WO2012062077A1 - Machine type communication device group management method and system based on generic bootstrapping architecture - Google Patents

Machine type communication device group management method and system based on generic bootstrapping architecture

Info

Publication number
WO2012062077A1
Authority
WO
WIPO (PCT)
Prior art keywords
mtc device
group
mtc
session key
universal
Prior art date
Application number
PCT/CN2011/071938
Other languages
French (fr)
Chinese (zh)
Inventor
余万涛 (Yu Wantao)
Original Assignee
中兴通讯股份有限公司 (ZTE Corporation)
Priority date
Filing date
Publication date
Application filed by 中兴通讯股份有限公司 (ZTE Corporation)
Publication of WO2012062077A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 63/104 Grouping of entities
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/08 Access security
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 4/00 Services specially adapted for wireless communication networks; Facilities therefor
    • H04W 4/70 Services for machine-to-machine communication [M2M] or machine type communication [MTC]

Definitions

  • The present invention relates to mobile communication systems and MTC (Machine Type Communication) technology, and in particular to a method and system for MTC device group management based on the Generic Bootstrapping Architecture (GBA).
  • Machine type communication is the general term for the set of technologies, and their combinations, that apply wireless communication to realise data communication between machines, and between machines and people.
  • M2M (called MTC in 3GPP) involves two levels: the first is the machine itself, called a smart device in the embedded field; the second is the connection between machines, linking them together through a network.
  • MTC has a very wide range of applications, such as smart metering, remote monitoring, tracking and healthcare, which make daily life more intelligent.
  • Compared with conventional person-to-person communication, MTC devices are numerous and their application areas broad, so the market prospects are huge.
  • Long-range connection technologies mainly include GSM (Global System for Mobile Communications), GPRS (General Packet Radio Service) and UMTS (Universal Mobile Telecommunications System); short-range connection technologies mainly include 802.11b/g, Bluetooth, Zigbee and RFID (Radio Frequency Identification).
  • MTC integrates wireless communication and information technology and supports two-way communication, such as collecting information remotely, setting parameters and sending commands, so it can serve different application scenarios such as security monitoring, vending and goods tracking. Almost every device involved in daily life is therefore a potential service target.
  • GBA (Generic Bootstrapping Architecture): defines a general key agreement mechanism between a terminal and a server.
  • UE (User Equipment): the general term for the terminal device together with its (U)SIM card; the terminal may be a mobile terminal holding the card (such as a mobile phone) or a fixed terminal holding the card (such as a set-top box);
  • (U)SIM card: a SIM card or a USIM (Universal Subscriber Identity Module) card;
  • NAF (Network Application Function): the application server, which implements the business logic of the application and provides service to the terminal after the terminal has been authenticated;
  • BSF (Bootstrapping Server Function): the core network element of GBA.
  • The BSF and the UE authenticate each other with the AKA (Authentication and Key Agreement) protocol and negotiate the session key later used for communication between the UE and the NAF.
  • The BSF can set the lifetime of the session key according to local policy;
  • HSS (Home Subscriber Server): stores the authentication data held in the terminal's (U)SIM card, such as the key Ki of a SIM (Subscriber Identity Module) card;
  • SLF (Subscriber Locator Function): queried by the BSF to obtain the name of the HSS that stores the relevant subscriber data.
  • After MTC devices are introduced into a mobile communication system, their sheer number means that, to reduce network load and save network resources, MTC devices need to be managed as groups. MTC devices can then be controlled, managed and billed on a group basis, which suits operators' needs. It has been proposed that MTC devices be grouped according to whether they are in the same area, have the same MTC feature, or belong to the same MTC user. Furthermore, once MTC devices are grouped, the group information must be protected; otherwise an attacker could masquerade as a group member and obtain the group information.
  • The main object of the present invention is to provide a GBA-based MTC device group management method and system capable of securely managing the MTC devices in an MTC device group.
  • A GBA-based MTC device group management method, applied in a system comprising an MTC device, a BSF and an M2M-SC, the method comprising:
  • when a first MTC device negotiates with the M2M-SC and determines to join the MTC device group whose group identifier is G-ID, a first session key is established between the first MTC device and the M2M-SC through a first GBA process among the first MTC device, the BSF and the M2M-SC;
  • the M2M-SC encrypts the group identifier G-ID and the group key Kg of the MTC device group with the first session key and sends them to the first MTC device.
  • The MTC device group is created by a second MTC device, and the creation process comprises:
  • when the second MTC device negotiates with the M2M-SC and determines to create the MTC device group, a second session key is established between the second MTC device and the M2M-SC through a second GBA process among the second MTC device, the BSF and the M2M-SC;
  • the M2M-SC creates the group identifier G-ID and the group key Kg of the MTC device group, encrypts the created G-ID and Kg with the second session key and sends them to the second MTC device.
  • The method further comprises: the M2M-SC creates a correspondence list between the G-ID and the user identity and device identity of MTC devices, the list containing the correspondence between the G-ID and the user identity and device identity of the second MTC device;
  • the method further comprises: the M2M-SC updates the correspondence list. Further, before updating the correspondence list, the method further comprises:
  • the M2M-SC sends a join request for the first MTC device to the second MTC device; after the second MTC device decides, on the basis of the received join request, to allow the first MTC device to join, it returns the decision to the M2M-SC, and the M2M-SC, according to that decision,
  • adds the correspondence between the G-ID and the user identity and device identity of the first MTC device to the correspondence list, thereby updating it.
  • The method further comprises: the first MTC device decrypts the received G-ID and Kg with the first session key and stores them in the first MTC device or in the Universal Integrated Circuit Card (UICC) of the first MTC device.
  • The method further comprises: the second MTC device decrypts the received G-ID and Kg with the second session key and stores them in the second MTC device or in the UICC of the second MTC device.
  • The process by which the first MTC device negotiates with the M2M-SC and determines to join the MTC device group whose group identifier is G-ID comprises:
  • the first MTC device sends a negotiation request message to the M2M-SC, the message carrying a request to join the MTC device group with group identifier G-ID;
  • the M2M-SC sends a bootstrapping initialization message to the first MTC device.
  • The process by which the second MTC device negotiates with the M2M-SC and determines to create the MTC device group comprises:
  • the second MTC device sends a negotiation request message to the M2M-SC, the message carrying a request to create an MTC device group;
  • the M2M-SC sends a bootstrapping initialization message to the second MTC device.
  • A GBA-based device group management system, characterised in that the system comprises a first MTC device, a BSF and an M2M-SC; wherein
  • the first MTC device is configured, when it negotiates with the M2M-SC and determines to join the MTC device group whose group identifier is G-ID,
  • to establish a first session key between itself and the M2M-SC through a first GBA process with the BSF and the M2M-SC;
  • the M2M-SC is configured to encrypt the group identifier G-ID and the group key Kg of the MTC device group with the first session key and send them to the first MTC device.
  • The system further comprises a second MTC device that creates the MTC device group;
  • the second MTC device is configured, when it negotiates with the M2M-SC and determines to create the MTC device group, to perform a second GBA process with the BSF and the M2M-SC and establish a second session key between itself and the M2M-SC;
  • the M2M-SC is further configured to create the group identifier G-ID and the group key Kg of the MTC device group, encrypt the created G-ID and Kg with the second session key and send them to the second MTC device.
  • The M2M-SC is further configured, after creating the G-ID and Kg, to create a correspondence list between the G-ID and the user identity and device identity of MTC devices, the list containing the correspondence between the G-ID and the user identity and device identity of the second MTC device; and is further configured to update the correspondence list after obtaining the first session key.
  • The present invention proposes a feasible MTC device grouping method. Because the M2M-SC and every member of an MTC device group hold the G-ID and Kg uniquely corresponding to that group, the group members can be managed securely: even if an attacker masquerades as a group member, it cannot obtain Kg and therefore cannot obtain the group information.
  • FIG. 1 is a schematic diagram of the GBA model in the prior art;
  • FIG. 2 is a schematic diagram of the GBA-based MTC device group management system according to the present invention;
  • FIG. 3 is a schematic flowchart of creating an MTC device group according to the present invention;
  • FIG. 4 is a schematic flowchart of an MTC device joining an MTC device group according to the present invention.
  • The GBA-based MTC device group management method is applied in the system shown in FIG. 2, which comprises an MTC device, a BSF and an M2M-SC (Machine-to-Machine Service Center).
  • An MTC device is a device used for machine-to-machine communication in a mobile communication network and is fitted with a UICC (Universal Integrated Circuit Card); the M2M-SC has a network application function (NAF), group member management functions, and so on.
  • UICC Universal Integrated Circuit Card
  • NAF network application function
  • The GBA-based MTC device group management method has two aspects: creating an MTC device group, and an MTC device joining an MTC device group.
  • The process of creating an MTC device group according to the present invention comprises:
  • Step 301: the MTC device sends a negotiation request message to the M2M-SC, the message carrying a request to create an MTC device group.
  • Step 302: the M2M-SC sends a bootstrapping initialization message to the MTC device.
  • Steps 301-302 mainly concern the MTC device negotiating with the M2M-SC to determine that an MTC device group is to be created.
  • Step 303: a bootstrapping authentication process is performed between the MTC device and the BSF, through which the MTC device and the BSF determine a session key (such as Ks_NAF) for subsequent communication between the MTC device and the M2M-SC.
  • Step 304: a bootstrapping security association process is performed between the MTC device and the M2M-SC, in which the M2M-SC obtains from the BSF the session key for communicating with the MTC device, that is, the session key determined in step 303.
  • Steps 303-304 mainly concern establishing a session key between the MTC device and the M2M-SC through the GBA process among the MTC device, the BSF and the M2M-SC.
  • Step 305: after obtaining the session key, the M2M-SC creates a G-ID (Group Identifier) and a group key Kg according to the request to create the MTC device group, and creates a correspondence list between the G-ID and the user identity (such as the IMSI, International Mobile Subscriber Identity) and device identity (such as the IMEI, International Mobile Equipment Identity) of MTC devices.
  • The correspondence list initially contains only the correspondence between the G-ID and the user identity and device identity of the MTC device that created the group, and is managed and maintained by the M2M-SC.
  • The G-ID binds the user identity and device identity of the MTC device, and the group key Kg is used for security management of the MTC device group; the G-ID is unique and serves as the group key identifier agreed between the MTC device and the M2M-SC, i.e. G-ID and Kg correspond one to one.
  • Step 306: the M2M-SC encrypts the created G-ID and Kg with the session key obtained in step 304 and sends them to the MTC device.
  • The MTC device decrypts the G-ID and Kg with the session key determined in step 303 and stores them. If the bootstrapping process above (steps 301-304) uses GBA_ME, i.e. the bootstrapping is performed on the mobile equipment (ME), the G-ID and Kg may be stored in the MTC device; if it uses GBA_U, i.e. the bootstrapping is performed on the UICC, the G-ID and Kg may be stored in the UICC of the MTC device.
  • The specific details of the bootstrapping process can be found in the existing related specifications and are not described here.
  • Step 401: the MTC device sends a negotiation request message to the M2M-SC, the message carrying a request to join the MTC device group whose group identifier is G-ID.
  • Step 402: the M2M-SC sends a bootstrapping initialization message to the MTC device.
  • Steps 401-402 mainly concern the MTC device negotiating with the M2M-SC to determine which MTC device group to join.
  • Step 403: a bootstrapping authentication process is performed between the MTC device and the BSF, through which the MTC device and the BSF determine a session key (such as Ks_NAF) for subsequent communication between the MTC device and the M2M-SC.
  • Step 404: a bootstrapping security association process is performed between the MTC device and the M2M-SC, in which the M2M-SC obtains from the BSF the session key for communicating with the MTC device, that is, the session key determined in step 403.
  • Steps 403-404 mainly concern establishing a session key between the MTC device and the M2M-SC through the GBA process among the MTC device, the BSF and the M2M-SC.
  • Step 405: after obtaining the session key, the M2M-SC updates the correspondence list between the G-ID and the user identity and device identity of MTC devices according to the request to join the MTC device group, that is, it adds to the existing list the correspondence between the G-ID and the user identity (such as the IMSI) and device identity (such as the IMEI) of the newly joined MTC device.
  • Step 406: the M2M-SC encrypts the G-ID and Kg of the MTC device group with the session key obtained in step 404 and sends them to the MTC device.
  • The MTC device decrypts the G-ID and Kg with the session key determined in step 403 and stores them. If the bootstrapping process above (steps 401-404) uses GBA_ME, the G-ID and Kg may be stored in the MTC device; if it uses GBA_U, the G-ID and Kg may be stored in the UICC of the MTC device. The specific details of the bootstrapping process can be found in the existing related specifications and are not described here.
  • The process of an MTC device joining an MTC device group further comprises: the M2M-SC sends a join request to the MTC device that created the group, the join request carrying information (such as the identity) of the MTC device that wishes to join;
  • the MTC device that created the group decides, according to the information in the join request, whether to allow the device to join, and returns its decision to the M2M-SC;
  • the M2M-SC starts or terminates the join process according to that decision.
  • One MTC device may create several MTC device groups or only one.
  • An MTC device may join several MTC device groups or only one. After joining an MTC device group, an MTC device may also create a new MTC device group; after creating an MTC device group, it may also join other MTC device groups.
  • In each case, the MTC device completes authentication with the M2M-SC according to the normal GBA process.
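The creation and join procedures above (steps 301-306 and 401-406, together with the creator's decision on a join request, which the claims in the Description restate) modelled end to end in Python. This is an added example, not code from the patent or from ZTE: HMAC-SHA256 stands in for 3GPP AKA, for the TS 33.220 key derivation and for the unspecified cipher that protects (G-ID, Kg) under the session key; the NAF identifier, the IMSI/IMEI values, the message layout and the creator's approval policy are all invented for illustration. It also exercises the property the page claims: a device that bootstraps successfully but is refused by the creator never receives Kg, and a message protected under Kg cannot be opened without it.

```python
"""Toy model of the GBA-based MTC group management flow described on this page.
Added example, not the patent's or ZTE's code: HMAC-SHA256 stands in for 3GPP
AKA, the TS 33.220 KDF and the unspecified cipher; NAF_ID, the identities, the
message layout and the creator's approval policy are invented for illustration."""
import hashlib
import hmac
import secrets

NAF_ID = b"m2m-sc.example.net"  # assumed NAF identifier of the M2M-SC


def kdf(key, *parts):
    """Stand-in for the GBA KDF: HMAC-SHA256 over labelled inputs."""
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()


def _keystream(key, nonce, n):
    return b"".join(kdf(key, b"enc", nonce, i.to_bytes(4, "big")) for i in range(n // 32 + 1))[:n]


def protect(key, plaintext):
    """Encrypt-then-MAC under a session or group key: nonce || ct || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(kdf(key, b"mac"), nonce + ct, hashlib.sha256).digest()


def unprotect(key, blob):
    """Check the tag first; returns None (not a guess at plaintext) on a wrong key."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(kdf(key, b"mac"), nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct))))


class BSF:  # Bootstrapping Server Function; the HSS (Ki per IMPI) is folded in
    def __init__(self, hss):
        self.hss, self.ks = hss, {}  # B-TID -> (Ks, RAND, IMPI)

    def bootstrap(self, impi, compute_res):  # Ub: AKA challenge-response, then B-TID
        ki, rand = self.hss[impi], secrets.token_bytes(16)
        if not hmac.compare_digest(compute_res(rand), kdf(ki, b"res", rand)):
            raise PermissionError("AKA failed for " + impi.decode())
        btid = secrets.token_hex(8).encode()
        self.ks[btid] = (kdf(ki, b"ks", rand), rand, impi)
        return btid, rand

    def zn_fetch(self, btid, naf_id):  # Zn: the NAF obtains Ks_NAF and the IMPI
        ks, rand, impi = self.ks[btid]
        return kdf(ks, b"gba-me", rand, impi, naf_id), impi


class MTCDevice:
    def __init__(self, imsi, imei, ki):
        self.impi, self.imei, self.ki, self.groups, self.allowed = imsi, imei, ki, {}, set()

    def run_gba(self, bsf):  # steps 303/403: returns (B-TID, Ks_NAF)
        btid, rand = bsf.bootstrap(self.impi, lambda r: kdf(self.ki, b"res", r))
        return btid, kdf(kdf(self.ki, b"ks", rand), b"gba-me", rand, self.impi, NAF_ID)

    def approve(self, imei):  # the creator's decision on a join request (policy assumed)
        return imei in self.allowed

    def store(self, ks_naf, blob):  # steps 306/406: decrypt (G-ID, Kg), keep them (GBA_ME)
        gid, kg = unprotect(ks_naf, blob).split(b":", 1)
        self.groups[gid] = kg
        return gid


class M2MSC:  # Machine-to-Machine Service Center acting as the GBA NAF
    def __init__(self, bsf):
        self.bsf, self.groups, self.devices = bsf, {}, {}  # G-ID -> record; IMPI -> device

    def create_group(self, btid, imei):  # steps 304-306
        ks_naf, impi = self.bsf.zn_fetch(btid, NAF_ID)
        gid, kg = b"G-" + secrets.token_hex(4).encode(), secrets.token_bytes(32)
        self.groups[gid] = {"kg": kg, "creator": impi, "members": [(impi, imei)]}
        return protect(ks_naf, gid + b":" + kg)

    def join_group(self, btid, imei, gid):  # steps 404-406 plus the creator's decision
        ks_naf, impi = self.bsf.zn_fetch(btid, NAF_ID)
        grp = self.groups[gid]
        if not self.devices[grp["creator"]].approve(imei):
            return None  # join terminated: Kg never leaves the M2M-SC
        grp["members"].append((impi, imei))  # step 405: update the G-ID/IMSI/IMEI list
        return protect(ks_naf, gid + b":" + grp["kg"])


def demo():
    """A creator makes a group, one device is admitted and a third is refused."""
    hss = {i: secrets.token_bytes(16) for i in (b"imsi-1", b"imsi-2", b"imsi-3")}
    sc = M2MSC(bsf := BSF(hss))
    creator, member, outsider = [MTCDevice(i, b"imei-" + i[-1:], hss[i]) for i in hss]
    sc.devices = {d.impi: d for d in (creator, member, outsider)}
    creator.allowed.add(member.imei)  # the creator will admit only this device
    btid, ks_naf = creator.run_gba(bsf)
    gid = creator.store(ks_naf, sc.create_group(btid, creator.imei))
    btid, ks_naf = member.run_gba(bsf)
    member.store(ks_naf, sc.join_group(btid, member.imei, gid))
    btid, ks_naf = outsider.run_gba(bsf)  # a valid subscriber, but not on the creator's list
    refused = sc.join_group(btid, outsider.imei, gid) is None
    msg = protect(creator.groups[gid], b"firmware-rollout:v2")  # group traffic under Kg
    return {"members": len(sc.groups[gid]["members"]), "refused": refused,
            "same_kg": creator.groups[gid] == member.groups[gid],
            "member_reads": unprotect(member.groups[gid], msg) == b"firmware-rollout:v2",
            "outsider_reads": unprotect(secrets.token_bytes(32), msg) is not None}
```

Call demo() to run the whole exchange; the returned dictionary records that the creator and the admitted device end up holding the same Kg, that the refused device is never sent it, and that a message protected under Kg is rejected under any other key. Each device gets a fresh Ks_NAF from its own bootstrapping run, so the M2M-SC learns which IMPI it is talking to from the BSF rather than from the device's own claim, which is what lets it bind the G-ID to the IMSI and IMEI in the correspondence list. The page does not say how the creator's decision travels back to the M2M-SC; the model uses a direct callback, and in a deployment that reply would itself have to be protected, for instance under the creator's own session key, since an unprotected reply could be altered in transit.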
  • The present invention further provides a GBA-based MTC device group management system, comprising a first MTC device, a BSF and an M2M-SC; wherein the first MTC device is configured, when it negotiates with the M2M-SC and determines to join the MTC device group whose group identifier is G-ID, to establish a first session key between itself and the M2M-SC through a first GBA process with the BSF and the M2M-SC;
  • the M2M-SC is configured to encrypt the group identifier G-ID and the group key Kg of the MTC device group with the first session key and send them to the first MTC device.
  • The system further comprises a second MTC device that creates the MTC device group; wherein the second MTC device is configured, when it negotiates with the M2M-SC and determines to create the MTC device group, to establish a second session key between itself and the M2M-SC through a second GBA process with the BSF and the M2M-SC;
  • the M2M-SC is further configured to create the G-ID and Kg, encrypt the created G-ID and Kg with the second session key and send them to the second MTC device.
  • The M2M-SC is further configured, after creating the G-ID and Kg, to create a correspondence list between the G-ID and the user identity and device identity of MTC devices, the list containing the correspondence between the G-ID and the user identity and device identity of the second MTC device; and is further configured to update the correspondence list after obtaining the first session key.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The present invention discloses a Machine Type Communication (MTC) device group management method based on the Generic Bootstrapping Architecture (GBA). The method is applied in a system comprising the MTC device, a Bootstrapping Server Function (BSF) and a Machine-to-Machine Service Center (M2M-SC), and includes the following steps: when a first MTC device negotiates with the M2M-SC and determines to join the MTC device group with group identifier G-ID, a first session key is established between the first MTC device and the M2M-SC via a first GBA process among the first MTC device, the BSF and the M2M-SC; the M2M-SC encrypts, with the first session key, the G-ID and the group key Kg of the MTC device group and transmits them to the first MTC device. With the present invention, the members of an MTC device group can be managed securely.

Description

Method and system for group management of machine type communication devices based on the Generic Bootstrapping Architecture

Technical field

The present invention relates to mobile communication systems and MTC (Machine Type Communication) technology, and in particular to a method and system for MTC device group management based on the Generic Bootstrapping Architecture (GBA).

Background
Machine type communication is the general term for the set of technologies, and their combinations, that apply wireless communication to realise data communication between machines, and between machines and people. M2M (called MTC in 3GPP) involves two levels: the first is the machine itself, called a smart device in the embedded field; the second is the connection between machines, linking them together through a network. MTC has a very wide range of applications, such as smart metering, remote monitoring, tracking and healthcare, which make daily life more intelligent. Compared with conventional person-to-person communication, MTC devices are numerous and their application areas broad, so the market prospects are huge.
In machine type communication, long-range connection technologies mainly include GSM (Global System for Mobile Communications), GPRS (General Packet Radio Service) and UMTS (Universal Mobile Telecommunications System); short-range connection technologies mainly include 802.11b/g, Bluetooth, Zigbee and RFID (Radio Frequency Identification). Because MTC integrates wireless communication and information technology and supports two-way communication, such as collecting information remotely, setting parameters and sending commands, it can serve different application scenarios such as security monitoring, vending and goods tracking. Almost every device involved in daily life is therefore a potential service target.
GBA (Generic Bootstrapping Architecture) defines a general key agreement mechanism between a terminal and a server. As shown in FIG. 1, the main network elements in the GBA model are:
1) UE (User Equipment): the UE is the general term for the terminal device together with its (U)SIM card; the terminal may be a mobile terminal holding the card (such as a mobile phone) or a fixed terminal holding the card (such as a set-top box); in this document, (U)SIM card means a SIM card or a USIM (Universal Subscriber Identity Module) card;
2) NAF (Network Application Function): the application server, which implements the business logic of the application and provides service to the terminal after the terminal has been authenticated;
3) BSF (Bootstrapping Server Function): the BSF is the core network element of GBA. The BSF and the UE authenticate each other with the AKA (Authentication and Key Agreement) protocol and negotiate the session key later used for communication between the UE and the NAF; in addition, the BSF can set the lifetime of the session key according to local policy;
4) HSS (Home Subscriber Server): stores the authentication data held in the terminal's (U)SIM card, such as the key Ki of a SIM (Subscriber Identity Module) card;
5) SLF (Subscriber Locator Function): the BSF queries the SLF to obtain the name of the HSS that stores the relevant subscriber data. The SLF is not needed in a single-HSS environment, nor when the BSF is configured to use a pre-specified HSS.
After MTC devices are introduced into a mobile communication system, their sheer number means that, to reduce network load and save network resources, MTC devices need to be managed and optimised as groups. MTC devices can then be controlled, managed and billed on a group basis, which suits operators' needs. It has been proposed that MTC devices be grouped according to whether they are in the same area, have the same MTC feature, or belong to the same MTC user. Furthermore, once MTC devices are grouped, the group information must be protected; otherwise an attacker could masquerade as a group member and obtain the group information.
Although grouping MTC devices by area, MTC feature or MTC user has been proposed, no concrete implementation of these proposals exists yet. How to implement MTC device grouping, and how to securely manage the MTC devices within a group, are therefore problems that need to be solved.

Summary of the invention
有鉴于此, 本发明的主要目的在于提供一种基于 GBA的 MTC设备分 组管理方法及系统 , 能够对 MTC设备分组中的 MTC设备进行安全管理。  In view of this, the main object of the present invention is to provide a GBA-based MTC device group management method and system, which can perform security management on an MTC device in an MTC device group.
为达到上述目的, 本发明的技术方案是这样实现的:  In order to achieve the above object, the technical solution of the present invention is achieved as follows:
一种基于 GBA的 MTC设备分组管理方法, 该方法应用于包含 MTC 设备、 BSF及 M2M-SC的系统中, 该方法包括:  A GBA-based MTC device group management method, which is applied to a system including an MTC device, a BSF, and an M2M-SC, the method comprising:
当第一 MTC设备与 M2M-SC协商确定欲加入组标识为 G-ID的 MTC 设备分组时 , 第一 MTC设备与 BSF及 M2M-SC之间通过第一 GBA过 程, 在第一 MTC设备与 M2M-SC之间建立第一会话密钥;  When the first MTC device negotiates with the M2M-SC to determine to join the MTC device group whose group identifier is G-ID, the first MTC device and the BSF and the M2M-SC pass the first GBA process, and the first MTC device and the M2M. - establishing a first session key between the SCs;
M2M-SC将所述 MTC设备分组的组标识 G-ID和组密钥 Kg通过第 一会话密钥加密后发送给第一 MTC设备。  The M2M-SC encrypts the group identification G-ID and the group key Kg of the MTC device group by the first session key and then sends the same to the first MTC device.
进一步地, 所述 MTC设备分组由第二 MTC设备创建, 所述创建过 程包括:  Further, the MTC device group is created by the second MTC device, and the creating process includes:
当第二 MTC设备与 M2M-SC协商确定欲创建所述 MTC设备分组 时, 第二 MTC设备与 BSF及 M2M-SC之间通过第二 GBA过程, 在第 二 MTC设备与 M2M-SC之间建立第二会话密钥;  When the second MTC device negotiates with the M2M-SC to determine that the MTC device group is to be created, the second MTC device and the BSF and the M2M-SC establish a second GBA process between the second MTC device and the M2M-SC. Second session key;
M2M-SC创建所述 MTC设备分组的组标识 G-ID和组密钥 Kg, 并 将创建的 G-ID和 Kg通过所述第二会话密钥加密后发送给第二 MTC设 备。  The M2M-SC creates a group identification G-ID and a group key Kg of the MTC device group, and encrypts the created G-ID and Kg by the second session key and sends the same to the second MTC device.
进一步地,在创建所述 G-ID和 Kg之后,所述方法还包括: M2M-SC 创建所述 G-ID与 MTC设备的用户身份及设备身份的对应关系列表, 该 对应关系列表中包含所述 G-ID与所述第二 MTC设备的用户身份及设备 身份的对应关系;  Further, after the G-ID and the KG are created, the method further includes: creating, by the M2M-SC, a correspondence list between the G-ID and the user identity and the device identity of the MTC device, where the correspondence list includes Corresponding relationship between the G-ID and the user identity and device identity of the second MTC device;
在 M2M-SC获取所述第一会话密钥之后,所述方法还包括: M2M-SC 更新所述对应关系列表。 进一步地, 在更新所述对应关系列表之前, 所述方法还包括:After the M2M-SC obtains the first session key, the method further includes: the M2M-SC updating the correspondence list. Further, before updating the correspondence relationship list, the method further includes:
M2M-SC向第二 MTC设备发送第一 MTC设备的加入请求, 第二 MTC 设备根据收到的加入请求决定允许第一 MTC设备加入后, 将决定结果 返回给 M2M-SC , M2M-SC根据决定结果, 将第一 MTC设备的用户身 份及设备身份的对应关系添加到 G-ID与 MTC设备的用户身份及设备身 份的对应关系列表中, 以更新所述对应关系列表。 The M2M-SC sends a join request of the first MTC device to the second MTC device, and the second MTC device decides to allow the first MTC device to join according to the received join request, and returns the decision result to the M2M-SC, and the M2M-SC determines according to the decision. As a result, the correspondence between the user identity and the device identity of the first MTC device is added to the correspondence list of the user identity and the device identity of the G-ID and the MTC device to update the correspondence relationship list.
进一步地, 所述方法还包括: 所述第一 MTC设备将收到的 G-ID和 Kg通过所述第一会话密钥解密后存储在第一 MTC设备中或第一 MTC 设备的通用集成电路卡 UICC中。  Further, the method further includes: the first MTC device decrypting the received G-ID and Kg by using the first session key, and storing the first integrated circuit in the first MTC device or the first MTC device Card UICC.
进一步地, 所述方法还包括: 所述第二 MTC设备将收到的 G-ID和 Kg通过所述第二会话密钥解密后存储在第二 MTC设备中或第二 MTC 设备的 UICC中。  Further, the method further includes: the second MTC device decrypting the received G-ID and Kg by using the second session key, and storing the G-ID and the Kg in the second MTC device or the UICC of the second MTC device.
Further, the process in which the first MTC device negotiates with the M2M-SC and determines that it is to join the MTC device group with group identifier G-ID includes:
the first MTC device sends a negotiation request message to the M2M-SC, the negotiation request message carrying a request to join the MTC device group with group identifier G-ID;
the M2M-SC sends a bootstrapping initialization message to the first MTC device.
Further, the process in which the second MTC device negotiates with the M2M-SC and determines that an MTC device group is to be created includes:
the second MTC device sends a negotiation request message to the M2M-SC, the negotiation request message carrying a request to create an MTC device group;
the M2M-SC sends a bootstrapping initialization message to the second MTC device.
A GBA-based device group management system, characterized in that the system includes: a first MTC device, a BSF and an M2M-SC; wherein
the first MTC device is configured, when it negotiates with the M2M-SC and determines that it is to join the MTC device group with group identifier G-ID, to establish a first session key between the first MTC device and the M2M-SC through a first GBA process with the BSF and the M2M-SC;
the M2M-SC is configured to encrypt the group identifier G-ID and group key Kg of the MTC device group with the first session key and send them to the first MTC device.
Further, the system further includes: a second MTC device, which creates the MTC device group; wherein
the second MTC device is configured, when it negotiates with the M2M-SC and determines that the MTC device group is to be created, to establish a second session key between the second MTC device and the M2M-SC through a second GBA process with the BSF and the M2M-SC;
the M2M-SC is further configured to create the group identifier G-ID and group key Kg of the MTC device group, encrypt the created G-ID and Kg with the second session key, and send them to the second MTC device.
Further, the M2M-SC is further configured, after creating the G-ID and Kg, to create a correspondence list between the G-ID and the user identities and device identities of MTC devices, the correspondence list containing the correspondence between the G-ID and the user identity and device identity of the second MTC device; and, after obtaining the first session key, to update the correspondence list.
It can be seen from the above technical solution that the present invention provides a practicable MTC device grouping method; and since the M2M-SC and every member of an MTC device group each hold the G-ID and Kg that correspond uniquely to that MTC device group, the members of the MTC device group can be managed securely: even if an attacker masquerades as a group member, it cannot obtain Kg and therefore cannot obtain the group information.
Brief Description of the Drawings
Figure 1 is a schematic diagram of the GBA model in the prior art;
Figure 2 is a schematic diagram of the GBA-based MTC device group management system of the present invention;
Figure 3 is a schematic flowchart of creating an MTC device group according to the present invention;
Figure 4 is a schematic flowchart of an MTC device joining an MTC device group according to the present invention.
Detailed Description of the Embodiments
The technical solution of the present invention is described in detail below with reference to the accompanying drawings.
The GBA-based MTC device group management method of the present invention is applied to the system shown in Figure 2, which includes MTC devices, a BSF and an M2M-SC (Machine to Machine Service Center). In the present invention, an MTC device is a device used for machine-to-machine communication in a mobile communication network, and the MTC device is fitted with a UICC (Universal Integrated Circuit Card); the M2M-SC provides the Network Application Function (NAF), group member management functions, and so on.
The GBA-based MTC device group management method covers two aspects: creating an MTC device group, and an MTC device joining an MTC device group.
As shown in Figure 3, the flow for creating an MTC device group according to the present invention includes:
Step 301: the MTC device sends a negotiation request message to the M2M-SC, the negotiation request message carrying a request to create an MTC device group;
Step 302: the M2M-SC sends a bootstrapping initialization message to the MTC device;
Steps 301-302 are mainly concerned with the MTC device negotiating with the M2M-SC and determining that an MTC device group is to be created;
Step 303: a bootstrapping authentication process is performed between the MTC device and the BSF; through this process the MTC device and the BSF determine the session key (e.g. Ks-NAF) subsequently used for communication between the MTC device and the M2M-SC;
Step 304: a bootstrapping security association process is performed between the MTC device and the M2M-SC; in this process the M2M-SC obtains from the BSF the session key for communicating with the MTC device, i.e. the session key determined in step 303;
Steps 303-304 are mainly concerned with the MTC device establishing, through the GBA process with the BSF and the M2M-SC, a session key between the MTC device and the M2M-SC;
Step 305: after the M2M-SC obtains the session key, it creates, according to the request information for creating the MTC device group, a G-ID (Group Identifier) and a group key Kg, and creates a correspondence list between the G-ID and the user identities (e.g. IMSI, International Mobile Subscriber Identity) and device identities (e.g. IMEI, International Mobile Equipment Identity) of MTC devices; initially this list contains only the correspondence between the G-ID and the user identity and device identity of the MTC device that created the group, and the list is managed and maintained by the M2M-SC;
Here, the G-ID is used to bind the user identity and device identity of an MTC device, and the group key Kg is used for the security management of the MTC device group; the G-ID is unique and can serve as the group key identity agreed between the MTC device and the M2M-SC (i.e. G-ID and Kg correspond one to one);
Step 306: the M2M-SC encrypts the created G-ID and Kg with the session key obtained in step 304 and sends them to the MTC device.
The MTC device decrypts the G-ID and Kg with the session key determined in step 303 and then stores them. If the above bootstrapping process (steps 301-304) uses GBA-ME, i.e. the bootstrapping is performed on the mobile equipment (ME), the G-ID and Kg may be stored in the MTC device; if it uses GBA-U, i.e. the bootstrapping is performed on the UICC, the G-ID and Kg may be stored in the UICC of the MTC device. The details of the bootstrapping process can be found in the existing relevant specifications and are not described here.
As can be seen from the above flow, once the G-ID of an MTC device group has been created, an MTC device group based on that G-ID is established.
As shown in Figure 4, the flow for an MTC device to join an MTC device group according to the present invention includes:
Step 401: the MTC device sends a negotiation request message to the M2M-SC, the negotiation request message carrying a request to join the MTC device group with group identifier G-ID;
How the MTC device obtains the G-ID of the MTC device group is not the focus of the present invention and is not described here;
Step 402: the M2M-SC sends a bootstrapping initialization message to the MTC device;
Steps 401-402 are mainly concerned with the MTC device negotiating with the M2M-SC and determining that it is to join the MTC device group;
Step 403: a bootstrapping authentication process is performed between the MTC device and the BSF; through this process the MTC device and the BSF determine the session key (e.g. Ks-NAF) subsequently used for communication between the MTC device and the M2M-SC;
Step 404: a bootstrapping security association process is performed between the MTC device and the M2M-SC; in this process the M2M-SC obtains from the BSF the session key for communicating with the MTC device, i.e. the session key determined in step 403;
Steps 403-404 are mainly concerned with the MTC device establishing, through the GBA process with the BSF and the M2M-SC, a session key between the MTC device and the M2M-SC;
Step 405: after the M2M-SC obtains the session key, it updates, according to the request information for joining the MTC device group, the correspondence list between the G-ID and the user identities and device identities of MTC devices, i.e. it adds to the existing correspondence list the correspondence between the G-ID and the user identity (e.g. IMSI) and device identity (e.g. IMEI) of the newly joined MTC device;
Step 406: the M2M-SC encrypts the G-ID and Kg of the MTC device group with the session key obtained in step 404 and sends them to the MTC device.
The MTC device decrypts the G-ID and Kg with the session key determined in step 403 and then stores them. If the above bootstrapping process (steps 401-404) uses GBA-ME, the G-ID and Kg may be stored in the MTC device; if it uses GBA-U, the G-ID and Kg may be stored in the UICC of the MTC device. The details of the bootstrapping process can be found in the existing relevant specifications and are not described here.
Before step 405, the flow for an MTC device to join an MTC device group further includes:
the M2M-SC sends a join request for the MTC device wishing to join to the MTC device that created the MTC device group, the join request carrying information (such as the identity) of the MTC device wishing to join;
the MTC device that created the MTC device group decides, according to the information in the join request about the MTC device wishing to join, whether to allow it to join, and returns the decision result to the M2M-SC; the M2M-SC starts or terminates the join process according to the decision result.
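The create flow (steps 301-306) and the join flow (steps 401-406, including the creator's approval before step 405) described above, as an added Python model that is not part of the patent or the applicant's code. It simulates the BSF, the two GBA steps, the M2M-SC's correspondence list and the delivery of (G-ID, Kg) encrypted under each device's own session key. The GBA key derivation, the cipher (an encrypt-then-MAC construction on HMAC-SHA256, chosen only because the page names no cipher), the message layout, the class names BSF/MTCDevice/M2MSC, NAF_ID and all IMSI/IMEI/key values are assumptions made for the illustration.

```python
"""Toy model of the create-group (Figure 3) and join-group (Figure 4) flows.
Constructed example, not the patent's or applicant's code: the GBA KDF, the cipher
and the message layout are stdlib stand-ins; IMSI/IMEI values and NAF_ID are made up."""
import hashlib, hmac, os, secrets

NAF_ID = b"m2m-sc.example"  # assumed NAF identifier of the M2M-SC

def derive_ks_naf(ks, naf_id):
    # Stand-in for the GBA KDF; the real one also binds RAND and IMPI.
    return hmac.new(ks, b"gba-me" + naf_id, hashlib.sha256).digest()

def _keystream(key, nonce, n):
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range((n + 31) // 32))[:n]

def seal(key, plaintext):
    """Encrypt-then-MAC with HMAC-SHA256 as PRF (the page names no cipher)."""
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    """Returns the plaintext, or None when the tag does not verify under this key."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct))))

class BSF:
    """Bootstrapping Server Function; shares a long-term key K with each UICC."""
    def __init__(self, subscribers):
        self.subscribers, self.bootstraps = subscribers, {}  # IMSI -> K; B-TID -> (IMSI, Ks)

    def bootstrap(self, imsi):              # steps 303/403: yields B-TID and Ks
        ks = hmac.new(self.subscribers[imsi], os.urandom(16), hashlib.sha256).digest()
        btid = secrets.token_hex(8)
        self.bootstraps[btid] = (imsi, ks)
        return btid, ks

    def fetch_naf_key(self, btid, naf_id):  # steps 304/404: NAF fetches Ks_NAF by B-TID
        imsi, ks = self.bootstraps[btid]
        return imsi, derive_ks_naf(ks, naf_id)

class MTCDevice:
    def __init__(self, imsi, imei, bsf, allowed=()):
        self.imsi, self.imei, self.bsf = imsi, imei, bsf
        self.allowed = set(allowed)   # IMSIs whose join requests this device approves
        self.session_key, self.groups = None, {}  # groups: G-ID -> Kg (ME or UICC store)

    def bootstrap(self):
        btid, ks = self.bsf.bootstrap(self.imsi)
        self.session_key = derive_ks_naf(ks, NAF_ID)
        return btid

    def decide_join(self, imsi, imei):    # the creating device answers a join request
        return imsi in self.allowed

    def store_group(self, blob):          # decrypt (G-ID, Kg) with the session key
        gid, kg = unseal(self.session_key, blob).split(b"|", 1)
        self.groups[gid.decode()] = kg

class M2MSC:
    def __init__(self, bsf, directory):
        self.bsf, self.directory = bsf, directory  # directory: IMSI -> reachable device
        self.groups = {}  # G-ID -> {"kg", "creator", "members": [(IMSI, IMEI)]}

    def create_group(self, btid, imei):
        imsi, skey = self.bsf.fetch_naf_key(btid, NAF_ID)
        gid, kg = "G-" + secrets.token_hex(4), os.urandom(32)              # step 305
        self.groups[gid] = {"kg": kg, "creator": imsi, "members": [(imsi, imei)]}
        return seal(skey, gid.encode() + b"|" + kg)                         # step 306

    def join_group(self, btid, imei, gid):
        imsi, skey = self.bsf.fetch_naf_key(btid, NAF_ID)
        grp = self.groups[gid]
        if not self.directory[grp["creator"]].decide_join(imsi, imei):    # creator refuses
            return None
        grp["members"].append((imsi, imei))                                 # step 405
        return seal(skey, gid.encode() + b"|" + grp["kg"])                  # step 406

def demo():
    bsf = BSF({"IMSI-A": b"K-A", "IMSI-B": b"K-B", "IMSI-C": b"K-C"})   # constructed
    a = MTCDevice("IMSI-A", "IMEI-A", bsf, allowed={"IMSI-B"})
    b = MTCDevice("IMSI-B", "IMEI-B", bsf)
    c = MTCDevice("IMSI-C", "IMEI-C", bsf)
    sc = M2MSC(bsf, {d.imsi: d for d in (a, b, c)})
    a.store_group(sc.create_group(a.bootstrap(), a.imei))                 # Figure 3
    gid = next(iter(a.groups))
    b.store_group(sc.join_group(b.bootstrap(), b.imei, gid))              # Figure 4, approved
    rejected = sc.join_group(c.bootstrap(), c.imei, gid) is None          # Figure 4, refused
    notice = seal(a.groups[gid], b"group notice")                         # traffic under Kg
    return {"same_kg": a.groups[gid] == b.groups[gid],
            "members": sc.groups[gid]["members"], "rejected": rejected,
            "member_reads": unseal(b.groups[gid], notice) == b"group notice",
            "outsider_reads": unseal(os.urandom(32), notice) is not None}
```

Calling demo() runs both flows: device A creates the group, device B joins with A's approval, device C is refused by A and never receives Kg. The last two entries of the result show the property the summary relies on: a holder of Kg can open group traffic, while a device without Kg (whether refused, or impersonating a member) cannot, because its copy of the session key only ever protected the (G-ID, Kg) delivery meant for it, not the group key itself.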
In the present invention, an MTC device may create multiple MTC device groups, or may be allowed to create only one MTC device group. An MTC device may join multiple MTC device groups, or may be allowed to join only one MTC device group. After joining an MTC device group, an MTC device may also create a new MTC device group. After creating an MTC device group, an MTC device may also join other MTC device groups.
In addition, if group management of the MTC device is not required, the MTC device completes authentication between the MTC device and the M2M-SC according to the ordinary GBA process.
To implement the above method, the present invention further provides a GBA-based MTC device group management system, which includes: a first MTC device, a BSF and an M2M-SC; wherein the first MTC device is configured, when it negotiates with the M2M-SC and determines that it is to join the MTC device group with group identifier G-ID, to establish a first session key between the first MTC device and the M2M-SC through a first GBA process with the BSF and the M2M-SC;
the M2M-SC is configured to encrypt the group identifier G-ID and group key Kg of the MTC device group with the first session key and send them to the first MTC device.
The system further includes: a second MTC device, which creates the MTC device group; wherein the second MTC device is configured, when it negotiates with the M2M-SC and determines that the MTC device group is to be created, to establish a second session key between the second MTC device and the M2M-SC through a second GBA process with the BSF and the M2M-SC;
the M2M-SC is further configured to create the G-ID and Kg, encrypt the created G-ID and Kg with the second session key, and send them to the second MTC device. The M2M-SC is further configured, after creating the G-ID and Kg, to create a correspondence list between the G-ID and the user identities and device identities of MTC devices, the correspondence list containing the correspondence between the G-ID and the user identity and device identity of the second MTC device; and, after obtaining the first session key, to update the correspondence list.
The above are merely preferred embodiments of the present invention and are not intended to limit the scope of protection of the present invention.

Claims
1. A machine type communication device group management method based on a Generic Bootstrapping Architecture, characterized in that the method is applied to a system comprising a machine type communication (MTC) device, a Bootstrapping Server Function (BSF) and a machine-to-machine service center (M2M-SC), the method comprising:
when a first MTC device negotiates with the M2M-SC and determines that it is to join an MTC device group with group identifier G-ID, the first MTC device establishes, through a first Generic Bootstrapping Architecture (GBA) process with the BSF and the M2M-SC, a first session key between the first MTC device and the M2M-SC;
the M2M-SC encrypts the group identifier G-ID and group key Kg of the MTC device group with the first session key and sends them to the first MTC device.
2. The machine type communication device group management method based on a Generic Bootstrapping Architecture according to claim 1, characterized in that the MTC device group is created by a second MTC device, the creation process comprising:
when the second MTC device negotiates with the M2M-SC and determines that the MTC device group is to be created, the second MTC device establishes, through a second GBA process with the BSF and the M2M-SC, a second session key between the second MTC device and the M2M-SC;
the M2M-SC creates the group identifier G-ID and group key Kg of the MTC device group, encrypts the created G-ID and Kg with the second session key, and sends them to the second MTC device.
3. The machine type communication device group management method based on a Generic Bootstrapping Architecture according to claim 2, characterized in that, after the G-ID and Kg are created, the method further comprises: the M2M-SC creates a correspondence list between the G-ID and the user identities and device identities of MTC devices, the correspondence list containing the correspondence between the G-ID and the user identity and device identity of the second MTC device;
after the M2M-SC obtains the first session key, the method further comprises: the M2M-SC updates the correspondence list.
4. The machine type communication device group management method based on a Generic Bootstrapping Architecture according to claim 3, characterized in that, before the correspondence list is updated, the method further comprises:
the M2M-SC sends a join request for the first MTC device to the second MTC device; after the second MTC device decides, according to the received join request, to allow the first MTC device to join, it returns the decision result to the M2M-SC; according to the decision result, the M2M-SC adds the correspondence between the user identity and device identity of the first MTC device to the correspondence list between the G-ID and the user identities and device identities of MTC devices, thereby updating the correspondence list.
5. The machine type communication device group management method based on a Generic Bootstrapping Architecture according to claim 1, characterized in that the method further comprises: the first MTC device decrypts the received G-ID and Kg with the first session key and stores them in the first MTC device or in the Universal Integrated Circuit Card (UICC) of the first MTC device.
6. The machine type communication device group management method based on a Generic Bootstrapping Architecture according to claim 2, characterized in that the method further comprises: the second MTC device decrypts the received G-ID and Kg with the second session key and stores them in the second MTC device or in the UICC of the second MTC device.
7. The machine type communication device group management method based on a Generic Bootstrapping Architecture according to claim 1, characterized in that the process in which the first MTC device negotiates with the M2M-SC and determines that it is to join the MTC device group with group identifier G-ID comprises:
the first MTC device sends a negotiation request message to the M2M-SC, the negotiation request message carrying a request to join the MTC device group with group identifier G-ID;
the M2M-SC sends a bootstrapping initialization message to the first MTC device.
8. The machine type communication device group management method based on a Generic Bootstrapping Architecture according to claim 1, characterized in that the process in which the second MTC device negotiates with the M2M-SC and determines that an MTC device group is to be created comprises:
the second MTC device sends a negotiation request message to the M2M-SC, the negotiation request message carrying a request to create an MTC device group; the M2M-SC sends a bootstrapping initialization message to the second MTC device.
9. A machine type communication device group management system based on a Generic Bootstrapping Architecture, characterized in that the system comprises: a first MTC device, a BSF and an M2M-SC; wherein
the first MTC device is configured, when it negotiates with the M2M-SC and determines that it is to join the MTC device group with group identifier G-ID, to establish a first session key between the first MTC device and the M2M-SC through a first GBA process with the BSF and the M2M-SC;
the M2M-SC is configured to encrypt the group identifier G-ID and group key Kg of the MTC device group with the first session key and send them to the first MTC device.
10. The machine type communication device group management system based on a Generic Bootstrapping Architecture according to claim 9, characterized in that the system further comprises: a second MTC device, which creates the MTC device group; wherein
the second MTC device is configured, when it negotiates with the M2M-SC and determines that the MTC device group is to be created, to establish a second session key between the second MTC device and the M2M-SC through a second GBA process with the BSF and the M2M-SC;
the M2M-SC is further configured to create the group identifier G-ID and group key Kg of the MTC device group, encrypt the created G-ID and Kg with the second session key, and send them to the second MTC device.
11. The machine type communication device group management system based on a Generic Bootstrapping Architecture according to claim 10, characterized in that the M2M-SC is further configured, after creating the G-ID and Kg, to create a correspondence list between the G-ID and the user identities and device identities of MTC devices, the correspondence list containing the correspondence between the G-ID and the user identity and device identity of the second MTC device; and, after obtaining the first session key, to update the correspondence list.
Application: PCT/CN2011/071938, filed 2011-03-17, priority date 2010-11-08. Title: Machine type communication device group management method and system based on generic bootstrapping architecture.

Applications claiming priority (2): CN201010535847.1A (published as CN102469455B), priority and filing date 2010-11-08, "Based on equipment for machine type communication group management method and the system of universal guiding structure"; CN201010535847.1, 2010-11-08.

Publication: WO2012062077A1, 2012-05-18. Family ID: 46050354.

Country status (2): CN102469455B; WO2012062077A1.

Also Published As

Publication number Publication date
CN102469455B (en) 2016-04-13
CN102469455A (en) 2012-05-23

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
Ref document number: 11840233; Country of ref document: EP; Kind code of ref document: A1
NENP Non-entry into the national phase
Ref country code: DE
122 Ep: pct application non-entry in european phase
Ref document number: 11840233; Country of ref document: EP; Kind code of ref document: A1