WO2016110093A1 - D2d模式b发现的安全方法、终端和系统、存储介质 - Google Patents

D2d模式b发现的安全方法、终端和系统、存储介质 Download PDF

Info

Publication number
WO2016110093A1
WO2016110093A1 PCT/CN2015/086231 CN2015086231W WO2016110093A1 WO 2016110093 A1 WO2016110093 A1 WO 2016110093A1 CN 2015086231 W CN2015086231 W CN 2015086231W WO 2016110093 A1 WO2016110093 A1 WO 2016110093A1
Authority
WO
WIPO (PCT)
Prior art keywords
prose
response
discovery
terminal
query
Prior art date
Application number
PCT/CN2015/086231
Other languages
English (en)
French (fr)
Inventor
彭锦
游世林
梁爽
林兆骥
Original Assignee
中兴通讯股份有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 中兴通讯股份有限公司 filed Critical 中兴通讯股份有限公司
Priority to EP15876597.4A priority Critical patent/EP3229435B1/en
Priority to US15/542,081 priority patent/US10405363B2/en
Publication of WO2016110093A1 publication Critical patent/WO2016110093A1/zh

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/12Applying verification of the received information
    • H04L63/123Applying verification of the received information received data contents, e.g. message integrity
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40Network security protocols
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/10Integrity
    • H04W12/106Packet or message integrity
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W76/00Connection management
    • H04W76/10Connection setup
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W76/00Connection management
    • H04W76/10Connection setup
    • H04W76/14Direct-mode setup
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W8/00Network data management
    • H04W8/005Discovery of network devices, e.g. terminals

Definitions

  • the present invention relates to mobile communication technologies, and in particular, to a device-to-device (D2D) mode B discovery security method, terminal and system, and storage medium.
  • D2D device-to-device
  • the third generation mobile communication system In order to maintain the competitiveness of the third generation mobile communication system in the field of communication, and to provide users with faster, less delayed, more personalized mobile communication services, and at the same time, in order to reduce the operator's operating costs, the third generation of cooperation
  • the Standards Working Group of the 3GPP (3rd Generation Partnership Project) is working on the Evolved Packet System (EPS).
  • EPS Evolved Packet System
  • the entire EPS includes an E-UTRAN (Evolved Universal Terrestrial Radio Access Network) and an Evolved Packet Core Networking (EPC), where the EPC includes a Home Subscriber Server (HSS), mobile MME (Mobility Management Entity), Serving GPRS Support Node (SGSN), Policy and Charging Rule Function (PCRF), Service Gateway (S-GW, Serving Gateway), Packet Data Gateway (P-GW, PDN Gateway) and Packet Data Network (PDN).
  • HSS Home Subscriber Server
  • MME Mobility Management Entity
  • SGSN Serving GPRS Support Node
  • PCRF Policy and Charging Rule Function
  • S-GW Serving Gateway
  • P-GW Packet Data Gateway
  • PDN Gateway Packet Data Network
  • D2D device-to-device
  • the D2D service is also called distance-based.
  • Business Proximity-based Services
  • the commonly used D2D service has a D2D discovery service, and the communication architecture of the D2D discovery service is as shown in FIG. 1.
  • the two UEs accessed by the D2D can only access the EPC through the E-UTRAN, and both UEs can belong to one common land mobile.
  • the network (PLMN, Public Land Mobile Network) is divided into two PLMNs; for one UE, the PLMN can be divided into a home PLMN (HPLMN, Home PLMN) and a visited PLMN when the UE accesses from other PLMNs ( VPLMN, Visited PLMN), the PLMN for the region in which the UE is currently located may be collectively referred to as a local public land mobile network (LPLMN, Local PLMN), whether the local PLMN is a HPLMN or a VPLMN.
  • LLMN local public land mobile network
  • the D2D discovery service not only the EPS but also the ProSe Application Server that deploys the D2D discovery service can be deployed on the carrier side.
  • the ProSe application server can be provided by the service provider that operates the D2D service, or can be operated by the service provider.
  • the network operator of the EPS provides a ProSe Function entity in different PLMNs. For the two UEs of the ProSe service, one of the UEs obtains the service identifier from the ProSe function entity, and then obtains the broadcastable service code from the ProSe function entity.
  • the UE is used as the broadcast UE (A-UE, Announcing UE), and the other The UE then accepts the broadcast of the A-UE, and then performs matching with the ProSe functional entity of the UE. If the matching is successful, the ProSe service is performed with the A-UE.
  • This non-broadcast UE becomes a monitoring UE (M-UE, Monitoring UE).
  • the interface with the ProSe application server is a PC1 interface, and provides related authentication functions.
  • the interface between the UE and the UE is the PC5, and is configured to perform mutual discovery and communication between the UEs.
  • the interface between the UE and the ProSe functional entity is the PC3, and is configured to perform authentication through the network.
  • the interface between the ProSe functional entity and the existing EPC is PC4, which includes a user plane interface with the P-GW and a control plane interface with the HSS, configured as D2D discovery service discovery authentication.
