification, the sending source node N_Source and the destination node N_Destination communicate using the communication key KEY_S_D.
11. The device according to claim 10, characterized in that the device further comprises: an announcement response module, configured to, when the device is the destination node N_Destination, receive the third key announcement packet sent by the second switching device SW_Last, extract from the third key announcement packet the communication key KEY_S_D between the sending source node N_Source and the destination node N_Destination, and construct a third key announcement response packet and send it to the second switching device SW_Last, so that the second switching device SW_Last sends a second key announcement response packet to the first switching device SW_First and the first switching device SW_First sends a first key announcement response packet to the sending source node N_Source.
12. The device according to claim 10, characterized in that the device further comprises: a first announcement module, configured to, when the device is the first switching device SW_First, receive the first key announcement packet sent by the sending source node N_Source, extract from the first key announcement packet the communication key KEY_S_D between the sending source node N_Source and the destination node N_Destination, and construct a second key announcement packet and send it to the second switching device SW_Last, the second key announcement packet carrying the communication key KEY_S_D between the sending source node N_Source and the destination node N_Destination to the second switching device SW_Last so that the second switching device SW_Last sends the communication key KEY_S_D to the destination node N_Destination; and to receive the second key announcement response packet sent by the second switching device SW_Last, and construct a first key announcement response packet and send it to the sending source node N_Source.
13. The device according to claim 10, characterized in that the device further comprises: a second announcement module, configured to, when the device is the second switching device SW_Last, receive the second key announcement packet sent by the first switching device SW_First, extract from the second key announcement packet the communication key KEY_S_D between the sending source node N_Source and the destination node N_Destination, and construct a third key announcement packet and send it to the destination node N_Destination, the third key announcement packet carrying the communication key KEY_S_D between the sending source node N_Source and the destination node N_Destination to the destination node N_Destination; and to receive the third key announcement response packet sent by the destination node N_Destination, and construct a second key announcement response packet and send it to the first switching device SW_First, so that the first switching device SW_First sends a first key announcement response packet to the sending source node N_Source.
Application PCT/CN2011/070475, filed 2011-01-21, priority date 2010-04-29: Establishment method, system and device for communication keys among nodes (WO2011134292A1, en)

Applications Claiming Priority (2)

Application Number | Priority Date | Filing Date | Title
CN201010159675.2 | 2010-04-29 | |
CN2010101596752A (CN101902324B, en) | 2010-04-29 | 2010-04-29 | Method and system for establishing communication key between nodes

Publications (1)

Publication Number | Publication Date
WO2011134292A1 (en) | 2011-11-03

Family

ID=43227548

Family Applications (1)

Application Number | Title | Priority Date | Filing Date
PCT/CN2011/070475 (WO2011134292A1, en) | Establishment method, system and device for communication keys among nodes | 2010-04-29 | 2011-01-21

Country Status (2)

Country | Link
CN (1) | CN101902324B (en)
WO (1) | WO2011134292A1 (en)
Also Published As

Publication number Publication date
CN101902324A (en) 2010-12-01
CN101902324B (en) 2012-11-07

Legal Events

Code | Title / Description
121 | Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 11774283; Country of ref document: EP; Kind code of ref document: A1)
NENP | Non-entry into the national phase (Ref country code: DE)
122 | Ep: pct application non-entry in european phase (Ref document number: 11774283; Country of ref document: EP; Kind code of ref document: A1)