WO2012174959A1 - Group authentication method, system and gateway in machine-to-machine communication - Google Patents


Info

Publication number: WO2012174959A1 (WO 2012/174959 A1)
Application number: PCT/CN2012/075475 (CN2012075475W)
Authority: WO, WIPO (PCT)
Prior art keywords: mtc terminal, mtc, key, authentication, gateway
Other languages: French (fr), Chinese (zh)
Inventors: 夏正雪 (Xia Zhengxue), 田甜 (Tian Tian)
Original assignee / applicant: 中兴通讯股份有限公司 (ZTE Corporation)

Classifications

    • H04L63/065: H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication > H04L63/00 Network architectures or network communication protocols for network security > H04L63/06 ... for supporting key management in a packet data network > H04L63/065 ... for group communications
    • H04W12/0431: H Electricity > H04 Electric communication technique > H04W Wireless communication networks > H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity > H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA] > H04W12/043 ... using a trusted network node as an anchor > H04W12/0431 Key distribution or pre-distribution; Key agreement
    • H04W12/06: H Electricity > H04 Electric communication technique > H04W Wireless communication networks > H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity > H04W12/06 Authentication

Definitions

  • The present invention relates to the field of machine type communication (MTC) security, and more particularly to a method, system and gateway for group authentication in machine-to-machine (M2M) communication.
  • MTC: machine type communication
  • M2M: machine to machine
  • M2M communication has been introduced into communication network technology.
  • The goal of M2M communication is to give every MTC terminal the ability to be networked and to communicate, enabling information exchange between machines and machines, machines and people, and people and machines.
  • A large number of MTC terminals will be deployed in an M2M system, most of them low-mobility MTC terminals.
  • An MTC application will typically have multiple MTC terminals participating in the communication, and these MTC terminals together form an MTC group.
  • MTC terminals belonging to the same MTC group may be at the same location, have the same MTC characteristics, or belong to the same MTC user; any of these can be used as the basis for grouping. Each MTC terminal in an MTC group is visible to the network. MTC terminals in the same group may need to communicate with the network independently, so each MTC terminal also needs its own independent session key.
  • The M2M system is therefore required to be able to uniquely identify an MTC group and to verify that an MTC terminal is a legitimate member of that group.
  • The existing security mechanisms of second generation (2G) and third generation (3G) mobile network systems consist mainly of authentication and encryption. Authentication is the process of verifying the legitimacy of the other party's identity.
  • The following is a brief description of the Authentication and Key Agreement (AKA) authentication process of the Universal Mobile Telecommunication System (UMTS).
  • AKA: Authentication and Key Agreement
  • UMTS: Universal Mobile Telecommunication System
  • EPS: Evolved Packet System
  • UMTS AKA authentication is based on a root key K that is stored both in the Home Location Register (HLR) and in the Universal Subscriber Identity Module (USIM) card built into the terminal.
  • HLR: Home Location Register
  • USIM: Universal Subscriber Identity Module
  • Step 101: The terminal sends an access request to the Serving GPRS Support Node / Visitor Location Register (SGSN/VLR) of the General Packet Radio Service (GPRS).
  • SGSN/VLR: Serving GPRS Support Node / Visitor Location Register
  • GPRS: General Packet Radio Service
  • Step 102: The SGSN/VLR initiates an authentication request to the HLR/Authentication Center (AuC) according to the terminal identifier.
  • AuC: Authentication Center
  • Step 103: The HLR/AuC generates multiple sets of authentication vectors.
  • Each authentication vector is a quintuple: a random number (RAND), an expected response (XRES), an authentication token (AUTN), a confidentiality key (CK) and an integrity key (IK).
  • RAND: random number
  • XRES: expected response
  • AUTN: authentication token
  • CK: confidentiality key
  • IK: integrity key
  • Step 104: The HLR/AuC sends the generated authentication vector quintuples to the SGSN/VLR that requested authentication.
  • Step 105: The SGSN/VLR receives and stores the authentication vectors sent by the HLR/AuC.
  • Step 106: The SGSN/VLR selects one set from the stored authentication vectors and sends its RAND and AUTN to the terminal that sent the access request.
  • Step 107: The USIM card in the terminal checks whether the AUTN can be accepted; if so, step 108 is performed.
  • Checking whether the AUTN can be accepted means checking whether it is a valid authentication token, as follows.
  • On receiving the authentication message from the SGSN/VLR, the terminal first calculates the expected message authentication code XMAC and compares it with the MAC contained in the AUTN. If they differ, the authentication is rejected and the procedure is abandoned. If they are the same, the terminal verifies that the received sequence number (SQN) is within the valid range; if it is not, the terminal sends a synchronization failure message to the SGSN/VLR and abandons the procedure. If XMAC equals the MAC in the AUTN and the SQN is within the valid range, go to step 108.
  • Step 108: The terminal calculates the response value RES and sends it to the SGSN/VLR.
  • The SGSN/VLR compares the RES sent by the terminal with the XRES sent by the HLR/AuC. If they match, authentication passes; otherwise it fails.
  • At the same time the USIM card calculates IK and CK, which are used for confidentiality and integrity protection of subsequent data transmission. This completes the establishment of a secure channel between the terminal and the network.
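The AKA exchange of steps 101 to 108, as an added example that is not part of the patent: the HLR/AuC issues authentication vectors, the SGSN/VLR stores them and challenges the terminal, and the USIM checks the MAC in AUTN, checks the SQN window, and returns RES, CK and IK. The functions f1 to f5 are constructed HMAC-SHA256 stand-ins (the real ones are the AES-based MILENAGE set in 3GPP TS 35.206), the AMF value and the SQN acceptance window are assumed, and the class names are this example's own. The two failure modes the text names, MAC mismatch and an out-of-range SQN (replay), are exercised by `rejection_reason`.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed stand-ins for the MILENAGE functions f1..f5: HMAC-SHA256 with a
# per-function tag, truncated to the 3GPP output sizes. Only the protocol logic
# around them is the point of the example.
def _f(tag: bytes, k: bytes, *parts: bytes) -> bytes:
    return hmac.new(k, tag + b"".join(parts), hashlib.sha256).digest()

def f1(k, rand, sqn, amf): return _f(b"f1", k, rand, sqn, amf)[:8]   # MAC-A / XMAC (64 bit)
def f2(k, rand):           return _f(b"f2", k, rand)[:8]             # RES / XRES
def f3(k, rand):           return _f(b"f3", k, rand)[:16]            # CK (128 bit)
def f4(k, rand):           return _f(b"f4", k, rand)[:16]            # IK (128 bit)
def f5(k, rand):           return _f(b"f5", k, rand)[:6]             # AK, anonymity key (48 bit)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

AMF = b"\x80\x00"   # authentication management field (value assumed for the example)
SQN_WINDOW = 32     # assumed acceptance window: SQN_MS < SQN <= SQN_MS + SQN_WINDOW

@dataclass
class AuthVector:
    rand: bytes
    xres: bytes
    autn: bytes   # (SQN xor AK) || AMF || MAC
    ck: bytes
    ik: bytes

class HlrAuc:
    """HLR/AuC: root key K per subscriber and the next SQN to issue (step 103)."""
    def __init__(self, subscribers):
        self.keys = dict(subscribers)              # IMSI -> K (constructed sample data)
        self.sqn = {imsi: 0 for imsi in self.keys}

    def generate_vectors(self, imsi, n):
        k = self.keys[imsi]
        vectors = []
        for _ in range(n):
            self.sqn[imsi] += 1
            sqn = self.sqn[imsi].to_bytes(6, "big")
            rand = os.urandom(16)
            mac = f1(k, rand, sqn, AMF)
            autn = xor(sqn, f5(k, rand)) + AMF + mac
            vectors.append(AuthVector(rand, f2(k, rand), autn, f3(k, rand), f4(k, rand)))
        return vectors

class Usim:
    """USIM: root key K and the highest SQN accepted so far (SQN_MS)."""
    def __init__(self, k):
        self.k = k
        self.sqn_ms = 0

    def authenticate(self, rand, autn):
        """Step 107: accept AUTN or raise; step 108: return (RES, CK, IK)."""
        sqn_xor_ak, amf, mac = autn[:6], autn[6:8], autn[8:]
        sqn = xor(sqn_xor_ak, f5(self.k, rand))           # recover SQN with the anonymity key
        xmac = f1(self.k, rand, sqn, amf)
        if not hmac.compare_digest(xmac, mac):
            raise ValueError("MAC failure: AUTN rejected")
        sqn_int = int.from_bytes(sqn, "big")
        if not (self.sqn_ms < sqn_int <= self.sqn_ms + SQN_WINDOW):
            raise ValueError("synchronisation failure: SQN out of range")
        self.sqn_ms = sqn_int                              # a replay of this AV now fails
        return f2(self.k, rand), f3(self.k, rand), f4(self.k, rand)

def rejection_reason(usim, rand, autn):
    """None if the USIM accepts (RAND, AUTN), otherwise the rejection message."""
    try:
        usim.authenticate(rand, autn)
        return None
    except ValueError as e:
        return str(e)

class SgsnVlr:
    """SGSN/VLR: fetches and stores vectors (steps 102-105), challenges the
    terminal (step 106) and compares RES with XRES (step 108)."""
    def __init__(self, hlr):
        self.hlr = hlr
        self.stored = {}   # IMSI -> unused authentication vectors

    def authenticate(self, imsi, usim):
        if not self.stored.get(imsi):
            self.stored[imsi] = self.hlr.generate_vectors(imsi, 3)
        av = self.stored[imsi].pop(0)
        try:
            res, _ck, _ik = usim.authenticate(av.rand, av.autn)
        except ValueError:
            return None
        if not hmac.compare_digest(res, av.xres):
            return None
        return av.ck, av.ik   # network-side CK/IK; the USIM holds the same pair

if __name__ == "__main__":
    K = bytes(range(16))   # constructed sample root key
    hlr, usim = HlrAuc({"imsi-1": K}), Usim(K)
    print("AKA succeeded:", SgsnVlr(hlr).authenticate("imsi-1", usim) is not None)
```

The SQN check is what makes a captured (RAND, AUTN) pair useless to an attacker who replays it later, and the MAC check is what stops a fake network from issuing its own challenge; the example keeps both in the USIM where the text places them.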
  • In an existing scheme (scenario 1), group authentication is performed on the basis of the MTC Gateway Device in the MTCe scenario.
  • The authentication is divided into two parts. The first part is two-way authentication between the MTC Gateway Device and the Core Network (CN), for example AKA authentication.
  • The second part is two-way authentication between the MTC Gateway Device and the MTC Device, after which the MTC Gateway Device notifies the CN of the authentication result of the MTC Device.
  • In another scheme (option 2), the MTC Devices in a group have at least one identical attribute and the CN stores the identity of each group member independently; the MTC Devices in the group communicate with each other through a proprietary protocol, which need not be a 3GPP protocol.
  • All MTC Devices in the group forward key material to an MTC Delegate; the MTC Delegate computes the group key and performs authentication with the CN on behalf of all MTC Devices. The MTC Delegate may change.
  • Scenario 1 gives only a brief description of the solution without its details, and the MTC Gateway Device derives the session key between the MTC Device and the CN and sends it to both the MTC Device and the CN, so end-to-end security between the MTC Device and the CN cannot be guaranteed.
  • Moreover, the MTC Gateway Device may belong to a different operator, and if the link between the MTC Device and the MTC Gateway Device is a non-3GPP network, the authentication method is beyond the scope of 3GPP work.
  • The advantage of option 2 is that an MTC Device can complete group authentication without knowing Kg.
  • However, option 2 does not specify where Ki comes from or how the CN knows Ki, and each group authentication in this scheme is limited to the MTC Devices that are online at the time. If an attacker maliciously manipulates an MTC Device so that it keeps joining and leaving the group, the system is seriously affected.
  • If a wrong Ki is sent for whatever reason, derivation of the entire key material fails.
  • The main purpose of the embodiments of the present invention is to provide a method, a system and a gateway for group authentication in M2M communication that reduce the large signaling load caused by authenticating each MTC terminal individually, and that address the security threats described above so as to meet the corresponding security requirements.
  • An embodiment of the present invention provides a method for group authentication in M2M communication, the method including: a machine type communication (MTC) terminal gateway and a core network (CN) perform two-way authentication and calculate key material;
  • MTC: machine type communication
  • CN: core network
  • the MTC terminal gateway performs two-way authentication with the MTC terminal and, after the authentication passes, sends the key material to the MTC terminal, so that the MTC terminal generates the authenticated communication key from the received key material and the hash value of its own root key;
  • the MTC terminal gateway notifies the CN of the authenticated MTC terminal, and the CN generates the authenticated communication key from the key material and the hash value of the root key of the authenticated MTC terminal.
  • The method further includes: low-mobility MTC terminals that belong to the same MTC user at the same location within the coverage of the MTC terminal gateway are subscribed to the same MTC group.
  • The two-way authentication between the MTC terminal gateway and the CN includes:
  • the MTC terminal gateway initiates an access request to the Access Security Management Entity (ASME); the ASME requests an authentication vector from the Home Subscriber Server / Home Location Register (HSS/HLR) according to the received request; the HSS/HLR generates an authentication vector from the subscription data, together with the hash values of the root keys of the MTC terminals associated with the MTC terminal gateway, and returns them to the ASME, which stores them; the ASME and the MTC terminal gateway authenticate each other using the authentication vector, then calculate the key material and establish a secure channel.
  • The key material is specifically: key material calculated from the confidentiality key and the integrity key.
  • The method further includes:
  • the MTC terminal gateway determines whether the MTC terminal has been authenticated and whether the MTC terminal gateway holds the key material. If the MTC terminal has not been authenticated, the MTC terminal gateway and the MTC terminal perform two-way authentication and the key material is then sent to the MTC terminal; if it has been authenticated but no key material exists, the two-way authentication between the MTC terminal gateway and the CN is performed again, and the key material is calculated and sent to the MTC terminal; if it has been authenticated and the key material exists, the key material is sent directly to the MTC terminal.
  • The two-way authentication between the MTC terminal gateway and the CN includes AKA authentication;
  • the two-way authentication between the MTC terminal gateway and the MTC terminal includes two-way authentication based on Internet Protocol Security (IPsec), Transport Layer Security (TLS), a Public Key Infrastructure (PKI) certificate, or the local access technology.
  • IPsec: Internet Protocol Security
  • TLS: Transport Layer Security
  • PKI: Public Key Infrastructure
  • An embodiment of the invention further provides a system for group authentication in M2M communication, the system including an MTC terminal gateway, a CN and an MTC terminal, where:
  • the MTC terminal gateway is configured to perform two-way authentication with the CN and calculate key material, to perform two-way authentication with the MTC terminal, to send the key material to the MTC terminal after the authentication passes, and to notify the CN of the authenticated MTC terminal;
  • the CN is configured to generate the authenticated communication key from the key material and the hash value of the root key of the authenticated MTC terminal;
  • the MTC terminal is configured to generate the authenticated communication key from the key material and the hash value of its own root key.
  • The MTC terminal gateway is further configured to subscribe low-mobility MTC terminals that belong to the same MTC user at the same location to the same MTC group.
  • The CN further includes an ASME and an HSS/HLR, where
  • the ASME is configured to obtain from the HSS/HLR, during the two-way authentication between the MTC terminal gateway and the CN, the hash values of the root keys of the MTC terminals associated with the MTC terminal gateway, and to store them in the ASME.
  • The MTC terminal gateway is further configured to determine, during two-way authentication with the MTC terminal, whether the MTC terminal has been authenticated and whether the MTC terminal gateway holds the key material: if the MTC terminal has not been authenticated, the MTC terminal gateway and the MTC terminal perform two-way authentication and the key material is then sent to the MTC terminal; if it has been authenticated but the key material does not exist, the two-way authentication between the MTC terminal gateway and the CN is performed again, and the key material is calculated and sent to the MTC terminal; if it has been authenticated and the key material exists, the key material is sent directly to the MTC terminal.
  • An embodiment of the invention further provides an MTC terminal gateway, the MTC terminal gateway including:
  • a CN two-way authentication module, configured to perform two-way authentication with the CN and calculate key material; and a terminal two-way authentication module, configured to perform two-way authentication with the MTC terminal and, after the authentication passes, send the key material to the MTC terminal, so that the MTC terminal generates the authenticated communication key from the received key material and the hash value of its own root key, and to notify the CN of the authenticated MTC terminal, so that the CN generates the authenticated communication key from the key material and the hash value of the root key of the authenticated MTC terminal.
  • The MTC terminal gateway further includes:
  • a subscription module, configured to subscribe low-mobility MTC terminals that belong to the same MTC user at the same location within the gateway's coverage to the same MTC group.
  • The terminal two-way authentication module is further configured to determine, during two-way authentication with the MTC terminal, whether the MTC terminal has been authenticated and whether the MTC terminal gateway holds the key material Kg: if the MTC terminal has not been authenticated, it performs two-way authentication with the MTC terminal and then sends the key material to the MTC terminal; if the MTC terminal has been authenticated but the key material Kg does not exist, it triggers the CN two-way authentication module to authenticate with the CN again, and the key material is calculated and sent to the MTC terminal; if the MTC terminal has been authenticated and the key material Kg exists, it sends the key material directly to the MTC terminal.
  • In the embodiments of the present invention, the MTC terminal gateway performs two-way authentication with the CN and calculates the key material; the MTC terminal gateway performs two-way authentication with the MTC terminal and, after the authentication passes, sends the key material to the MTC terminal, so that the MTC terminal generates the authenticated communication key from the received key material and the hash value of its own root key; and it notifies the CN of the authenticated MTC terminal, so that the CN generates the authenticated communication key from the key material and the hash value of the root key of the authenticated MTC terminal.
  • The MTC terminal and the CN each generate the communication key from the key material and the hash value of the MTC terminal's root key, so the MTC terminal gateway never sends a session key to the MTC terminal or to the CN, which ensures end-to-end security between the MTC terminal and the CN.
  • FIG. 1 is a schematic diagram of the existing authentication technology and process in systems such as UMTS and EPS;
  • FIG. 2 is a schematic diagram of a network element structure according to an embodiment of the present invention;
  • FIG. 3 is a schematic flowchart of a method for group authentication in M2M communication according to an embodiment of the present invention;
  • FIG. 4 is a schematic flowchart of the two-way authentication performed by an MTC terminal gateway and a CN according to an embodiment of the present invention;
  • FIG. 5 is a schematic flowchart of the two-way authentication performed by an MTC terminal gateway and an MTC terminal according to an embodiment of the present invention;
  • FIG. 6 is a schematic structural diagram of a system for group authentication in M2M communication according to an embodiment of the present invention.
  • Detailed description
  • The basic idea of the embodiments of the present invention is: the MTC terminal gateway and the core network (CN) perform two-way authentication and calculate key material; the MTC terminal gateway and the MTC terminal perform two-way authentication and, after the authentication passes, the key material is sent to the MTC terminal and the CN is notified of the authenticated MTC terminal; the MTC terminal generates the authenticated communication key from the received key material and the hash value of its own root key, and at the same time the CN generates the authenticated communication key from the key material and the hash value of the root key of the authenticated MTC terminal.
  • FIG. 2 is a schematic diagram of a network element architecture according to an embodiment of the present invention.
  • The architecture includes: an MTC terminal 201 connected to an MTC terminal gateway 202; the MTC terminal gateway 202 connected to an Access Security Management Entity (ASME) 203 in the M2M system; and the ASME 203 connected to a Home Subscriber Server / Home Location Register (HSS/HLR) 204.
  • ASME 203 and HSS/HLR 204 belong to the core network side.
  • FIG. 3 is a schematic flowchart of a method for group authentication in M2M communication according to an embodiment of the present invention. As shown in FIG. 3, the method includes:
  • Step 301: The MTC terminal gateway and the CN perform two-way authentication and calculate the key material.
  • The two-way authentication between the MTC terminal gateway and the CN includes AKA authentication.
  • The key material is specifically: key material calculated from the confidentiality key CK and the integrity key IK.
  • The key material is Kg = CK || IK (the concatenation of CK and IK); the specific calculation method and process follow the prior art and are not described again here.
  • The method further includes: low-mobility MTC Devices that belong to the same MTC user at the same location within the coverage of the MTC terminal gateway are subscribed to the same MTC group.
  • The two-way authentication process further includes: obtaining from the HSS/HLR the hash values of the MTC Device root keys associated with the MTC terminal gateway, and storing them in the Access Security Management Entity (ASME).
  • The hash values of the MTC Device root keys associated with the MTC terminal gateway are specifically: the hash values of the root keys of all MTC Devices of the same MTC group covered by the MTC terminal gateway.
  • The two-way authentication between the MTC terminal gateway and the CN specifically includes: the MTC terminal gateway initiates an access request to the ASME; the ASME requests an authentication vector from the HSS/HLR according to the received request; the HSS/HLR generates authentication vectors AV(1..n) from the subscription data, together with the hash values of the MTC Device root keys associated with the MTC terminal gateway, and returns them to the ASME, which stores them; the ASME and the MTC terminal gateway authenticate each other using the authentication vector, and after the authentication passes they calculate the key material and establish a secure channel.
  • Establishing the secure channel specifically means: the ASME selects the confidentiality key CK and the integrity key IK corresponding to the MTC terminal gateway and uses them for confidentiality and integrity protection of subsequent communication.
  • Step 302: The MTC terminal gateway and the MTC Device perform two-way authentication; after the authentication passes, the key material is sent to the MTC Device and the CN is notified of the authenticated MTC Device. Specifically, the two-way authentication between the MTC terminal gateway and the MTC Device is two-way authentication based on Internet Protocol Security (IPsec), Transport Layer Security (TLS), a Public Key Infrastructure (PKI) certificate, or the local access technology.
  • IPsec: Internet Protocol Security
  • TLS: Transport Layer Security
  • PKI: Public Key Infrastructure
  • The method further includes: the MTC terminal gateway determines whether the MTC Device has been authenticated and whether the MTC terminal gateway holds the key material Kg. If the MTC Device has not been authenticated, the MTC terminal gateway and the MTC Device perform two-way authentication and the key material is then sent to the MTC Device; if it has been authenticated but the key material Kg does not exist, return to step 301 so that the MTC terminal gateway and the CN authenticate again, and the key material is calculated and sent to the MTC Device; if it has been authenticated and the key material Kg exists, the key material is sent directly to the MTC Device.
  • Step 303: The MTC Device generates the authenticated communication key from the received key material and the hash value of its own root key, and at the same time the CN generates the authenticated communication key from the key material and the hash value of the root key of the authenticated MTC Device.
  • Specifically, the MTC Device generates from the received key material Kg and the hash value of its own root key its own confidentiality key CKi and integrity key IKi, for subsequent confidentiality and integrity protection.
  • Specifically, the CN generates the authenticated communication key as follows: after the ASME receives the identity of the authenticated MTC Device advertised by the MTC terminal gateway, it generates the confidentiality key CKi and the integrity key IKi from the key material Kg and the hash value of the root key corresponding to that MTC Device, for subsequent confidentiality and integrity protection.
  • The confidentiality key CK and the integrity key IK used to calculate the key material in the CN are obtained from the HSS/HLR during the two-way authentication between the MTC terminal gateway and the CN in step 301.
  • FIG. 4 is a schematic flowchart of the two-way authentication performed by an MTC terminal gateway and a CN according to an embodiment of the present invention. As shown in FIG. 4, the authentication includes the following steps:
  • Step 401: The MTC Gateway Device initiates an access request to the ASME.
  • The access request includes the identity of the MTC Gateway Device.
  • Step 402: The ASME requests an authentication vector from the HSS/HLR according to the received request.
  • Step 403: The HSS/HLR checks the subscription data of the MTC Gateway Device, confirms that the MTC Gateway Device is the agent subscribed for a group of MTC Devices, and generates authentication vectors AV(1..n) together with the hash values of the root keys of the MTC Devices associated with the MTC Gateway Device.
  • Step 404: The HSS/HLR sends an authentication data response message to the ASME.
  • The response message includes the authentication vectors and the hash values of the MTC Device root keys generated in step 403.
  • Step 405: The ASME stores the authentication vectors and the hash values of the MTC Device root keys sent by the HSS/HLR.
  • Step 406: The ASME initiates an authentication request to the MTC Gateway Device; the request message carries a random number (RAND) and an authentication token (AUTN).
  • RAND: random number
  • AUTN: authentication token
  • Step 407: The MTC Gateway Device authenticates the network using RAND and AUTN and calculates the authentication response (RES), the confidentiality key CK and the integrity key IK.
  • RES: authentication response
  • CK: confidentiality key
  • IK: integrity key
  • Step 408: The MTC Gateway Device returns the RES to the ASME.
  • Step 409: The ASME verifies whether the RES and the XRES are consistent. If they are, the authentication passes and the corresponding confidentiality key CK and integrity key IK are selected for the subsequent calculation of the key material, providing confidentiality and integrity protection; if not, the authentication fails.
  • Step 410: A secure channel is established between the MTC Gateway Device and the network.
  • The specific calculation method and process follow the prior art and are not described here.
  • FIG. 5 is a schematic flowchart of the two-way authentication performed by an MTC terminal gateway and an MTC terminal according to an embodiment of the present invention. As shown in FIG. 5, the process includes the following steps:
  • Step 501: The MTC Device initiates an access request to the MTC Gateway Device; the request includes the identity of the MTC Device.
  • Step 502: The MTC Gateway Device determines whether the MTC Device has been authenticated and whether the MTC Gateway Device holds the key material Kg. If the MTC Device has not been authenticated, step 503 is performed; if the MTC Device has been authenticated but the key material Kg does not exist, step 504 is performed to re-establish the secure channel between the MTC Gateway Device and the CN; if the MTC Device has been authenticated and the key material Kg exists, step 505 is performed.
  • Step 503: The MTC Gateway Device and the MTC Device perform two-way authentication and establish a secure channel.
  • The two-way authentication is specifically: two-way authentication using IPsec, TLS, a PKI certificate, or the local access technology.
  • After the MTC Gateway Device and the MTC Device have completed the two-way authentication of step 503 and established the secure channel, step 504 is performed if the key material Kg does not exist in the MTC Gateway Device; if the MTC Gateway Device already holds the key material Kg, step 504 is skipped and step 505 is performed.
  • Step 504: A secure channel is established between the MTC Gateway Device and the CN.
  • Step 505: The MTC Gateway Device sends an access response to the MTC Device; the response message includes the key material Kg and the key lifetime of Kg.
  • Step 506: At the same time, the MTC Gateway Device advertises the identity of the MTC Device (such as the Device ID) to the ASME, indicating that the MTC Device has passed intra-group authentication.
  • Step 507: The MTC Device generates the confidentiality key CKi and the integrity key IKi from the received key material Kg and the hash value of its own root key, for subsequent confidentiality and integrity protection.
  • Step 508: After receiving the identity of the MTC Device advertised by the MTC Gateway Device, the ASME generates the confidentiality key CKi and the integrity key IKi from Kg and the hash value of the root key corresponding to that MTC Device, for subsequent confidentiality and integrity protection.
  • Step 509: The MTC Device and the ASME in the core network establish a secure channel based on the confidentiality key CKi and the integrity key IKi.
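The key hierarchy of steps 301 to 303 and the gateway decision of steps 502 to 508, as an added example that is not the patent's own code: the HSS/HLR hands the ASME the hashes of the group members' root keys, the gateway and the ASME agree Kg = CK || IK, and the device and the ASME each derive CKi/IKi from Kg and H(Ki) while the gateway, which holds only Kg, can derive neither. The gateway-CN AKA itself is not re-modelled; its CK and IK are taken as given. The hash, the KDF (HMAC-SHA256 with a label), the key lifetime value, the `verify_device` callback standing in for the IPsec/TLS/PKI mutual authentication of step 503, and all class and function names are this example's assumptions.

```python
import hashlib
import hmac
import os

KG_LIFETIME = 3600   # seconds; assumed value for the key lifetime sent with Kg (step 505)

def root_key_hash(ki: bytes) -> bytes:
    """H(Ki): the HSS/HLR gives the ASME this hash, never Ki itself (steps 403-405)."""
    return hashlib.sha256(b"mtc-root-key:" + ki).digest()

def derive_device_keys(kg: bytes, h_ki: bytes):
    """CKi and IKi from Kg and H(Ki). The patent only says both sides derive them
    from these two inputs; HMAC-SHA256 with a label is an assumed KDF."""
    ck_i = hmac.new(kg, b"CK" + h_ki, hashlib.sha256).digest()[:16]
    ik_i = hmac.new(kg, b"IK" + h_ki, hashlib.sha256).digest()[:16]
    return ck_i, ik_i

class HssHlr:
    """Subscription data: which gateway is the agent for which group of devices."""
    def __init__(self, subscriptions):
        self.subscriptions = subscriptions   # gateway id -> {device id: Ki} (constructed)

    def authentication_data_response(self, gateway_id):
        # Steps 403-404. CK and IK stand in for the AV(1..n) of the gateway-CN AKA,
        # which is not modelled here.
        group = self.subscriptions[gateway_id]
        ck, ik = os.urandom(16), os.urandom(16)
        return ck, ik, {dev: root_key_hash(ki) for dev, ki in group.items()}

class Asme:
    def __init__(self, hss):
        self.hss = hss
        self.kg = {}            # gateway id -> Kg
        self.root_hashes = {}   # device id -> H(Ki), stored in step 405
        self.device_keys = {}   # device id -> (CKi, IKi)

    def authenticate_gateway(self, gateway_id):
        """Steps 402-410, AKA outcome only: agree CK/IK with the gateway, form Kg."""
        ck, ik, hashes = self.hss.authentication_data_response(gateway_id)
        self.root_hashes.update(hashes)
        self.kg[gateway_id] = ck + ik        # Kg = CK || IK
        return self.kg[gateway_id]

    def device_authenticated(self, gateway_id, device_id):
        """Step 508: derive CKi/IKi for the device the gateway has just advertised.
        Refusing a device with no stored H(Ki) is this example's choice."""
        h_ki = self.root_hashes.get(device_id)
        if h_ki is None:
            return None
        self.device_keys[device_id] = derive_device_keys(self.kg[gateway_id], h_ki)
        return self.device_keys[device_id]

class Gateway:
    """Holds Kg and the devices it has authenticated. It never holds H(Ki), so it
    has no way to compute any device's CKi/IKi."""
    def __init__(self, gateway_id, asme, verify_device):
        self.id = gateway_id
        self.asme = asme
        self.verify_device = verify_device   # IPsec/TLS/PKI mutual authentication, abstracted
        self.kg = None
        self.authenticated = set()

    def handle_access_request(self, device_id):
        """Steps 502-506. Returns (Kg, lifetime) for the access response, or None."""
        if device_id not in self.authenticated:                  # step 503
            if not self.verify_device(device_id):
                return None
            self.authenticated.add(device_id)
        if self.kg is None:                                       # step 504
            self.kg = self.asme.authenticate_gateway(self.id)
        if self.asme.device_authenticated(self.id, device_id) is None:   # step 506
            return None
        return self.kg, KG_LIFETIME                                # step 505

class Device:
    def __init__(self, device_id, ki):
        self.id, self.ki = device_id, ki
        self.keys = None

    def attach(self, gateway):
        response = gateway.handle_access_request(self.id)
        if response is None:
            return None
        kg, _lifetime = response
        self.keys = derive_device_keys(kg, root_key_hash(self.ki))   # step 507
        return self.keys

if __name__ == "__main__":
    hss = HssHlr({"gw-1": {"dev-1": bytes(range(16)), "dev-2": bytes(range(16, 32))}})
    asme = Asme(hss)
    gw = Gateway("gw-1", asme, verify_device=lambda dev: dev.startswith("dev-"))
    dev = Device("dev-1", bytes(range(16)))
    print("device and CN agree:", dev.attach(gw) == asme.device_keys["dev-1"])
```

Two things worth checking against the text: one gateway-CN authentication serves every device in the group (the same Kg is handed to each one), yet a device with a wrong root key only breaks its own CKi/IKi, not the group's key material, which is the difference from option 2 that the page argues. The example also covers the third branch of step 502: clearing the gateway's Kg (as its lifetime expiring would) makes the next access request re-run the gateway-CN authentication, and both sides move to fresh per-device keys.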
  • FIG. 6 is a schematic structural diagram of a system for group authentication in M2M communication according to an embodiment of the present invention.
  • The system includes an MTC terminal gateway 61, a CN 62 and an MTC terminal 63, where the MTC terminal gateway 61 is configured to perform two-way authentication with the CN 62 and calculate key material, to perform two-way authentication with the MTC terminal 63, to send the key material to the MTC terminal 63 after the authentication passes, and to notify the CN 62 of the authenticated MTC terminal 63;
  • the two-way authentication between the MTC terminal gateway 61 and the CN 62 includes AKA authentication;
  • the key material is specifically: key material calculated from the confidentiality key CK and the integrity key IK;
  • the key material is Kg = CK || IK; the specific calculation method and process follow the prior art and are not described again here;
  • the two-way authentication between the MTC terminal gateway 61 and the MTC terminal 63 includes two-way authentication based on IPsec, TLS, a PKI certificate or the local access technology.
  • The MTC terminal gateway 61 is further configured to subscribe low-mobility MTC terminals that belong to the same MTC user at the same location to the same MTC group.
  • The MTC terminal gateway 61 is further configured to determine, during two-way authentication with the MTC terminal 63, whether the MTC terminal 63 has been authenticated and whether the MTC terminal gateway 61 itself holds the key material Kg: if the MTC terminal 63 has not been authenticated, the MTC terminal gateway 61 and the MTC terminal 63 perform two-way authentication and the key material is sent to the MTC terminal 63 after it passes; if the MTC terminal 63 has been authenticated but the key material Kg does not exist, the two-way authentication between the MTC terminal gateway 61 and the CN 62 is performed again, and the key material is calculated and sent to the MTC terminal 63; if the MTC terminal 63 has been authenticated and the key material Kg exists, the key material is sent directly to the MTC terminal 63.
  • The MTC terminal gateway 61 includes a CN two-way authentication module and a terminal two-way authentication module, where the CN two-way authentication module is configured to perform two-way authentication with the CN 62 and calculate key material, and the terminal two-way authentication module is configured to perform two-way authentication with the MTC terminal 63 and, after the authentication passes, send the key material to the MTC terminal 63, so that the MTC terminal 63 generates the authenticated communication key from the received key material and the hash value of its own root key, and to notify the CN 62 of the authenticated MTC terminal 63, so that the CN 62 generates the authenticated communication key from the key material and the hash value of the root key of the authenticated MTC terminal 63.
  • The MTC terminal gateway 61 further includes a subscription module, configured to subscribe low-mobility MTC terminals that belong to the same MTC user at the same location to the same MTC group.
  • The terminal two-way authentication module is further configured to determine, during two-way authentication with the MTC terminal 63, whether the MTC terminal 63 has been authenticated and whether the MTC terminal gateway 61 itself holds the key material Kg: if the MTC terminal 63 has not been authenticated, it performs two-way authentication with the MTC terminal 63 and then sends the key material to the MTC terminal 63; if the MTC terminal 63 has been authenticated but the key material Kg does not exist, it triggers the CN two-way authentication module to authenticate with the CN 62 again, and the key material is calculated and sent to the MTC terminal 63; if the MTC terminal 63 has been authenticated and the key material Kg exists, it sends the key material directly to the MTC terminal 63.
  • The CN 62 is configured to generate the authenticated communication key from the key material and the hash value of the root key of the authenticated MTC terminal 63.
  • The CN 62 further includes an ASME 64 and an HSS/HLR 65, where the ASME 64 is configured to obtain from the HSS/HLR 65, during the two-way authentication between the MTC terminal gateway 61 and the CN 62, the hash values of the root keys of the MTC terminals 63 associated with the MTC terminal gateway 61, and to store them in the ASME 64.
  • The hash values of the root keys of the MTC terminals 63 associated with the MTC terminal gateway 61 are specifically: the hash values of the root keys of all MTC terminals 63 of the same MTC group covered by the MTC terminal gateway 61.
  • the MTC terminal gateway 61 and the CN62 performing the mutual authentication specifically include: the MTC terminal gateway 61 initiates an access request to the ASME64; the ASME64 requests an authentication vector from the HSS/HLR 65 according to the received request; and the HSS/HLR 65 generates an authentication vector AV according to the subscription data. (1...n), and the hash value of the MTC terminal 63 root key associated with the MTC terminal gateway 61, and returned to the ASME64 for saving; the ASME64 and the MTC terminal gateway 61 authenticate using the authentication vector After the key material Kg is calculated and a secure channel is established.
  • the construction The security channel specifically refers to: ASME 64 selects the confidentiality key CK and the integrity key IK corresponding to the MTC terminal gateway 61 for confidentiality and integrity protection of subsequent communication.
  • the CN62 generates the authenticated communication key according to the key material and the hash value of the root key of the authenticated MTC terminal 63. Specifically, the ASME 64 in the CN62 receives the authenticated MTC notified by the MTC terminal gateway 61. After the identity of the terminal 63, the confidentiality key CKi and the integrity key IKi are generated based on the key material Kg and the hash value of the root key corresponding to the MTC terminal 63 for subsequent confidentiality and integrity protection.
  • the MTC terminal 63 is configured to generate an authenticated communication key according to the received key material and a hash value of the root key.
  • the MTC terminal 63 generates the authenticated communication key according to the received key material and the hash value of the own root key, specifically: the MTC terminal 63 according to the received key material Kg and its own root key.
  • the hash value is generated to correspond to its own secret key CKi and integrity key IKi for subsequent confidentiality and integrity protection.

Abstract

Disclosed are a group authentication method, system and gateway in M2M communication. The method includes: an MTC terminal gateway performing mutual authentication with a CN and calculating key material; the MTC terminal gateway performing mutual authentication with an MTC terminal and, after the authentication passes, sending the key material to the MTC terminal so that the MTC terminal generates an authenticated communication key from the received key material and the hash value of its own root key; and notifying the CN of the MTC terminal that has passed authentication so that the CN generates an authenticated communication key from the key material and the hash value of the root key of that MTC terminal. The embodiments of the present invention greatly reduce the signalling load between the MTC terminals and the core network, improve the efficiency of authenticating MTC terminal access, avoid having a session key derived by the MTC terminal gateway and sent to the MTC terminal and the CN, and guarantee end-to-end security between the MTC terminal and the CN.

Description

Method, system and gateway for group authentication in machine-to-machine communication

Technical field

The present invention relates to the field of Machine Type Communication (MTC) security, and in particular to a method, system and gateway for group authentication in machine-to-machine (M2M) communication.

Background
With global informatization and the development of communication network technology, human society has undergone enormous changes. People can communicate with each other more conveniently, and information is exchanged more and more frequently. At present, however, only computers and some other intelligent terminals have the ability to connect to a network and communicate, and only with human intervention; the many ordinary MTC terminals (MTC Devices) have almost no ability to connect and communicate on their own. To give these ordinary MTC terminals the ability to connect and communicate actively, so that communication network technology can better serve and support social life and make cities intelligent, the concept of M2M communication was introduced into communication network technology. The goal of M2M communication is to give all MTC terminals the ability to connect and communicate, so as to achieve information exchange between machine and machine, machine and human, and human and machine.
A large number of MTC terminals will be deployed in an M2M system, the great majority of them low-mobility MTC terminals. Usually several MTC terminals take part in the communication of one MTC application, and these MTC terminals together form part of an MTC group. MTC terminals belonging to the same MTC group may be in the same location, have the same MTC characteristics, or belong to the same MTC user; any of these can flexibly serve as the basis for grouping. Moreover, each MTC terminal in an MTC group is visible to the network. MTC terminals in the same group may need to communicate with the network independently, so an independent session key for each MTC terminal is also necessary. In addition, for reasons such as charging and congestion control, if no security mechanism provides protection, an attacker can masquerade as an MTC terminal belonging to a particular MTC group in order to obtain or send information. The M2M system is therefore required to identify an MTC group uniquely and to be able to verify whether an MTC terminal is a legitimate member of the MTC group.
The security mechanisms of existing second-generation (2G) and third-generation (3G) mobile network systems mainly consist of authentication and encryption. Authentication is the process of verifying the legitimacy of the other party's identity. The Authentication and Key Agreement (AKA) procedure of the Universal Mobile Telecommunication System (UMTS) is outlined below. Note that the AKA procedure in the Evolved Packet System (EPS) does not differ essentially from that of UMTS. UMTS AKA authenticates on the basis of the root key K stored in the Home Location Register (HLR) and in the Universal Subscriber Identity Module (USIM) card built into the terminal. Figure 1 is a schematic diagram of the existing authentication technique and procedure in systems such as UMTS and EPS. As shown in Figure 1, the authentication procedure is as follows:
Step 101: the terminal sends an access request to the Serving GPRS Support Node/Visitor Location Register (SGSN/VLR) of the General Packet Radio Service (GPRS).
Step 102: the SGSN/VLR initiates an authentication request to the HLR/Authentication Centre (AuC) according to the terminal identity.
Step 103: the HLR/AuC generates multiple sets of authentication vectors.
Specifically, each authentication vector is a quintet: a random number (RAND), an expected response (XRES), an authentication token (AUTN), a confidentiality key (CK) and an integrity key (IK).
Step 104: the HLR/AuC sends the generated sets of authentication vector quintets to the SGSN/VLR that requested authentication.
Step 105: the SGSN/VLR receives and stores the sets of authentication vector quintets sent by the HLR/AuC.
Step 106: the SGSN/VLR selects one set from the stored authentication vectors and sends its RAND and AUTN to the terminal that sent the access request.
Step 107: the USIM card in the terminal checks whether the AUTN is acceptable; if it is, step 108 is performed.
Specifically, checking whether the AUTN is acceptable means, for example, checking whether the AUTN consists of a valid authentication token. On receiving the authentication message from the SGSN/VLR, the terminal first computes the expected message authentication code XMAC for the message and compares XMAC with the MAC contained in the AUTN. If they differ, the terminal rejects the authentication and abandons the procedure. If they are the same, the terminal verifies whether the received sequence number (SQN) is within the valid range; if it is not, the terminal sends a synchronization failure message to the SGSN/VLR and abandons the procedure. If XMAC equals the MAC in the AUTN and the SQN is verified to be within the valid range, step 108 is performed.
Step 108: the terminal computes the response value RES and sends it to the SGSN/VLR. The SGSN/VLR compares the RES sent by the terminal with the XRES sent by the HLR/AuC; if they match, authentication succeeds, otherwise it fails. When authentication succeeds, the USIM card of the terminal also computes IK and CK, which are used for confidentiality and integrity protection of subsequent data transmission. This completes the establishment of a secure channel between the terminal and the network.
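The AKA run of steps 101 to 108, as an added example in Python that is not part of the patent. The 3GPP MILENAGE functions f1 to f5 are replaced by HMAC-SHA256 stand-ins (an assumption made for illustration, not the standard algorithms), the SQN acceptance window is a chosen constant, and the IMSI and root key K are constructed values; the message flow, the MAC and SQN checks of step 107 and the RES/XRES comparison of step 108 follow the steps above.

```python
import hmac
import hashlib
import secrets

# Constructed AKA model. f1..f5 are HMAC-SHA256 stand-ins keyed with K (assumption),
# not MILENAGE; the AV layout is the quintet of step 103.
def _f(k: bytes, tag: bytes, n: int, *parts: bytes) -> bytes:
    return hmac.new(k, tag + b"".join(parts), hashlib.sha256).digest()[:n]

def f1(k, rand, sqn, amf): return _f(k, b"f1", 8, rand, sqn, amf)   # MAC-A
def f2(k, rand):           return _f(k, b"f2", 8, rand)             # RES / XRES
def f3(k, rand):           return _f(k, b"f3", 16, rand)            # CK
def f4(k, rand):           return _f(k, b"f4", 16, rand)            # IK
def f5(k, rand):           return _f(k, b"f5", 6, rand)             # AK, conceals SQN

AMF = b"\x80\x00"
SQN_WINDOW = 32   # SQN is "in the valid range" if at most this far ahead of the last one

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class HlrAuc:
    """HLR/AuC: stores K per subscriber and generates AV quintets (step 103)."""
    def __init__(self, subscribers: dict):
        self.keys = dict(subscribers)
        self.sqn = {imsi: 0 for imsi in subscribers}

    def generate_vectors(self, imsi: str, count: int) -> list:
        k, avs = self.keys[imsi], []
        for _ in range(count):
            self.sqn[imsi] += 1
            sqn = self.sqn[imsi].to_bytes(6, "big")
            rand = secrets.token_bytes(16)
            autn = xor(sqn, f5(k, rand)) + AMF + f1(k, rand, sqn, AMF)
            avs.append({"RAND": rand, "XRES": f2(k, rand), "CK": f3(k, rand),
                        "IK": f4(k, rand), "AUTN": autn})
        return avs

class Terminal:
    """Terminal with a USIM: checks AUTN (step 107), returns RES and keeps CK/IK (step 108)."""
    def __init__(self, k: bytes):
        self.k, self.sqn_max, self.keys = k, 0, None

    def respond(self, rand: bytes, autn: bytes):
        sqn_ak, amf, mac = autn[:6], autn[6:8], autn[8:]
        sqn = xor(sqn_ak, f5(self.k, rand))
        if not hmac.compare_digest(f1(self.k, rand, sqn, amf), mac):   # XMAC != MAC
            return "MAC_FAILURE", None
        n = int.from_bytes(sqn, "big")
        if not (self.sqn_max < n <= self.sqn_max + SQN_WINDOW):        # SQN out of range
            return "SYNC_FAILURE", None
        self.sqn_max = n
        self.keys = {"CK": f3(self.k, rand), "IK": f4(self.k, rand)}
        return "OK", f2(self.k, rand)

class SgsnVlr:
    """SGSN/VLR: fetches and caches AVs (steps 102-105), challenges (106), checks RES (108)."""
    def __init__(self, hlr: HlrAuc):
        self.hlr, self.cache = hlr, {}

    def pick_vector(self, imsi: str) -> dict:
        if not self.cache.get(imsi):
            self.cache[imsi] = self.hlr.generate_vectors(imsi, 5)
        return self.cache[imsi].pop(0)

    def authenticate(self, imsi: str, terminal: Terminal, av: dict = None):
        av = av or self.pick_vector(imsi)
        status, res = terminal.respond(av["RAND"], av["AUTN"])
        if status != "OK":
            return status, None
        if not hmac.compare_digest(res, av["XRES"]):
            return "AUTH_FAILURE", None
        return "OK", {"CK": av["CK"], "IK": av["IK"]}   # network-side keys for the secure channel

def run_aka(k_network: bytes, k_usim: bytes, imsi: str = "460001234567890"):
    """One access request (step 101) through to the secure channel (step 108)."""
    hlr = HlrAuc({imsi: k_network})
    sgsn, terminal = SgsnVlr(hlr), Terminal(k_usim)
    status, net_keys = sgsn.authenticate(imsi, terminal)
    return status, net_keys, terminal.keys

def replay_attack(k: bytes, imsi: str = "460001234567890"):
    """Re-sending an already used RAND/AUTN is caught by the SQN check of step 107."""
    hlr = HlrAuc({imsi: k})
    sgsn, terminal = SgsnVlr(hlr), Terminal(k)
    av = sgsn.pick_vector(imsi)
    first, _ = sgsn.authenticate(imsi, terminal, av)
    second, _ = sgsn.authenticate(imsi, terminal, av)
    return first, second

if __name__ == "__main__":
    K = bytes(range(16))   # constructed root key shared by HLR/AuC and USIM
    print(run_aka(K, K)[0], run_aka(K, bytes(16))[0], replay_attack(K))
```

The two failure paths matter as much as the success path: a USIM holding a different K fails the MAC comparison before any SQN handling, and a replayed challenge passes the MAC check but is rejected because its SQN is not ahead of the last accepted one, which is what keeps a captured RAND/AUTN pair from being reused against the terminal.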
Existing mobile networks are designed for human-to-human communication and are not optimal for communication between machine and machine, machine and human, or human and machine. As M2M technology develops, the number of terminals will grow enormously; it is estimated to be at least two orders of magnitude greater than the number of terminals in human-to-human communication, and the resulting signalling and data will have a great impact on existing mobile networks. If every terminal performs authentication individually, the signalling load the network carries for authentication will grow geometrically with the number of terminals, and may even cause network congestion, which in turn affects the network's quality of service and the users' service experience.
To solve the above problem, the preferred approach is group authentication. In the 3rd Generation Partnership Project (3GPP) standards organization, the following two technical solutions have been put forward for the security threats and requirements of group authentication. 1. Group authentication based on the MTC Gateway Device in the Enhancements for MTC (MTCe) scenario. Authentication is proposed to be divided into two parts. The first part is mutual authentication between the MTC Gateway Device and the Core Network (CN), for example AKA authentication. The second part is mutual authentication between the MTC Gateway Device and the MTC Device, after which the MTC Gateway Device reports to the CN the result of its authentication of the MTC Device. Specifically, if both parts of the authentication pass, authentication between the MTC Device and the CN is considered to have succeeded, and it is proposed that different session keys be generated for the MTC Devices from the key negotiated between the MTC Gateway Device and the CN. Solution 1 carries an Editor's Note stating that the different session keys require further study.
2. Group authentication based on an MTC Delegate. It is proposed that the MTC Devices in a group share at least one common attribute, that the CN stores the identities of the group members independently, and that the MTC Devices within the group communicate over a private protocol that may be outside the scope of 3GPP. All MTC Devices in the group forward key material to the MTC Delegate; the MTC Delegate computes the group key and performs authentication with the CN on behalf of all the MTC Devices. Furthermore, the MTC Delegate may change.
Both of these solutions also have some drawbacks. Solution 1 contains only an outline description and no details of the solution, and the MTC Gateway Device derives the session key between the MTC Device and the CN and sends it to both the MTC Device and the CN, so end-to-end security between the MTC Device and the CN cannot be guaranteed. Moreover, the MTC Gateway Device may belong to a different operator, and if the network between the MTC Device and the MTC Gateway Device is a non-3GPP network, the authentication method falls outside the scope of 3GPP study.
Solution 2 still has too many unknown factors. Its advantage is that the MTC Device can complete group authentication without needing to know Kg. Its disadvantages are that it does not specify where Ki comes from or how the CN learns Ki; each group authentication in the solution is limited to the MTC Devices that are online, so if an attacker maliciously and frequently interferes with MTC Devices, causing them to keep joining and leaving the group, the system will be seriously affected; and if one MTC Device sends a wrong Ki for an unknown reason, derivation of the whole key material fails, and the MTC Delegate cannot tell which MTC Device caused the failure.

Summary of the invention
In view of this, the main purpose of the embodiments of the present invention is to provide a method, system and gateway for group authentication in M2M communication that can relieve the heavy signalling load caused by individual authentication of MTC terminals, resolve the possible security threats described above and meet the corresponding security requirements.
To solve the above technical problem, the technical solution of the embodiments of the present invention is implemented as follows. An embodiment of the present invention provides a method for group authentication in M2M communication, the method including: a Machine Type Communication (MTC) terminal gateway performing mutual authentication with a core network (CN) and calculating key material;
the MTC terminal gateway performing mutual authentication with an MTC terminal and, after the authentication passes, sending the key material to the MTC terminal so that the MTC terminal generates an authenticated communication key from the received key material and the hash value of its own root key;
notifying the CN of the authenticated MTC terminal so that the CN generates an authenticated communication key from the key material and the hash value of the root key of the authenticated MTC terminal.
Before the MTC terminal gateway performs mutual authentication with the CN, the method further includes: subscribing the low-mobility MTC terminals under the coverage of the MTC terminal gateway that are in the same location and belong to the same MTC user into the same MTC group.
The MTC terminal gateway performing mutual authentication with the CN includes:
the MTC terminal gateway initiates an access request to an Access Security Management Device (ASME); the ASME requests authentication vectors from a Home Subscriber Server/Home Location Register (HSS/HLR) according to the received request; the HSS/HLR generates the authentication vectors, together with the hash values of the root keys of the MTC terminals associated with the MTC terminal gateway, according to the subscription data and returns them to the ASME for storage; the ASME and the MTC terminal gateway authenticate each other using an authentication vector and, after it passes, calculate the key material and establish a secure channel. The key material is specifically key material calculated from the confidentiality key and the integrity key.
During the mutual authentication between the MTC terminal gateway and the MTC terminal, the method further includes:
the MTC terminal gateway determining whether the MTC terminal has been authenticated and whether the MTC terminal gateway itself holds key material: if the MTC terminal has not been authenticated, the MTC terminal gateway and the MTC terminal perform mutual authentication and, after it passes, the key material is sent to the MTC terminal; if the MTC terminal has been authenticated but no key material is present, the mutual authentication between the MTC terminal gateway and the CN is performed again, and the key material is calculated and sent to the MTC terminal; if the MTC terminal has been authenticated and key material is present, the key material is sent directly to the MTC terminal.
The method by which the MTC terminal gateway and the CN perform mutual authentication includes AKA authentication;
the MTC terminal gateway performing mutual authentication with the MTC terminal includes mutual authentication based on Internet Protocol Security (IPsec), Transport Layer Security (TLS), a Public Key Infrastructure (PKI) certificate or a local access technology.
An embodiment of the present invention further provides a system for group authentication in M2M communication, the system including:
an MTC terminal gateway, a CN and an MTC terminal, where
the MTC terminal gateway is configured to perform mutual authentication with the CN and calculate key material, to perform mutual authentication with the MTC terminal, to send the key material to the MTC terminal after the authentication passes, and to notify the CN of the authenticated MTC terminal;
the CN is configured to generate an authenticated communication key from the key material and the hash value of the root key of the authenticated MTC terminal;
the MTC terminal is configured to generate an authenticated communication key from the received key material and the hash value of its own root key. The MTC terminal gateway is further configured to subscribe the low-mobility MTC terminals under its coverage that are in the same location and belong to the same MTC user into the same MTC group.
The CN further includes an ASME and an HSS/HLR, where
the ASME is configured to acquire, during the mutual authentication between the MTC terminal gateway and the CN, the hash values of the root keys of the MTC terminals associated with the MTC terminal gateway from the HSS/HLR and to store them in the ASME.
The MTC terminal gateway is further configured, during the mutual authentication with the MTC terminal, to determine whether the MTC terminal has been authenticated and whether the MTC terminal gateway itself holds key material: if the MTC terminal has not been authenticated, the MTC terminal gateway and the MTC terminal perform mutual authentication and, after it passes, the key material is sent to the MTC terminal; if the MTC terminal has been authenticated but no key material is present, the mutual authentication between the MTC terminal gateway and the CN is performed again, and the key material is calculated and sent to the MTC terminal; if the MTC terminal has been authenticated and key material is present, the key material is sent directly to the MTC terminal.
An MTC terminal gateway, the MTC terminal gateway including:
a CN mutual authentication module and a terminal mutual authentication module, where
the CN mutual authentication module is configured to perform mutual authentication with the CN and calculate key material; the terminal mutual authentication module is configured to perform mutual authentication with the MTC terminal, to send the key material to the MTC terminal after the authentication passes so that the MTC terminal generates an authenticated communication key from the received key material and the hash value of its own root key, and to notify the CN of the authenticated MTC terminal so that the CN generates an authenticated communication key from the key material and the hash value of the root key of the authenticated MTC terminal.
The MTC terminal gateway further includes:
a subscription module configured to subscribe the low-mobility MTC terminals under the gateway's coverage that are in the same location and belong to the same MTC user into the same MTC group.
The terminal mutual authentication module is further configured, during the mutual authentication with the MTC terminal, to determine whether the MTC terminal has been authenticated and whether the MTC terminal gateway itself holds the key material Kg: if the MTC terminal has not been authenticated, it performs mutual authentication with the MTC terminal and sends the key material to the MTC terminal after it passes; if the MTC terminal has been authenticated but the key material Kg is not present, it triggers the CN mutual authentication module to perform the mutual authentication with the CN again, calculate the key material and send it to the MTC terminal; if the MTC terminal has been authenticated and the key material Kg is present, it sends the key material directly to the MTC terminal.
In the method, system and gateway for group authentication in M2M communication provided by the embodiments of the present invention, the MTC terminal gateway performs mutual authentication with the CN and calculates key material; the MTC terminal gateway performs mutual authentication with the MTC terminal and, after the authentication passes, sends the key material to the MTC terminal so that the MTC terminal generates an authenticated communication key from the received key material and the hash value of its own root key; and the CN is notified of the authenticated MTC terminal so that it generates an authenticated communication key from the key material and the hash value of the root key of the authenticated MTC terminal. In this way, not every MTC terminal in a group has to authenticate with the CN separately, which greatly reduces the signalling load between the MTC terminals and the core network and improves the efficiency of authenticating MTC terminal access. At the same time, the MTC terminal and the CN each generate the communication key from the key material and the hash value of the MTC terminal's root key, so the session key is not derived by the MTC terminal gateway and sent to the MTC terminal and the CN, which guarantees end-to-end security between the MTC terminal and the CN.

Brief description of the drawings
Figure 1 is a schematic diagram of the existing authentication technique and procedure in systems such as UMTS and EPS; Figure 2 is a schematic diagram of the network element architecture involved in the embodiments of the present invention;
Figure 3 is a schematic flowchart of a method for group authentication in M2M communication according to an embodiment of the present invention; Figure 4 is a schematic flowchart of the mutual authentication between the MTC terminal gateway and the CN according to an embodiment of the present invention; Figure 5 is a schematic flowchart of the mutual authentication between the MTC terminal gateway and the MTC terminal according to an embodiment of the present invention;
Figure 6 is a schematic structural diagram of a system for group authentication in M2M communication according to an embodiment of the present invention.

Detailed description
本发明实施例的基本思想是: MTC终端网关和核心网( CN )进行双向 认证, 并计算密钥材料; MTC终端网关和 MTC终端进行双向认证, 认证 通过后向 MTC终端发送密钥材料,并通知 CN所述通过认证的 MTC终端; MTC终端根据接收到的密钥材料和自身根密钥的哈希值生成认证后的通信 密钥, 同时, CN根据密钥材料和所述通过认证的 MTC终端的根密钥的哈 希值生成认证后的通信密钥。  The basic idea of the embodiment of the present invention is: the MTC terminal gateway and the core network (CN) perform mutual authentication and calculate the key material; the MTC terminal gateway and the MTC terminal perform mutual authentication, and after the authentication passes, the key material is sent to the MTC terminal, and Notifying the CN of the authenticated MTC terminal; the MTC terminal generates the authenticated communication key according to the received key material and the hash value of the own root key, and at the same time, the CN according to the key material and the authenticated MTC The hash value of the root key of the terminal generates an authenticated communication key.
The technical solution of the present invention is further elaborated below with reference to the accompanying drawings and specific embodiments.

For a better understanding of the embodiments, the network element architecture involved is introduced first. FIG. 2 is a schematic diagram of that architecture. As shown in FIG. 2, the architecture includes: an MTC terminal 201, which connects to an MTC terminal gateway 202; the MTC terminal gateway 202 connects to the access security management device (ASME) 203 of the M2M system; the ASME 203 connects to the home subscriber server/home location register (HSS/HLR) 204. The ASME 203 and the HSS/HLR 204 both belong to the core network side.
FIG. 3 is a schematic flowchart of a method for group authentication in M2M communication according to an embodiment of the present invention. As shown in FIG. 3, the method includes:
Step 301: the MTC terminal gateway and the CN perform mutual authentication and compute key material.

Specifically, the method by which the MTC terminal gateway and the CN perform mutual authentication includes AKA authentication. The key material is specifically key material computed from the confidentiality key CK and the integrity key IK, namely Kg = CK||IK; the specific computation method and process follow the prior art and are not repeated here.
Further, before step 301 the method also includes: the low-mobility MTC Devices under the coverage of the MTC terminal gateway that are at the same location and belong to the same MTC user are subscribed as the same MTC group.
Further, the mutual authentication process also includes: obtaining from the HSS/HLR the hash values of the MTC Device root keys associated with the MTC terminal gateway and storing them in the access security management device (ASME). The hash values of the MTC Device root keys associated with the MTC terminal gateway are specifically the hash values of the root keys of all MTC Devices of the same MTC group under the coverage of that MTC terminal gateway.
The mutual authentication between the MTC terminal gateway and the CN specifically includes: the MTC terminal gateway initiates an access request to the ASME; the ASME, according to the received request, requests authentication vectors from the HSS/HLR; the HSS/HLR generates authentication vectors AV(1...n) according to the subscription data, together with the hash values of the MTC Device root keys associated with that MTC terminal gateway, and returns them to the ASME for storage; the ASME and the MTC terminal gateway authenticate each other using an authentication vector, and after the authentication passes they compute the key material and establish a secure channel. Establishing the secure channel specifically means that the ASME selects the confidentiality key CK and the integrity key IK corresponding to the MTC terminal gateway for the confidentiality and integrity protection of subsequent communication.
Step 302: the MTC terminal gateway and the MTC Device perform mutual authentication; after the authentication passes, the gateway sends the key material to the MTC Device and notifies the CN of the authenticated MTC Device.

Specifically, the mutual authentication between the MTC terminal gateway and the MTC Device includes mutual authentication based on Internet Protocol Security (IPSec), Transport Layer Security (TLS), public key infrastructure (PKI) certificates, or a local access technology.
The process of mutual authentication between the MTC terminal gateway and the MTC Device also includes: the MTC terminal gateway determines whether the MTC Device has already been authenticated and whether the gateway itself holds the key material Kg. If the MTC Device has not been authenticated, the MTC terminal gateway and the MTC Device perform mutual authentication and, once it passes, the gateway sends the key material to the MTC Device; if the MTC Device has already been authenticated but no key material Kg exists, the flow returns to step 301, the mutual authentication between the MTC terminal gateway and the CN is performed again, and the key material is computed and sent to the MTC terminal; if the MTC Device has been authenticated and the key material Kg exists, the gateway sends the key material to the MTC Device directly.
Step 303: the MTC Device generates the post-authentication communication key from the received key material and the hash value of its own root key, and at the same time the CN generates the post-authentication communication key from the key material and the hash value of the root key of the authenticated MTC Device.
Specifically, the MTC Device generating the post-authentication communication key from the received key material and the hash value of its own root key means: the MTC Device generates its own confidentiality key CKi and integrity key IKi from the received key material Kg and the hash value of its own root key, for subsequent confidentiality and integrity protection. The CN generating the post-authentication communication key from the key material and the hash value of the root key of the authenticated MTC Device means: after the ASME in the CN receives the identity of the authenticated MTC Device announced by the MTC terminal gateway, it generates the confidentiality key CKi and the integrity key IKi from the key material Kg and the hash value of the root key corresponding to that MTC Device, for subsequent confidentiality and integrity protection.
It should be noted that the confidentiality key CK and the integrity key IK from which the CN computes the key material are obtained from the HSS/HLR during the mutual authentication between the MTC terminal gateway and the CN in step 301.
FIG. 4 is a schematic flowchart of mutual authentication between the MTC terminal gateway and the CN according to an embodiment of the present invention. As shown in FIG. 4, the authentication includes the following steps:
Step 401: the MTC terminal gateway (MTC Gateway Device) initiates an access request to the ASME;
Specifically, the access request contains the identity of the MTC Gateway Device.
Step 402: the ASME, according to the received request, requests authentication vectors from the HSS/HLR;

Step 403: the HSS/HLR checks the subscription data of the MTC Gateway Device and, having confirmed that the MTC Gateway Device is subscribed as the agent of a group of MTC Devices, generates authentication vectors AV(1...n) together with the hash values of the MTC Device root keys associated with that MTC Gateway Device;
Step 404: the HSS/HLR sends an authentication data response message to the ASME;
Specifically, the response message contains the authentication vectors from step 403 and the hash values of the MTC Device root keys.
Step 405: the ASME stores the authentication vectors and the MTC Device root key hash values sent by the HSS/HLR;
Step 406: the ASME initiates an authentication request to the MTC Gateway Device; the request message carries a random number (Rand) and an authentication token (AUTN);
Step 407: the MTC Gateway Device authenticates the network using Rand and AUTN, and computes the authentication response (RES), the confidentiality key CK and the integrity key IK;
Step 408: the MTC Gateway Device returns RES to the ASME;
Step 409: the ASME verifies whether RES matches XRES. If they match, the authentication passes and the corresponding confidentiality key CK and integrity key IK are selected for the subsequent computation of the key material, thereby providing confidentiality and integrity protection; if they do not match, the authentication fails;
Step 410: a secure channel is established between the MTC Gateway Device and the network.
Step 411: the MTC Gateway Device computes the group's key material Kg = CK||IK from the confidentiality key CK and the integrity key IK; the specific computation method and process follow the prior art and are not repeated here;
Step 412: the ASME computes the group's key material Kg = CK||IK from the MTC Gateway Device's confidentiality key CK and integrity key IK; the specific computation method and process follow the prior art and are not repeated here.
FIG. 5 is a schematic flowchart of mutual authentication between the MTC terminal gateway and the MTC terminal according to an embodiment of the present invention. As shown in FIG. 5, the flow includes the following steps:
Step 501: the MTC Device initiates an access request to the MTC Gateway Device; the request contains the identity of the MTC Device;
Step 502: the MTC Gateway Device determines whether the MTC Device has already been authenticated and whether the MTC Gateway Device itself holds the key material Kg. If the MTC Device has not been authenticated, step 503 is performed; if it has been authenticated but no key material Kg exists, step 504 is performed to re-establish the secure channel between the MTC Gateway Device and the CN; if it has been authenticated and the key material Kg exists, step 505 is performed;
Step 503: the MTC Gateway Device and the MTC Device perform mutual authentication and establish a secure channel;
Specifically, the mutual authentication is performed by means of IPSec, TLS, PKI certificates, a local access technology, or the like.
Further, after step 503 has been performed, that is, after the MTC Gateway Device and the MTC Device have authenticated each other and established a secure channel: if no key material Kg exists in the MTC Gateway Device, step 504 is performed; if the key material Kg already exists in the MTC Gateway Device, step 504 is skipped and step 505 is performed.
Step 504: a secure channel is established between the MTC Gateway Device and the CN;
Step 505: the MTC Gateway Device sends an access response to the MTC Device; the response message contains the key material Kg and the key lifetime of the key material Kg;
Step 506: at the same time, the MTC Gateway Device announces the identity of the MTC Device (e.g. its Device ID) to the ASME, indicating that the MTC Device has passed the intra-group authentication;
Step 507: the MTC Device generates the confidentiality key CKi and the integrity key IKi from the received key material Kg and the hash value of its own root key, for subsequent confidentiality and integrity protection;
Step 508: after receiving the identity of the MTC Device announced by the MTC Gateway Device, the ASME generates the confidentiality key CKi and the integrity key IKi from Kg and the hash value of the root key corresponding to that MTC Device, for subsequent confidentiality and integrity protection;
Step 509: the MTC Device and the ASME in the core network establish a secure channel based on the above confidentiality key CKi and integrity key IKi.
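The flows of FIG. 4 and FIG. 5 as an executable model, added here as an illustration; it is not code from the patent or from any implementation by the applicant. The AKA challenge/response is abstracted into a CK/IK pair already agreed between the gateway and the ASME, and the hash function (SHA-256), the KDF for CKi/IKi (HMAC-SHA256), the sample keys and the key lifetime value are all assumptions, since the text specifies none of them.

```python
import hashlib
import hmac

KEY_LIFETIME = 3600  # seconds; the page names the field but gives no value (assumed)


def key_material(ck: bytes, ik: bytes) -> bytes:
    """Steps 411/412: Kg = CK || IK, computed independently by gateway and ASME."""
    return ck + ik


def root_key_hash(root_key: bytes) -> bytes:
    """Hash of an MTC Device root key; HSS/HLR hands these to the ASME (SHA-256 assumed)."""
    return hashlib.sha256(root_key).digest()


def derive_session_keys(kg: bytes, rk_hash: bytes) -> tuple:
    """Steps 507/508: (CKi, IKi) from Kg and H(root key). KDF assumed: HMAC-SHA256."""
    cki = hmac.new(kg, b"CK" + rk_hash, hashlib.sha256).digest()[:16]
    iki = hmac.new(kg, b"IK" + rk_hash, hashlib.sha256).digest()[:16]
    return cki, iki


class HSS:
    """HSS/HLR: subscription data, i.e. which devices form the gateway's MTC group."""

    def __init__(self, gateway_id: str, ck: bytes, ik: bytes, group: dict):
        self.gateway_id, self.ck, self.ik = gateway_id, ck, ik
        self.group = group  # device_id -> root key (root keys never leave the HSS)

    def authentication_data(self, gateway_id: str):
        # Steps 403/404: confirm the gateway is the group's agent, then return CK/IK
        # (standing in for the AV) plus the hashes of all group root keys.
        if gateway_id != self.gateway_id:
            raise PermissionError("gateway is not a subscribed group agent")
        hashes = {dev: root_key_hash(rk) for dev, rk in self.group.items()}
        return self.ck, self.ik, hashes


class ASME:
    def __init__(self, hss: HSS):
        self.hss, self.kg, self.rk_hashes, self.device_keys = hss, None, {}, {}

    def authenticate_gateway(self, gateway_id: str):
        # Steps 402-405 and 412; the AKA exchange (406-409) is abstracted away.
        ck, ik, self.rk_hashes = self.hss.authentication_data(gateway_id)
        self.kg = key_material(ck, ik)
        return ck, ik  # after a successful AKA the gateway holds the same CK/IK

    def notify_authenticated(self, device_id: str):
        # Step 508: derive CKi/IKi only for a device whose root-key hash the HSS supplied;
        # a device the gateway vouches for but the HSS does not know gets no keys.
        if device_id not in self.rk_hashes:
            raise KeyError("device is not in the gateway's MTC group")
        self.device_keys[device_id] = derive_session_keys(self.kg, self.rk_hashes[device_id])


class Gateway:
    def __init__(self, gateway_id: str, asme: ASME):
        self.id, self.asme, self.kg, self.authenticated = gateway_id, asme, None, set()

    def access_cn(self):
        # FIG. 4 / step 504: mutual authentication with the CN, then Kg (step 411).
        ck, ik = self.asme.authenticate_gateway(self.id)
        self.kg = key_material(ck, ik)

    def handle_access_request(self, device_id: str, local_auth_ok: bool):
        # Step 502: branch on "device already authenticated?" and "Kg present?".
        if device_id not in self.authenticated:
            if not local_auth_ok:            # step 503 (IPSec/TLS/PKI/local) failed
                return None
            self.authenticated.add(device_id)
        if self.kg is None:                  # step 504: re-establish channel to CN
            self.access_cn()
        self.asme.notify_authenticated(device_id)  # step 506
        return self.kg, KEY_LIFETIME               # step 505: Kg + key lifetime


class Device:
    def __init__(self, device_id: str, root_key: bytes):
        self.id, self.root_key, self.keys = device_id, root_key, None

    def accept_access_response(self, response):
        # Step 507: the device hashes its own root key locally; the key itself is never sent,
        # and the gateway, which lacks the hash, cannot compute CKi/IKi from Kg alone.
        kg, _lifetime = response
        self.keys = derive_session_keys(kg, root_key_hash(self.root_key))


def run_group_authentication():
    """Drive the whole flow on constructed sample keys and return the end state."""
    ck, ik = bytes.fromhex("00" * 16), bytes.fromhex("ff" * 16)   # constructed
    group = {"dev-1": b"root-key-of-device-1", "dev-2": b"root-key-of-device-2"}
    hss = HSS("gw-1", ck, ik, group)
    asme = ASME(hss)
    gw = Gateway("gw-1", asme)
    gw.access_cn()                                   # FIG. 4
    devices = {d: Device(d, rk) for d, rk in group.items()}
    for dev in devices.values():                     # FIG. 5, one run per device
        dev.accept_access_response(gw.handle_access_request(dev.id, local_auth_ok=True))
    rejected = gw.handle_access_request("dev-3", local_auth_ok=False)
    return {"asme": asme, "gateway": gw, "devices": devices, "rejected": rejected}
```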
FIG. 6 is a schematic structural diagram of a system for group authentication in M2M communication according to an embodiment of the present invention. As shown in FIG. 6, the system includes an MTC terminal gateway 61, a CN 62 and an MTC terminal 63, where:

the MTC terminal gateway 61 is configured to perform mutual authentication with the CN 62 and compute key material, to perform mutual authentication with the MTC terminal 63, to send the key material to the MTC terminal 63 after that authentication passes, and to notify the CN 62 of the authenticated MTC terminal 63;
Specifically, the method by which the MTC terminal gateway 61 and the CN 62 perform mutual authentication includes AKA authentication. The key material is specifically key material computed from the confidentiality key CK and the integrity key IK, namely Kg = CK||IK; the specific computation method and process follow the prior art and are not repeated here. The mutual authentication between the MTC terminal gateway 61 and the MTC terminal 63 includes mutual authentication based on IPSec, TLS, PKI certificates, a local access technology, or the like.
Further, the MTC terminal gateway 61 is also configured to subscribe the low-mobility MTC terminals under its own coverage that are at the same location and belong to the same MTC user as the same MTC group.
Further, the MTC terminal gateway 61 is also configured, during the mutual authentication with the MTC terminal 63, to determine whether the MTC terminal 63 has already been authenticated and whether the MTC terminal gateway 61 itself holds the key material Kg. If the MTC terminal 63 has not been authenticated, the MTC terminal gateway 61 and the MTC terminal 63 perform mutual authentication and, once it passes, the gateway sends the key material to the MTC terminal 63; if it has been authenticated but no key material Kg exists, the mutual authentication between the MTC terminal gateway 61 and the CN 62 is performed again, and the key material is computed and sent to the MTC terminal 63; if it has been authenticated and the key material Kg exists, the gateway sends the key material to the MTC terminal 63 directly.
The MTC terminal gateway 61 includes a CN mutual authentication module and a terminal mutual authentication module. The CN mutual authentication module is configured to perform mutual authentication with the CN 62 and compute key material; the terminal mutual authentication module is configured to perform mutual authentication with the MTC terminal 63, to send the key material to the MTC terminal 63 after the authentication passes so that the MTC terminal 63 generates the post-authentication communication key from the received key material and the hash value of its own root key, and to notify the CN 62 of the authenticated MTC terminal 63 so that the CN 62 generates the post-authentication communication key from the key material and the hash value of the root key of the authenticated MTC terminal 63.

The MTC terminal gateway 61 further includes a subscription module, configured to subscribe the low-mobility MTC terminals under its own coverage that are at the same location and belong to the same MTC user as the same MTC group.
The terminal mutual authentication module is also configured, during the mutual authentication with the MTC terminal 63, to determine whether the MTC terminal 63 has already been authenticated and whether the MTC terminal gateway 61 itself holds the key material Kg. If the MTC terminal 63 has not been authenticated, the module performs mutual authentication with the MTC terminal 63 and, once it passes, sends the key material to the MTC terminal 63; if it has been authenticated but no key material Kg exists, the module triggers the CN mutual authentication module to perform the mutual authentication with the CN 62 again, and the key material is computed and sent to the MTC terminal 63; if it has been authenticated and the key material Kg exists, the module sends the key material to the MTC terminal 63 directly.
The CN 62 is configured to generate the post-authentication communication key from the key material and the hash value of the root key of the authenticated MTC terminal 63;
Further, the CN 62 also includes an ASME 64 and an HSS/HLR 65, where the ASME 64 is configured, during the mutual authentication between the MTC terminal gateway 61 and the CN 62, to obtain from the HSS/HLR 65 the hash values of the root keys of the MTC terminals 63 associated with the MTC terminal gateway 61 and to store them in the ASME 64.
Specifically, the hash values of the root keys of the MTC terminals 63 associated with the MTC terminal gateway 61 are the hash values of the root keys of all MTC terminals 63 of the same MTC group under the coverage of the MTC terminal gateway 61.
The mutual authentication between the MTC terminal gateway 61 and the CN 62 specifically includes: the MTC terminal gateway 61 initiates an access request to the ASME 64; the ASME 64, according to the received request, requests authentication vectors from the HSS/HLR 65; the HSS/HLR 65 generates authentication vectors AV(1...n) according to the subscription data, together with the hash values of the root keys of the MTC terminals 63 associated with that MTC terminal gateway 61, and returns them to the ASME 64 for storage; the ASME 64 and the MTC terminal gateway 61 authenticate each other using an authentication vector and, after it passes, compute the key material Kg and establish a secure channel. Establishing the secure channel specifically means that the ASME 64 selects the confidentiality key CK and the integrity key IK corresponding to the MTC terminal gateway 61 for the confidentiality and integrity protection of subsequent communication.
The CN 62 generating the post-authentication communication key from the key material and the hash value of the root key of the authenticated MTC terminal 63 means: after the ASME 64 in the CN 62 receives the identity of the authenticated MTC terminal 63 announced by the MTC terminal gateway 61, it generates the confidentiality key CKi and the integrity key IKi from the key material Kg and the hash value of the root key corresponding to that MTC terminal 63, for subsequent confidentiality and integrity protection.
The MTC terminal 63 is configured to generate the post-authentication communication key from the received key material and the hash value of its own root key.
Specifically, the MTC terminal 63 generating the post-authentication communication key from the received key material and the hash value of its own root key means: the MTC terminal 63 generates its own confidentiality key CKi and integrity key IKi from the received key material Kg and the hash value of its own root key, for subsequent confidentiality and integrity protection.
The above are merely preferred embodiments of the present invention and are not intended to limit the scope of protection of the present invention.

Claims

1. A method for group authentication in machine-to-machine (M2M) communication, characterized in that the method includes:
a machine type communication (MTC) terminal gateway performing mutual authentication with a core network (CN) and computing key material;
the MTC terminal gateway performing mutual authentication with an MTC terminal and, after the authentication passes, sending the key material to the MTC terminal so that the MTC terminal generates a post-authentication communication key from the received key material and the hash value of its own root key;
notifying the CN of the authenticated MTC terminal so that the CN generates a post-authentication communication key from the key material and the hash value of the root key of the authenticated MTC terminal.
2. The method according to claim 1, characterized in that, before the MTC terminal gateway performs mutual authentication with the CN, the method further includes:
subscribing the low-mobility MTC terminals under the coverage of the MTC terminal gateway that are at the same location and belong to the same MTC user as the same MTC group.
3. The method according to claim 1 or 2, characterized in that the MTC terminal gateway performing mutual authentication with the CN includes:
the MTC terminal gateway initiating an access request to an access security management device (ASME); the ASME, according to the received request, requesting authentication vectors from a home subscriber server/home location register (HSS/HLR); the HSS/HLR generating authentication vectors according to the subscription data, together with the hash values of the MTC terminal root keys associated with the MTC terminal gateway, and returning them to the ASME for storage; the ASME and the MTC terminal gateway authenticating each other using an authentication vector and, after it passes, computing the key material and establishing a secure channel.
4. The method according to claim 1 or 2, characterized in that the key material is specifically key material computed from a confidentiality key and an integrity key.
5. The method according to claim 1 or 2, characterized in that the process of the MTC terminal gateway performing mutual authentication with the MTC terminal further includes:
the MTC terminal gateway determining whether the MTC terminal has already been authenticated and whether the MTC terminal gateway itself holds key material; if the MTC terminal has not been authenticated, the MTC terminal gateway and the MTC terminal perform mutual authentication and, once it passes, the gateway sends the key material to the MTC terminal; if the MTC terminal has been authenticated but no key material exists, the mutual authentication between the MTC terminal gateway and the CN is performed again, and the key material is computed and sent to the MTC terminal; if the MTC terminal has been authenticated and key material exists, the gateway sends the key material to the MTC terminal directly.
6. The method according to claim 1 or 2, characterized in that

the method by which the MTC terminal gateway performs mutual authentication with the CN includes AKA authentication; and the MTC terminal gateway performing mutual authentication with the MTC terminal includes mutual authentication based on Internet Protocol Security (IPSec), Transport Layer Security (TLS), public key infrastructure (PKI) certificates, or a local access technology.
7. A system for group authentication in M2M communication, characterized in that the system includes an MTC terminal gateway, a CN and an MTC terminal, where
the MTC terminal gateway is configured to perform mutual authentication with the CN and compute key material, to perform mutual authentication with the MTC terminal, to send the key material to the MTC terminal after the authentication passes, and to notify the CN of the authenticated MTC terminal;
the CN is configured to generate a post-authentication communication key from the key material and the hash value of the root key of the authenticated MTC terminal;
the MTC terminal is configured to generate a post-authentication communication key from the received key material and the hash value of its own root key.
8. The system according to claim 7, characterized in that the MTC terminal gateway is further configured to subscribe the low-mobility MTC terminals under its own coverage that are at the same location and belong to the same MTC user as the same MTC group.
9. The system according to claim 7 or 8, characterized in that the CN further includes an ASME and an HSS/HLR, where
the ASME is configured, during the mutual authentication between the MTC terminal gateway and the CN, to obtain from the HSS/HLR the hash values of the MTC terminal root keys associated with the MTC terminal gateway and to store them in the ASME.
10. The system according to claim 7 or 8, characterized in that the MTC terminal gateway is further configured, during the mutual authentication with the MTC terminal, to determine whether the MTC terminal has already been authenticated and whether the MTC terminal gateway itself holds key material; if the MTC terminal has not been authenticated, the MTC terminal gateway and the MTC terminal perform mutual authentication and, once it passes, the gateway sends the key material to the MTC terminal; if the MTC terminal has been authenticated but no key material exists, the mutual authentication between the MTC terminal gateway and the CN is performed again, and the key material is computed and sent to the MTC terminal; if the MTC terminal has been authenticated and key material exists, the gateway sends the key material to the MTC terminal directly.
11. An MTC terminal gateway, characterized in that the MTC terminal gateway includes a CN mutual authentication module and a terminal mutual authentication module, where
the CN mutual authentication module is configured to perform mutual authentication with the CN and compute key material; the terminal mutual authentication module is configured to perform mutual authentication with the MTC terminal, to send the key material to the MTC terminal after the authentication passes so that the MTC terminal generates a post-authentication communication key from the received key material and the hash value of its own root key, and to notify the CN of the authenticated MTC terminal so that the CN generates a post-authentication communication key from the key material and the hash value of the root key of the authenticated MTC terminal.
12、 根据权利要求 11所述的 MTC终端网关, 其特征在于, 所述 MTC 终端网关还包括:  The MTC terminal gateway according to claim 11, wherein the MTC terminal gateway further comprises:
签约模块, 用于将其自身覆盖下同一个地点属于同一个 MTC 用户的 低移动性 MTC终端签约为同一个 MTC组。  The contracting module is used to cover the same MTC group with the low mobility MTC terminal that belongs to the same MTC user in the same location.
13、 根据权利要求 11或 12所述的 MTC终端网关, 其特征在于, 所述终端双向认证模块, 还用于在与 MTC 终端进行双向认证的过程 中, 判断该 MTC终端是否经过认证, MTC终端网关自身是否存在密钥材 料 Kg, 如果该 MTC终端没有被认证, 则与 MTC终端 63进行双向认证, 通过后将密钥材料发送给 MTC 终端, 如果已经被认证但不存在密钥材料 Kg, 则触发 CN双向认证模块重新进行与 CN62的双向认证, 计算密钥材 料并发送给 MTC终端; 如果已认证且存在密钥材料 Kg, 则直接向 MTC终 端发送密钥材料。 The MTC terminal gateway according to claim 11 or 12, wherein the terminal two-way authentication module is further configured to perform a two-way authentication process with the MTC terminal. If the MTC terminal is authenticated, the MTC terminal gateway has the key material Kg. If the MTC terminal is not authenticated, the MTC terminal 63 performs mutual authentication with the MTC terminal 63, and then sends the key material to the MTC terminal. If the key material Kg is already authenticated but the key material Kg is not present, the CN mutual authentication module is triggered to re-authenticate with the CN62, and the key material is calculated and sent to the MTC terminal. If the key material Kg is authenticated and directly exists, the MTC terminal is directly sent to the MTC terminal. Send key material.
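As an added illustration that is not part of the patent, the three-way decision of claims 10 and 13 and the matching key derivation of claim 11, modelled in Python. `Gateway`, `comm_key`, the HMAC-SHA256 combining function and the random Kg are assumptions: the claims fix neither how Kg is derived from the gateway-CN authentication nor how key material and the root-key hash are combined.

```python
import hashlib
import hmac
import os


def comm_key(key_material: bytes, root_key: bytes) -> bytes:
    """Claim 11: key from key material and the hash of the root key. The
    combining function (HMAC-SHA256 keyed with SHA-256(root)) is an assumption."""
    return hmac.new(hashlib.sha256(root_key).digest(), key_material,
                    hashlib.sha256).digest()


class Gateway:
    """Decision logic of claims 10 and 13 for one MTC terminal gateway."""

    def __init__(self):
        self.kg = None              # key material Kg; None = not present
        self.authenticated = set()  # terminal ids that passed mutual auth
        self.cn_auth_runs = 0       # number of gateway<->CN authentications

    def authenticate_with_cn(self):
        # Assumption: a successful gateway-CN authentication yields fresh Kg.
        self.cn_auth_runs += 1
        self.kg = os.urandom(32)

    def key_material_for(self, term_id, term_auth_ok=True):
        """Return the Kg to send to a terminal, or None if it fails auth."""
        if term_id not in self.authenticated:
            # Not yet authenticated: mutual authentication first, then send.
            if not term_auth_ok:
                return None
            self.authenticated.add(term_id)
            if self.kg is None:     # assumption: never send absent material
                self.authenticate_with_cn()
            return self.kg
        if self.kg is None:
            # Authenticated but no Kg: re-run gateway-CN auth, recompute Kg.
            self.authenticate_with_cn()
        return self.kg              # authenticated and Kg present: send directly


def demo():
    """Terminal A and the CN derive the same key from Kg and A's root key."""
    root_a = b"constructed-root-key-of-terminal-A"   # constructed sample
    gw = Gateway()
    gw.authenticate_with_cn()               # gateway bootstraps Kg with CN
    kg = gw.key_material_for("A")           # first contact: auth, then Kg
    k_cn = comm_key(gw.kg, root_a)          # CN side, after notification
    return comm_key(kg, root_a) == k_cn, gw.cn_auth_runs
```

Note that the CN never learns the per-terminal key from the gateway: both ends compute it independently from Kg and the terminal's root-key hash, so the gateway only needs to relay Kg and the list of authenticated terminals.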
PCT/CN2012/075475 2011-06-21 2012-05-14 Group authentication method, system and gateway in machine-to-machine communication WO2012174959A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201110167280.1 2011-06-21
CN201110167280.1A CN102843233B (en) 2011-06-21 2011-06-21 The method and system of certification is organized in a kind of machine to machine communication

Publications (1)

Publication Number Publication Date
WO2012174959A1 true WO2012174959A1 (en) 2012-12-27

Family

ID=47370313

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2012/075475 WO2012174959A1 (en) 2011-06-21 2012-05-14 Group authentication method, system and gateway in machine-to-machine communication

Country Status (2)

Country Link
CN (1) CN102843233B (en)
WO (1) WO2012174959A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10880332B2 (en) * 2017-04-24 2020-12-29 Unisys Corporation Enterprise security management tool
US11093598B2 (en) * 2015-12-28 2021-08-17 Huawei Technologies Co., Ltd. Identity authentication method and apparatus

Families Citing this family (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2014109168A2 (en) * 2013-01-10 2014-07-17 Nec Corporation GROUP AUTHENTICATION IN BROADCASTING FOR MTC GROUP OF UEs
WO2014127255A1 (en) * 2013-02-15 2014-08-21 Convida Wireless LLC Service layer resource propagation across domains
JP6165483B2 (en) * 2013-03-27 2017-07-19 株式会社Nttドコモ COMMUNICATION SYSTEM, RELAY DEVICE, AND COMMUNICATION METHOD
CN103596167B (en) * 2013-10-25 2016-06-29 西安电子科技大学 Machine type communication Authentication and Key Agreement method based on agency
CN104754576B (en) * 2013-12-31 2018-07-31 华为技术有限公司 Device authentication method, user equipment and the network equipment
CN105681210A (en) * 2014-11-14 2016-06-15 中兴通讯股份有限公司 Group resource updating processing method, device and system as well as CSE (Common Service Entity)
CN105792095A (en) * 2014-12-23 2016-07-20 中兴通讯股份有限公司 Secret key negotiation method and system for MTC (Machine Type Communication) packet communication and network entity
CN104602236B (en) * 2015-02-04 2018-08-07 西安电子科技大学 Anonymous switching authentication method based on group in a kind of machine type communication
CN106034027A (en) * 2015-03-12 2016-10-19 中兴通讯股份有限公司 Method and system for realizing packet authentication
CN105187398B (en) * 2015-08-12 2018-01-30 四川神琥科技有限公司 A kind of authentication recognition methods
WO2018222132A2 (en) * 2017-05-29 2018-12-06 华为国际有限公司 Network authentication method, network device and core network device
CN110267351B (en) 2018-03-12 2022-07-22 华为云计算技术有限公司 Communication method and device
CN110366179A (en) * 2018-04-09 2019-10-22 中兴通讯股份有限公司 A kind of authentication method, equipment and computer readable storage medium
CN110324820A (en) * 2019-07-03 2019-10-11 易联众智能(厦门)科技有限公司 A kind of Internet of Things safety right appraisal method, system and readable medium

Also Published As

Publication number Publication date
CN102843233A (en) 2012-12-26
CN102843233B (en) 2017-05-31

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 12801851

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 12801851

Country of ref document: EP

Kind code of ref document: A1