  • ProSe function The interface between the body and the ProSe application server is PC2, which is configured as an application implementation of the D2D discovery service.
  • the ProSe function entity and the ProSe function entity have PC6 and PC7 interfaces respectively, and are configured as the UE in the roaming and non-roaming situations respectively.
  • the UE roams as the PC7 interface, and when the UE is not roaming, it is the PC6 interface.
  • the two interfaces are configured as When the UE performs the D2D discovery service, the information interaction between the two ProSe functional entities is performed.
  • the D2D discovery service can be divided into two modes: mode A and mode B.
  • the discovery service of mode B includes four processes: a passive terminal process, an active terminal process, a query process, and a matching process.
  • the discovery response message for the passive terminal, the discovery response message of the active terminal, the query request message sent by the active terminal to the passive terminal, the query response message sent by the passive terminal to the active terminal, and the matching report message of the active terminal are all Without integrity protection, there is a threat of replay attacks by attackers.
  • the embodiments of the present invention mainly provide a security method, a terminal, a system, and a storage medium for D2D mode B discovery.
  • an embodiment of the present invention provides a security method for D2D mode B discovery, where the method includes:
  • the ProSe functional entity in the passive terminal home network sends back the ProSe response code and the ProSe response key to the passive terminal;
  • the passive terminal receives the ProSe response code and the ProSe response key.
  • the ProSe functional entity in the passive terminal home network sends a ProSe response code and a ProSe response key to the passive terminal, including: the ProSe functional entity in the passive terminal home network receives the passive terminal discovery And requesting a message, performing an authentication process on the passive terminal, and sending a discovery response message to the passive terminal, where the discovery response message includes: a ProSe response code and a ProSe response key.
  • the discovery response message further includes: a current time and a maximum offset value.
  • the discovery response message further includes: a mode, a discovery filter, and an expiration date.
  • an embodiment of the present invention provides a security method for D2D mode B discovery, where the method includes:
  • the ProSe function entity of the active terminal home network receives the ProSe query code, the ProSe query key, the ProSe response code, and the ProSe response key sent by the ProSe functional entity of the other network;
  • the ProSe function entity of the active terminal home network sends a ProSe query code and a ProSe query key to the active terminal.
  • the ProSe function entity of the active terminal home network receives the ProSe query code, the ProSe query key, the ProSe response code, and the ProSe response key sent by the ProSe functional entity of the other network, including:
  • the ProSe function entity of the terminal home network receives the first discovery response message sent by the ProSe function entity of the other network, where the first discovery response message includes: a ProSe query code, a ProSe query key, a ProSe response code, and a ProSe response key.
  • the first discovery response message further includes: a ProSe query code and a discovery filter.
  • the ProSe function entity of the active terminal home network sends a ProSe query code, a ProSe query key, a current time, and a maximum offset value to the active terminal, including: ProSe function of the active terminal home network.
  • the entity After the entity performs the broadcast authentication with the ProSe function entity in the visited network that is currently registered by the active terminal, the entity sends a second discovery response message to the active terminal, where the second discovery response message includes: a ProSe query code, a ProSe query key, a current time, and Maximum offset value.
  • the second discovery response message further includes: a current time and a maximum offset value.
  • the second discovery response message further includes: a mode, a discovery filter, and an expiration date.
  • an embodiment of the present invention provides a security method for D2D mode B discovery, where the method includes:
  • the active terminal calculates a query message integrity protection code (MIC), and sends a ProSe query code, a query MIC, and a time calibration value to the passive terminal;
  • MIC query message integrity protection code
  • the active terminal receives the ProSe response code and the response MIC of the passive terminal loopback.
  • HMAC hash function message authentication code
  • SHA-256 hash function message authentication code
  • an embodiment of the present invention provides a security method for D2D mode B discovery, where the method includes:
  • the passive terminal receives the ProSe query code sent by the active terminal, queries the MIC and the time calibration value;
  • the passive terminal sends a ProSe query code, a query MIC, and a counter value based on the UTC time to the ProSe functional entity in the home network, and the query MIC is checked by the ProSe functional entity of the home network of the passive terminal;
  • the passive terminal calculates the response MIC and sends back the ProSe response code and response MIC to the active terminal.
  • an embodiment of the present invention provides a security method for D2D mode B discovery, where the method includes:
  • the active terminal sends a ProSe response code, a response MIC, and a counter value based on UTC time to a ProSe functional entity in its own home network;
  • the ProSe functional entity of the home network receives the ProSe response code, the response MIC, and the UTC time based counter value, analyzes the ProSe response code, and checks the response MIC.
  • the sending, by the active terminal, the ProSe response code, the response MIC, and the UTC time-based counter value to the ProSe functional entity in the home network includes: the active terminal to the ProSe in its own home network.
  • the functional entity sends a match report message including: ProSe response code, response MIC, and UTC time based counter value.
  • the matching report message further includes a ProSe restriction discovery application layer user identifier, a terminal identifier, a discovery type, and an application identifier.
