WO2014205846A1 - Data transmission method, machine type communication terminal and addressing server - Google Patents

Data transmission method, machine type communication terminal and addressing server

Info

Publication number
WO2014205846A1
Authority
WO
WIPO (PCT)
Prior art keywords
mtc terminal
addressing
data
identity information
server
Application number
PCT/CN2013/078509
Other languages
French (fr)
Chinese (zh)
Inventor
陈璟
段为明
房明
Original Assignee
华为技术有限公司 (Huawei Technologies Co., Ltd.)
Application filed by 华为技术有限公司 (Huawei Technologies Co., Ltd.)
Priority to PCT/CN2013/078509
Priority to CN201380000726.9A
Publication of WO2014205846A1

Classifications

    • H  ELECTRICITY
    • H04  ELECTRIC COMMUNICATION TECHNIQUE
    • H04W  WIRELESS COMMUNICATION NETWORKS
    • H04W 4/00  Services specially adapted for wireless communication networks; Facilities therefor
    • H04W 4/70  Services for machine-to-machine communication [M2M] or machine type communication [MTC]

Definitions

  • the present invention relates to communication technologies, and in particular to a data transmission method, a machine type communication terminal, and an addressing server.
  • MTC Machine Type Communication
  • RAN radio access network
  • in order to meet the requirements of small data transmission, the MTC terminal periodically wakes up, sends small data to the radio access network with little message interaction, and re-enters the sleep state once the small data has been sent. In this way the power consumption of the MTC terminal is minimized, giving the MTC terminal an extremely long life cycle.
  • the embodiments of the invention provide a data transmission method, a machine type communication terminal and an addressing server, which transmit data sent by the MTC terminal directly to the corresponding application server via the wireless access network.
  • an embodiment of the present invention provides a data transmission method, including:
  • the machine type communication (MTC) terminal generates, for a target application server, data carrying the identity information of the MTC terminal, where the data includes at least application data and addressing information;
  • the MTC terminal transmits the data to an addressing server via an access network, so that the addressing server transmits the data to the target application server based on the addressing information.
  • the MTC terminal generating, for the target application server, data carrying identity information includes:
  • the MTC terminal generating, for the target application server, data carrying the permanent identity information of the MTC terminal.
  • the MTC terminal generating, for the target application server, data carrying the identity information of the MTC terminal includes: the MTC terminal determining whether first temporary identity information of the MTC terminal exists locally; if it exists, generating data carrying the first temporary identity information for the target application server; otherwise, generating data carrying the permanent identity information for the target application server.
  • after the MTC terminal sends the data to the addressing server via the access network, the method further includes:
  • the MTC terminal receives, via the access network, encrypted second temporary identity information sent by the addressing server, where the second temporary identity information is generated by the addressing server for the MTC terminal according to a preset policy;
  • the MTC terminal decrypts the second temporary identity information and saves it.
  • when the MTC terminal has determined that the first temporary identity information exists locally and, after sending the data, receives via the access network a failure indication generated by the addressing server because it cannot identify the MTC terminal from the first temporary identity information, the method further includes:
  • the MTC terminal deletes the first temporary identity information and generates data carrying the permanent identity information for the target application server;
  • the MTC terminal transmits the data carrying the permanent identity information to the addressing server via the access network.
  • the MTC terminal generating, for the target application server, data carrying the first temporary identity information includes:
  • the MTC terminal protecting the data carrying the first temporary identity information, thereby generating protected data for the target application server.
  • the MTC terminal stores a key corresponding to the permanent identity information, and the MTC terminal protecting the data carrying the first temporary identity information to generate protected data for the target application server includes:
  • the MTC terminal protecting the application data and the addressing information by using the key.
  • the MTC terminal protecting the data carrying the permanent identity information, thereby generating protected data for the target application server.
  • the MTC terminal stores a public key and a key corresponding to the permanent identity information, and the MTC terminal protecting the data carrying the permanent identity information to generate protected data for the target application server includes one of the following:
  • the MTC terminal encrypts the permanent identity information by using the public key, and protects the application data and the addressing information by using the key;
  • the MTC terminal encrypts the permanent identity information and the addressing information by using the public key, and protects the application data by using the key;
  • the MTC terminal protects the application data and the addressing information by using the key.
  • the MTC terminal stores a public key and a key corresponding to the permanent identity information;
  • before the MTC terminal protects the data carrying the permanent identity information to generate protected data for the target application server, the method includes:
  • the MTC terminal calculates an integrity protection key from the key;
  • the MTC terminal calculates a message authentication code (MAC) using the integrity protection key;
  • and the MTC terminal protecting the data carrying the permanent identity information to generate protected data for the target application server includes:
  • the MTC terminal encrypts the identity information, the addressing information, the application data and the MAC by using the public key.
  • the MTC terminal protecting the application data and the addressing information by using the key includes:
  • the MTC terminal calculates the encryption key and the integrity key by using the key
  • the MTC terminal encrypts the application data and the addressing information by using the encryption key, and uses the integrity key to perform integrity protection on the application data and the addressing information.
  • the method further includes:
  • the MTC terminal adds anti-replay information to the protected data, where the anti-replay information includes one of current time information, nonce (current value) information and serial number information, or a combination thereof.
  • an embodiment of the present invention provides a data transmission method, including:
  • the addressing server receives data that is sent by the machine type communication (MTC) terminal via the access network and carries the identity information of the MTC terminal, where the data includes at least application data and addressing information;
  • the addressing server transmits the data to the target application server based on the addressing information.
  • the addressing server receiving the data that is sent by the MTC terminal via the access network and carries the identity information of the MTC terminal includes:
  • the addressing server receives data that the MTC terminal generated for the target application server and that carries the first temporary identity information.
  • the addressing server receiving the data that is sent by the MTC terminal via the access network and carries the identity information of the MTC terminal includes:
  • the addressing server receives data that the MTC terminal generated for the target application server and that carries the permanent identity information.
  • after the addressing server receives the data carrying the first temporary identity information, the method includes: the addressing server determines, from the first temporary identity information, whether the MTC terminal can be identified; if it cannot, the addressing server sends a failure indication to the MTC terminal via the access network;
  • the addressing server then receives data carrying the permanent identity information, sent by the MTC terminal via the access network.
  • before the addressing server transmits the data to the target application server based on the addressing information, the method includes:
  • the addressing server generates second temporary identity information for the MTC terminal according to a preset policy and encrypts it;
  • the addressing server transmits the encrypted second temporary identity information to the MTC terminal via the access network.
  • the addressing server receiving the data that the MTC terminal generated for the target application server and that carries the permanent identity information includes:
  • the addressing server receives the protected data sent by the MTC terminal, where the protected data is generated by the MTC terminal protecting the data carrying the permanent identity information.
  • the method further includes:
  • the addressing server determines the key corresponding to the permanent identity information;
  • the addressing server decrypts the application data and performs integrity verification on it according to the key.
  • the method further includes:
  • the addressing server decrypts the addressing information and performs integrity verification on it according to the key.
  • the addressing server transmitting the data to the target application server based on the addressing information includes:
  • the addressing server transmits the protected data, together with its security protection information, to the target application server according to the addressing information.
  • the method further includes:
  • the addressing server determines a home addressing server according to the permanent identity information or the first temporary identity information, where the home addressing server is the addressing server that holds the private key corresponding to the public key of the MTC terminal.
  • the addressing server receiving the protected data sent by the MTC terminal includes:
  • the addressing server receives protected data to which anti-replay information has been added, where the anti-replay information includes one of current time information, nonce (current value) information and serial number information, or a combination thereof;
  • the addressing server performs an anti-replay check on the protected data based on the anti-replay information.
  • an embodiment of the present invention provides a data transmission method, including:
  • the access network receives data that is sent by the machine type communication (MTC) terminal to the addressing server and carries the identity information of the MTC terminal, where the data includes at least application data and addressing information;
  • the access network transmits the data to the addressing server, so that the addressing server transmits the data to the target application server based on the addressing information.
  • the access network receiving the data that is sent by the MTC terminal to the addressing server and carries the identity information of the MTC terminal includes:
  • the access network receives data that is sent by the MTC terminal and carries the first temporary identity information.
  • the access network receiving the data that is sent by the MTC terminal to the addressing server and carries the identity information of the MTC terminal includes:
  • the access network receives data that is sent by the MTC terminal and carries the permanent identity information.
  • an embodiment of the present invention provides a machine type communication (MTC) terminal, including: a processing module, configured to generate, for a target application server, data that carries the identity information of the MTC terminal, where the data includes at least application data and addressing information; and a sending module, configured to send the data to the addressing server via the access network, so that the addressing server sends the data to the target application server according to the addressing information.
  • the processing module is configured to generate, for the target application server, data carrying the permanent identity information of the MTC terminal.
  • the MTC terminal further includes a determining module, configured to determine whether the first temporary identity information of the MTC terminal exists locally; and the processing module is configured to: if the determining module determines that the first temporary identity information exists locally, generate data carrying the first temporary identity information for the target application server; and if the determining module determines that it does not exist locally, generate data carrying the permanent identity information for the target application server.
  • the MTC terminal further includes:
  • a receiving module configured to receive the encrypted second temporary identity information sent by the addressing server via the access network, where the second temporary identity information is generated by the addressing server for the MTC terminal according to a preset policy;
  • the processing module is configured to decrypt the second temporary identity information, and save the second temporary identity information.
  • when the determining module determines that the first temporary identity information of the MTC terminal exists locally:
  • the receiving module is configured to receive, via the access network, a failure indication sent by the addressing server when it cannot identify the MTC terminal from the first temporary identity information;
  • the processing module is configured to delete the first temporary identity information and generate data carrying the permanent identity information for the target application server;
  • the sending module is configured to send the data carrying the permanent identity information to the addressing server via the access network.
  • the processing module is configured to protect the data carrying the first temporary identity information, thereby generating protected data for the target application server.
  • the processing module is configured to protect the application data and the addressing information by using the key.
  • the processing module is configured to protect the data carrying the permanent identity information, thereby generating protected data for the target application server.
  • the MTC terminal further includes:
  • a storage module configured to store a public key and a key corresponding to the permanent identity information, where the processing module is configured to encrypt the permanent identity information by using the public key, and to protect the application data and the addressing information by using the key;
  • the processing module is configured to encrypt the permanent identity information and the addressing information by using the public key, and to protect the application data by using the key;
  • the processing module is configured to protect the application data and the addressing information by using the key.
  • the MTC terminal further includes:
  • a storage module configured to store a public key and a key corresponding to the permanent identity information
  • the processing module is configured to calculate an integrity protection key from the key; calculate a message authentication code (MAC) using the integrity protection key; and encrypt the identity information, the addressing information, the application data and the MAC by using the public key.
  • the processing module is configured to calculate an encryption key and an integrity key from the key, encrypt the application data and the addressing information by using the encryption key, and perform integrity protection on the application data and the addressing information by using the integrity key.
  • the processing module is configured to add anti-replay information to the protected data, where the anti-replay information includes one of current time information, nonce (current value) information and serial number information, or a combination thereof.
  • an embodiment of the present invention provides an addressing server, including: a receiving module, configured to receive data that is sent by the MTC terminal via the access network and carries the identity information of the MTC terminal, where the data includes at least application data and addressing information;
  • a sending module configured to send the data to the target application server according to the addressing information.
  • the receiving module is configured to receive data that the MTC terminal generated for the target application server and that carries the first temporary identity information.
  • the receiving module is configured to receive data that the MTC terminal generated for the target application server and that carries the permanent identity information.
  • the addressing server further includes:
  • a determining module configured to determine, according to the first temporary identity information, whether the MTC terminal can be identified;
  • the sending module is configured to, when the determining module cannot identify the MTC terminal according to the first temporary identity information, send a failure indication to the MTC terminal via the access network; and the receiving module is further configured to receive data that is sent by the MTC terminal via the access network and carries the permanent identity information.
  • the addressing server further includes: a processing module, configured to generate and encrypt second temporary identity information for the MTC terminal according to a preset policy;
  • the sending module is configured to send the second temporary identity information to the MTC terminal via the access network.
  • the receiving module is configured to receive the protected data sent by the MTC terminal, where the protected data is generated by the MTC terminal protecting the data carrying the permanent identity information.
  • the processing module is configured to determine the key corresponding to the permanent identity information, and to decrypt the application data and perform integrity verification on it according to the key.
  • the processing module is configured to decrypt the addressing information and perform integrity verification on it according to the key.
  • the sending module is configured to send the protected data, together with its security protection information, to the target application server according to the addressing information.
  • the processing module is configured to determine a home addressing server according to the permanent identity information or the first temporary identity information, where the home addressing server is the addressing server that holds the private key corresponding to the public key of the MTC terminal.
  • the receiving module is further configured to receive protected data to which anti-replay information has been added, where the anti-replay information includes one of current time information, nonce (current value) information and serial number information, or a combination thereof;
  • the processing module is configured to perform an anti-replay check on the protected data according to the anti-replay information.
  • an embodiment of the present invention provides an access network, including:
  • a receiving module configured to receive data that is sent by the MTC terminal to the addressing server and carries the identity information of the MTC terminal, where the data includes at least application data and addressing information; and a sending module configured to send the data to the addressing server, so that the addressing server transmits the data to the target application server based on the addressing information.
  • the receiving module is configured to receive data that is sent by the MTC terminal and that carries the first temporary identity information.
  • the receiving module is configured to receive data that is sent by the MTC terminal and that carries permanent identity information.
  • an embodiment of the present invention provides a machine type communication (MTC) terminal, including a processor and a memory, where the memory stores execution instructions; when the MTC terminal runs, the processor communicates with the memory, and the processor executing the execution instructions causes the MTC terminal to perform the first aspect or any of the first to eleventh possible implementations of the first aspect.
  • an embodiment of the present invention provides an addressing server, including a processor and a memory, where the memory stores execution instructions; when the addressing server runs, the processor communicates with the memory, and the processor executing the execution instructions causes the addressing server to perform the second aspect or any of the first to tenth possible implementations of the second aspect.
  • an embodiment of the present invention provides an access network, including a processor and a memory, where the memory stores execution instructions; when the access network runs, the processor communicates with the memory, and the processor executing the execution instructions causes the access network to perform the third aspect or the first or second possible implementation of the third aspect.
  • the MTC terminal sends the data that it generated for the target application server and that carries the identity information of the MTC terminal to the access network, and the access network forwards the received data directly to the addressing server without any processing, so that data sent by the MTC terminal is transmitted directly to the corresponding application server via the wireless access network.
  • FIG. 2 is a flowchart of Embodiment 2 of a data transmission method according to the present invention.
  • FIG. 3 is a flowchart of Embodiment 3 of a data transmission method according to the present invention.
  • FIG. 4 is a signaling diagram of Embodiment 4 of a data transmission method according to the present invention.
  • FIG. 5 is a signaling diagram of Embodiment 5 of a data transmission method according to the present invention.
  • FIG. 6 is a first schematic structural diagram of protected data according to the present invention.
  • FIG. 7 is a signaling diagram of Embodiment 6 of a data transmission method according to the present invention.
  • FIG. 8 is a second schematic structural diagram of protected data according to the present invention.
  • FIG. 9 is a signaling diagram of Embodiment 7 of a data transmission method according to the present invention.
  • FIG. 10 is a schematic structural diagram of Embodiment 1 of an MTC terminal according to the present invention.
  • FIG. 11 is a schematic structural diagram of Embodiment 2 of an MTC terminal according to the present invention.
  • FIG. 12 is a schematic structural diagram of Embodiment 1 of an addressing server according to the present invention.
  • FIG. 13 is a schematic structural diagram of Embodiment 2 of an addressing server according to the present invention.
  • FIG. 14 is a schematic structural diagram of Embodiment 1 of an access network according to the present invention.
  • FIG. 1 is a flowchart of Embodiment 1 of a data transmission method according to the present invention.
  • the execution subject of this embodiment is a machine type communication (MTC) terminal, and the embodiment applies to a scenario in which data is transmitted directly to a target application server via an access network. Specifically, this embodiment includes the following steps:
  • the MTC terminal generates data for carrying the identity information of the MTC terminal for the target application server, and the data includes at least application data and addressing information.
  • the MTC terminal generates, for the target application server, data carrying the identity information of the MTC terminal, for example data carrying the permanent identity (PID) information of the MTC terminal or data carrying the temporary identity (TID) information of the MTC terminal.
  • the data also includes application data (data), addressing information (Addressing Info), and the like.
  • the addressing information may be independent information carried in the application data, such as a fully qualified domain name (FQDN) or an Internet Protocol (IP) address of the target application server; alternatively, there may be no independent addressing information, and the identity information of the MTC terminal contains the corresponding addressing information, that is, part of the identity information can be used for addressing.
  • for example, each MTC terminal has a fixed target application server, and identity information corresponding to that target application server is included in the identity information of the MTC terminal.
  • the MTC terminal generates data for carrying the permanent identity information of the MTC terminal for the target application server.
  • the first temporary identity information is temporary identity information saved locally before the data is sent.
  • the MTC terminal needs to determine whether the first temporary identity information of the MTC terminal exists locally; if it does, the MTC terminal generates data carrying the first temporary identity information for the target application server; otherwise, it generates data carrying the permanent identity information for the target application server.
  • the MTC terminal sends data to the addressing server via the access network, so that the addressing server sends the data to the target application server according to the addressing information.
  • the MTC terminal sends the generated data to the access network, such as a radio network controller (RNC) or a base station controller (BSC), and the access network does not perform any processing on the received data.
  • RNC radio network controller
  • BSC base station controller
  • after receiving the data, the addressing server sends the data to the target application server based on the addressing information.
  • the MTC terminal further stores a public key Kpub and a key K corresponding to the permanent identity information; correspondingly, the private key Kpri corresponding to the public key is stored on the addressing server, and the addressing server also stores the correspondence between the permanent identity information of the MTC terminal and its key K.
  • in general the addressing server is only responsible for finding the target application server based on the addressing information, verifying the data, and the like, and does not perform decryption operations. Therefore a key server can be set up: the private key Kpri is placed on the key server, which decrypts the identity information; alternatively, the private key Kpri remains on the addressing server, which decrypts the identity information itself. For clarity, unless otherwise emphasized below, the correspondence between the permanent identity information and the key K is stored on the key server.
  • a plurality of addressing servers may share one key server, for example by integrating the key server into one of the addressing servers, or a separate key server may be set up for each of the addressing servers.
  • a shared key server stores the correspondence between the permanent identity information of all MTC terminals within the range governed by those addressing servers and their keys K.
  • for example, a key server shared by the addressing servers in Shanghai and Beijing stores the identity information and key correspondences of all MTC terminals in Shanghai and Beijing.
  • with separate key servers, the key server set up for the addressing server in Beijing stores only the correspondence between the identity information and the keys of MTC terminals in Beijing,
  • and the key server set up for the addressing server in Shanghai stores only the correspondence between the identity information and the keys of MTC terminals in Shanghai.
  • in this embodiment, the MTC terminal sends the data that it generated for the target application server and that carries the identity information of the MTC terminal to the access network; the access network does not process the received data and forwards it directly to the addressing server, so that data sent by the MTC terminal is transmitted directly to the corresponding application server via the wireless access network.
  • further, after the MTC terminal sends the data to the addressing server via the access network, the MTC terminal receives, via the access network, encrypted second temporary identity information sent by the addressing server, where the second temporary identity information is generated by the addressing server for the MTC terminal according to a preset policy; the MTC terminal decrypts the second temporary identity information and saves it.
  • specifically, the addressing server verifies whether the data is correct, generates new temporary identity information for the MTC terminal according to the preset policy, that is, the second temporary identity information, encrypts it, for example with a shared key between the addressing server and the MTC terminal, and sends the encrypted second temporary identity information to the MTC terminal via the access network.
  • the shared key is obtained, for example, by processing the key K corresponding to the permanent identity information according to a preset policy.
  • after receiving the encrypted second temporary identity information, the MTC terminal decrypts and saves it and deletes the first temporary identity information, so that the next time data is sent the second temporary identity information can serve as the first temporary identity information stored locally on the MTC terminal.
  • the addressing server also needs to save the correspondence between the second temporary identity information and the permanent identity information; that is, the addressing server stores both the correspondence between the first temporary identity information and the permanent identity information and the correspondence between the second temporary identity information and the permanent identity information of the MTC terminal. In this way, if the MTC terminal does not receive the second temporary identity information, it can continue to carry the first temporary identity information in the data sent to the addressing server via the access network, and the addressing server can still identify the MTC terminal by the first temporary identity information.
  • when the MTC terminal determines that the first temporary identity information of the MTC terminal exists locally, the MTC terminal either receives the encrypted second temporary identity information sent by the addressing server via the access network, or receives a failure indication sent by the addressing server via the access network. The failure indication is generated by the addressing server when it cannot identify the MTC terminal from the first temporary identity information; on receiving it, the MTC terminal deletes the first temporary identity information, generates data carrying the permanent identity information for the target application server, and transmits the data carrying the permanent identity information to the addressing server via the access network.
  • specifically, when the MTC terminal determines that the first temporary identity information exists locally and has sent the data to the addressing server via the access network, the addressing server determines, from the first temporary identity information, whether the MTC terminal can be identified. If it can, the addressing server verifies that the data is correct and generates second temporary identity information for the MTC terminal according to the preset policy; otherwise, if the addressing server cannot identify the MTC terminal from the first temporary identity information, it sends a failure indication to the MTC terminal via the access network, notifying the MTC terminal of the reason for the failure.
  • after receiving the failure indication, the MTC terminal finds that the failure reason is that the addressing server cannot identify the first temporary identity information, deletes the first temporary identity information, generates data carrying the permanent identity information for the target application server, and sends it to the addressing server again via the access network.
  • The MTC terminal generating data carrying the first temporary identity information for the target application server includes: the MTC terminal protects the data carrying the first temporary identity information and generates protected data for the target application server.
  • The MTC terminal stores a key corresponding to the permanent identity information and uses that key to protect the data and the addressing information. For example, an integrity protection key and an encryption key are calculated from the key; the application data and the addressing information are encrypted with the encryption key, and the integrity of the data and the addressing information is protected with the integrity key.
  • The MTC terminal generating data carrying the permanent identity information for the target application server includes: the MTC terminal protects the data carrying the permanent identity information and generates protected data for the target application server.
  • The MTC terminal can protect data carrying the permanent identity information in any of the following manners:
  • Manner 1: the MTC terminal encrypts the permanent identity information with the public key, and protects the application data and the addressing information with the key.
  • Manner 2: the MTC terminal encrypts the permanent identity information and the addressing information with the public key, and protects the application data with the key.
  • Manner 3: the MTC terminal calculates an integrity protection key from the key, and calculates a message authentication code (MAC) with the integrity protection key. The MTC terminal then encrypts the identity information, the addressing information, the application data, and the MAC with the public key.
  • Alternatively, the MTC terminal stores a key corresponding to the permanent identity information and uses that key to protect the data and the addressing information. For example, an integrity protection key and an encryption key are calculated from the key; the application data and the addressing information are encrypted with the encryption key, and the integrity of the data and the addressing information is protected with the integrity key. In this manner the permanent identity does not need to be encrypted. Since in most cases the MTC terminal sends a temporary identity and the probability of sending the permanent identity is low, the security risk is acceptable in some scenarios.
  • The addressing information can be encrypted with the public key together with the permanent identity information, or protected with the key together with the application data.
  • The addressing information, the application data, and the permanent identity information may also all be encrypted together with the public key.
  • The identity information may also be left unencrypted, with only the addressing information and the application data protected.
  • The MTC terminal calculates the encryption key and the integrity key from the key; then the MTC terminal encrypts the application data and the addressing information with the encryption key, and integrity-protects the application data and the addressing information with the integrity key.
  • The MTC terminal may further add anti-replay information to the protected data; the anti-replay information includes one of, or a combination of, current time information, bidirectional nonce information, and sequence number information.
  • FIG. 2 is a flowchart of Embodiment 2 of a data transmission method according to the present invention.
  • The execution body of this embodiment is an addressing server, and it is suitable for a scenario in which data is transmitted directly to a target application server via an access network. Specifically, this embodiment includes the following steps:
  • The addressing server receives, via the access network, data sent by the MTC terminal that carries the identity information of the MTC terminal, where the data includes at least application data and addressing information.
  • The addressing information may be independent information, or the corresponding addressing information may be included in the identity information of the MTC terminal, that is, part of the identity information can be used for addressing.
  • The addressing server receives data that the MTC terminal generated for the target application server carrying the first temporary identity information, or data that the MTC terminal generated for the target application server carrying the permanent identity information.
  • The addressing server sends the data to the target application server according to the addressing information.
  • In this way the addressing server ensures, according to the addressing information, that the data sent by the MTC terminal is transmitted directly to the corresponding application server via the wireless access network.
  • If the data received by the addressing server carries the first temporary identity information, the addressing server, after receiving it, determines according to the first temporary identity information whether the MTC terminal can be identified.
  • If the addressing server cannot identify the MTC terminal according to the first temporary identity information, it sends a failure indication to the MTC terminal via the access network and informs the MTC terminal of the reason for the failure, so that the MTC terminal deletes the first temporary identity information according to the failure indication, regenerates data carrying the permanent identity information for the target application server, and sends it to the addressing server via the access network; the addressing server then receives the regenerated data.
  • If the addressing server can identify the MTC terminal based on the first temporary identity information, it verifies that the data is correct and sends it to the target application server.
  • After receiving the data sent by the MTC terminal (for example, data carrying the first temporary identity information, data carrying the permanent identity information, or retransmitted data carrying the permanent identity information) and before sending it to the target application server, the addressing server generates second temporary identity information for the MTC terminal according to the preset policy, encrypts it, saves the correspondence between the second temporary identity information and the permanent identity information, and sends the encrypted second temporary identity information to the MTC terminal via the access network.
  • The addressing server receiving data that the MTC terminal generated for the target application server carrying the first temporary identity information includes: the addressing server receives protected data sent by the MTC terminal, where the protected data is generated by the MTC terminal protecting the data carrying the first temporary identity information.
  • The addressing server receiving data that the MTC terminal generated for the target application server carrying the permanent identity information includes: the addressing server receives protected data sent by the MTC terminal, where the protected data is generated by the MTC terminal protecting the data carrying the permanent identity information.
  • After the addressing server receives the protected data sent by the MTC terminal, it determines the key corresponding to the permanent identity information, and decrypts and integrity-verifies the application data with that key.
  • The addressing server likewise determines the key corresponding to the permanent identity information, and decrypts and integrity-verifies the addressing information with that key.
  • When the addressing server forwards the protected data according to the addressing information, security protection information is added to the data. The security protection information indicates whether the identity information in the data is protected, whether the application data is protected, and whether the addressing information is protected, so that the application server can determine according to a preset policy whether the received data has been properly protected and whether it is secure data.
  • The addressing server determines the home addressing server according to the permanent identity information; the home addressing server is the addressing server that stores the key K shared with the MTC terminal.
  • The key corresponding to the permanent identity information of the MTC terminal may not be saved on the addressing server currently visited by the MTC terminal, that is, the currently visited addressing server is not the home addressing server of the MTC terminal.
  • In that case the visited addressing server needs to determine the home addressing server of the MTC terminal.
  • The home addressing server of the MTC terminal may be determined according to the first temporary identity or the permanent identity reported by the MTC terminal.
  • If the permanent identity information is protected by public key cryptography, the part of the permanent identity information used to address the home server should be sent to the visited addressing server in clear text.
  • The protected data that the addressing server receives from the MTC terminal may be protected data to which anti-replay information has been added; the anti-replay information includes one of, or a combination of, current time information, bidirectional nonce information, and sequence number information.
  • The addressing server can also perform an anti-replay check on the protected data based on the anti-replay information.
  • FIG. 3 is a flowchart of Embodiment 3 of a data transmission method according to the present invention.
  • The execution entity of this embodiment is an access network, and it is applicable to a scenario in which data is transmitted directly to a target application server via an access network. Specifically, the embodiment includes the following steps:
  • The access network receives data sent by the MTC terminal to the addressing server that carries the identity information of the MTC terminal, where the data includes at least application data and addressing information.
  • The access network receives all data sent by the MTC terminal, performs no processing on it, and forwards it directly to the addressing server.
  • The access network receives data sent by the MTC terminal carrying the first temporary identity information, or data sent by the MTC terminal carrying the permanent identity information.
  • The access network sends the data to the addressing server, so that the addressing server sends the data to the target application server according to the addressing information.
  • The access network receives all data sent by the MTC terminal, performs no processing on it, and forwards it directly to the addressing server, so that the addressing server ensures, according to the addressing information, that the data sent by the MTC terminal is transmitted directly to the corresponding application server via the wireless access network.
  • FIG. 4 is a signaling diagram of Embodiment 4 of a data transmission method according to the present invention.
  • In this embodiment the data is not security protected, that is, the identity information, the application data, the addressing information, and so on in the data are not encrypted.
  • The embodiment includes the following steps:
  • The MTC terminal sends data carrying the addressing information to the access network.
  • The access network sends the data carrying the addressing information to the addressing server.
  • The access network side device, such as an RNC or BSC, does not process the data received from the MTC terminal in any way and sends it to a fixed addressing server.
  • The fixed addressing server is, for example, an addressing server having a separate key server, or an addressing server that shares a key server with other addressing servers.
  • the addressing server determines the target application server according to the addressing information.
  • the addressing server sends data carrying the addressing information to the target application server.
  • FIG. 5 is a signaling diagram of Embodiment 5 of a data transmission method according to the present invention.
  • In this embodiment the MTC terminal generates data carrying the permanent identity information of the MTC terminal for the target application server, and uses the current time information as anti-replay information.
  • Multiple addressing servers share a key server. The MTC terminal stores the public key Kpub and the key K corresponding to the permanent identity information PID, for example {Time, Kpub, {PID, K}}; the addressing server stores the clock Time; and the key server stores the permanent identity information of all MTC terminals within the scope of the addressing servers together with the corresponding keys K, the clock Time, and the private key Kpri corresponding to the public key, for example {PID1, K1}, {PID2, K2}, {PID3, K3}.
  • The embodiment includes the following steps:
  • The MTC terminal generates protected data for the target application server.
  • A clock is set on the MTC terminal that accurately records the current time information, and this clock is kept synchronized with the clocks set on the addressing server and the key server.
  • Keeping the clocks synchronized does not require the current time information of each clock to be particularly precise; an allowable error, for example at the minute level, is permitted.
  • This step includes the following sub-steps:
  • The MTC terminal encrypts the PID with the public key Kpub; the current time information Time is also used as an encryption input parameter.
  • The MTC terminal protects the application data with the key K, including encryption protection and integrity protection. To prevent replay, the current time information can also be used as a security input parameter.
  • The addressing information can be encrypted either with the public key Kpub, together with the PID, or with the key K, together with the application data. In the former case step 5013 can be performed together with 5011, and the protected data can be represented as Kpub{PID || [Addressing Info], Time}; in the latter case step 5013 can be performed together with 5012, and the protected data is K{[Addressing Info] || data, Time}.
  • Figure 6 is a first schematic diagram of the protected data of the present invention.
  • In the example of FIG. 6, the cryptographic algorithm for the PID is RSA. The security protection of the addressing information and the application data includes encryption protection and integrity protection, where the encryption algorithm under the key K is AES-CTR (128 bits) and the integrity protection algorithm is HMAC-SHA256.
  • The encryption protection of the PID is specifically as follows:
  • A 1-bit flag, flag bit 1, indicates whether the PID is encrypted: flag bit 1 = 0 indicates that the PID is not encrypted, and flag bit 1 = 1 indicates that the PID is encrypted.
  • The MTC terminal forms the plaintext P to be encrypted from the current time information and the PID.
  • The current time information is the time recorded by the clock of the MTC terminal, accurate to the second, and is represented by 14 decimal digits (year, month, day, hour, minute, and second: 4+2+2+2+2+2).
  • The PID is in International Mobile Subscriber Identity (IMSI) format and is represented by 15 decimal digits.
  • The plaintext P is PID || current time information, that is, 29 decimal digits; each decimal digit is encoded in 4 bits, 116 bits in total, and these 116 bits are the plaintext P to be encrypted.
  • The security protection of the application data and the addressing information is specifically as follows:
  • Flag bit 2 indicates whether the application data and the addressing information are encrypted, and flag bit 3 indicates whether the application data and the addressing information are integrity protected. Flag bits 2 and 3 set to 1 indicate that the application data and the addressing information are encrypted and integrity protected; set to 0, they indicate that the application data and the addressing information are neither encrypted nor integrity protected.
  • The MTC terminal calculates the encryption key Kc and the integrity protection key Ki based on the key K (128 bits) and the current time.
  • The MTC terminal encrypts the addressing information and the application data with Kc.
  • The encryption algorithm is AES-CTR, and the key is the first 128 bits of Kc.
  • The first 64 bits of the 128-bit counter (COUNT) required by the AES-CTR algorithm are the first 64 bits of HMAC-SHA256(K, "0x02" || P), and the last 64 bits are incremented starting from 0. The resulting ciphertext has the same length as addressing information || application data. The encryption ensures that the addressing information and the application data cannot be eavesdropped by an attacker.
  • The MTC terminal performs the integrity protection operation on the addressing information and the application data with Ki.
  • The output length of the HMAC-SHA256 algorithm is 256 bits; the first X bits of the 256 bits can be used as the MAC as needed, for example the first 32 bits.
  • If integrity protection is not performed, the MAC indication is 0; otherwise, if integrity protection is performed, it is 1.
  • The length of the MAC is 32 bits, and the MAC ensures that the ciphertext of the addressing information and the application data is not tampered with.
  • the MTC terminal sends the protected data to the access network.
  • the access network sends the protected data to the addressing server.
  • The access network does not perform any processing on the received data and sends it directly to the addressing server.
  • The addressing server sends the encrypted PID to the key server.
  • That is, the addressing server sends the encrypted PID contained in the received protected data to the Key Server.
  • The Key Server decrypts the encrypted PID with the private key Kpri.
  • The Key Server decrypts the PID of the MTC terminal and the time information used during encryption with the private key Kpri, and looks up the corresponding key K according to the PID.
  • The Key Server sends the PID and K to the addressing server.
  • The Key Server sends the decrypted PID, the time information, and so on to the addressing server.
  • Alternatively, the Key Server may not send the key K itself to the addressing server, but instead derive the same keys for decryption and verification that the MTC terminal uses, and send the derived keys to the addressing server.
  • If the addressing information was encrypted together with the PID, the Key Server also needs to send the decrypted addressing information to the addressing server.
  • The addressing server uses K to decrypt and verify the application data.
  • If the addressing information is also protected by the key K, the addressing server decrypts and verifies the addressing information as well. The addressing server compares the time information used during encryption with its own time information to determine whether the data is replayed data.
  • The addressing server sends the data to the application server.
  • The addressing server reconstructs the data from the decrypted protected data and transmits it to the target application server according to the addressing information (the target application server is not shown).
  • The addressing server can also send the security protection information of the data, that is, the information of flag bit 1, flag bit 2, or flag bit 3 shown in FIG. 6, to the target application server, so that the target application server can determine according to its preset policy and the security protection information whether the received data was properly protected.
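The Embodiment 5 protection and verification path, as an added Go example that is not code from the patent: the terminal packs PID || Time into 116 bits and encrypts it with Kpub, derives Kc and Ki from K and Time, AES-CTR-encrypts addressing information and application data with the HMAC-derived counter, and appends a 32-bit HMAC-SHA256 MAC; the key server recovers PID, Time and K, and the addressing server applies the replay window, the MAC check and decryption. RSA-OAEP as the RSA padding, the HMAC labels used to derive Kc and Ki, the length byte separating addressing information from application data, and the PID, K and timestamp values are assumptions constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// Protected follows the FIG. 6 layout: flag bits 1-3 (all set here), Kpub{PID||Time},
// Kc{addr||data} and a 32-bit MAC. The len(addr) byte inside the plaintext is an assumption.
type Protected struct {
	Flags  byte   // bit 1: PID encrypted, bit 2: addr+data encrypted, bit 3: MAC present
	EncPID []byte // RSA-OAEP ciphertext of the 116-bit plaintext P
	Body   []byte // AES-CTR ciphertext of len(addr)||addr||data
	MAC    []byte // first 32 bits of HMAC-SHA256(Ki, Body)
}

// packDigits stores each decimal digit in 4 bits: 29 digits -> 116 bits in 15 bytes.
func packDigits(digits string) []byte {
	out := make([]byte, (len(digits)+1)/2)
	for i := 0; i < len(digits); i++ {
		out[i/2] |= (digits[i] - '0') << (4 * uint(1-i%2))
	}
	return out
}
func hmacSHA256(key, msg []byte) []byte {
	h := hmac.New(sha256.New, key)
	h.Write(msg)
	return h.Sum(nil)
}
// deriveKeys yields Kc and Ki from K and Time; the page does not fix the derivation, so the labels are an assumption.
func deriveKeys(k []byte, ts string) (kc, ki []byte) {
	return hmacSHA256(k, []byte("Kc|"+ts)), hmacSHA256(k, []byte("Ki|"+ts))
}
// ctrCrypt is AES-CTR under the first 128 bits of Kc; the 128-bit counter starts as the
// first 64 bits of HMAC-SHA256(K, 0x02||P) followed by 64 zero bits, incremented per block.
func ctrCrypt(k, kc, p, in []byte) []byte {
	block, _ := aes.NewCipher(kc[:16])
	iv := append(hmacSHA256(k, append([]byte{0x02}, p...))[:8], make([]byte, 8)...)
	out := make([]byte, len(in))
	cipher.NewCTR(block, iv).XORKeyStream(out, in)
	return out
}
// Protect is the MTC terminal side: pid is 15 IMSI digits, ts is yyyymmddHHMMSS (14 digits).
func Protect(pub *rsa.PublicKey, k []byte, pid, ts string, addr, data []byte) (*Protected, error) {
	if len(pid) != 15 || len(ts) != 14 || len(addr) > 255 {
		return nil, errors.New("PID must be 15 digits, Time 14 digits, addr at most 255 bytes")
	}
	p := packDigits(pid + ts)
	encPID, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, p, nil)
	if err != nil {
		return nil, err
	}
	kc, ki := deriveKeys(k, ts)
	body := ctrCrypt(k, kc, p, append(append([]byte{byte(len(addr))}, addr...), data...))
	return &Protected{Flags: 0x07, EncPID: encPID, Body: body, MAC: hmacSHA256(ki, body)[:4]}, nil
}
// KeyServerResolve is the Key Server side: decrypt P with Kpri, return the 29 digits PID||Time and the K for that PID.
func KeyServerResolve(priv *rsa.PrivateKey, keys map[string][]byte, encPID []byte) (string, []byte, error) {
	p, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, encPID, nil)
	if err != nil {
		return "", nil, err
	}
	d := make([]byte, 29) // unpack the 4-bit digits again
	for i := range d {
		d[i] = '0' + (p[i/2]>>(4*uint(1-i%2)))&0x0f
	}
	if keys[string(d[:15])] == nil {
		return "", nil, errors.New("unknown PID")
	}
	return string(d), keys[string(d[:15])], nil
}
// Verify is the addressing server side: replay window on Time, MAC over the ciphertext, then decrypt.
func Verify(pd *Protected, k []byte, d string, now time.Time, window time.Duration) ([]byte, []byte, error) {
	sent, _ := time.Parse("20060102150405", d[15:]) // an unparsable Time yields the zero time and is rejected below
	if delta := now.Sub(sent); delta > window || delta < -window {
		return nil, nil, errors.New("replay: Time outside the allowed window")
	}
	kc, ki := deriveKeys(k, d[15:])
	if !hmac.Equal(pd.MAC, hmacSHA256(ki, pd.Body)[:4]) {
		return nil, nil, errors.New("MAC mismatch: ciphertext tampered")
	}
	plain := ctrCrypt(k, kc, packDigits(d), pd.Body)
	n := int(plain[0])
	return plain[1 : 1+n], plain[1+n:], nil
}
func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	k := []byte("0123456789abcdef") // constructed 128-bit K for the constructed PID below
	pd, _ := Protect(&priv.PublicKey, k, "460001234567890", "20130701120000", []byte("app7"), []byte("temp=21.5"))
	d, kk, _ := KeyServerResolve(priv, map[string][]byte{"460001234567890": k}, pd.EncPID)
	addr, data, err := Verify(pd, kk, d, time.Date(2013, 7, 1, 12, 0, 30, 0, time.UTC), time.Minute)
	fmt.Printf("pid=%s addr=%q data=%q err=%v\n", d[:15], addr, data, err)
}
```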
  • In this embodiment clocks are set on the MTC terminal, the addressing server, and the key server, and the time information is used for the anti-replay check.
  • Anti-replay can also be implemented with a bidirectional nonce. The length of the nonce is 32 to 128 bits, and it can be transmitted between the MTC terminal and the addressing server by signaling.
  • FIG. 7 is a signaling diagram of Embodiment 6 of a data transmission method according to the present invention.
  • In this embodiment the addressing server stores the private key Kpri and decrypts the PID itself. Specifically, the embodiment includes the following steps:
  • The MTC terminal generates protected data for the target application server.
  • The MTC terminal calculates the integrity protection key Ki.
  • Ki is calculated from the key K, or derived from the key K and the current time information, and the message authentication code MAC is calculated with Ki.
  • The public key Kpub is used to encrypt "PID || Addressing Information || Application Data || Current Time Information || MAC" to obtain the protected data.
  • FIG. 8 is a schematic diagram showing the second structure of the protected data of the present invention.
  • For the flag bits, the time information, and the MAC, refer to FIG. 6 above; details are not repeated here.
  • the MTC terminal sends the protected data to the access network.
  • the access network sends the protected data to the addressing server.
  • The addressing server decrypts the protected data with the private key Kpri.
  • The addressing server uses Kpri to decrypt the received protected message and obtains the plaintext "PID || Addressing Information || Application Data || Current Time Information || MAC".
  • the addressing server sends the PID and the current time information to the Key Server.
  • the Key Server performs an anti-replay check and recalculates Ki.
  • the Key Server sends the new Ki to the addressing server.
  • The addressing server uses Ki to perform the anti-replay check.
  • The addressing server uses the newly received Ki to verify the current time and the MAC.
  • the addressing server sends data to the application server.
  • In the embodiments above the MTC terminal uses only the permanent identity information, and the current time information and the like are introduced to protect the data, which increases the length of the data.
  • The present invention is not limited thereto.
  • The MTC terminal may also use temporary identity information, in which case only the message authentication code MAC is added for data security protection. Specifically, see Embodiment 7 shown in FIG. 9.
  • FIG. 9 is a signaling diagram of Embodiment 7 of a data transmission method according to the present invention.
  • In this embodiment the MTC terminal uses a temporary identity mechanism. Specifically, the embodiment includes the following steps:
  • The MTC terminal sends channel request information (Channel Request) to the access network.
  • The MTC terminal receives immediate assignment information sent by the access network.
  • The MTC terminal determines whether the first temporary identity information exists locally.
  • If the first temporary identity information exists locally, the MTC terminal generates data carrying the first temporary identity information for the target application server and performs step 703; otherwise, if the first temporary identity information does not exist locally, it generates data carrying the permanent identity information for the target application server. For the latter, refer to the embodiment shown in FIG. 5 or FIG. 7; no further details are given here.
  • The MTC terminal sends the data carrying the first temporary identity information to the access network.
  • The MTC terminal can protect the application data and the addressing information with the key corresponding to the permanent identity information. Specifically, the MTC terminal calculates the integrity protection key and the encryption key from the key, encrypts the application data and the addressing information with the encryption key, and integrity-protects the application data and the addressing information with the integrity key.
  • the access network sends data that carries the first temporary identity information to the addressing server.
  • the addressing server determines whether the MTC terminal is identifiable.
  • The addressing server searches for the permanent identity information corresponding to the first temporary identity information. If it is not found, the addressing server cannot identify the MTC terminal and step 706 is performed; otherwise, the addressing server can identify the MTC terminal and step 709 is performed.
  • the addressing server sends a failure indication to the MTC terminal via the access network.
  • this step includes the following sub-steps:
  • the addressing server sends a failure indication to the access network.
  • the access network sends a failure indication to the MTC terminal.
  • The MTC terminal deletes the first temporary identity information and generates data carrying the permanent identity information for the target application server.
  • The MTC terminal sends the data carrying the permanent identity information to the addressing server via the access network. Specifically, this step includes the following sub-steps:
  • The MTC terminal sends the data carrying the permanent identity information to the access network.
  • The access network sends the data carrying the permanent identity information to the addressing server.
  • The MTC terminal may use any one of manners 1 to 4 above to protect the data carrying the permanent identity information.
  • The addressing server verifies that the data is correct, sends it to the target application server, and generates second temporary identity information.
  • That is, the addressing server generates new temporary identity information, namely the second temporary identity information, for the MTC terminal according to a preset policy, and encrypts the second temporary identity information, for example with a key derived from the key K.
  • The addressing server sends the encrypted second temporary identity information to the MTC terminal via the access network.
  • This step includes the following sub-steps:
  • the addressing server sends the encrypted second temporary identity information to the access network.
  • the access network sends the encrypted second temporary identity information to the MTC terminal.
  • the MTC terminal decrypts and saves the second temporary identity information.
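The temporary identity flow of Embodiment 7 (steps 702 to 711), as an added Go example that is not part of the patent: the terminal carries its first temporary identity when it has one and the PID otherwise, the addressing server answers an unknown temporary identity with a failure indication, the terminal deletes the stale identity and resends with the PID, and a successful round ends with a second temporary identity encrypted under a key derived from K, which the terminal decrypts and saves while the server keeps both correspondences. Payload protection is left out, the terminal and server exchange messages directly in place of the forwarding access network, and the key derivation (HMAC-SHA256 with a fixed label, then AES-GCM), the random 64-bit temporary identities, and the PID and K values are assumptions constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)
// Message is what the MTC terminal sends; the access network forwards it unchanged.
type Message struct {
	TempID string // first temporary identity, empty when none is stored locally
	PID    string // permanent identity, carried only when TempID is empty
	Data   []byte // application data (payload protection is left out of this example)
}
type Reply struct {
	Failure   bool   // failure indication: the temporary identity could not be resolved
	EncTempID []byte // nonce||AES-GCM ciphertext of the second temporary identity under a key derived from K
}
type Terminal struct {
	PID, TempID string
	K           []byte
}
type AddressingServer struct {
	TempToPID map[string]string // correspondences temporary identity -> permanent identity
	Keys      map[string][]byte // K per PID, held locally here (the page may place it on a key server)
}
// gcmFor builds the temporary-identity cipher. The page only says "a key derived from K", so HMAC-SHA256 with a fixed label and AES-GCM are assumptions.
func gcmFor(k []byte) cipher.AEAD {
	h := hmac.New(sha256.New, k)
	h.Write([]byte("temp-id-key"))
	block, _ := aes.NewCipher(h.Sum(nil)[:16]) // 16-byte key, so NewCipher cannot fail
	g, _ := cipher.NewGCM(block)
	return g
}
// Build is step 702: carry the first temporary identity if it exists locally, else the PID.
func (t *Terminal) Build(data []byte) Message {
	if t.TempID != "" {
		return Message{TempID: t.TempID, Data: data}
	}
	return Message{PID: t.PID, Data: data}
}
// Handle is step 707 (failure: delete the first temporary identity) or step 711 (decrypt and save the second).
func (t *Terminal) Handle(r Reply) error {
	if r.Failure {
		t.TempID = ""
		return errors.New("temporary identity not recognised; resend with permanent identity")
	}
	g := gcmFor(t.K)
	ns := g.NonceSize()
	if len(r.EncTempID) < ns {
		return errors.New("malformed encrypted temporary identity")
	}
	plain, err := g.Open(nil, r.EncTempID[:ns], r.EncTempID[ns:], nil)
	if err != nil {
		return err
	}
	t.TempID = string(plain)
	return nil
}
// Handle is steps 705/706 (resolve the temporary identity, fail if unknown) and 709/710 (accept the data for the target application server, then issue an encrypted second identity).
func (s *AddressingServer) Handle(m Message) Reply {
	pid := m.PID
	if m.TempID != "" {
		pid = s.TempToPID[m.TempID] // empty when unknown, which fails the key lookup below
	}
	k := s.Keys[pid]
	if k == nil {
		return Reply{Failure: true} // step 706 (an unknown PID is treated the same way here)
	}
	raw := make([]byte, 8)
	rand.Read(raw)
	second := fmt.Sprintf("%x", raw)
	s.TempToPID[second] = pid // the first correspondence is kept, so the old identity still resolves
	g := gcmFor(k)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	return Reply{EncTempID: g.Seal(nonce, nonce, []byte(second), nil)}
}
// Exchange runs one transmission from the terminal's side, retrying once with the PID after a failure indication (steps 706-708); it reports whether the PID went over the air.
func Exchange(t *Terminal, s *AddressingServer, data []byte) (bool, error) {
	m := t.Build(data)
	err := t.Handle(s.Handle(m))
	if err != nil && m.TempID != "" {
		m = t.Build(data)
		err = t.Handle(s.Handle(m))
	}
	return m.PID != "", err
}
func main() {
	k := []byte("0123456789abcdef") // constructed K for the constructed PID
	t := &Terminal{PID: "460001234567890", K: k}
	s := &AddressingServer{TempToPID: map[string]string{}, Keys: map[string][]byte{t.PID: k}}
	for i := 1; i <= 2; i++ { // round 1 must carry the PID, round 2 the temporary identity
		usedPID, err := Exchange(t, s, []byte("temp=21.5"))
		fmt.Printf("round %d: PID on air=%v tempID=%s err=%v\n", i, usedPID, t.TempID, err)
	}
}
```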
  • FIG. 10 is a schematic structural diagram of Embodiment 1 of an MTC terminal according to the present invention.
  • the MTC terminal provided in this embodiment is an apparatus embodiment corresponding to the embodiment of FIG. 1 of the present invention, and the specific implementation process is not described herein.
  • the MTC terminal 100 provided in this embodiment specifically includes:
  • the processing module 11 is configured to generate data for carrying the identity information of the MTC terminal for the target application server, where the data includes at least application data and addressing information;
  • the sending module 12 is configured to send data to the addressing server via the access network, so that the addressing server sends the data to the target application server according to the addressing information.
  • The MTC terminal provided by this embodiment of the present invention sends the data generated for the target application server carrying the identity information of the MTC terminal to the access network; the access network does not perform any processing on the received data and forwards it directly to the addressing server. In this way, the data sent by the MTC terminal is transmitted directly to the corresponding application server via the wireless access network. Further, the processing module 11 is configured to generate data carrying the permanent identity information of the MTC terminal for the target application server.
  • FIG. 11 is a schematic structural diagram of Embodiment 2 of an MTC terminal according to the present invention. As shown in FIG. 11, the MTC terminal 200 of this embodiment is based on the device structure of FIG. 10, and further includes:
  • the determining module 13 is configured to determine whether the first temporary identity information of the MTC terminal exists locally.
  • The processing module 11 is configured to: if the determining module 13 determines that the first temporary identity information exists locally, generate data carrying the first temporary identity information for the target application server; otherwise, if the determining module 13 determines that the first temporary identity information does not exist locally, generate data carrying the permanent identity information for the target application server.
  • the MTC terminal 100 further includes:
  • The receiving module 14 is configured to receive the encrypted second temporary identity information sent by the addressing server via the access network, where the second temporary identity information is generated by the addressing server for the MTC terminal according to a preset policy;
  • The processing module 11 is configured to decrypt the second temporary identity information and save it. Further, if the determining module 13 determines that the first temporary identity information of the MTC terminal exists locally, the receiving module 14 is configured to receive a failure indication sent by the addressing server via the access network, where the failure indication is generated for the MTC terminal by the addressing server when it cannot identify the MTC terminal according to the first temporary identity information;
  • the processing module 11 is configured to delete the first temporary identity information, and generate data that carries the permanent identity information for the target application server;
  • the sending module 12 is configured to send data carrying permanent identity information to the addressing server via the access network.
  • the processing module 11 is configured to protect the data carrying the first temporary identity information and generate protected data for the target application server.
  • the processing module 11 is configured to protect the application data and the addressing information by using the key. Further, the processing module 11 is configured to protect the data carrying the permanent identity information and generate protected data for the target application server.
  • the MTC terminal 200 further includes:
  • the storage module 15 is configured to save a public key and a key corresponding to the permanent identity information.
  • the processing module 11 is configured to encrypt the permanent identity information by using the public key, and to protect the application data and the addressing information by using the key; or
  • the processing module 11 is configured to encrypt the permanent identity information and the addressing information by using the public key, and to protect the application data by using the key; or
  • the processing module 11 is configured to protect the application data and the addressing information by using the key.
  • the storage module 15 is configured to save a public key and a key corresponding to the permanent identity information.
  • the processing module 11 is configured to calculate an integrity protection key according to the key, calculate a message check code MAC according to the integrity protection key, and encrypt the identity information, the addressing information, the application data, and the MAC by using the public key.
  • the processing module 11 is configured to calculate an encryption key and an integrity key by using the key, encrypt the application data and the addressing information by using the encryption key, and perform integrity protection on the application data and the addressing information by using the integrity key.
  • the processing module is configured to add anti-replay information to the protected data, and the anti-replay information includes: one of current time information, bidirectional current value information, serial number information, or a combination thereof.
  • FIG. 12 is a schematic structural diagram of Embodiment 1 of the addressing server of the present invention.
  • the addressing server provided in this embodiment is an apparatus embodiment corresponding to the embodiment of FIG. 2 of the present invention, and the specific implementation process is not described herein.
  • the addressing server 300 provided in this embodiment specifically includes:
  • the receiving module 21 is configured to receive data sent by the MTC terminal via the access network and carrying the identity information of the MTC terminal, where the data includes at least application data and addressing information;
  • the sending module 22 is configured to send data to the target application server according to the addressing information.
  • the addressing server provided by the embodiment of the present invention achieves the purpose of directly transmitting data sent by the MTC terminal to the corresponding application server via the wireless access network according to the addressing information.
  • the receiving module 21 is configured to receive the data that the MTC terminal generated for the target application server and that carries the first temporary identity information.
  • the receiving module 21 is configured to receive the data that the MTC terminal generated for the target application server and that carries the permanent identity information.
  • FIG. 13 is a schematic structural diagram of Embodiment 2 of an addressing server according to the present invention.
  • the addressing server 400 of the present embodiment is based on the device structure of FIG. 12.
  • the addressing server 400 further includes: the determining module 23, configured to determine, according to the first temporary identity information, whether the MTC terminal can be identified; and the sending module 22, configured to send a failure indication to the MTC terminal via the access network when the determining module 23 cannot identify the MTC terminal according to the first temporary identity information;
  • the receiving module 21 is configured to receive data that carries the permanent identity information sent by the MTC terminal via the access network.
  • the addressing server 400 further includes:
  • the processing module 24 is configured to generate and encrypt the second temporary identity information for the MTC terminal according to the preset policy.
  • the sending module 22 is configured to send the second temporary identity information to the MTC terminal via the access network. Further, the receiving module 21 is configured to receive the protected data sent by the MTC terminal, where the protected data is generated by the MTC terminal by protecting the data carrying the permanent identity information.
  • the processing module 24 is configured to determine the key corresponding to the permanent identity information, and to perform decryption and integrity verification on the application data according to the key.
  • the processing module 24 is configured to perform decryption and integrity verification on the addressing information according to the key.
  • the sending module 22 is configured to send the protected data carrying the security protection information to the target application server according to the addressing information.
  • the processing module 24 is configured to determine, according to the permanent identity information or the first temporary identity information, the home addressing server, where the home addressing server is an address server that stores a private key corresponding to the public key of the MTC terminal.
  • the receiving module 21 is further configured to receive protected data to which anti-replay information has been added, where the anti-replay information includes: one of current time information, bidirectional current value information, serial number information, or a combination thereof.
  • FIG. 14 is a schematic structural diagram of Embodiment 1 of an access network according to the present invention.
  • the access network provided in this embodiment is an apparatus embodiment corresponding to the embodiment of FIG. 3 of the present invention, and the specific implementation process is not described herein again.
  • the access network 500 provided in this embodiment specifically includes:
  • the receiving module 31 is configured to receive data sent by the machine type communication MTC terminal and carrying the identity information of the MTC terminal, where the data includes at least application data and addressing information;
  • the sending module 32 is configured to send the data to the addressing server, so that the addressing server sends the data to the target application server according to the addressing information.
  • the access network receives all the data sent by the MTC terminal, performs no processing on the received data, and directly forwards the data to the addressing server, so that the addressing server, according to the addressing information, transmits the data sent by the MTC terminal directly to the corresponding application server via the wireless access network.
  • the receiving module 31 is configured to receive data that is sent by the MTC terminal and that carries the first temporary identity information.
  • the receiving module 31 is configured to receive data that carries the permanent identity information sent by the MTC terminal.
  • FIG. 15 is a schematic structural diagram of Embodiment 3 of an MTC terminal according to the present invention.
  • the MTC terminal 600 provided in this embodiment includes a processor 61 and a memory 62.
  • the MTC terminal 600 can also include a transmitter 63 and a receiver 64. Transmitter 63 and receiver 64 can be coupled to processor 61.
  • the memory 62 stores execution instructions. When the MTC terminal 600 is running, the processor 61 communicates with the memory 62.
  • the processor 61 calls the execution instructions in the memory 62 to execute the method embodiment shown in FIG. The implementation principle and technical effects are similar and are not described here again.
  • the addressing server 700 provided in this embodiment includes a processor 71 and a memory 72.
  • the addressing server 700 can also include a transmitter 73, a receiver 74. Transmitter 73 and receiver 74 can be coupled to processor 71.
  • the memory 72 stores execution instructions.
  • the processor 71 communicates with the memory 72.
  • the processor 71 calls the execution instructions in the memory 72 to execute the method embodiment shown in FIG. 2; the implementation principle and technical effects are similar and are not described here again.
  • FIG. 17 is a schematic structural diagram of Embodiment 2 of an access network according to the present invention.
  • the access network 800 provided in this embodiment includes a processor 81 and a memory 82.
  • the access network 800 can also include a transmitter 83, a receiver 84. Transmitter 83 and receiver 84 can be coupled to processor 81.
  • the memory 82 stores execution instructions.
  • the processor 81 communicates with the memory 82, and the processor 81 calls the execution instructions in the memory 82 to execute the method embodiment shown in FIG. The implementation principle and technical effects are similar and are not described here again.
  • the storage medium includes: a ROM, a RAM, a magnetic disk, or an optical disk, and the like, which can store program codes.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Telephonic Communication Services (AREA)

Abstract

The embodiment of the present invention provides a data transmission method, machine type communication (MTC) terminal and addressing server, the method comprising: for a target application server, the machine type communication (MTC) terminal generating data carrying the identity information of the MTC terminal, the data at least comprising application data and addressing information; and the MTC terminal sending the data to the addressing server via an access network so that the addressing server sends the data to the target application server according to the addressing information; thus, the purpose that the data sent by the MTC terminal is directly transmitted to the corresponding application server via the wireless access network is realized.

Description

Data transmission method, machine type communication terminal and addressing server
Technical field
The present invention relates to communication technologies, and in particular to a data transmission method, a machine type communication terminal and an addressing server.
Background
The small data transmission (Small Data Transmission) feature applies to machine type communication (MTC) terminals that send or receive small amounts of data. To extend the lifetime of an MTC terminal, small data transmission requires the MTC terminal to be a very low-power device, and the radio access network (RAN) side detects and controls the behaviour of the MTC terminal, for example by switching the MTC terminal off when service is cancelled.
In the prior art, to meet the requirements of the small data transmission feature, the MTC terminal wakes up periodically and sends the small data to the radio access network with very little message interaction; once the small data has been sent, the MTC terminal re-enters the sleep state. In this way the power consumption of the MTC terminal is kept to a minimum, which gives the MTC terminal an extremely long life cycle.
However, the data sent by the MTC terminal ultimately still has to be transmitted to the corresponding application server. The small data transmission method above only considers the air-interface transmission between the MTC terminal and the access network; it does not consider a scheme for sending the small data from the access network to the application server.
Summary of the invention
Embodiments of the present invention provide a data transmission method, a machine type communication terminal and an addressing server, which transmit the data sent by an MTC terminal directly to the corresponding application server via the radio access network.
In a first aspect, an embodiment of the present invention provides a data transmission method, including:
a machine type communication (MTC) terminal generating, for a target application server, data carrying the identity information of the MTC terminal, the data including at least application data and addressing information;
the MTC terminal sending the data to an addressing server via an access network, so that the addressing server sends the data to the target application server according to the addressing information.
In a first possible implementation of the first aspect, the MTC terminal generating, for the target application server, data carrying the identity information includes:
the MTC terminal generating, for the target application server, data carrying the permanent identity information of the MTC terminal.
In a second possible implementation of the first aspect, the MTC terminal generating, for the target application server, data carrying the identity information of the MTC terminal includes:
the MTC terminal determining whether first temporary identity information of the MTC terminal exists locally; if it exists, generating, for the target application server, data carrying the first temporary identity information; otherwise, if it does not exist, generating, for the target application server, data carrying the permanent identity information.
With reference to the first aspect or the second possible implementation of the first aspect, in a third possible implementation of the first aspect, after the MTC terminal sends the data to the addressing server via the access network, the method includes:
the MTC terminal receiving encrypted second temporary identity information sent by the addressing server via the access network, the second temporary identity information being generated by the addressing server for the MTC terminal according to a preset policy;
the MTC terminal decrypting the second temporary identity information and saving the second temporary identity information.
With reference to the third possible implementation of the first aspect, in a fourth possible implementation of the first aspect, if the MTC terminal determines that the first temporary identity information of the MTC terminal exists locally, then after the MTC terminal sends the data to the addressing server via the access network and before the MTC terminal receives the encrypted second temporary identity information sent by the addressing server via the access network, the method includes:
the MTC terminal receiving a failure indication sent by the addressing server via the access network, the failure indication being generated by the addressing server for the MTC terminal when the addressing server cannot identify the MTC terminal from the first temporary identity information;
the MTC terminal deleting the first temporary identity information and generating, for the target application server, data carrying the permanent identity information;
the MTC terminal sending the data carrying the permanent identity information to the addressing server via the access network.
With reference to the second, third or fourth possible implementation of the first aspect, in a fifth possible implementation of the first aspect, the MTC terminal generating, for the target application server, data carrying the first temporary identity information includes:
the MTC terminal protecting the data carrying the first temporary identity information, and generating protected data for the target application server.
With reference to the fifth possible implementation of the first aspect, in a sixth possible implementation of the first aspect, the MTC terminal stores a key corresponding to the permanent identity information, and the MTC terminal protecting the data carrying the first temporary identity information and generating protected data for the target application server includes:
the MTC terminal protecting the application data and the addressing information by using the key.
With reference to any one of the first to fourth possible implementations of the first aspect, in a seventh possible implementation of the first aspect, the MTC terminal protects the data carrying the permanent identity information and generates protected data for the target application server.
With reference to the seventh possible implementation of the first aspect, in an eighth possible implementation of the first aspect, the MTC terminal stores a public key and a key corresponding to the permanent identity information, and the MTC terminal protecting the data carrying the permanent identity information and generating protected data for the target application server includes:
the MTC terminal encrypting the permanent identity information by using the public key, and protecting the application data and the addressing information by using the key; or
the MTC terminal encrypting the permanent identity information and the addressing information by using the public key, and protecting the application data by using the key; or
the MTC terminal protecting the application data and the addressing information by using the key.
With reference to the seventh possible implementation of the first aspect, in a ninth possible implementation of the first aspect, the MTC terminal stores a public key and a key corresponding to the permanent identity information, and before the MTC terminal encrypts the data carrying the permanent identity information and generates protected data for the target application server, the method includes:
the MTC terminal calculating an integrity protection key according to the key;
the MTC terminal calculating a message check code (MAC) according to the integrity protection key;
and the MTC terminal protecting the data carrying the permanent identity information and generating protected data for the target application server includes:
the MTC terminal encrypting the identity information, the addressing information, the application data and the MAC by using the public key.
With reference to the eighth possible implementation of the first aspect, in a tenth possible implementation of the first aspect, the MTC terminal protecting the application data and the addressing information by using the key includes:
the MTC terminal calculating an encryption key and an integrity key by using the key;
the MTC terminal encrypting the application data and the addressing information by using the encryption key, and integrity-protecting the application data and the addressing information by using the integrity key.
With reference to any one of the fifth to tenth possible implementations of the first aspect, in an eleventh possible implementation of the first aspect, the method further includes:
the MTC terminal adding anti-replay information to the protected data, the anti-replay information including one of current time information, bidirectional current value information and sequence number information, or a combination thereof.
In a second aspect, an embodiment of the present invention provides a data transmission method, including:
an addressing server receiving data sent by a machine type communication (MTC) terminal via an access network and carrying the identity information of the MTC terminal, the data including at least application data and addressing information;
the addressing server sending the data to a target application server according to the addressing information.
In a first possible implementation of the second aspect, the addressing server receiving the data sent by the MTC terminal via the access network and carrying the identity information of the MTC terminal includes:
the addressing server receiving the data that the MTC terminal generated for the target application server and that carries the first temporary identity information.
In a second possible implementation of the second aspect, the addressing server receiving the data sent by the MTC terminal via the access network and carrying the identity information of the MTC terminal includes:
the addressing server receiving the data that the MTC terminal generated for the target application server and that carries the permanent identity information.
With reference to the first possible implementation of the second aspect, in a third possible implementation of the second aspect, after the addressing server receives the data that the MTC terminal generated for the target application server and that carries the first temporary identity information, the method includes:
the addressing server determining, according to the first temporary identity information, whether the MTC terminal can be identified; if the addressing server cannot identify the MTC terminal from the first temporary identity information, sending a failure indication to the MTC terminal via the access network;
the addressing server receiving the data carrying the permanent identity information sent by the MTC terminal via the access network.
With reference to the second aspect or the first, second or third possible implementation of the second aspect, in a fourth possible implementation of the second aspect, before the addressing server sends the data to the target application server according to the addressing information, the method includes:
the addressing server generating and encrypting second temporary identity information for the MTC terminal according to a preset policy;
the addressing server sending the second temporary identity information to the MTC terminal via the access network.
With reference to the second or third possible implementation of the second aspect, in a fifth possible implementation of the second aspect, the addressing server receiving the data that the MTC terminal generated for the target application server and that carries the permanent identity information includes:
the addressing server receiving protected data sent by the MTC terminal, the protected data being generated by the MTC terminal by protecting the data carrying the permanent identity information.
With reference to the fifth possible implementation of the second aspect, in a sixth possible implementation of the second aspect, after the addressing server receives the protected data sent by the MTC terminal, the method includes:
the addressing server determining the key corresponding to the permanent identity information;
the addressing server decrypting and integrity-verifying the application data according to the key.
With reference to the sixth possible implementation of the second aspect, in a seventh possible implementation of the second aspect, after the addressing server determines the key corresponding to the permanent identity information, the method includes:
the addressing server decrypting and integrity-verifying the addressing information according to the key.
With reference to the fifth, sixth or seventh possible implementation of the second aspect, in an eighth possible implementation of the second aspect, the addressing server sending the data to the target application server according to the addressing information includes:
the addressing server sending the protected data carrying security protection information to the target application server according to the addressing information.
With reference to the fifth possible implementation of the second aspect, in a ninth possible implementation of the second aspect, after the addressing server receives the protected data sent by the MTC terminal, the method includes:
the addressing server determining a home addressing server according to the permanent identity information or the first temporary identity information, the home addressing server being the addressing server that stores the private key corresponding to the public key of the MTC terminal.
With reference to any one of the fifth to ninth possible implementations of the second aspect, in a tenth possible implementation of the second aspect, the addressing server receiving the protected data sent by the MTC terminal includes:
the addressing server receiving protected data to which anti-replay information has been added, the anti-replay information including one of current time information, bidirectional current value information and sequence number information, or a combination thereof;
the addressing server performing an anti-replay check on the protected data according to the anti-replay information.
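As an added illustration, not code from the patent, the Go sketch below models the temporary-identity variant of the first and second aspects: the terminal derives an encryption key and an integrity key from the key K, encrypts the addressing information and application data, integrity-protects them and adds a sequence number as anti-replay information; the addressing server looks up K from the temporary identity (an unknown identity yields the failure indication), verifies the message check code first, runs the anti-replay check, decrypts, and recovers what it would forward to the target application server. AES-CTR, HMAC-SHA256, the key labels, the identity `tmp-7f3a` and the message layout are this example's assumptions; the permanent-identity variant, which additionally encrypts the identity under the home addressing server's public key, is not shown.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Message is the protected data the terminal hands to the access network (own layout; the patent fixes none).
type Message struct {
	TempID     string // first temporary identity, issued earlier by the addressing server
	Seq        uint64 // anti-replay information (sequence number); also the CTR nonce
	Ciphertext []byte // len(addr) || addressing information || application data
	MAC        []byte // message check code over TempID || Seq || Ciphertext
}

// prf derives a subkey from the shared key K: encryption key prf(K, "enc"), integrity key prf(K, "int").
func prf(k []byte, label string) []byte {
	h := hmac.New(sha256.New, k)
	h.Write([]byte(label))
	return h.Sum(nil)
}

// macOf is the message check code MAC over identity, anti-replay field and ciphertext.
func macOf(intKey []byte, id string, seq uint64, ct []byte) []byte {
	h := hmac.New(sha256.New, intKey)
	h.Write([]byte(id))
	h.Write(binary.BigEndian.AppendUint64(nil, seq))
	h.Write(ct)
	return h.Sum(nil)
}

// ctr encrypts or decrypts with AES-256-CTR, using the never-repeating sequence number as the nonce.
func ctr(encKey []byte, seq uint64, in []byte) []byte {
	block, _ := aes.NewCipher(encKey) // 32-byte key, cannot fail
	out := make([]byte, len(in))
	cipher.NewCTR(block, binary.BigEndian.AppendUint64(make([]byte, 8), seq)).XORKeyStream(out, in)
	return out
}

// Terminal models the MTC terminal after it has saved a temporary identity.
type Terminal struct {
	TempID  string
	K       []byte // key corresponding to the permanent identity
	NextSeq uint64
}

// Protect encrypts addressing information and application data with the encryption key,
// integrity-protects them with the integrity key and adds the sequence number as anti-replay information.
func (t *Terminal) Protect(addr, app []byte) *Message {
	plain := make([]byte, 2, 2+len(addr)+len(app)) // length prefix lets the server split the payload
	binary.BigEndian.PutUint16(plain, uint16(len(addr)))
	plain = append(append(plain, addr...), app...)
	seq := t.NextSeq
	t.NextSeq++ // a sequence number is never reused under the same K
	ct := ctr(prf(t.K, "enc"), seq, plain)
	return &Message{t.TempID, seq, ct, macOf(prf(t.K, "int"), t.TempID, seq, ct)}
}

// AddressingServer maps each issued temporary identity to that terminal's key K and its last accepted sequence number.
type AddressingServer struct {
	Keys    map[string][]byte
	LastSeq map[string]uint64
}

// Receive identifies the terminal (an unknown temporary identity yields the failure indication), verifies
// the MAC before anything else, runs the anti-replay check, decrypts, and returns what is forwarded.
func (s *AddressingServer) Receive(m *Message) (addr, app []byte, err error) {
	k, ok := s.Keys[m.TempID]
	if !ok {
		return nil, nil, errors.New("failure indication: cannot identify MTC terminal")
	}
	if !hmac.Equal(macOf(prf(k, "int"), m.TempID, m.Seq, m.Ciphertext), m.MAC) {
		return nil, nil, errors.New("integrity verification failed")
	}
	if m.Seq <= s.LastSeq[m.TempID] { // terminals start at 1, so an unseen identity (0) passes
		return nil, nil, errors.New("replay detected")
	}
	s.LastSeq[m.TempID] = m.Seq
	plain := ctr(prf(k, "enc"), m.Seq, m.Ciphertext)
	n := 2 + int(binary.BigEndian.Uint16(plain)) // in range: the MAC covered the whole payload
	return plain[2:n], plain[n:], nil
}

func main() {
	k := make([]byte, 32) // shared key K, constructed for the demo
	rand.Read(k)          // crypto/rand; the error is not handled in this demo
	t := &Terminal{TempID: "tmp-7f3a", K: k, NextSeq: 1}
	s := &AddressingServer{map[string][]byte{t.TempID: k}, map[string]uint64{}}
	m := t.Protect([]byte("app-server-42"), []byte("temp=21.5"))
	addr, app, err := s.Receive(m)
	fmt.Printf("forward to %q: %q (err=%v)\n", addr, app, err)
	_, _, err = s.Receive(m) // the same message delivered again is a replay
	fmt.Println("second delivery:", err)
}
```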
In a third aspect, an embodiment of the present invention provides a data transmission method, including:
an access network receiving data sent by a machine type communication (MTC) terminal and carrying the identity information of the MTC terminal, the data including at least application data and addressing information;
the access network sending the data to an addressing server, so that the addressing server sends the data to a target application server according to the addressing information.
In a first possible implementation of the third aspect, the access network receiving the data sent by the MTC terminal and carrying the identity information of the MTC terminal includes:
the access network receiving data sent by the MTC terminal and carrying first temporary identity information.
In a second possible implementation of the third aspect, the access network receiving the data sent by the MTC terminal and carrying the identity information of the MTC terminal includes:
the access network receiving data sent by the MTC terminal and carrying permanent identity information.
In a fourth aspect, an embodiment of the present invention provides a machine type communication (MTC) terminal, including: a processing module, configured to generate, for a target application server, data carrying identity information of the MTC terminal, the data including at least application data and addressing information; and a sending module, configured to send the data to an addressing server via an access network, so that the addressing server sends the data to the target application server according to the addressing information.
In a first possible implementation manner of the fourth aspect, the processing module is configured to generate, for the target application server, data carrying permanent identity information of the MTC terminal. In a second possible implementation manner of the fourth aspect, the MTC terminal further includes: a determining module, configured to determine whether first temporary identity information of the MTC terminal exists locally; and the processing module is configured to: if the determining module determines that the first temporary identity information exists locally, generate, for the target application server, data carrying the first temporary identity information; otherwise, if the determining module determines that the first temporary identity information does not exist locally, generate, for the target application server, data carrying permanent identity information.
With reference to the fourth aspect or the second possible implementation manner of the fourth aspect, in a third possible implementation manner of the fourth aspect, the MTC terminal further includes:
a receiving module, configured to receive encrypted second temporary identity information sent by the addressing server via the access network, the second temporary identity information being generated for the MTC terminal by the addressing server according to a preset policy; and
the processing module is configured to decrypt the second temporary identity information and store the second temporary identity information.
With reference to the third possible implementation manner of the fourth aspect, in a fourth possible implementation manner of the fourth aspect, if the determining module determines that the first temporary identity information of the MTC terminal exists locally, the receiving module is configured to:
receive a failure indication sent by the addressing server via the access network, the failure indication being generated for the MTC terminal when the addressing server cannot identify the MTC terminal from the first temporary identity information;
the processing module is configured to delete the first temporary identity information and generate, for the target application server, data carrying the permanent identity information; and
the sending module is configured to send the data carrying the permanent identity information to the addressing server via the access network.
With reference to the second, third or fourth possible implementation manner of the fourth aspect, in a fifth possible implementation manner of the fourth aspect, the processing module is configured to protect the data carrying the first temporary identity information, so as to generate protected data for the target application server. With reference to the fifth possible implementation manner of the fourth aspect, in a sixth possible implementation manner of the fourth aspect, the processing module is configured to protect the application data and the addressing information by using the key.
With reference to any one of the first to fourth possible implementation manners of the fourth aspect, in a seventh possible implementation manner of the fourth aspect, the processing module is configured to protect the data carrying the permanent identity information, so as to generate protected data for the target application server.
With reference to the seventh possible implementation manner of the fourth aspect, in an eighth possible implementation manner of the fourth aspect, the MTC terminal further includes:
a storage module, configured to store a public key and a key corresponding to the permanent identity information; and the processing module is configured to encrypt the permanent identity information by using the public key and to protect the application data and the addressing information by using the key; or
the processing module is configured to encrypt the permanent identity information and the addressing information by using the public key and to protect the application data by using the key; or
the processing module is configured to protect the application data and the addressing information by using the key.
With reference to the seventh possible implementation manner of the fourth aspect, in a ninth possible implementation manner of the fourth aspect, the MTC terminal further includes:
a storage module, configured to store a public key and a key corresponding to the permanent identity information; and the processing module is configured to compute an integrity protection key from the key, compute a message authentication code (MAC) from the integrity protection key, and encrypt the identity information, the addressing information, the application data and the MAC by using the public key.
With reference to the eighth possible implementation manner of the fourth aspect, in a tenth possible implementation manner of the fourth aspect, the processing module is configured to compute an encryption key and an integrity key from the key, encrypt the application data and the addressing information by using the encryption key, and integrity-protect the application data and the addressing information by using the integrity key.
With reference to any one of the fifth to tenth possible implementation manners of the fourth aspect, in an eleventh possible implementation manner of the fourth aspect, the processing module is configured to add anti-replay information to the protected data, the anti-replay information including one or a combination of: current time information, bidirectional current value information, and sequence number information.
In a fifth aspect, an embodiment of the present invention provides an addressing server, including: a receiving module, configured to receive data sent by a machine type communication (MTC) terminal via an access network and carrying identity information of the MTC terminal, the data including at least application data and addressing information; and
a sending module, configured to send the data to a target application server according to the addressing information. In a first possible implementation manner of the fifth aspect, the receiving module is configured to receive data generated by the MTC terminal for the target application server and carrying the first temporary identity information.
In a second possible implementation manner of the fifth aspect, the receiving module is configured to receive data generated by the MTC terminal for the target application server and carrying the permanent identity information.
With reference to the first possible implementation manner of the fifth aspect, in a third possible implementation manner of the fifth aspect, the addressing server further includes:
a determining module, configured to determine, according to the first temporary identity information, whether the MTC terminal can be identified;
the sending module is configured to send a failure indication to the MTC terminal via the access network if the determining module cannot identify the MTC terminal from the first temporary identity information; and the receiving module is configured to receive data sent by the MTC terminal via the access network and carrying the permanent identity information.
With reference to the fifth aspect or the first, second or third possible implementation manner of the fifth aspect, in a fourth possible implementation manner of the fifth aspect, the addressing server further includes: a processing module, configured to generate and encrypt second temporary identity information for the MTC terminal according to a preset policy; and
the sending module is configured to send the second temporary identity information to the MTC terminal via the access network.
With reference to the second or third possible implementation manner of the fifth aspect, in a fifth possible implementation manner of the fifth aspect, the receiving module is configured to receive protected data sent by the MTC terminal, the protected data being generated by the MTC terminal by protecting the data carrying the permanent identity information.
With reference to the fifth possible implementation manner of the fifth aspect, in a sixth possible implementation manner of the fifth aspect, the processing module is configured to determine a key corresponding to the permanent identity information and, according to the key, to decrypt the application data and verify its integrity.
With reference to the sixth possible implementation manner of the fifth aspect, in a seventh possible implementation manner of the fifth aspect, the processing module is configured to decrypt the addressing information and verify its integrity according to the key.
With reference to the fifth, sixth or seventh possible implementation manner of the fifth aspect, in an eighth possible implementation manner of the fifth aspect, the sending module is configured to send the protected data carrying security protection information to the target application server according to the addressing information.
With reference to the fifth possible implementation manner of the fifth aspect, in a ninth possible implementation manner of the fifth aspect, the processing module is configured to determine a home addressing server according to the permanent identity information or the first temporary identity information, the home addressing server being the addressing server that holds the private key corresponding to the public key of the MTC terminal.
With reference to any one of the fifth to ninth possible implementation manners of the fifth aspect, in a tenth possible implementation manner of the fifth aspect, the receiving module is further configured to receive protected data to which anti-replay information has been added, the anti-replay information including one or a combination of: current time information, bidirectional current value information, and sequence number information; and
the processing module is configured to perform an anti-replay check on the protected data according to the anti-replay information.
In a sixth aspect, an embodiment of the present invention provides an access network, including:
a receiving module, configured to receive data sent by a machine type communication (MTC) terminal and carrying identity information of the MTC terminal, the data including at least application data and addressing information; and a sending module, configured to send the data to an addressing server, so that the addressing server sends the data to a target application server according to the addressing information.
In a first possible implementation manner of the sixth aspect, the receiving module is configured to receive data sent by the MTC terminal and carrying first temporary identity information.
In a second possible implementation manner of the sixth aspect, the receiving module is configured to receive data sent by the MTC terminal and carrying permanent identity information.
In a seventh aspect, an embodiment of the present invention provides a machine type communication (MTC) terminal, including a processor and a memory, the memory storing execution instructions; when the MTC terminal runs, the processor communicates with the memory and executes the execution instructions, so that the MTC terminal performs the method of the first aspect or of any one of the first to eleventh possible implementation manners of the first aspect.
In an eighth aspect, an embodiment of the present invention provides an addressing server, including a processor and a memory, the memory storing execution instructions; when the addressing server runs, the processor communicates with the memory and executes the execution instructions, so that the addressing server performs the method of the second aspect or of any one of the first to tenth possible implementation manners of the second aspect.
In a ninth aspect, an embodiment of the present invention provides an access network, including a processor and a memory, the memory storing execution instructions; when the access network runs, the processor communicates with the memory and executes the execution instructions, so that the access network performs the method of the third aspect or of the first or second possible implementation manner of the second aspect.
In the data transmission method, machine type communication terminal and addressing server provided by the embodiments of the present invention, the MTC terminal sends data generated for the target application server and carrying the identity information of the MTC terminal to the access network; the access network forwards the received data to the addressing server without any processing, so that the data sent by the MTC terminal is transmitted directly to the corresponding application server via the radio access network.

BRIEF DESCRIPTION OF THE DRAWINGS
To describe the technical solutions in the embodiments of the present invention or in the prior art more clearly, the accompanying drawings required for describing the embodiments or the prior art are briefly introduced below. Obviously, the accompanying drawings in the following description show merely some embodiments of the present invention, and persons of ordinary skill in the art may still derive other drawings from these accompanying drawings without creative efforts.
FIG. 1 is a flowchart of Embodiment 1 of a data transmission method according to the present invention;
FIG. 2 is a flowchart of Embodiment 2 of a data transmission method according to the present invention;
FIG. 3 is a flowchart of Embodiment 3 of a data transmission method according to the present invention;
FIG. 4 is a signaling diagram of Embodiment 4 of a data transmission method according to the present invention;
FIG. 5 is a signaling diagram of Embodiment 5 of a data transmission method according to the present invention;
FIG. 6 is a first schematic structural diagram of protected data according to the present invention;
FIG. 7 is a signaling diagram of Embodiment 6 of a data transmission method according to the present invention;
FIG. 8 is a second schematic structural diagram of protected data according to the present invention;
FIG. 9 is a signaling diagram of Embodiment 7 of a data transmission method according to the present invention;
FIG. 10 is a schematic structural diagram of Embodiment 1 of an MTC terminal according to the present invention;
FIG. 11 is a schematic structural diagram of Embodiment 2 of an MTC terminal according to the present invention;
FIG. 12 is a schematic structural diagram of Embodiment 1 of an addressing server according to the present invention;
FIG. 13 is a schematic structural diagram of Embodiment 2 of an addressing server according to the present invention;
FIG. 14 is … of Embodiment 1 of an access network according to the present invention;
FIG. 15
FIG. 16
FIG. 17 is … of Embodiment 2 of an access network according to the present invention.

DETAILED DESCRIPTION OF EMBODIMENTS
To make the objectives, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings in the embodiments of the present invention. Obviously, the described embodiments are merely some rather than all of the embodiments of the present invention. All other embodiments obtained by persons of ordinary skill in the art based on the embodiments of the present invention without creative efforts shall fall within the protection scope of the present invention.
FIG. 1 is a flowchart of Embodiment 1 of a data transmission method according to the present invention. The executing entity of this embodiment is a machine type communication (MTC) terminal, and the embodiment applies to scenarios in which data is transmitted directly to a target application server via an access network. Specifically, this embodiment includes the following steps:
101. The MTC terminal generates, for a target application server, data carrying identity information of the MTC terminal, the data including at least application data and addressing information.
The MTC terminal generates, for the target application server, data that carries the identity information of the MTC terminal, for example data carrying the permanent identity (PID) of the MTC terminal or data carrying the temporary identity (TID) of the MTC terminal. The data also includes application data, addressing information (Addressing Info) and the like. The addressing information may be a separate field, such as the fully qualified domain name (FQDN) or Internet Protocol (IP) address of the target application server carried in the application data; alternatively, there may be no separate addressing information, the identity information of the MTC terminal instead containing the corresponding addressing information, i.e. part of the identity information can itself be used for addressing. For example, each MTC terminal may have a fixed target application server, and the addressing information corresponding to that server is contained in the identity information of the MTC terminal.
Optionally, if only permanent identity information is stored on the MTC terminal, or if both permanent identity information and first temporary identity information are stored on the MTC terminal but the MTC terminal is preset to use only the permanent identity information, the MTC terminal generates, for the target application server, data carrying the permanent identity information of the MTC terminal. Here, the first temporary identity information is the temporary identity information stored locally before the data is sent.
Optionally, if no usage manner of the identity information is preset on the MTC terminal, the MTC terminal needs to determine whether first temporary identity information of the MTC terminal exists locally; if so, it generates, for the target application server, data carrying the first temporary identity information; otherwise, if not, it generates, for the target application server, data carrying the permanent identity information.
102. The MTC terminal sends the data to an addressing server via the access network, so that the addressing server sends the data to the target application server according to the addressing information.
The MTC terminal sends the generated data to the access network, such as a radio network controller (RNC) or a base station controller (BSC). The access network forwards the received data directly to the addressing server without any processing. After receiving the data, the addressing server sends it to the target application server according to the addressing information.
It should be noted that, in the above process, if permanent identity information is stored on the MTC terminal, the MTC terminal also stores a public key Kpub and a key K corresponding to the permanent identity information; correspondingly, the private key Kpri corresponding to the public key is stored on the addressing server, which also stores the correspondence between the permanent identity information of the MTC terminal and the key K.
It should further be noted that the public key Kpub, the private key Kpri and the key K are provided for the security protection of the data, whereas the addressing server is only responsible for looking up the target application server according to the addressing information, verifying the data, and so on, and generally does not perform decryption. Therefore a key server may be provided: the private key Kpri may be placed on the key server, which then decrypts the identity information; alternatively, the private key Kpri may still be kept on the addressing server, in which case the addressing server decrypts the identity information. For clarity, unless otherwise emphasized below, the correspondence between the permanent identity information and the key K is in fact stored on the key server.
Specifically, several addressing servers may share one key server; for example, a key server may be integrated into one of the addressing servers, or a separate key server may be provided for the group of addressing servers. In that case the key server stores the permanent identity information and the corresponding keys K of all MTC terminals within the area served by those addressing servers. For example, if one key server is provided for the addressing servers in Beijing and Shanghai, it stores the identity information and keys of all MTC terminals in Shanghai and Beijing.
Alternatively, a separate key server may be provided for each addressing server; for example, a key server may be integrated into each addressing server, or a key server may be deployed independently of its corresponding addressing server. In that case each key server stores the permanent identity information and the corresponding keys K of only a subset of the MTC terminals. For example, the key server of the Beijing addressing server stores only the identity information and keys of the MTC terminals in Beijing, and the key server of the Shanghai addressing server stores only the identity information and keys of the MTC terminals in Shanghai.
In the data transmission method provided by this embodiment of the present invention, the MTC terminal sends data generated for the target application server and carrying the identity information of the MTC terminal to the access network; the access network forwards the received data to the addressing server without any processing, so that the data sent by the MTC terminal is transmitted directly to the corresponding application server via the radio access network.
Further, in Embodiment 1 above, after the MTC terminal sends the data to the addressing server via the access network, the MTC terminal receives encrypted second temporary identity information sent by the addressing server via the access network, the second temporary identity information being generated for the MTC terminal by the addressing server according to a preset policy; the MTC terminal decrypts the second temporary identity information and stores it.
Specifically, after the MTC terminal sends the data to the addressing server via the access network, the addressing server verifies whether the data is correct, generates new temporary identity information for the MTC terminal according to the preset policy, namely the second temporary identity information, and encrypts the second temporary identity information, for example with a shared key between the addressing server and the MTC terminal, and then sends the encrypted second temporary identity information to the MTC terminal via the access network. The shared key may, for example, be obtained by processing the key K corresponding to the permanent identity information according to a preset policy.
After receiving the encrypted second temporary identity information, the MTC terminal decrypts and stores it and at the same time deletes the first temporary identity information, so that when data is next sent, the second temporary identity information serves as the first temporary identity information stored locally on the MTC terminal.
In addition, the addressing server also needs to store the correspondence between the second temporary identity information and the permanent identity information; that is, the addressing server holds both the correspondence between the first temporary identity information and the permanent identity information and the correspondence between the second temporary identity information and the permanent identity information of the MTC terminal. In this way, if the MTC terminal does not receive the second temporary identity information, it can continue to carry the first temporary identity information in the data sent to the addressing server via the access network, and the addressing server can still identify the MTC terminal from the first temporary identity information.
Further, if the MTC terminal determines that first temporary identity information of the MTC terminal exists locally, then after the MTC terminal sends the data to the addressing server via the access network and before it receives the encrypted second temporary identity information sent by the addressing server via the access network, the MTC terminal may receive a failure indication sent by the addressing server via the access network, the failure indication being generated for the MTC terminal when the addressing server cannot identify the MTC terminal from the first temporary identity information; the MTC terminal then deletes the first temporary identity information, generates, for the target application server, data carrying the permanent identity information, and sends the data carrying the permanent identity information to the addressing server via the access network.
Specifically, if the MTC terminal determines that first temporary identity information of the MTC terminal exists locally, then after the MTC terminal sends the data to the addressing server via the access network, the addressing server determines from the first temporary identity information whether it can identify the MTC terminal. If it can, it verifies whether the data is correct and generates second temporary identity information for the MTC terminal according to the preset policy; otherwise, if the addressing server cannot identify the MTC terminal from the first temporary identity information, it sends a failure indication to the MTC terminal via the access network, informing the MTC terminal of the reason for the failure.
On receiving the failure indication and finding that the reason is that the addressing server could not recognize the first temporary identity information, the MTC terminal deletes the first temporary identity information, generates, for the target application server, data carrying the permanent identity information, and sends it again to the addressing server via the access network.
Further, in Embodiment 1 above, the MTC terminal generating data carrying the first temporary identity information for the target application server includes: the MTC terminal protecting the data carrying the first temporary identity information, thereby generating protected data for the target application server.
Specifically, the MTC terminal stores a key corresponding to the permanent identity information and uses this key to protect the application data and the addressing information. For example, an integrity protection key and an encryption key are derived from the key; the application data and the addressing information are encrypted with the encryption key and integrity-protected with the integrity key.
Further, in Embodiment 1 above, the MTC terminal generating data carrying the permanent identity information for the target application server includes: the MTC terminal protecting the data carrying the permanent identity information, thereby generating protected data for the target application server. Specifically, the MTC terminal may protect the data carrying the permanent identity information in the following ways:
Manner 1: The MTC terminal encrypts the permanent identity information with the public key and protects the application data and the addressing information with the key.
Manner 2: The MTC terminal encrypts the permanent identity information and the addressing information with the public key and protects the application data with the key.
Manner 3: The MTC terminal derives an integrity protection key from the key and computes a message authentication code (MAC) with that integrity protection key. The MTC terminal then encrypts the identity information, the addressing information, the application data and the MAC with the public key.
Manner 4: The MTC terminal stores a key corresponding to the permanent identity information and uses this key to protect the application data and the addressing information. For example, an integrity protection key and an encryption key are derived from the key; the application data and the addressing information are encrypted with the encryption key and integrity-protected with the integrity key. In this manner the permanent identity is not encrypted. Because in most cases the MTC terminal sends a temporary identity and the probability of sending the permanent identity is low, the security risk is acceptable in some scenarios.
From Manner 1 and Manner 2 above: the addressing information may be encrypted with the public key together with the permanent identity information, or it may be protected with the key together with the application data. From Manner 3: the addressing information, the application data and the permanent identity information may also be encrypted together with the public key. From Manner 4: the identity information may be left unencrypted, with only the addressing information and the application data protected.
In Manner 1, the MTC terminal derives an encryption key and an integrity key from the key. The MTC terminal then encrypts the application data and the addressing information with the encryption key and integrity-protects the application data and the addressing information with the integrity key.
Further, when generating the protected data for the target application server, the MTC terminal may also add anti-replay information to the protected data. The anti-replay information includes one or a combination of: current time information, bidirectional nonce information, and sequence number information.
FIG. 2 is a flowchart of Embodiment 2 of the data transmission method of the present invention. The executing entity of this embodiment is the addressing server, and it applies to the scenario in which data is transmitted directly to the target application server via the access network. Specifically, this embodiment includes the following steps:
201. The addressing server receives data carrying the identity information of a machine type communication (MTC) terminal, sent by the MTC terminal via the access network, the data including at least application data and addressing information.
In this step, the addressing information may be separate information, or the identity information of the MTC terminal may contain the corresponding addressing information, that is, part of the identity information can be used for addressing.
Optionally, the addressing server receives data carrying the first temporary identity information that the MTC terminal generated for the target application server.
Optionally, the addressing server receives data carrying the permanent identity information that the MTC terminal generated for the target application server.
202. The addressing server sends the data to the target application server according to the addressing information.
For the description of the identity information, the addressing information and so on in this embodiment, refer to the embodiment shown in FIG. 1; details are not repeated here.
In the data transmission method provided by this embodiment of the present invention, the addressing server uses the addressing information to transmit the data sent by the MTC terminal directly to the corresponding application server via the radio access network.
Further, in Embodiment 2 above, if the data received by the addressing server carries the first temporary identity information, then after receiving the data carrying the first temporary identity information the addressing server determines from the first temporary identity information whether it can identify the MTC terminal.
If the addressing server cannot identify the MTC terminal from the first temporary identity information, it sends a failure indication to the MTC terminal via the access network, informing the MTC terminal of the reason for the failure, so that the MTC terminal, according to the failure indication, deletes the first temporary identity information, regenerates data carrying the permanent identity information for the target application server and sends it to the addressing server via the access network; the addressing server then receives the regenerated data.
If the addressing server can identify the MTC terminal from the first temporary identity information, it verifies whether the data is correct and sends it to the target application server.
Further, in Embodiment 2 above, after the addressing server receives the data sent by the MTC terminal (for example, data carrying the first temporary identity information, data carrying the permanent identity information, or resent data carrying the permanent identity information) and before it sends the data to the target application server, the addressing server generates second temporary identity information for the MTC terminal according to a preset policy, encrypts it, stores the correspondence between the second temporary identity information and the permanent identity information, and sends the second temporary identity information to the MTC terminal via the access network.
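The identity handling of Embodiments 1 and 2 above (both temporary identities kept mapped to the permanent one, the failure indication, and the terminal's fallback to its permanent identity) as an added example in Go that is not part of the patent. The type and function names, the random choice of temporary identity (the page's "preset policy" is unspecified) and the sample identities are assumptions of this example; the encryption of the second temporary identity and the data protection are left out here.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Message is the data the terminal sends: exactly one identity plus payload.
type Message struct {
	TempID  string // first temporary identity ("" when the terminal has none)
	PID     string // permanent identity ("" when a temporary one is used)
	Payload []byte // application data, opaque to the addressing step
}

// Reply is what the addressing server returns to the terminal.
type Reply struct {
	Failure   bool   // failure indication: identity not recognised
	Reason    string
	NewTempID string // second temporary identity issued on success
}

// AddressingServer keeps every temporary identity it has issued mapped to the
// permanent one, so a terminal that missed the second temporary identity is
// still recognised by the first.
type AddressingServer struct {
	tempToPID map[string]string
	served    map[string]bool // PIDs this server is authoritative for
}

func NewAddressingServer(pids ...string) *AddressingServer {
	s := &AddressingServer{tempToPID: map[string]string{}, served: map[string]bool{}}
	for _, p := range pids {
		s.served[p] = true
	}
	return s
}

// newTempID stands in for the page's unspecified "preset policy" (assumption).
func newTempID() string {
	b := make([]byte, 8)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// Handle resolves the identity in a message and, on success, issues a second
// temporary identity without retiring the first.
func (s *AddressingServer) Handle(m Message) (pid string, r Reply, err error) {
	switch {
	case m.TempID != "":
		p, ok := s.tempToPID[m.TempID]
		if !ok {
			return "", Reply{Failure: true, Reason: "temporary identity unknown"}, nil
		}
		pid = p
	case m.PID != "":
		if !s.served[m.PID] {
			return "", Reply{Failure: true, Reason: "permanent identity not served here"}, nil
		}
		pid = m.PID
	default:
		return "", Reply{}, errors.New("message carries no identity")
	}
	r.NewTempID = newTempID()
	s.tempToPID[r.NewTempID] = pid // the earlier mapping stays valid
	return pid, r, nil
}

// Terminal is the MTC side: use the temporary identity when one exists and
// fall back to the permanent identity after a failure indication.
type Terminal struct {
	PID, TempID string
	Fallbacks   int // how often the terminal had to resend with its PID
}

func (t *Terminal) Send(s *AddressingServer, payload []byte) (string, error) {
	m := Message{Payload: payload}
	if t.TempID != "" {
		m.TempID = t.TempID
	} else {
		m.PID = t.PID
	}
	pid, r, err := s.Handle(m)
	if err != nil {
		return "", err
	}
	if r.Failure {
		if m.TempID == "" {
			return "", errors.New("rejected even with permanent identity: " + r.Reason)
		}
		t.TempID = "" // delete the stale first temporary identity
		t.Fallbacks++
		return t.Send(s, payload) // resend carrying the PID
	}
	t.TempID = r.NewTempID
	return pid, nil
}

func main() {
	srv := NewAddressingServer("460001234567890") // constructed IMSI-style PID
	term := &Terminal{PID: "460001234567890", TempID: "stale-temp-id"}
	pid, err := term.Send(srv, []byte("temp=21.5"))
	fmt.Println(pid, term.Fallbacks, term.TempID != "", err)
}
```

The page does not say when an older temporary identity is retired; the model above never removes one, so a deployment would want an expiry or a bound on the number of live identities per PID to keep the table from growing with every message.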
Specifically, refer to Embodiment 1 above; details are not repeated here.
Further, in Embodiment 2 above, the addressing server receiving data carrying the first temporary identity information generated by the MTC terminal for the target application server includes: the addressing server receiving protected data sent by the MTC terminal, the protected data being generated by the MTC terminal protecting the data carrying the first temporary identity information.
Further, in Embodiment 2 above, the addressing server receiving data carrying the permanent identity information generated by the MTC terminal for the target application server includes: the addressing server receiving protected data sent by the MTC terminal, the protected data being generated by the MTC terminal protecting the data carrying the permanent identity information.
Further, after receiving the protected data sent by the MTC terminal, the addressing server determines the key corresponding to the permanent identity information and, using that key, decrypts the application data and verifies its integrity.
Further, after receiving the protected data sent by the MTC terminal, the addressing server determines the key corresponding to the permanent identity information and, using that key, decrypts the addressing information and verifies its integrity.
Further, in Embodiment 2 above, after decrypting the protected data and verifying its integrity, and in order to prevent an attacker from sending unprotected data to the target application server, the addressing server adds security protection information to the protected data according to the addressing information. The security protection information indicates whether the identity information in the data is protected, whether the application data is protected and whether the addressing information is protected, so that the application server can determine, according to a preset policy, whether the received data has been suitably protected and whether it is secure data.
Further, in Embodiment 2 above, after receiving the protected data sent by the MTC terminal, the addressing server determines the home addressing server according to the permanent identity information; the home addressing server is the addressing server that holds the key K shared with the MTC terminal.
Specifically, if each addressing server has its own independent key server, the addressing server currently visited by the MTC terminal may not hold the key K corresponding to the permanent identity information of that MTC terminal, that is, the currently visited addressing server is not the home server of the MTC terminal. In this case, the addressing server needs to determine the home server of the MTC terminal.
Specifically, the home server of the MTC terminal may be determined from the first temporary identity or the permanent identity reported by the MTC terminal. When the permanent identity information is encrypted with the public key, the part of the permanent identity information used to address the home server should be sent to the visited addressing server in plaintext.
Further, in Embodiment 2 above, the protected data that the addressing server receives from the MTC terminal may be protected data to which anti-replay information has been added, the anti-replay information including one or a combination of current time information, bidirectional nonce information and sequence number information. In this case, the addressing server may also perform an anti-replay check on the protected data according to the anti-replay information.
FIG. 3 is a flowchart of Embodiment 3 of the data transmission method of the present invention. The executing entity of this embodiment is the access network, and it applies to the scenario in which data is transmitted directly to the target application server via the access network. Specifically, this embodiment includes the following steps:
301. The access network receives data sent by a machine type communication (MTC) terminal and carrying the identity information of the MTC terminal, the data including at least application data and addressing information.
Specifically, the access network receives all data sent by the MTC terminal and forwards it directly to the addressing server without any processing.
Optionally, the access network receives data carrying the first temporary identity information sent by the MTC terminal. Optionally, the access network receives data carrying the permanent identity information sent by the MTC terminal.
302. The access network sends the data to the addressing server, so that the addressing server sends the data to the target application server according to the addressing information.
For the description of the identity information, the addressing information and so on in this embodiment, refer to the embodiment shown in FIG. 1; details are not repeated here.
In the data transmission method provided by this embodiment of the present invention, the access network receives all data sent by the MTC terminal and forwards it directly to the addressing server without any processing, so that the addressing server uses the addressing information to transmit the data sent by the MTC terminal directly to the corresponding application server via the radio access network.
The data transmission method provided by the present invention is described in detail below in terms of the interaction between the MTC terminal, the access network and the addressing server.
FIG. 4 is a signaling diagram of Embodiment 4 of the data transmission method of the present invention. In this embodiment the data is not security-protected, that is, the identity information, the application data, the addressing information and so on in the data are not encrypted. Specifically, this embodiment includes the following steps:
401. The MTC terminal sends data carrying the addressing information to the access network.
402. The access network sends the data carrying the addressing information to the addressing server.
Access network side devices such as the RNC and the BSC forward all data received from the MTC terminal, without any processing, to a fixed addressing server. The fixed addressing server is, for example, an addressing server with an independent key server; alternatively, it may be an addressing server that shares a key server with other addressing servers.
403. The addressing server determines the target application server according to the addressing information.
404. The addressing server sends the data carrying the addressing information to the target application server.
FIG. 5 is a signaling diagram of Embodiment 5 of the data transmission method of the present invention. In this embodiment the MTC terminal generates data carrying its permanent identity information for the target application server and uses the current time information as anti-replay information. In addition, in this embodiment several addressing servers share one key server: the MTC terminal stores a public key Kpub and the key K corresponding to its permanent identity information PID, for example Time, Kpub{PID, K}; the addressing servers store Time; and the key server stores the permanent identity information of all MTC terminals within the range administered by these addressing servers together with the corresponding keys K, the clock Time and the private key Kpri corresponding to the public key, for example {PID1, K1}, {PID2, K2}, {PID3, K3}, ... Specifically, this embodiment includes the following steps:
501. The MTC terminal generates protected data for the target application server.
A clock is provided on the MTC terminal that records the current time information fairly accurately and is kept synchronized with the clocks on the addressing server and the key server. Here, kept synchronized means that the current time information of the individual clocks need not be especially precise; a permitted error, for example an error at the level of minutes, may exist. Specifically, this step includes the following sub-steps:
5011. Encrypt the PID with the public key Kpub.
To ensure that the result of each encryption differs, the current time information Time is also used as an input parameter to the encryption.
5012. Protect the application data with the key.
The MTC terminal protects the application data with the key, including encryption protection and integrity protection; to prevent replay, the current time information may also be used as an input parameter to the protection.
5013. Protect the addressing information.
The addressing information may be encrypted with the public key Kpub together with the PID, or protected with the key K together with the application data. Therefore, step 5013 may be performed together with 5011, in which case the protected data can be expressed as Kpub{PID || [Addressing Info], Time}; or step 5013 may be performed together with 5012, in which case the protected data is K{[Address Info] || data, Time}.
Below, the present invention is described in detail taking as an example the case in which the addressing information is protected with the key K together with the application data.
FIG. 6 is a first schematic diagram of the structure of the protected data of the present invention. In this embodiment the cryptographic algorithm for the PID is RSA; the protection of the addressing information and the application data includes encryption protection and integrity protection, where the encryption algorithm is AES-CTR (128-bit) and integrity protection uses HMAC-SHA256; the cryptographic algorithm for the key K is AES-CTR (128-bit).
Referring to FIG. 6, in this embodiment the encryption protection of the PID is specifically as follows. A 1-bit flag bit 1 is security protection information indicating whether the PID is encrypted; for example, flag bit 1 = 0 indicates that the PID is not encrypted and flag bit 1 = 1 indicates that the PID is encrypted. The MTC terminal stores the public key Kpub = (n, e), where n is 2048 bits long and e is usually 65537. The MTC terminal forms the plaintext P to be encrypted from the current time information and the PID. The current time information is the time recorded by the clock of the MTC terminal, accurate to the second, expressed as 14 decimal digits (year, month, day, hour, minute, second: 4+2+2+2+2+2). The PID uses the International Mobile Subscriber Identity (IMSI) format and is expressed as 15 decimal digits. Thus the plaintext P is PID || current time information, that is, 29 decimal digits, each recorded in 4 bits, 116 bits in total; these 116 bits are the plaintext P to be encrypted.
The MTC terminal performs the cipher operation on the plaintext P, that is, computes the ciphertext C = P^e mod n; the ciphertext C is 2048 bits long.
Referring again to FIG. 6, in this embodiment the protection of the application data and the addressing information is specifically as follows. Flag bit 2 is security protection information indicating whether the application data and the addressing information are encrypted (cipher), and flag bit 3 is security information indicating whether the application data and the addressing information are integrity protected; flag bits 2 and 3 set to 1 indicate that the application data and the addressing information are encrypted and integrity protected, and flag bits 2 and 3 set to 0 indicate that the application data and the addressing information are not encrypted and integrity protected. The MTC terminal derives the encryption key Kc and the integrity protection key Ki from the key K (128 bits) and the current time: Kc = HMAC-SHA256(K, 0x00 || T) and Ki = HMAC-SHA256(K, 0x01 || T), where T is the current time information of the clock of the MTC terminal, accurate to the second, expressed as 14 decimal digits (year, month, day, hour, minute, second: 4+2+2+2+2+2). Each decimal digit is expressed in 4 bits, 56 bits in total; these 56 bits are T.
The MTC terminal encrypts the addressing information and the application data with Kc. The encryption algorithm is AES-CTR, and the key is the first 128 bits of Kc. The first 64 bits of the 128-bit counter (COUNT) required by AES-CTR are the first 64 bits of HMAC-SHA256(K, 0x02 || P), and the last 64 bits count up from 0. The resulting ciphertext has the same length as addressing information || application data; the encryption ensures that the addressing information and the application data cannot be eavesdropped by an attacker.
The MTC terminal integrity-protects the addressing information and the application data with Ki. The MTC terminal computes the message authentication code MAC = HMAC-SHA256(Ki, "ciphertext of the addressing information and application data"). The output of HMAC-SHA256 is 256 bits long; the first X bits of the 256 bits may be used as the MAC as required, for example the first 32 bits. As in FIG. 6, if integrity protection is not performed, MAC is 0; otherwise, if integrity protection is performed, MAC is 1 and the MAC is 32 bits long. The MAC ensures that the ciphertext of the addressing information and the application data is not tampered with.
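The FIG. 6 construction above, carried through end to end in Go as an added example that is not part of the patent. It also covers the Kc/Ki derivation of Manner 1 and the replay check of step 507 below. Its assumptions: the Go standard library's RSA-OAEP in place of the page's bare C = P^e mod n (the page's 116-bit plaintext under textbook RSA is not what a practitioner would deploy); ASCII digits for PID and T in place of the page's 4-bit packing; a 1-byte length prefix separating the addressing info from the application data inside the ciphertext; the key server folded into the addressing server, as in Embodiment 6; the flag bits carried as booleans; and the replay window passed as a parameter. All names, the sample K, PID and timestamp are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

const timeLayout = "20060102150405" // the page's 14-digit YYYYMMDDhhmmss

// Protected mirrors the FIG. 6 message. Field order, ASCII digits (the page
// packs 4 bits per digit) and the 1-byte length prefix are assumptions.
type Protected struct {
	PIDEncrypted, Ciphered, Integrity bool   // flag bits 1, 2, 3
	EncPID                            []byte // Kpub{PID || T}
	Body                              []byte // AES-CTR(Kc) over len(addr) || addr || data
	MAC                               []byte // first 32 bits of HMAC-SHA256(Ki, Body)
}

func hmacSHA256(key, msg []byte) []byte {
	h := hmac.New(sha256.New, key)
	h.Write(msg)
	return h.Sum(nil)
}

// deriveKeys: Kc = HMAC-SHA256(K, 0x00||T) (first 128 bits used as the AES
// key) and Ki = HMAC-SHA256(K, 0x01||T), as the page specifies.
func deriveKeys(k []byte, t string) (kc, ki []byte) {
	return hmacSHA256(k, append([]byte{0x00}, t...))[:16], hmacSHA256(k, append([]byte{0x01}, t...))
}

// ctrStream: AES-CTR whose COUNT starts with the first 64 bits of
// HMAC-SHA256(K, 0x02||P) followed by a 64-bit block counter from 0.
func ctrStream(kc, k []byte, p string) cipher.Stream {
	block, _ := aes.NewCipher(kc) // kc is always 16 bytes, so this cannot fail
	iv := make([]byte, 16)
	copy(iv, hmacSHA256(k, append([]byte{0x02}, p...))[:8])
	return cipher.NewCTR(block, iv)
}

// GenerateDemoKey draws the 2048-bit RSA pair (Kpub, Kpri) the page assumes.
func GenerateDemoKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// TerminalProtect is step 501 on the MTC terminal.
func TerminalProtect(pub *rsa.PublicKey, k []byte, pid string, now time.Time, addr, data []byte) (*Protected, error) {
	if len(pid) != 15 || len(addr) > 255 {
		return nil, errors.New("pid must be 15 digits, addressing info at most 255 bytes")
	}
	p := pid + now.UTC().Format(timeLayout) // plaintext P = PID || T, 29 digits
	// The page computes C = P^e mod n directly; OAEP padding is used here instead.
	encPID, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(p), nil)
	if err != nil {
		return nil, err
	}
	kc, ki := deriveKeys(k, p[15:])
	plain := append(append([]byte{byte(len(addr))}, addr...), data...)
	body := make([]byte, len(plain))
	ctrStream(kc, k, p).XORKeyStream(body, plain)
	return &Protected{true, true, true, encPID, body, hmacSHA256(ki, body)[:4]}, nil
}

// ServerUnprotect is steps 505-507 with the key server folded in: recover
// PID and T, reject stale timestamps, verify the MAC, and only then decrypt.
func ServerUnprotect(priv *rsa.PrivateKey, keys map[string][]byte, now time.Time, window time.Duration, m *Protected) (pid string, addr, data []byte, err error) {
	p, err := rsa.DecryptOAEP(sha256.New(), nil, priv, m.EncPID, nil)
	if err != nil || len(p) != 29 {
		return "", nil, nil, errors.New("cannot recover PID || T")
	}
	pid, t := string(p[:15]), string(p[15:])
	if sent, e := time.Parse(timeLayout, t); e != nil || now.UTC().Sub(sent) > window || now.UTC().Sub(sent) < -window {
		return "", nil, nil, errors.New("anti-replay: timestamp missing or outside the allowed window")
	}
	k, ok := keys[pid]
	if !ok {
		return "", nil, nil, errors.New("no key K stored for this PID")
	}
	kc, ki := deriveKeys(k, t)
	if !hmac.Equal(hmacSHA256(ki, m.Body)[:4], m.MAC) { // constant-time compare
		return "", nil, nil, errors.New("integrity check failed")
	}
	plain := make([]byte, len(m.Body))
	ctrStream(kc, k, string(p)).XORKeyStream(plain, m.Body)
	if len(plain) == 0 || 1+int(plain[0]) > len(plain) {
		return "", nil, nil, errors.New("malformed body")
	}
	n := int(plain[0])
	return pid, plain[1 : 1+n], plain[1+n:], nil
}

func main() {
	priv, _ := GenerateDemoKey()
	k, pid := []byte("0123456789abcdef"), "460001234567890" // constructed K and IMSI-style PID
	sent := time.Date(2013, 7, 1, 12, 0, 0, 0, time.UTC)
	m, _ := TerminalProtect(&priv.PublicKey, k, pid, sent, []byte("app.example"), []byte("temp=21.5"))
	_, addr, data, err := ServerUnprotect(priv, map[string][]byte{pid: k}, sent.Add(30*time.Second), 5*time.Minute, m)
	fmt.Println(string(addr), string(data), err)
}
```

Two points the code makes explicit. Anyone holding Kpub can produce a fresh Kpub{PID || T}, so the timestamp is only trustworthy once the MAC under Ki, which depends on the shared K and on T, has verified; that is why the server checks the MAC before acting on the decrypted body. And a minute-level clock tolerance, as the page permits, means an identical message re-delivered inside the window passes the timestamp test; a server-side record of (PID, T) values seen within the window closes that gap.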
502、 MTC终端向接入网发送受保护的数据。  502. The MTC terminal sends the protected data to the access network.
503、 接入网向寻址服务器发送受保护的数据。  503. The access network sends the protected data to the addressing server.
步骤 502、 503中, 接入网对接收到的数据不进行任何处理, 直接发送至 寻址服务器。  In steps 502 and 503, the access network does not perform any processing on the received data and directly sends the data to the addressing server.
504、 寻址服务器向密钥服务器发送加密后的 PID。  504. The addressing server sends the encrypted PID to the key server.
寻址服务器将接收到的受保护的数据中的加密后的 PID发送给密钥服务 器 ( Key Server ) 。  The addressing server sends the encrypted PID in the received protected data to the Key Server.
505、 Key Server利用私钥 kpri对加密后的 PID进行解密。  505. The Key Server decrypts the encrypted PID by using the private key kpri.
Key Server利用私钥 kpri解密得到 MTC终端的 PID以及加密时的时间信 息, 根据 PID检索得到对应的密钥 K。  The Key Server decrypts the PID of the MTC terminal and the time information during encryption by using the private key kpri, and obtains the corresponding key K according to the PID search.
506、 Key Server将 PID与 Κ发送给寻址服务器。  506. The Key Server sends the PID and the Κ to the addressing server.
The Key Server sends the decrypted PID, time information and so on to the addressing server. Alternatively, instead of sending the key K to the addressing server, the Key Server may derive the same decryption or verification key that the MTC terminal uses and send the derived key to the addressing server.
Note that if the addressing information was also encrypted with the public key Kpub, the Key Server also needs to send the decrypted addressing information to the addressing server.
507. The addressing server uses K to decrypt the application data and verify its integrity.
If the addressing information is also protected with the key K, the addressing server decrypts and integrity-verifies the addressing information as well. The addressing server compares the time information recorded at encryption with its own current time to decide whether the data is replayed data.
508. The addressing server sends the data to the application server.
The addressing server reconstructs the decrypted data from the protected data and, according to the addressing information, sends the decrypted data to the target application server (not shown in the figure). To prevent an attacker from sending unprotected data to the application server, the addressing server may also send the target application server security-protection information indicating whether the data was protected, for example the information of flag 1, flag 2 or flag 3 in Figure 6, so that the target application server can judge, from its preset policy and the security-protection information, whether the received data was suitably protected.
Note that in this embodiment clocks are configured on the MTC terminal, the addressing server and the key server, and the time information is used for the anti-replay check. The present invention is not limited to this, however. In other possible implementations anti-replay can also be achieved with a bidirectional nonce of 32 to 128 bits, carried in signaling between the MTC terminal, the addressing server and so on. Alternatively, a sequence number can replace the time information for the anti-replay check; the sequence number is maintained and kept synchronized among the MTC terminal, the addressing server and the key server.
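The three anti-replay options listed above, written out as one checker, as an added example that is not part of the patent text. It assumes a 30-second clock window, per-PID state kept on the server side, hex-encoded nonces and a constructed sample PID. The point a practitioner should take from it: a clock comparison alone does not stop an attacker who re-sends a captured message within the tolerance window, so the clock check also has to remember the newest accepted time per terminal, and a nonce or sequence number must be consumed, not merely validated.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Added example, not code from the patent: one guard object offering the three
// anti-replay options the text names (clock comparison, bidirectional nonce,
// synchronized sequence number). The window size, the map layout and the sample
// PID are assumptions made for the illustration.

var ErrReplay = errors.New("replay detected")

type ReplayGuard struct {
	Window  time.Duration     // tolerated difference between message time and server time
	lastTs  map[string]int64  // newest accepted message time per PID, in nanoseconds
	lastSeq map[string]uint64 // highest accepted sequence number per PID
	nonces  map[string]bool   // nonces issued by the server and not yet consumed
}

func NewReplayGuard(window time.Duration) *ReplayGuard {
	return &ReplayGuard{Window: window, lastTs: map[string]int64{},
		lastSeq: map[string]uint64{}, nonces: map[string]bool{}}
}

// CheckTime is the clock-based check of Embodiment 5: the message time must lie
// within Window of the server clock and, so that a copy re-sent inside the
// window is still caught, must be newer than the last time accepted for that PID.
func (g *ReplayGuard) CheckTime(pid string, msgTime, now time.Time) error {
	skew := now.Sub(msgTime)
	if skew < 0 {
		skew = -skew
	}
	if skew > g.Window {
		return fmt.Errorf("time differs from server clock by %v: %w", skew, ErrReplay)
	}
	if last, ok := g.lastTs[pid]; ok && msgTime.UnixNano() <= last {
		return fmt.Errorf("time not newer than last accepted for %s: %w", pid, ErrReplay)
	}
	g.lastTs[pid] = msgTime.UnixNano()
	return nil
}

// CheckSeq is the sequence-number alternative: counters are kept per PID on
// both sides and only a strictly higher value is accepted.
func (g *ReplayGuard) CheckSeq(pid string, seq uint64) error {
	if last, ok := g.lastSeq[pid]; ok && seq <= last {
		return fmt.Errorf("sequence %d not above %d for %s: %w", seq, last, pid, ErrReplay)
	}
	g.lastSeq[pid] = seq
	return nil
}

// IssueNonce is the server half of the bidirectional-nonce alternative: a fresh
// random value of 32 to 128 bits is handed to the terminal over signaling.
func (g *ReplayGuard) IssueNonce(bits int) (string, error) {
	if bits < 32 || bits > 128 || bits%8 != 0 {
		return "", errors.New("nonce length must be 32..128 bits in whole bytes")
	}
	raw := make([]byte, bits/8)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	n := hex.EncodeToString(raw)
	g.nonces[n] = true
	return n, nil
}

// CheckNonce consumes the nonce carried back in the data: the first message
// bearing it passes, any later copy fails.
func (g *ReplayGuard) CheckNonce(n string) error {
	if !g.nonces[n] {
		return fmt.Errorf("nonce %s unknown or already used: %w", n, ErrReplay)
	}
	delete(g.nonces, n)
	return nil
}

func main() {
	g := NewReplayGuard(30 * time.Second)
	now := time.Unix(1700000000, 0)
	pid := "460001234567890" // constructed sample PID
	fmt.Println("first:", g.CheckTime(pid, now.Add(-5*time.Second), now))
	fmt.Println("copy :", g.CheckTime(pid, now.Add(-5*time.Second), now))
	fmt.Println("stale:", g.CheckTime(pid, now.Add(-2*time.Minute), now))
	n, _ := g.IssueNonce(64)
	fmt.Println("nonce:", g.CheckNonce(n), g.CheckNonce(n))
}
```

The sequence-number variant is the cheapest on the air interface but needs the counters re-synchronized after a terminal loses state; the nonce variant costs a signaling round trip before every message, which works against the "wake, send, sleep" pattern the background section describes.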
Figure 7 is a signaling diagram of Embodiment 6 of the data transmission method of the present invention. In this embodiment the addressing server holds the private key kpri and itself performs the decryption of the PID and so on. Specifically, the embodiment includes the following steps:
601. The MTC terminal generates protected data for the target application server.
Specifically, the MTC terminal computes the integrity protection key Ki, for example by computing Ki from the key K or deriving Ki from the current time information, and computes the message authentication code MAC with Ki. It then encrypts "PID || addressing information || application data || current time information || MAC" with the public key Kpub to obtain the protected data.
Figure 8 is a schematic diagram of the second structure of the protected data of the present invention. For the description of the flags, the time information, the MAC and so on, see Figure 6 above; it is not repeated here.
602. The MTC terminal sends the protected data to the access network.
603. The access network sends the protected data to the addressing server.
604. The addressing server decrypts the protected data with the private key kpri.
The addressing server decrypts the received protected message with kpri and obtains the plaintext "PID || addressing information || application data || current time information || MAC".
605. The addressing server sends the PID and the current time information to the Key Server.
606. The Key Server performs the anti-replay check and recomputes Ki.
607. The Key Server sends the new Ki to the addressing server.
608. The addressing server performs the anti-replay check with Ki.
The addressing server uses the newly received Ki to verify the current time information and the MAC.
609. The addressing server sends the data to the application server.
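The Figure 7 exchange end to end, as an added example that is not part of the patent text. RSA-OAEP stands in for the Kpub/kpri operation, HMAC-SHA256 for the derivation of Ki and for the MAC, a length-prefixed layout for the "||" concatenation, and a 30-second window for the Key Server's anti-replay check; the PID, the addressing information, the application data and the key K are constructed sample values. It shows that the Key Server can keep K to itself and release only the per-message Ki (step 607), and why the concatenation needs unambiguous field boundaries before it is MACed and sealed.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Added example, not the patent's own code. RSA-OAEP for Kpub/kpri, HMAC-SHA256
// for Ki and the MAC, the length-prefixed field layout, the 30 s clock window and
// the sample identities are all assumptions made for the illustration.

// encodeFields joins fields as (uint16 length || bytes) so that the "||"
// boundaries of "PID || addressing info || data || time || MAC" can be
// recovered exactly after decryption.
func encodeFields(fields ...[]byte) []byte {
	var b bytes.Buffer
	for _, f := range fields {
		b.Write([]byte{byte(len(f) >> 8), byte(len(f))})
		b.Write(f)
	}
	return b.Bytes()
}

func decodeFields(b []byte, n int) ([][]byte, error) {
	var out [][]byte
	for i := 0; i < n; i++ {
		if len(b) < 2 || len(b) < 2+int(binary.BigEndian.Uint16(b)) {
			return nil, errors.New("truncated field")
		}
		l := int(binary.BigEndian.Uint16(b))
		out, b = append(out, b[2:2+l]), b[2+l:]
	}
	return out, nil
}

func timeBytes(ts int64) []byte {
	b := make([]byte, 8)
	binary.BigEndian.PutUint64(b, uint64(ts))
	return b
}

// deriveKi binds the integrity key to K and to the message time, so a MAC made
// for one time cannot be re-used with another.
func deriveKi(K []byte, ts int64) []byte {
	m := hmac.New(sha256.New, K)
	m.Write(append([]byte("Ki"), timeBytes(ts)...))
	return m.Sum(nil)
}

func computeMAC(Ki, pid, addr, data []byte, ts int64) []byte {
	m := hmac.New(sha256.New, Ki)
	m.Write(encodeFields(pid, addr, data, timeBytes(ts)))
	return m.Sum(nil)
}

// GenerateServerKey makes the (Kpub, kpri) pair held by the addressing server.
func GenerateServerKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// TerminalProtect is step 601: MAC under Ki, then seal everything under Kpub.
func TerminalProtect(pub *rsa.PublicKey, K []byte, pid, addr string, data []byte, ts int64) ([]byte, error) {
	mac := computeMAC(deriveKi(K, ts), []byte(pid), []byte(addr), data, ts)
	plain := encodeFields([]byte(pid), []byte(addr), data, timeBytes(ts), mac)
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plain, nil)
}

// KeyServer keeps K per PID; K itself never leaves it, only the per-message Ki.
type KeyServer struct {
	Keys   map[string][]byte
	Window int64 // accepted difference from the server clock, in seconds
	lastTs map[string]int64
}

// RecomputeKi is steps 606 and 607: anti-replay check, then a fresh Ki.
func (k *KeyServer) RecomputeKi(pid string, ts, now int64) ([]byte, error) {
	K, ok := k.Keys[pid]
	if !ok {
		return nil, fmt.Errorf("unknown PID %q", pid)
	}
	if d := now - ts; d > k.Window || d < -k.Window {
		return nil, errors.New("anti-replay: time outside the accepted window")
	}
	if k.lastTs == nil {
		k.lastTs = map[string]int64{}
	}
	if last, seen := k.lastTs[pid]; seen && ts <= last { // a copy re-sent inside the window
		return nil, errors.New("anti-replay: time not newer than the last accepted message")
	}
	k.lastTs[pid] = ts
	return deriveKi(K, ts), nil
}

// AddressingServerReceive is steps 604 to 608; it returns what step 609 forwards.
func AddressingServerReceive(priv *rsa.PrivateKey, ks *KeyServer, ct []byte, now int64) (addr string, data []byte, err error) {
	plain, err := rsa.DecryptOAEP(sha256.New(), nil, priv, ct, nil)
	if err != nil {
		return "", nil, fmt.Errorf("kpri decrypt: %w", err)
	}
	f, err := decodeFields(plain, 5)
	if err != nil || len(f[3]) != 8 {
		return "", nil, errors.New("malformed plaintext")
	}
	ts := int64(binary.BigEndian.Uint64(f[3]))
	Ki, err := ks.RecomputeKi(string(f[0]), ts, now) // step 605 hands over PID and time
	if err != nil {
		return "", nil, err
	}
	if !hmac.Equal(f[4], computeMAC(Ki, f[0], f[1], f[2], ts)) {
		return "", nil, errors.New("MAC verification failed; data discarded")
	}
	return string(f[1]), f[2], nil
}

func main() {
	priv, _ := GenerateServerKey()
	K := []byte("constructed-sample-K") // sample key, not a real secret
	ks := &KeyServer{Keys: map[string][]byte{"460001234567890": K}, Window: 30}
	ct, _ := TerminalProtect(&priv.PublicKey, K, "460001234567890", "app.example:5683", []byte("t=21.5C"), 1700000000)
	addr, data, err := AddressingServerReceive(priv, ks, ct, 1700000003)
	fmt.Println(addr, string(data), err)
	_, _, err = AddressingServerReceive(priv, ks, ct, 1700000004)
	fmt.Println("replayed copy:", err)
}
```

The second call in main re-submits the same ciphertext and is refused at step 606, because the Key Server remembers the newest time it accepted for that PID; without that memory, any copy captured on the air interface and re-sent within the window would pass. The whole plaintext must fit one RSA-OAEP block (190 bytes with a 2048-bit key and SHA-256), which matches the small-data case this embodiment targets but is a hard limit to check before use.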
In Embodiments 5 and 6 above, the MTC terminal can only use its permanent identity information, and to protect the data the current time information and so on are introduced, which increases the length of the data. The present invention is not limited to this, however: in other possible implementations the MTC terminal may also use temporary identity information, and the security protection of the data then adds only the message authentication code MAC. See Embodiment 7 in Figure 9 for details.
Figure 9 is a signaling diagram of Embodiment 7 of the data transmission method of the present invention. In this embodiment the MTC terminal uses a temporary identity mechanism. Specifically, the embodiment includes the following steps:
701. Channel assignment.
7011. The MTC terminal sends a Channel Request message to the access network.
7012. The MTC terminal receives the immediate assignment message sent by the access network.
702. The MTC terminal determines whether first temporary identity information exists locally.
If first temporary identity information exists locally, the MTC terminal generates data carrying the first temporary identity information for the target application server and proceeds to step 703; otherwise, if no first temporary identity information exists locally, it generates data carrying the permanent identity information for the target application server, and the subsequent procedure is as in the embodiment shown in Figure 5 or Figure 7 and is not repeated here.
703. The MTC terminal sends the data carrying the first temporary identity information to the access network.
Optionally, in this step the MTC terminal may protect the application data and the addressing information with the key corresponding to its permanent identity information. Specifically, the MTC terminal computes an integrity protection key and an encryption key from the key, encrypts the application data and the addressing information with the encryption key, and integrity-protects the application data and the addressing information with the integrity key.
704. The access network sends the data carrying the first temporary identity information to the addressing server.
705. The addressing server determines whether it can identify the MTC terminal.
Using the first temporary identity information, the addressing server looks up the corresponding permanent identity information. If none is found, the addressing server cannot identify the MTC terminal and step 706 is performed; otherwise, if it is found, the addressing server can identify the MTC terminal and step 709 is performed.
706. The addressing server sends a failure indication to the MTC terminal via the access network.
Specifically, this step includes the following sub-steps:
7061. The addressing server sends a failure indication to the access network.
7062. The access network sends the failure indication to the MTC terminal.
707. The MTC terminal deletes the first temporary identity information and generates data carrying the permanent identity information for the target application server.
708. The MTC terminal sends the data carrying the permanent identity information to the addressing server via the access network. Specifically, this step includes the following sub-steps:
7081. The MTC terminal sends the data carrying the permanent identity information to the access network.
7082. The access network sends the data carrying the permanent identity information to the addressing server.
Optionally, in 7081 and 7082 the MTC terminal may protect the data carrying the permanent identity information using any one of Modes 1 to 4 described above for protecting data that carries permanent identity information.
709. The addressing server verifies whether the data is correct, forwards it to the target application server, and generates second temporary identity information.
In this step, after verifying the data, the addressing server sends it to the target application server (not shown in the figure) if it is correct; otherwise the data is discarded. In addition, the addressing server generates new temporary identity information for the MTC terminal according to a preset policy, namely second temporary identity information, and encrypts it, for example with a key derived from the key K.
710. The addressing server sends the encrypted second temporary identity information to the MTC terminal via the access network.
Specifically, this step includes the following sub-steps:
7101. The addressing server sends the encrypted second temporary identity information to the access network.
7102. The access network sends the encrypted second temporary identity information to the MTC terminal.
711. The MTC terminal decrypts and stores the second temporary identity information.
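The temporary-identity procedure of Figure 9 as a pair of state machines, an added example that is not part of the patent text. It uses HMAC-SHA256 for the optional protection of step 703 (integrity only; the encryption of the payload is left out), AES-256-GCM under a key derived from K for the envelope of step 709, a policy that retires a temporary identity once it has been used, and constructed sample identities; all of these are assumptions. It exercises the failure path (706, 707) and the success path (709 to 711), and shows that a tampered message must not cause a new identity to be issued.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Added example, not the patent's own code. HMAC-SHA256 for the integrity check,
// AES-256-GCM for the identity envelope, a one-use-per-identity policy and the
// sample identities are assumptions made for the illustration.

type Message struct {
	ID     string // first temporary identity, or the PID when none is held
	IsTemp bool
	Addr   string // addressing information
	Data   []byte // application data
	MAC    []byte // over Addr and Data, under a key derived from K
}

type Response struct {
	Failure   bool   // failure indication: the addressing server could not identify the terminal
	EncTempID []byte // nonce || AES-GCM ciphertext of the second temporary identity
}

// derive makes a purpose-specific sub-key from the key K bound to the PID.
func derive(K []byte, label string) []byte {
	m := hmac.New(sha256.New, K)
	m.Write([]byte(label))
	return m.Sum(nil)
}

func mac(K []byte, addr string, data []byte) []byte {
	m := hmac.New(sha256.New, derive(K, "integrity"))
	m.Write(append(append([]byte(addr), 0), data...))
	return m.Sum(nil)
}

func gcm(K []byte) (cipher.AEAD, error) {
	blk, err := aes.NewCipher(derive(K, "tmpid"))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(blk)
}

// seal and open carry the second temporary identity to the terminal encrypted.
func seal(K, plain []byte) ([]byte, error) {
	g, err := gcm(K)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plain, nil), nil
}

func open(K, box []byte) ([]byte, error) {
	g, err := gcm(K)
	if err != nil {
		return nil, err
	}
	if len(box) < g.NonceSize() {
		return nil, errors.New("short envelope")
	}
	return g.Open(nil, box[:g.NonceSize()], box[g.NonceSize():], nil)
}

type Terminal struct {
	PID, TempID string
	K           []byte
}

// Build is steps 702 and 703: send under the first temporary identity if one is stored.
func (t *Terminal) Build(addr string, data []byte) Message {
	m := Message{ID: t.PID, Addr: addr, Data: data, MAC: mac(t.K, addr, data)}
	if t.TempID != "" {
		m.ID, m.IsTemp = t.TempID, true
	}
	return m
}

// Accept is step 707 on a failure indication and step 711 otherwise.
func (t *Terminal) Accept(r Response) error {
	if r.Failure {
		t.TempID = ""
		return nil
	}
	id, err := open(t.K, r.EncTempID)
	if err != nil {
		return err
	}
	t.TempID = string(id)
	return nil
}

type AddressingServer struct {
	Keys      map[string][]byte // K per PID
	TempToPID map[string]string
}

// Handle is steps 705 to 710. It returns the data to forward (nil when the
// message is discarded or the terminal is unknown) and the response.
func (s *AddressingServer) Handle(m Message) ([]byte, Response, error) {
	pid := m.ID
	if m.IsTemp {
		p, ok := s.TempToPID[m.ID]
		if !ok {
			return nil, Response{Failure: true}, nil // step 706
		}
		pid = p
	}
	K, ok := s.Keys[pid]
	if !ok {
		return nil, Response{}, fmt.Errorf("no key for PID %q", pid)
	}
	if !hmac.Equal(m.MAC, mac(K, m.Addr, m.Data)) {
		return nil, Response{}, errors.New("integrity check failed; data discarded") // step 709
	}
	if m.IsTemp {
		delete(s.TempToPID, m.ID) // policy assumption: each temporary identity is used once
	}
	raw := make([]byte, 8)
	if _, err := rand.Read(raw); err != nil {
		return nil, Response{}, err
	}
	tmp := hex.EncodeToString(raw)
	s.TempToPID[tmp] = pid
	box, err := seal(K, []byte(tmp))
	if err != nil {
		return nil, Response{}, err
	}
	return m.Data, Response{EncTempID: box}, nil
}

func main() {
	K := []byte("constructed-sample-K") // sample key, not a real secret
	srv := &AddressingServer{Keys: map[string][]byte{"460001234567890": K}, TempToPID: map[string]string{}}
	term := &Terminal{PID: "460001234567890", TempID: "stale-temp-id", K: K}
	for i := 0; i < 2; i++ { // first round: failure indication; second: new identity issued
		fwd, r, err := srv.Handle(term.Build("app.example:5683", []byte("t=21.5C")))
		fmt.Println("forwarded:", string(fwd), "failure:", r.Failure, "err:", err)
		term.Accept(r)
	}
	fmt.Println("stored temporary identity:", term.TempID)
}
```

Two details matter in practice. The failure indication of step 706 is sent to a terminal the server cannot identify, so it is necessarily unauthenticated; an attacker who can inject it forces the terminal back to its permanent identity, which is exactly what the temporary identity was meant to hide, so the terminal should rate-limit that fallback. And the old identity is retired only after the integrity check passes, so a forged message under a valid temporary identity cannot knock the real terminal off its identity.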
Figure 10 is a schematic structural diagram of Embodiment 1 of the MTC terminal of the present invention. The MTC terminal provided in this embodiment is the apparatus embodiment corresponding to the embodiment of Figure 1 of the present invention; the specific implementation process is not repeated here. Specifically, the MTC terminal 100 provided in this embodiment includes:
a processing module 11, configured to generate, for a target application server, data carrying the identity information of the MTC terminal, the data including at least application data and addressing information;
a sending module 12, configured to send the data to an addressing server via an access network, so that the addressing server sends the data to the target application server according to the addressing information.
The MTC terminal provided by this embodiment of the present invention sends the data generated for the target application server and carrying the MTC terminal's identity information to the access network; the access network forwards the received data directly to the addressing server without any processing, so that the data sent by the MTC terminal is transmitted directly to the corresponding application server via the radio access network.
Further, the processing module 11 is configured to generate, for the target application server, data carrying the permanent identity information of the MTC terminal.
Figure 11 is a schematic structural diagram of Embodiment 2 of the MTC terminal of the present invention. As shown in Figure 11, the MTC terminal 200 of this embodiment, on the basis of the apparatus structure of Figure 10, further includes:
a determining module 13, configured to determine whether first temporary identity information of the MTC terminal exists locally; the processing module 11 being configured to generate data carrying the first temporary identity information for the target application server if the determining module 13 determines that first temporary identity information exists locally, and otherwise, if the determining module 13 determines that no first temporary identity information exists locally, to generate data carrying the permanent identity information for the target application server.
Referring again to Figure 11, the MTC terminal 200 further includes:
a receiving module 14, configured to receive encrypted second temporary identity information sent by the addressing server via the access network, the second temporary identity information being generated for the MTC terminal by the addressing server according to a preset policy;
the processing module 11 being configured to decrypt the second temporary identity information and store it.
Further, if the determining module 13 determines that first temporary identity information of the MTC terminal exists locally, the receiving module 14 is configured to receive a failure indication sent by the addressing server via the access network, the failure indication being generated for the MTC terminal when the addressing server cannot identify the MTC terminal from the first temporary identity information;
the processing module 11 being configured to delete the first temporary identity information and generate data carrying the permanent identity information for the target application server;
the sending module 12 being configured to send the data carrying the permanent identity information to the addressing server via the access network.
Further, the processing module 11 is configured to protect the data carrying the first temporary identity information and generate protected data for the target application server.
Further, the processing module 11 is configured to protect the application data and the addressing information with a key.
Further, the processing module 11 is configured to protect the data carrying the permanent identity information and generate protected data for the target application server.
Referring again to Figure 11, the MTC terminal 200 further includes:
a storage module 15, configured to store a public key and a key corresponding to the permanent identity information; the processing module 11 being configured to encrypt the permanent identity information with the public key and protect the application data and the addressing information with the key; or
the processing module 11 being configured to encrypt the permanent identity information and the addressing information with the public key and protect the application data with the key; or
the processing module 11 being configured to protect the application data and the addressing information with the key.
Further, the storage module 15 is configured to store a public key and a key corresponding to the permanent identity information;
the processing module 11 being configured to compute an integrity protection key from the key, compute a message authentication code MAC with the integrity protection key, and encrypt the identity information, the addressing information, the application data and the MAC with the public key.
Further, the processing module 11 is configured to compute an encryption key and an integrity key from the key, encrypt the application data and the addressing information with the encryption key, and integrity-protect the application data and the addressing information with the integrity key.
Further, the processing module is configured to add anti-replay information to the protected data, the anti-replay information including one of, or a combination of, current time information, bidirectional nonce information and sequence number information.
Figure 12 is a schematic structural diagram of Embodiment 1 of the addressing server of the present invention. The addressing server provided in this embodiment is the apparatus embodiment corresponding to the embodiment of Figure 2 of the present invention; the specific implementation process is not repeated here. Specifically, the addressing server 300 provided in this embodiment includes:
a receiving module 21, configured to receive data carrying the identity information of a machine type communication (MTC) terminal, sent by the MTC terminal via an access network, the data including at least application data and addressing information;
a sending module 22, configured to send the data to a target application server according to the addressing information.
The addressing server provided by this embodiment of the present invention transmits the data sent by the MTC terminal directly to the corresponding application server via the radio access network, according to the addressing information.
Further, the receiving module 21 is configured to receive data that the MTC terminal generated for the target application server and that carries first temporary identity information.
Further, the receiving module 21 is configured to receive data that the MTC terminal generated for the target application server and that carries permanent identity information.
Figure 13 is a schematic structural diagram of Embodiment 2 of the addressing server of the present invention. As shown in Figure 13, the addressing server 400 of this embodiment, on the basis of the apparatus structure of Figure 12, further includes:
a determining module 23, configured to determine, from the first temporary identity information, whether the MTC terminal can be identified; the sending module 22 being configured to send a failure indication to the MTC terminal via the access network if the determining module cannot identify the MTC terminal from the first temporary identity information;
the receiving module 21 being configured to receive data carrying the permanent identity information, sent by the MTC terminal via the access network.
Referring again to Figure 13, the addressing server 400 further includes:
a processing module 24, configured to generate and encrypt second temporary identity information for the MTC terminal according to a preset policy;
the sending module 22 being configured to send the second temporary identity information to the MTC terminal via the access network.
Further, the receiving module 21 is configured to receive protected data sent by the MTC terminal, the protected data being generated by the MTC terminal by protecting the data carrying the permanent identity information.
Further, the processing module 24 is configured to determine the key corresponding to the permanent identity information and, with the key, decrypt and integrity-verify the application data.
Further, the processing module 24 is configured to decrypt and integrity-verify the addressing information with the key.
Further, the sending module 22 is configured to send the protected data, carrying security-protection information, to the target application server according to the addressing information.
Further, the processing module 24 is configured to determine, from the permanent identity information or the first temporary identity information, a home addressing server, the home addressing server being the addressing server that holds the private key corresponding to the MTC terminal's public key.
Further, the receiving module 21 is also configured to receive protected data to which anti-replay information has been added, the anti-replay information including one of, or a combination of, current time information, bidirectional nonce information and sequence number information;
the processing module 24 being configured to perform an anti-replay check on the protected data according to the anti-replay information.
Figure 14 is a schematic structural diagram of Embodiment 1 of the access network of the present invention. The access network provided in this embodiment is the apparatus embodiment corresponding to the embodiment of Figure 3 of the present invention; the specific implementation process is not repeated here. Specifically, the access network 500 provided in this embodiment includes:
a receiving module 31, configured to receive data carrying the identity information of a machine type communication (MTC) terminal, sent by the MTC terminal, the data including at least application data and addressing information;
a sending module 32, configured to send the data to an addressing server, so that the addressing server sends the data to a target application server according to the addressing information.
In the access network provided by this embodiment of the present invention, the access network receives all data sent by the MTC terminal and forwards it directly to the addressing server without any processing, so that the addressing server, according to the addressing information, transmits the data sent by the MTC terminal directly to the corresponding application server via the radio access network.
Further, the receiving module 31 is configured to receive data carrying first temporary identity information, sent by the MTC terminal.
Further, the receiving module 31 is configured to receive data carrying permanent identity information, sent by the MTC terminal.
Figure 15 is a schematic structural diagram of Embodiment 3 of the MTC terminal of the present invention. As shown in Figure 15, the MTC terminal 600 provided in this embodiment includes a processor 61 and a memory 62. The MTC terminal 600 may further include a transmitter 63 and a receiver 64, which may be connected to the processor 61. The memory 62 stores execution instructions; when the MTC terminal 600 runs, the processor 61 communicates with the memory 62 and calls the execution instructions in the memory 62 to perform the method embodiment shown in Figure 1. The implementation principle and technical effect are similar and are not repeated here.
Figure 16 is a schematic structural diagram of Embodiment 3 of the addressing server of the present invention. As shown in Figure 16, the addressing server 700 provided in this embodiment includes a processor 71 and a memory 72. The addressing server 700 may further include a transmitter 73 and a receiver 74, which may be connected to the processor 71. The memory 72 stores execution instructions; when the addressing server 700 runs, the processor 71 communicates with the memory 72 and calls the execution instructions in the memory 72 to perform the method embodiment shown in Figure 2. The implementation principle and technical effect are similar and are not repeated here.
Figure 17 is a schematic structural diagram of Embodiment 2 of the access network of the present invention. As shown in Figure 17, the access network 800 provided in this embodiment includes a processor 81 and a memory 82. The access network 800 may further include a transmitter 83 and a receiver 84, which may be connected to the processor 81. The memory 82 stores execution instructions; when the access network 800 runs, the processor 81 communicates with the memory 82 and calls the execution instructions in the memory 82 to perform the method embodiment shown in Figure 2. The implementation principle and technical effect are similar and are not repeated here.
A person of ordinary skill in the art can understand that all or part of the steps of the above method embodiments may be performed by hardware driven by program instructions. The program may be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments. The storage medium includes any medium that can store program code, such as a ROM, a RAM, a magnetic disk or an optical disc.
Finally, it should be noted that the above embodiments are merely intended to illustrate the technical solutions of the present invention and not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, a person of ordinary skill in the art should understand that the technical solutions recorded in the foregoing embodiments may still be modified, or some or all of their technical features may be equivalently replaced, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the scope of the technical solutions of the embodiments of the present invention.

Claims
1. A data transmission method, comprising:
generating, by a machine type communication (MTC) terminal, data carrying identity information of the MTC terminal for a target application server, the data comprising at least application data and addressing information; and
sending, by the MTC terminal, the data to an addressing server via an access network, so that the addressing server sends the data to the target application server according to the addressing information.
2. The method according to claim 1, wherein generating, by the MTC terminal, data carrying identity information for the target application server comprises:
generating, by the MTC terminal, data carrying permanent identity information of the MTC terminal for the target application server.
3. The method according to claim 1, wherein generating, by the MTC terminal, data carrying identity information of the MTC terminal for the target application server comprises:
determining, by the MTC terminal, whether first temporary identity information of the MTC terminal exists locally; if it exists, generating data carrying the first temporary identity information for the target application server; otherwise, if it does not exist, generating data carrying permanent identity information for the target application server.
4. The method according to claim 1 or 3, wherein after the MTC terminal sends the data to the addressing server via the access network, the method comprises:
receiving, by the MTC terminal, encrypted second temporary identity information sent by the addressing server via the access network, the second temporary identity information being generated for the MTC terminal by the addressing server according to a preset policy; and
decrypting, by the MTC terminal, the second temporary identity information and storing the second temporary identity information.
5. The method according to claim 4, wherein, if the MTC terminal determines that first temporary identity information of the MTC terminal exists locally, after the MTC terminal sends the data to the addressing server via the access network and before the MTC terminal receives the encrypted second temporary identity information sent by the addressing server via the access network, the method comprises:
receiving, by the MTC terminal, a failure indication sent by the addressing server via the access network, the failure indication being generated for the MTC terminal when the addressing server cannot identify the MTC terminal from the first temporary identity information; deleting, by the MTC terminal, the first temporary identity information and generating data carrying the permanent identity information for the target application server; and
sending, by the MTC terminal, the data carrying the permanent identity information to the addressing server via the access network.
6. The method according to any one of claims 3 to 5, wherein generating, by the MTC terminal, data carrying the first temporary identity information for the target application server comprises:
protecting, by the MTC terminal, the data carrying the first temporary identity information, to generate protected data for the target application server.
7. The method according to claim 6, wherein the MTC terminal stores a key corresponding to the permanent identity information, and protecting, by the MTC terminal, the data carrying the first temporary identity information to generate protected data for the target application server comprises:
protecting, by the MTC terminal, the application data and the addressing information with the key.
8. The method according to any one of claims 2 to 5, wherein generating, by the MTC terminal, data carrying the permanent identity information for the target application server comprises:
protecting, by the MTC terminal, the data carrying the permanent identity information, to generate protected data for the target application server.
9、 根据权利要求 8所述的方法, 其特征在于, 所述 MTC终端保存一个 公钥以及与所述永久身份信息对应的密钥,所述 MTC终端对所述携带永久身 份信息的数据进行保护, 为所述目标应用服务器生成受保护的数据, 包括: 所述 MTC终端利用所述公钥对所述永久身份信息加密、利用所述密钥对 所述应用数据与所述寻址信息保护; 或者, 9. The method according to claim 8, characterized in that the MTC terminal stores a public key and a key corresponding to the permanent identity information, and the MTC terminal protects the data carrying the permanent identity information. , generating protected data for the target application server, including: the MTC terminal using the public key to encrypt the permanent identity information, and using the key to protect the application data and the addressing information; or,
所述 MTC终端利用所述公钥对所述永久身份信息与所述寻址信息加密、 利用所述密钥对所述应用数据进行保护; 或者, The MTC terminal uses the public key to encrypt the permanent identity information and the addressing information, and uses the key to protect the application data; or,
所述 MTC终端利用所述密鉬对所述应用数据和所述寻址信息进行保护。 The MTC terminal uses the encryption to protect the application data and the addressing information.
10、根据权利要求 8所述的方法, 其特征在于, 所述 MTC终端保存一个 公钥以及与所述永久身份信息对应的密钥,所述 MTC终端对所述携带永久身 份信息的数据进行加密, 为所述目标应用服务器生成受保护数据之前, 包括: 所述 MTC终端根据所述密钥, 计算完整性保护密钥; 10. The method according to claim 8, characterized in that, the MTC terminal stores a public key and a key corresponding to the permanent identity information, and the MTC terminal encrypts the data carrying the permanent identity information. , before generating protected data for the target application server, including: the MTC terminal calculates the integrity protection key based on the key;
所述 MTC终端根据所述完整性保护密钥, 计算消息校验码 MAC; The MTC terminal calculates the message check code MAC based on the integrity protection key;
所述 MTC终端对所述携带永久身份信息的数据进行保护,为所述目标应 用服务器生成受保护的数据, 包括: The MTC terminal protects the data carrying permanent identity information and responds to the target Use the server to generate protected data, including:
所述 MTC终端利用所述公钥对所述身份信息、所述寻址信息、所述应用 数据以及所述 MAC加密。 The MTC terminal uses the public key to encrypt the identity information, the addressing information, the application data and the MAC.
11、根据权利要求 9所述的方法, 其特征在于, 所述 MTC终端利用所述 密钥对所述应用数据与所述寻址信息保护, 包括: 11. The method according to claim 9, characterized in that the MTC terminal uses the key to protect the application data and the addressing information, including:
所述 MTC终端利用所述密钥, 计算加密密钥与完整性密钥; The MTC terminal uses the key to calculate the encryption key and the integrity key;
所述 MTC 终端利用所述加密密钥对所述应用数据与所述寻址信息进行 加密,利用所述完整性密钥对所述应用数据与所述寻址信息进行完整性保护。 The MTC terminal uses the encryption key to encrypt the application data and the addressing information, and uses the integrity key to perform integrity protection on the application data and the addressing information.
12、 根据权利要求 6~11任一项所述的方法, 其特征在于, 还包括: 所述 MTC终端对所述受保护的数据添加抗重放信息,所述抗重放信息包 括: 当前的时间信息、 双向当前值信息、 序列号信息中的一种信息或其组合。 12. The method according to any one of claims 6 to 11, further comprising: the MTC terminal adding anti-replay information to the protected data, the anti-replay information including: current One or a combination of time information, bidirectional current value information, sequence number information.
13、 一种数据传输方法, 其特征在于, 包括: 13. A data transmission method, characterized by including:
寻址服务器接收机器类通信 MTC终端经由接入网发送的携带所述 MTC 终端的身份信息的数据, 所述数据至少包括应用数据、 寻址信息; The addressing server receives data carrying the identity information of the MTC terminal sent by the machine type communication MTC terminal via the access network, where the data at least includes application data and addressing information;
所述寻址服务器根据所述寻址信息,将所述数据发送至目标应用服务器。 The addressing server sends the data to the target application server according to the addressing information.
14、 根据权利要求 13所述的方法, 其特征在于, 所述寻址服务器接收机 器类通信 MTC 终端经由接入网发送的携带所述 MTC终端的身份信息的数 据, 包括: 14. The method according to claim 13, wherein the addressing server receives data carrying the identity information of the MTC terminal sent by the machine type communication MTC terminal via the access network, including:
所述寻址服务器接收所述 MTC 终端为所述目标应用服务器生成携带所 述第一临时身份信息的数据。 The addressing server receives the MTC terminal and generates data carrying the first temporary identity information for the target application server.
15、 根据权利要求 13所述的方法, 其特征在于, 所述寻址服务器接收机 器类通信 MTC 终端经由接入网发送的携带所述 MTC终端的身份信息的数 据, 包括: 15. The method according to claim 13, characterized in that the addressing server receives data carrying the identity information of the MTC terminal sent by the machine type communication MTC terminal via the access network, including:
所述寻址服务器接收所述 MTC 终端为所述目标应用服务器生成携带所 述永久身份信息的数据。 The addressing server receives the MTC terminal and generates data carrying the permanent identity information for the target application server.
16、 根据权利要求 14所述的方法, 其特征在于, 所述寻址服务器接收所 述 MTC 终端为所述目标应用服务器生成携带所述第一临时身份信息的数据 之后, 包括: 16. The method according to claim 14, characterized in that, after the addressing server receives the data carrying the first temporary identity information generated by the MTC terminal for the target application server, it includes:
所述寻址服务器根据所述第一临时身份信息,判断是否可识别所述 MTC 终端; 若所述寻址服务器根据所述第一临时身份信息, 无法识别所述 MTC 终 端, 则经由所述接入网向所述 MTC终端发送失败指示; The addressing server determines whether the MTC terminal can be identified based on the first temporary identity information; If the addressing server cannot identify the MTC terminal based on the first temporary identity information, then sends a failure indication to the MTC terminal via the access network;
所述寻址服务器接收所述 MTC 终端经由所述接入网发送的携带所述永 久身份信息的数据。 The addressing server receives the data carrying the permanent identity information sent by the MTC terminal via the access network.
17、 根据权利要求 13~16任一项所述的方法, 其特征在于, 所述寻址服 务器根据所述寻址信息, 将所述数据发送至目标应用服务器之前, 包括: 所述寻址服务器根据预设的策略,为所述 MTC终端生成并加密第二临时 身份信息; 17. The method according to any one of claims 13 to 16, characterized in that, before the addressing server sends the data to the target application server according to the addressing information, it includes: the addressing server Generate and encrypt second temporary identity information for the MTC terminal according to the preset policy;
所述寻址服务器经由所述接入网向所述 MTC 终端发送所述第二临时身 份信息。 The addressing server sends the second temporary identity information to the MTC terminal via the access network.
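The temporary-identity exchange of claims 3 to 5 (terminal side) and 14 to 17 (server side), written out as an added Go example; this is not code from the patent or from the applicant. It assumes that the key bound to the permanent identity also protects the second temporary identity the server issues (AES-GCM here), and that the "preset policy" of claim 17 is to issue a fresh temporary identity on every accepted message; the identities `PERM-0001`, the `TMP-%06d` format, the application server name and the key bytes are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Terminal state of claims 3 to 5; Key is assumed to also protect the issued temporary identity.
type Terminal struct {
	Permanent, TempID string // TempID == "" means no temporary identity is stored locally
	Key               []byte
}

// Reply is a failure indication (claim 16) when Failed is set, otherwise the
// forwarding target plus the encrypted second temporary identity (claim 17).
type Reply struct {
	Failed      bool
	ForwardedTo string
	EncTempID   []byte
}

// Server maps permanent identities to keys and temporary identities to permanent ones.
type Server struct {
	Keys   map[string][]byte
	Temp   map[string]string
	serial int
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Handle implements claims 14 to 17 on the server side; the assumed "preset
// policy" issues a fresh temporary identity on every accepted message.
func (s *Server) Handle(identity string, temporary bool, addr, appData string) (Reply, error) {
	perm := identity
	if temporary {
		perm = s.Temp[identity] // "" when the temporary identity is unknown
	}
	key, ok := s.Keys[perm]
	if !ok {
		return Reply{Failed: true}, nil // claim 16: terminal not identifiable
	}
	s.serial++
	newTemp := fmt.Sprintf("TMP-%06d", s.serial)
	s.Temp[newTemp] = perm
	gcm, err := gcmFor(key)
	if err != nil {
		return Reply{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Reply{}, err
	}
	// appData would now be forwarded to the application server named by addr.
	return Reply{ForwardedTo: addr, EncTempID: gcm.Seal(nonce, nonce, []byte(newTemp), nil)}, nil
}

// Send implements claims 3 to 5 on the terminal side: use the stored temporary
// identity, fall back to the permanent identity once after a failure indication,
// and store the newly issued temporary identity. Returns the attempts needed.
func (t *Terminal) Send(s *Server, addr, appData string) (int, error) {
	for attempt := 1; attempt <= 2; attempt++ {
		id, temporary := t.Permanent, false
		if t.TempID != "" {
			id, temporary = t.TempID, true
		}
		reply, err := s.Handle(id, temporary, addr, appData)
		if err != nil {
			return attempt, err
		}
		if reply.Failed {
			t.TempID = "" // claim 5: delete the rejected temporary identity and retry
			continue
		}
		gcm, err := gcmFor(t.Key)
		if err != nil {
			return attempt, err
		}
		n := gcm.NonceSize()
		if len(reply.EncTempID) < n {
			return attempt, errors.New("encrypted temporary identity too short")
		}
		plain, err := gcm.Open(nil, reply.EncTempID[:n], reply.EncTempID[n:], nil)
		if err != nil {
			return attempt, err
		}
		t.TempID = string(plain) // claim 4: store the second temporary identity
		return attempt, nil
	}
	return 2, errors.New("addressing server rejected both identities")
}
```

The failure indication is what lets a terminal whose pseudonym has gone stale (server restart, expired mapping) recover without operator intervention: one retry with the permanent identity, after which a new pseudonym is in place. Because the server issues the replacement identity only in encrypted form, an observer on the access network sees the permanent identity at most once per recovery, which is the privacy property the temporary identity exists to provide.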
18. The method according to claim 15 or 16, wherein the receiving, by the addressing server, data that the MTC terminal generated for the target application server and that carries the permanent identity information comprises:
the addressing server receiving protected data sent by the MTC terminal, the protected data being generated by the MTC terminal by protecting the data carrying the permanent identity information.
19. The method according to claim 18, wherein after the addressing server receives the protected data sent by the MTC terminal, the method further comprises:
the addressing server determining a key corresponding to the permanent identity information;
the addressing server decrypting and integrity-verifying the application data using the key.
20. The method according to claim 19, wherein after the addressing server determines the key corresponding to the permanent identity information, the method further comprises:
the addressing server decrypting and integrity-verifying the addressing information using the key.
21. The method according to any one of claims 18 to 20, wherein the sending, by the addressing server, the data to the target application server according to the addressing information comprises:
the addressing server sending the protected data, carrying security protection information, to the target application server according to the addressing information.
22. The method according to claim 18, wherein after the addressing server receives the protected data sent by the MTC terminal, the method further comprises:
the addressing server determining a home addressing server from the permanent identity information or the first temporary identity information, the home addressing server being an addressing server that stores the private key corresponding to the public key of the MTC terminal.
23. The method according to any one of claims 18 to 22, wherein the receiving, by the addressing server, the protected data sent by the MTC terminal comprises:
the addressing server receiving protected data to which anti-replay information has been added, the anti-replay information comprising one or a combination of: current time information, bidirectional current-value (nonce) information, and sequence number information;
the addressing server performing an anti-replay check on the protected data according to the anti-replay information.
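The protection steps of claims 9 to 12 on the terminal side and the verification steps of claims 18 to 23 on the server side, carried through as one added Go example; it is not the patent's or the applicant's code. It takes the first alternative of claim 9 (permanent identity under the addressing server's public key, addressing information and application data under the key bound to the permanent identity), derives claim 11's encryption key and integrity key from that key with HMAC-SHA256 under two fixed labels (an assumed KDF), uses AES-128-CTR with an HMAC-SHA256 tag (encrypt-then-MAC) for the symmetric part, RSA-OAEP for the identity, and the sequence number of claim 12 as the anti-replay information. The identity `PERM-0001`, the application server name and the key bytes are constructed sample values; `PERM-0001` is not an identifier from the patent.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// Protected is the terminal's output under claim 9 (first alternative), claim 11 and claim 12.
type Protected struct {
	EncIdentity []byte // RSA-OAEP(permanent identity) under the addressing server's public key
	Seq         uint64 // sequence number; doubles as the AES-CTR IV so it never repeats per key
	Body        []byte // AES-128-CTR(len(addr) || addr || appData) under the encryption key
	Tag         []byte // HMAC-SHA256(Seq || Body) under the integrity key
}

func hmacSum(key, data []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(data)
	return m.Sum(nil)
}

// deriveKeys implements claim 11 (the KDF itself is assumed; the claims fix none).
func deriveKeys(key []byte) (encKey, intKey []byte) {
	return hmacSum(key, []byte("mtc-enc"))[:16], hmacSum(key, []byte("mtc-int"))
}

// ctrXOR runs AES-128-CTR with the sequence number as IV; the same call decrypts.
func ctrXOR(encKey []byte, seq uint64, in []byte) []byte {
	block, err := aes.NewCipher(encKey)
	if err != nil {
		panic(err) // unreachable: deriveKeys always yields a 16-byte key
	}
	out := make([]byte, len(in))
	cipher.NewCTR(block, binary.BigEndian.AppendUint64(make([]byte, 8), seq)).XORKeyStream(out, in)
	return out
}

// TerminalProtect: identity under the public key, addressing info and application data encrypt-then-MAC.
func TerminalProtect(pub *rsa.PublicKey, key []byte, identity string, addr, appData []byte, seq uint64) (*Protected, error) {
	encID, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(identity), nil)
	if err != nil {
		return nil, err
	}
	encKey, intKey := deriveKeys(key)
	plain := append(binary.BigEndian.AppendUint16(nil, uint16(len(addr))), addr...)
	body := ctrXOR(encKey, seq, append(plain, appData...))
	tag := hmacSum(intKey, append(binary.BigEndian.AppendUint64(nil, seq), body...))
	return &Protected{EncIdentity: encID, Seq: seq, Body: body, Tag: tag}, nil
}

// AddressingServer: home server private key (claim 22), key per identity (claim 19), replay window (claim 23).
type AddressingServer struct {
	Priv    *rsa.PrivateKey
	Keys    map[string][]byte
	LastSeq map[string]uint64
}

// NewAddressingServer generates the home server's key pair (constructed for this demo).
func NewAddressingServer(keys map[string][]byte) (*AddressingServer, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &AddressingServer{Priv: priv, Keys: keys, LastSeq: map[string]uint64{}}, nil
}

// Verify (claims 19, 20, 23): recover the identity, check the MAC before decrypting, reject replays.
func (s *AddressingServer) Verify(p *Protected) (string, []byte, []byte, error) {
	id, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, s.Priv, p.EncIdentity, nil)
	if err != nil {
		return "", nil, nil, err
	}
	key, ok := s.Keys[string(id)]
	if !ok {
		return "", nil, nil, errors.New("unknown permanent identity")
	}
	encKey, intKey := deriveKeys(key)
	if !hmac.Equal(hmacSum(intKey, append(binary.BigEndian.AppendUint64(nil, p.Seq), p.Body...)), p.Tag) {
		return "", nil, nil, errors.New("integrity check failed")
	}
	if p.Seq <= s.LastSeq[string(id)] {
		return "", nil, nil, errors.New("replayed or stale sequence number")
	}
	plain := ctrXOR(encKey, p.Seq, p.Body)
	if len(plain) < 2 || 2+int(binary.BigEndian.Uint16(plain)) > len(plain) {
		return "", nil, nil, errors.New("malformed protected data")
	}
	n := 2 + int(binary.BigEndian.Uint16(plain))
	s.LastSeq[string(id)] = p.Seq // advance the replay window only after every check passed
	return string(id), plain[2:n], plain[n:], nil
}
```

Two design choices matter for a verifier like the one in claims 19 and 23. The tag is checked before any decryption, so a forged or corrupted message is rejected without ever feeding attacker-controlled ciphertext into the decryptor, and the replay window is advanced only after the MAC passed, so an unauthenticated message cannot move it. Reusing the sequence number as the CTR IV ties the anti-replay counter to the one-time requirement on the IV: a terminal that never repeats a sequence number under a given key also never repeats a keystream.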
24. A data transmission method, comprising:
receiving, by an access network, data sent by a machine type communication (MTC) terminal and carrying identity information of the MTC terminal, the data comprising at least application data and addressing information;
sending, by the access network, the data to an addressing server, so that the addressing server sends the data to a target application server according to the addressing information.
25. The method according to claim 24, wherein the receiving, by the access network, data sent by the MTC terminal and carrying identity information of the MTC terminal comprises:
the access network receiving data sent by the MTC terminal and carrying first temporary identity information.
26. The method according to claim 24, wherein the receiving, by the access network, data sent by the MTC terminal and carrying identity information of the MTC terminal comprises:
the access network receiving data sent by the MTC terminal and carrying permanent identity information.
27. A machine type communication (MTC) terminal, comprising:
a processing module, configured to generate, for a target application server, data carrying identity information of the MTC terminal, the data comprising at least application data and addressing information;
a sending module, configured to send the data to an addressing server via an access network, so that the addressing server sends the data to the target application server according to the addressing information.
28. The MTC terminal according to claim 27, wherein the processing module is configured to:
generate, for the target application server, data carrying permanent identity information of the MTC terminal.
29. The MTC terminal according to claim 27, further comprising:
a determining module, configured to determine whether first temporary identity information of the MTC terminal exists locally; the processing module being configured to generate, for the target application server, data carrying the first temporary identity information if the determining module determines that the first temporary identity information exists locally, and otherwise, if the determining module determines that the first temporary identity information does not exist locally, to generate, for the target application server, data carrying permanent identity information.
30. The MTC terminal according to claim 27 or 29, further comprising:
a receiving module, configured to receive encrypted second temporary identity information sent by the addressing server via the access network, the second temporary identity information being generated for the MTC terminal by the addressing server according to a preset policy;
the processing module being configured to decrypt the second temporary identity information and store the second temporary identity information.
31. The MTC terminal according to claim 30, wherein, if the determining module determines that the first temporary identity information of the MTC terminal exists locally, the receiving module is configured to: receive a failure indication sent by the addressing server via the access network, the failure indication being generated for the MTC terminal when the addressing server cannot identify the MTC terminal from the first temporary identity information;
the processing module is configured to delete the first temporary identity information and generate, for the target application server, data carrying the permanent identity information;
the sending module is configured to send the data carrying the permanent identity information to the addressing server via the access network.
32. The MTC terminal according to any one of claims 29 to 31, wherein the processing module is configured to protect the data carrying the first temporary identity information, so as to generate protected data for the target application server.
33. The MTC terminal according to claim 32, wherein the processing module is configured to protect the application data and the addressing information using the key.
34. The MTC terminal according to any one of claims 28 to 31, wherein the processing module is configured to protect the data carrying the permanent identity information, so as to generate protected data for the target application server.
35. The MTC terminal according to claim 34, further comprising:
a storage module, configured to store a public key and a key corresponding to the permanent identity information; the processing module being configured to encrypt the permanent identity information using the public key and protect the application data and the addressing information using the key; or
the processing module being configured to encrypt the permanent identity information and the addressing information using the public key and protect the application data using the key; or
the processing module being configured to protect the application data and the addressing information using the key.
36. The MTC terminal according to claim 34, further comprising:
a storage module, configured to store a public key and a key corresponding to the permanent identity information; the processing module being configured to calculate an integrity protection key from the key, calculate a message authentication code (MAC) from the integrity protection key, and encrypt the identity information, the addressing information, the application data and the MAC using the public key.
37. The MTC terminal according to claim 35, wherein the processing module is configured to calculate an encryption key and an integrity key from the key, encrypt the application data and the addressing information using the encryption key, and integrity-protect the application data and the addressing information using the integrity key.
38. The MTC terminal according to any one of claims 32 to 37, wherein the processing module is configured to add anti-replay information to the protected data, the anti-replay information comprising one or a combination of: current time information, bidirectional current-value (nonce) information, and sequence number information.
39. An addressing server, comprising:
a receiving module, configured to receive data sent by a machine type communication (MTC) terminal via an access network and carrying identity information of the MTC terminal, the data comprising at least application data and addressing information;
a sending module, configured to send the data to a target application server according to the addressing information.
40. The addressing server according to claim 39, wherein the receiving module is configured to receive data that the MTC terminal generated for the target application server and that carries first temporary identity information.
41. The addressing server according to claim 39, wherein the receiving module is configured to receive data that the MTC terminal generated for the target application server and that carries permanent identity information.
42. The addressing server according to claim 40, further comprising:
a determining module, configured to determine, from the first temporary identity information, whether the MTC terminal can be identified;
the sending module being configured to send a failure indication to the MTC terminal via the access network if the determining module cannot identify the MTC terminal from the first temporary identity information; the receiving module being configured to receive data sent by the MTC terminal via the access network and carrying the permanent identity information.
43. The addressing server according to any one of claims 39 to 42, further comprising:
a processing module, configured to generate and encrypt second temporary identity information for the MTC terminal according to a preset policy;
the sending module being configured to send the second temporary identity information to the MTC terminal via the access network.
44. The addressing server according to claim 41 or 42, wherein the receiving module is configured to receive protected data sent by the MTC terminal, the protected data being generated by the MTC terminal by protecting the data carrying the permanent identity information.
45. The addressing server according to claim 44, wherein the processing module is configured to determine a key corresponding to the permanent identity information and to decrypt and integrity-verify the application data using the key.
46. The addressing server according to claim 45, wherein the processing module is configured to decrypt and integrity-verify the addressing information using the key.
47. The addressing server according to any one of claims 44 to 46, wherein the sending module is configured to send the protected data, carrying security protection information, to the target application server according to the addressing information.
48. The addressing server according to claim 44, wherein the processing module is configured to determine a home addressing server from the permanent identity information or the first temporary identity information, the home addressing server being an addressing server that stores the private key corresponding to the public key of the MTC terminal.
49. The addressing server according to any one of claims 44 to 48, wherein the receiving module is further configured to receive protected data to which anti-replay information has been added, the anti-replay information comprising one or a combination of: current time information, bidirectional current-value (nonce) information, and sequence number information; the processing module being configured to perform an anti-replay check on the protected data according to the anti-replay information.
50. An access network, comprising:
a receiving module, configured to receive data sent by a machine type communication (MTC) terminal and carrying identity information of the MTC terminal, the data comprising at least application data and addressing information; a sending module, configured to send the data to an addressing server, so that the addressing server sends the data to a target application server according to the addressing information.
51. The access network according to claim 50, wherein the receiving module is configured to receive data sent by the MTC terminal and carrying first temporary identity information.
52. The method according to claim 50, wherein the receiving module is configured to receive data sent by the MTC terminal and carrying permanent identity information.
53. A machine type communication (MTC) terminal, comprising a processor and a memory, the memory storing execution instructions, wherein, when the MTC terminal runs, the processor communicates with the memory, and the processor executes the execution instructions so that the MTC terminal performs the method according to any one of claims 1 to 12.
54. An addressing server, comprising a processor and a memory, the memory storing execution instructions, wherein, when the addressing server runs, the processor communicates with the memory, and the processor executes the execution instructions so that the addressing server performs the method according to any one of claims 13 to 23.
55. An access network, comprising a processor and a memory, the memory storing execution instructions, wherein, when the access network runs, the processor communicates with the memory, and the processor executes the execution instructions so that the access network performs the method according to any one of claims 24 to 26.
PCT/CN2013/078509 2013-06-29 2013-06-29 Data transmission method, machine type communication terminal and addressing server WO2014205846A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
PCT/CN2013/078509 WO2014205846A1 (en) 2013-06-29 2013-06-29 Data transmission method, machine type communication terminal and addressing server
CN201380000726.9A CN104521255B (en) 2013-06-29 2013-06-29 Data transmission method, machine type communication terminal and addressable server

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2013/078509 WO2014205846A1 (en) 2013-06-29 2013-06-29 Data transmission method, machine type communication terminal and addressing server

Publications (1)

Publication Number Publication Date
WO2014205846A1 true WO2014205846A1 (en) 2014-12-31

Family

ID=52140909

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2013/078509 WO2014205846A1 (en) 2013-06-29 2013-06-29 Data transmission method, machine type communication terminal and addressing server

Country Status (2)

Country Link
CN (1) CN104521255B (en)
WO (1) WO2014205846A1 (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102056140A (en) * 2009-11-06 2011-05-11 中兴通讯股份有限公司 Method and system for acquiring machine type communication terminal information
CN102238520A (en) * 2010-04-26 2011-11-09 中兴通讯股份有限公司 Method and system for transmitting small data packets
CN102244855A (en) * 2010-05-10 2011-11-16 华为技术有限公司 Position-based machine to machine communicating method, system and device

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101489259B (en) * 2009-02-24 2011-03-02 中兴通讯股份有限公司 Data service handling method, system and access network

Also Published As

Publication number Publication date
CN104521255A (en) 2015-04-15
CN104521255B (en) 2019-04-19

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 13888385

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 13888385

Country of ref document: EP

Kind code of ref document: A1