  • the present invention provides a security system for D2D mode B discovery, which includes: a ProSe functional entity and a passive terminal in a passive terminal home network;
  • the ProSe function entity in the passive terminal home network is configured to send a ProSe response code and a ProSe response key to the passive terminal;
  • the passive terminal is configured to receive the ProSe response code and the ProSe response key.
  • the ProSe functional entity in the home network of the passive terminal is configured to receive a discovery request message of the passive terminal, perform authentication processing on the passive terminal, and send a discovery to the passive terminal.
  • the discovery response message includes: a ProSe response code, a ProSe response key.
  • the discovery response message further includes: a current time and a maximum offset value.
  • the seventh aspect of the present invention provides a ProSe functional entity of a passive terminal home network, where the ProSe functional entity includes: a request receiving module and a response loopback module;
  • the request receiving module is configured to receive a discovery request message of the passive terminal
  • the loopback module configured to send a discovery response message to the passive terminal, where the discovery response message includes: a ProSe response code, a ProSe response key.
  • an embodiment of the present invention provides a ProSe functional entity of a home network of an active terminal, where the ProSe functional entity includes: a first receiving module and a first sending module;
  • a first receiving module configured to receive a ProSe query code, a ProSe query key, a ProSe response code, and a ProSe response key sent by a ProSe functional entity of another network;
  • the first sending module is configured to send back a ProSe query code and a ProSe query key to the active terminal.
  • the first receiving module is configured to receive a first discovery response message sent by a ProSe functional entity of another network, where the first discovery response message includes: a ProSe query code, a ProSe query. Key, ProSe response code, and ProSe response key.
  • the first sending module is configured to send a second discovery response message to the active terminal after performing broadcast authentication on the ProSe functional entity in the visited network that is currently registered by the active terminal.
  • the second discovery response message includes: a ProSe query code, and a ProSe query key.
  • the second discovery response message further includes: a current time and a maximum offset value.
  • the embodiment of the present invention provides an active terminal, where the active terminal includes: a second sending module and a second receiving module;
  • a second sending module configured to calculate a query MIC, send a ProSe query code to the passive terminal, query a MIC, and a time calibration value;
  • the second receiving module is configured to receive the ProSe response code and the response MIC sent back by the passive terminal.
  • the embodiment of the present invention provides a passive terminal, where the passive terminal includes: a third receiving module, a third sending module, and a fourth sending module, where
  • a third receiving module configured to receive a ProSe query code sent by the active terminal, query a MIC, and a time calibration value
  • a third sending module configured to send a ProSe query code, a query MIC, and a UTC time-based counter value to a ProSe functional entity in the home network, and check the query MIC by the ProSe functional entity of the home network of the passive terminal;
  • the fourth sending module is configured to calculate the response MIC and send back the ProSe response code and the response MIC to the active terminal.
  • the present invention provides a security system for D2D mode B discovery, which includes: an active terminal, a ProSe functional entity of a home network of an active terminal;
  • An active terminal configured to send a ProSe response code, a response MIC, and a UTC time-based counter value to a ProSe functional entity in a home network of the active terminal;
  • the ProSe functional entity of the active terminal's home network is configured to receive the ProSe response code and ring
  • the ProSe response code is analyzed and the response MIC is checked against the MIC and UTC time based counter values.
  • the active terminal is specifically configured to send a matching report message to a ProSe functional entity in its own home network, where the matching report message includes: a ProSe response code, a response MIC, and a UTC based time. Counter value.
  • the matching report message further includes a ProSe restriction discovery application layer user identifier, a terminal identifier, a discovery type, and an application identifier.
  • an embodiment of the present invention provides a computer storage medium, where the computer storage medium stores computer executable instructions for performing the first to fourth embodiments of the present invention.
  • the present invention provides a D2D mode B discovery security method, a terminal and a system, and a storage medium.
  • a ProSe functional entity in a home network sends a ProSe response code and a ProSe response key to a passive terminal;
  • the ProSe function entity of the other network sends the ProSe query code, the ProSe query key, the ProSe response code, and the ProSe response key to the ProSe function entity of the home network, and the ProSe function entity of the home network sends the ProSe query code to the active terminal, ProSe.
  • the active terminal calculates the Query Message Integrity Code (MIC), sends the ProSe query code to the passive terminal, queries the MIC and the time calibration value, and the passive terminal goes to its own home network.
  • the ProSe function entity sends a ProSe query code, queries the MIC, and a Coordinated Universal Time (UTC) time based counter value, and the ProSe functional entity of the passive terminal's home network checks the query MIC; the passive terminal calculates the response MIC to send the ProSe response code and response to the active terminal.
  • UTC Coordinated Universal Time
  • the e-function entity sends the ProSe response code, the response MIC, and the UTC time-based counter value, and the ProSe functional entity of the home network analyzes the ProSe response code and checks the response MIC; thus, in the four processes of the D2D mode B discovery service, the passive
  • the discovery response message of the terminal, the discovery response message of the active terminal, the query request message sent by the active terminal to the passive terminal, the query response message sent by the passive terminal to the active terminal, and the matching of the active terminal Report messages are integrity protected, eliminating the threat of replay attacks by attackers.
  • 1 is a schematic diagram of a communication architecture of a D2D discovery service
  • FIG. 3 is a schematic flowchart of a process of an existing active terminal
  • FIG. 5 is a schematic flow chart of an existing matching process
  • FIG. 6 is a schematic flowchart of a security method for implementing D2D mode B discovery according to an embodiment of the present invention
  • FIG. 7 is a schematic flowchart of a security method for implementing D2D mode B discovery according to Embodiment 2 of the present invention.
  • FIG. 8 is a schematic flowchart of a security method for implementing D2D mode B discovery according to Embodiment 3 of the present invention.
  • FIG. 9 is a schematic flowchart of a security method for implementing D2D mode B discovery according to Embodiment 4 of the present invention.
  • FIG. 10 is a schematic flowchart of a security method for implementing D2D mode B discovery according to Embodiment 5 of the present invention.
  • FIG. 11 is a schematic structural diagram of a security system for implementing D2D mode B discovery according to Embodiment 6 of the present invention.
  • FIG. 12 is a schematic structural diagram of a ProSe functional entity of a passive terminal home network according to Embodiment 7 of the present invention.
  • FIG. 13 is a schematic structural diagram of a ProSe functional entity of an active terminal home network according to Embodiment 8 of the present invention.
  • FIG. 14 is a schematic structural diagram of an active terminal according to Embodiment 9 of the present invention.
  • FIG. 15 is a schematic structural diagram of a passive terminal according to Embodiment 10 of the present invention.
  • FIG. 16 is a schematic structural diagram of a security system discovered by D2D mode B according to Embodiment 11 of the present invention.
  • FIG. 17 is a schematic flowchart of a process of a passive terminal according to an embodiment of the present invention.
  • FIG. 18 is a schematic flowchart of a process of an active terminal according to an embodiment of the present invention.
  • FIG. 19 is a schematic flowchart of a query process according to an embodiment of the present invention.
  • FIG. 20 is a schematic flowchart of a matching process according to an embodiment of the present invention.
  • Step 201 The passive terminal configures the ProSe restriction to discover the application layer user identifier.
  • Step 202 The passive terminal sends a discovery request message to the ProSe functional entity in the home network, where the message includes a mode (the value is set to B), a discovery type, a restriction discovery application layer user identifier, a terminal identifier, and a command ( Its value is set to ProSe response) and application identification parameters;
  • Step 203 The ProSe functional entity interacts with the home user server to perform discovery and authentication.
  • Step 204 The ProSe function entity sends an authentication request message to the ProSe application server, where the message includes parameters such as a ProSe restriction discovery application layer user identifier and an indicator.
  • Step 205 The ProSe application server sends an authentication response message to the ProSe function entity, where the message includes parameters such as a ProSe discovery terminal identifier and an indicator.
  • Step 206 The ProSe function entity allocates a ProSe response code and a discovery filter.
  • Step 207 The ProSe function entity sends a broadcast authentication message to the ProSe function entity in the visited network that is currently registered by the passive terminal, where the message includes a ProSe restriction discovery application layer user identifier, a ProSe response code, a validity period, and a terminal identifier.
  • Step 208 The ProSe function entity in the visited network sends a broadcast authentication response message to the ProSe function entity in the home network.
  • Step 209 The ProSe function entity in the home network sends a discovery response message to the passive terminal, where the message includes a mode (the value is set to B), a discovery filter, a ProSe response code, and a validity period.
  • Step 210 The passive terminal configures the radio resource.
  • FIG. 3 is an implementation process of a prior art active terminal process:
  • Step 301 The active terminal configures the ProSe restriction to discover the application layer user identifier.
  • Step 302 The active terminal sends a discovery request message to the ProSe functional entity in its home network, where the message includes a mode (the value is set to B), a discovery type, a ProSe restriction discovery application layer user identifier, a terminal identifier, and a command (its value) Set to ProSe query), application identification and application transparent container parameters;
  • Step 303 The ProSe functional entity of the home network interacts with the home user server to perform discovery authentication.
  • Step 304 The ProSe function entity of the home network sends an authentication request message to the ProSe application server, where the message includes parameters such as a ProSe restriction discovery application layer user identifier, an indicator, and an application transparent container.
  • Step 305 The ProSe application server sends an authentication response message to the ProSe functional entity of the home network, where the message includes the ProSe discovery terminal identifier, the indicator, and the corresponding relationship between the target ProSe discovery terminal identifier and the target ProSe restriction discovery application layer user identifier. ;
  • Step 306 The ProSe function entity of the home network sends a discovery request message to the ProSe function entity of the other network, where the message includes the ProSe restriction discovery application layer user identifier, the terminal identifier, the target ProSe discovery terminal identifier, the application identifier, and the target ProSe restriction discovery application layer.
  • the message includes the ProSe restriction discovery application layer user identifier, the terminal identifier, the target ProSe discovery terminal identifier, the application identifier, and the target ProSe restriction discovery application layer.
  • Step 307 The ProSe function entity of the other network sends an authentication request message to the ProSe application server, where the message includes a ProSe restriction discovery application layer user identifier, an indicator, and a target ProSe restriction discovery application layer user identifier.
  • Step 308 The ProSe application server sends an authentication response message to the ProSe functional entity of the other network, where the message includes a ProSe discovery terminal identifier, an indicator, and a target ProSe discovery terminal identifier.
  • Step 309 the ProSe function entity of the other network sends a discovery response message to the ProSe function entity of the home network, where the message includes parameters such as a ProSe query code and a discovery filter.
  • Step 310 The ProSe function entity of the home network sends a broadcast authentication message to the ProSe function entity in the visited network that is currently registered by the active terminal, where the message includes parameters such as a ProSe application identifier, a ProSe query code, and a terminal identifier.
  • Step 311 The ProSe functional entity of the visited network sends a broadcast authentication response message to the ProSe functional entity of the home network.
  • Step 312 The ProSe function entity of the home network sends a discovery response message to the active terminal, where the message includes a mode (the value is set to B), a discovery filter, a ProSe query code, and a validity period.
  • step 313 the active terminal configures the radio resource.
  • Figure 4 shows the implementation process of the prior art query process
  • Step 401 The active terminal sends a query request message to the passive terminal, where the message includes a ProSe query code parameter.
  • Step 402 The passive terminal checks the ProSe query code, and if it passes the check, sends a query response message to the active terminal, where the message includes the ProSe response code parameter.
  • Figure 5 shows the implementation process of the prior art matching process
  • Step 501 The active terminal sends a matching report message to the ProSe functional entity in the home network, where the message includes a ProSe restriction discovery application layer user identifier, a terminal identifier, a discovery type, an application identifier, and a ProSe response code.
  • Step 502 The ProSe functional entity of the home network performs discovery authentication.
  • Step 503 The ProSe functional entity of the home network analyzes the ProSe response code.
  • Step 504 The ProSe function entity of the home network sends an authentication request message to the ProSe application server, where the message includes parameters such as a ProSe restriction discovery application layer user identifier, a target ProSe restriction discovery application layer user identifier, and an indicator.
  • Step 505 The ProSe application server performs processing.
  • Step 506 the ProSe application server sends back an authentication response to the ProSe functional entity of the home network.
  • the message includes a ProSe discovery terminal identifier, a target ProSe discovery terminal identifier, an indicator, and the like, and optionally, a metadata parameter.
  • Step 507 The ProSe functional entity of the home network verifies the ProSe discovery terminal identifier.
  • Step 508 The ProSe function entity of the home network sends a matching report response message to the active terminal, where the message includes the application identifier, the target ProSe restriction discovery application layer user identifier, and the validity period, and may optionally include a metadata parameter.
  • Step 509 The ProSe function entity of the home network sends a matching report information message to the ProSe function entity of the other network, where the message includes parameters such as a ProSe restriction discovery application layer user identifier, a terminal identifier, a ProSe response code, and a discovery type.
  • the message includes parameters such as a ProSe restriction discovery application layer user identifier, a terminal identifier, a ProSe response code, and a discovery type.
  • the discovery response message of the passive terminal the discovery response message of the active terminal, the query request message sent by the active terminal to the passive terminal, the query response message sent by the passive terminal to the active terminal, and the matching report message of the active terminal are not available.
  • integrity protection there is a threat of attack by the attacker.
  • the embodiment of the invention implements a security method for D2D mode B discovery. As shown in FIG. 6, the method includes the following steps:
  • Step 601 In the passive terminal process, the ProSe functional entity in the passive terminal home network sends a ProSe response code and a ProSe response key to the passive terminal.
  • the ProSe function entity in the passive terminal home network receives the discovery request message of the passive terminal, performs authentication processing on the passive terminal, and sends a discovery response message to the passive terminal, where the discovery response message includes: a ProSe response Code, ProSe response key;
  • the discovery response message further includes: a current time and a maximum offset value
  • the discovery response message further includes: a parameter (the value is set to B), a discovery filter, and an expiration date.
  • the ProSe response key is generated by the ProSe functional entity by a key generator; the current time is a current time at which the ProSe functional entity reads its own clock; the maximum offset value is set by the ProSe functional entity. .
  • Step 602 The passive terminal receives the ProSe response code and the ProSe response key.
  • the passive terminal receives the discovery response message, where the discovery response message includes: a ProSe response code, a ProSe response key;
  • the discovery response message further includes: a current time and a maximum offset value
  • the discovery response message further includes: a parameter (the value is set to B), a discovery filter, and an expiration date.
  • the passive terminal further configures the radio resource according to the discovery response.
  • the embodiment of the present invention implements a security method for D2D mode B discovery. As shown in FIG. 7, the method includes the following steps:
  • Step 701 In the process of the active terminal, the ProSe function entity of the active terminal home network receives the ProSe query code, the ProSe query key, the ProSe response code, and the ProSe response key sent by the ProSe functional entity of the other network.
  • the ProSe function entity of the active terminal home network receives the first discovery response message sent by the ProSe function entity of the other network, where the first discovery response message includes: a ProSe query code, a ProSe query key, a ProSe response code, and a ProSe response. Key
  • the first discovery response message further includes: a parameter such as a ProSe query code and a discovery filter.
  • the ProSe query key is similar to the ProSe response key, and is generated by the ProSe functional entity by using a key generator.
  • Step 702 The ProSe function entity of the active terminal home network sends a ProSe query code and a ProSe query key to the active terminal.
  • the second discovery response message is sent back to the active terminal, where the second discovery response message includes: ProSe query. Code, ProSe query key;
  • the second discovery response message further includes: a current time and a maximum offset value
  • the second discovery response message further includes: a mode (the value is set to B), a discovery filter, and an expiration date and the like.
  • the embodiment of the present invention implements a security method for D2D mode B discovery. As shown in FIG. 8, the method includes the following steps:
  • Step 801 During the query process, the active terminal calculates the query MIC, and sends the ProSe query code, the query MIC, and the time calibration value to the passive terminal.
  • L2 FC
  • L2 a fixed length algorithm type
  • P1 the ProSe query code
  • FC FC
  • L2 the message type length
  • P1 is the ProSe query code length
  • P2 is the counter value based on UTC time
  • L2 is the counter value length
  • the query is sent to the passive terminal.
  • the request message includes: a ProSe query code
  • Step 802 The active terminal receives the ProSe response code and the response MIC sent back by the passive terminal.
  • the active terminal receives the query response message sent by the passive terminal, where the query response message includes: a ProSe response code and a response MIC calculated by the passive terminal.
  • the query response message further includes: a time calibration value provided by the passive terminal, and the time calibration value may be a lower 4 bits of the UTC time based counter value of the passive terminal, expressed in binary.
  • the embodiment of the invention implements a security method for D2D mode B discovery. As shown in FIG. 9, the method includes the following steps:
  • Step 901 The passive terminal receives the ProSe query code, the query MIC, and the time calibration value sent by the active terminal during the query process.
  • the passive terminal receives the query request message sent by the active terminal, where the query request message includes: a ProSe query code, a query MIC, and a time calibration value, where the time calibration value may be a low UTC time-based counter value of the active terminal. 4 bits, expressed in binary.
  • Step 902 The passive terminal sends a ProSe query code, a query MIC, and a UTC time-based counter value to the ProSe functional entity in the home network, and the ProSe functional entity of the home network of the passive terminal checks the query MIC.
  • the passive terminal sends an authentication request message to the ProSe functional entity in the home network, where the authentication request message includes: a ProSe query code, a query MIC, and a counter value based on the UTC time.
  • Step 903 The passive terminal calculates a response MIC, and returns a ProSe response code and a response MIC to the active terminal.
  • the query response message further includes: a time calibration value provided by the passive terminal, and the like, and the time calibration value may be a lower 4 digits of the counter value of the UTC time based on the passive terminal, using the binary System representation.
  • the embodiment of the present invention implements a security method for D2D mode B discovery. As shown in FIG. 10, the method includes the following steps:
  • Step 1001 In the matching process, the active terminal sends a ProSe response code, a response MIC, and a UTC time-based counter value to a ProSe functional entity in its home network.
  • the active terminal sends a matching report message to the ProSe functional entity in the home network, where the matching report message includes: a ProSe response code, a response MIC, and a counter value based on the UTC time;
  • the matching report message further includes parameters such as a ProSe restriction discovery application layer user identifier, a terminal identifier, a discovery type, and an application identifier.
  • Step 1002 The ProSe functional entity of the home network receives the ProSe response code, the response MIC, and the counter value based on the UTC time, analyzes the ProSe response code, and checks the response MIC;
  • the ProSe functional entity of the home network receives the matching report message, where the matching report message includes: a ProSe response code, a response MIC, and a counter value based on UTC time;
  • the matching report message further includes parameters such as a ProSe restriction discovery application layer user identifier, a terminal identifier, a discovery type, and an application identifier.
  • the embodiments of the four processes of the discovery service of the D2D mode B of the present invention may be implemented in combination for the discovery response message of the passive terminal, the discovery response message of the active terminal, and the query request sent by the active terminal to the passive terminal.
  • the message, the query response message sent by the passive terminal to the active terminal, and the matching report message of the active terminal perform integrity protection.
  • the embodiment of the present invention implements a D2D mode B discovery security system.
  • the system includes: a ProSe functional entity 11 and a passive terminal 12 in a passive terminal home network;
  • the ProSe functional entity 11 in the passive terminal home network is configured to send the ProSe response code and the ProSe response key to the passive terminal 12 during the passive terminal of the discovery service of the D2D mode B.
  • the passive terminal 12 is configured to receive the ProSe response code and a ProSe response key
  • the ProSe function entity 11 in the passive terminal home network receives the discovery request message of the passive terminal 12, performs authentication processing on the passive terminal 12, and sends a discovery response message to the passive terminal 12, the discovery response message.
  • the discovery response message Including: ProSe response code, ProSe response key;
  • the discovery response message further includes: a current time and a maximum offset value
  • the discovery response message further includes: a parameter (the value is set to B), a discovery filter, and an expiration date.
  • the passive terminal 12 receives the above discovery response message.
  • the passive terminal 12 also configures radio resources according to the discovery response.
  • the embodiment of the present invention implements a ProSe functional entity of a passive terminal home network.
  • the ProSe functional entity includes: a request receiving module 111 and a response loopback module 112.
  • the request receiving module 111 is configured to receive a discovery request message of the passive terminal
  • the response loopback module 112 is configured to send a discovery response message to the passive terminal, where the discovery response message includes: a ProSe response code, a ProSe response key.
  • the discovery response message further includes: a current time and a maximum offset value
  • the discovery response message further includes: a parameter (the value is set to B), a discovery filter, and an expiration date.
  • the embodiment of the invention implements a ProSe functional entity of the active terminal home network, as shown in FIG. 13 .
  • the ProSe functional entity includes: a first receiving module 21, a first sending module 22;
  • the first receiving module 21 may be implemented by an interface between a ProSe functional entity of the home network and a ProSe functional entity of another network, configured to receive ProSe sent back by the ProSe functional entity of the other network in the active terminal process of the discovery service of the D2D mode B.
  • Query code ProSe query key, ProSe response code and ProSe response key;
  • the first sending module 22 can be implemented by the interface between the ProSe functional entity of the home network and the active terminal, and configured to send the ProSe query code and the ProSe query key to the active terminal.
  • the first receiving module 21 receives a first discovery response message sent by a ProSe functional entity of another network, where the first discovery response message includes: a ProSe query code, a ProSe query key, a ProSe response code, and a ProSe response secret. key;
  • the first discovery response message further includes: a parameter such as a ProSe query code and a discovery filter.
  • the first sending module 22 After the first sending module 22 performs broadcast authentication with the ProSe function entity in the visited network that is currently registered by the active terminal, the first discovery response message is sent to the active terminal, where the second discovery response message includes: ProSe query code, ProSe query. Key
  • the second discovery response message further includes: a current time and a maximum offset value
  • the second discovery response message further includes: a mode (the value is set to B), a discovery filter, and an expiration date and the like.
  • an embodiment of the present invention implements an active terminal.
  • the active terminal includes: a second sending module 31 and a second receiving module 32;
  • the second sending module 31 can be implemented by the processor in combination with the interface, configured to calculate the query MIC, send the ProSe query code, query the MIC and the time calibration value to the passive terminal during the query process of the discovery service of the D2D mode B;
  • the second receiving module 32 can be implemented by an interface, and configured to receive the ProSe sent back by the passive terminal. Response code and response MIC;
  • L2 is composed, where FC is a fixed length algorithm type, P0 is a message type, its value is set to PC5_DISCOVERY, L0 is the message type length, P1 is ProSe query code, L1 Querying the code length for ProSe, P2 is a counter value based on UTC time, L2 is a counter value length, and sends a query request message to the passive terminal, the query request message includes: a ProSe query code, a query MIC, and a time calibration value, the time The calibration value can be the lower 4 bits of the counter value, expressed in binary.
  • the second receiving module 32 receives a query response message sent back by the passive terminal, where the query response message includes: a ProSe response code and a response MIC calculated by the passive terminal.
  • the query response message further includes: a time calibration value provided by the passive terminal, and the time calibration value may be a lower 4 bits of the UTC time based counter value of the passive terminal, expressed in binary.
  • the embodiment of the present invention implements a passive terminal.
  • the passive terminal includes: a third receiving module 41, a third sending module 42, and a fourth sending module 43, where
  • the third receiving module 41 can be implemented by the interface, and configured to receive the ProSe query code, the query MIC, and the time calibration value sent by the active terminal during the query process of the D2D mode B.
  • the third sending module 42 may be implemented by an interface, configured to send a ProSe query code, a query MIC, and a UTC time-based counter value to a ProSe functional entity in the home network, and check the query by the ProSe functional entity of the passive terminal's home network.
  • the fourth sending module 43 can be implemented by the processor in combination with the interface, configured to calculate the response MIC, and send the ProSe response code and the response MIC to the active terminal;
  • the third receiving module 41 receives the query request message sent by the active terminal, where
  • the query request message includes: a ProSe query code, a query MIC, and a time calibration value, which may be the lower 4 bits of the UTC time-based counter value of the active terminal, expressed in binary.
  • the third sending module 42 sends an authentication request message to the ProSe function entity in the home network, where the authentication request message includes: a ProSe query code, a query MIC, and a counter value based on UTC time.
  • L2 is composed, where FC is a fixed-length algorithm type, P0 is a message type, its value is set to PC5_DISCOVERY, L0 is the message type length, P1 is the ProSe response code, and L1 is the ProSe response.
  • the code length, P2 is a counter value based on the UTC time, and L2 is a counter value length, and the query response message is sent back to the active terminal, where the query response message includes: a ProSe response code and a response MIC;
  • the query response message further includes parameters such as a time calibration value provided by the passive terminal, and the time calibration value may be a lower 4 bits of the UTC time based counter value of the passive terminal, expressed in binary.
  • the embodiment of the present invention implements a security system for D2D mode B discovery.
  • the system includes: an active terminal 51, and a ProSe functional entity 52 of the active terminal home network;
  • the active terminal 51 is configured to send a ProSe response code, a response MIC, and a UTC time-based counter value to the ProSe functional entity in the home network in the matching process of the discovery service of the D2D mode B;
  • a ProSe functional entity 52 of the home network configured to receive a ProSe response code, a response MIC, and a UTC time based counter value, analyze the ProSe response code, and check the response MIC;
  • the active terminal 51 is to the ProSe functional entity 52 in its own home network.
  • Sending a matching report message the matching report message includes: a ProSe response code, a response MIC, and a counter value based on UTC time;
  • the matching report message further includes parameters such as a ProSe restriction discovery application layer user identifier, a terminal identifier, a discovery type, and an application identifier.
  • the ProSe functional entity 52 of the home network receives the matching report, and the matching report message includes: a ProSe response code, a response MIC, and a counter value based on UTC time;
  • the matching report message further includes parameters such as a ProSe restriction discovery application layer user identifier, a terminal identifier, a discovery type, and an application identifier.
  • Step 1101 The passive terminal configures the ProSe restriction to discover the application layer user identifier.
  • Step 1102 The passive terminal sends a discovery request message to the ProSe functional entity in its home network, where the message includes a mode (the value is set to B), a discovery type, a restriction discovery application layer user identifier, a terminal identifier, and a command (its value setting) Parameters for ProSe response) and application identification;
  • Step 1103 The ProSe functional entity interacts with the home user server to perform discovery and authentication.
  • Step 1104 The ProSe function entity sends an authentication request message to the ProSe application server, where the message includes parameters such as a ProSe restriction discovery application layer user identifier and an indicator.
  • Step 1105 The ProSe application server sends an authentication response message to the ProSe function entity, where the message includes parameters such as a ProSe discovery terminal identifier and an indicator.
  • Step 1106 the ProSe function entity allocates a ProSe response code and a discovery filter.
  • Step 1107 The ProSe function entity sends a broadcast authentication message to the ProSe function entity in the visited network that is currently registered by the passive terminal, where the message includes a ProSe restriction discovery application layer user identifier, a ProSe response code, a validity period, and a terminal identifier.
  • Step 1108 The ProSe functional entity in the visited network returns to the functional entity in the home network. Send a broadcast authentication response message;
  • Step 1109 The ProSe functional entity in the home network sends a discovery response message to the passive terminal, where the message includes a mode (the value is set to B), a discovery filter, a ProSe response code, a validity period, a ProSe response key, a current time, and a maximum bias. Parameter such as shift value;
  • Step 1110 The passive terminal configures the radio resource.
  • Step 1201 The active terminal configures the ProSe restriction to discover the application layer user identifier.
  • Step 1202 The active terminal sends a discovery request message to the ProSe functional entity in its home network, where the message includes a mode (the value is set to B), a discovery type, a restriction discovery application layer user identifier, a terminal identifier, and a command (its value setting) Parameters for ProSe), application identification, and application transparent containers;
  • Step 1203 The ProSe functional entity interacts with the home user server to perform discovery and authentication.
  • Step 1204 The ProSe function entity sends an authentication request message to the ProSe application server, where the message includes parameters such as a ProSe restriction discovery application layer user identifier, an indicator, and an application transparent container.
  • Step 1205 The ProSe application server sends an authentication response message to the ProSe function entity, where the message includes a ProSe discovery terminal identifier, an indicator, and a plurality of parameters corresponding to the target ProSe discovery terminal identifier and the target ProSe restriction discovery application layer user identifier.
  • Step 1206 The ProSe function entity of the home network sends a discovery request message to the ProSe function entity of the other network, where the message includes the ProSe restriction discovery application layer user identifier, the terminal identifier, the target ProSe discovery terminal identifier, the application identifier, and the target ProSe restriction discovery application layer.
  • the message includes the ProSe restriction discovery application layer user identifier, the terminal identifier, the target ProSe discovery terminal identifier, the application identifier, and the target ProSe restriction discovery application layer.
  • Step 1207 The ProSe function entity of the other network sends an authentication request message to the ProSe application server, where the message includes a ProSe restriction discovery application layer user identifier, an indicator, and a target ProSe restriction discovery application layer user identifier.
  • Step 1208 the ProSe application server sends back an authentication response to the ProSe functional entity of the other network.
  • the message includes the ProSe discovery terminal identifier, the indicator, and the target ProSe discovery terminal identifier;
  • Step 1209 The ProSe function entity of the other network sends a discovery response message to the ProSe function entity of the home network, where the message includes parameters such as a ProSe query code, a discovery filter, a ProSe query key, a ProSe response code, and a ProSe response key.
  • Step 1210 The ProSe function entity of the home network sends a broadcast authentication message to the ProSe function entity in the visited network that is currently registered by the active terminal, where the message includes parameters such as a ProSe application identifier, a ProSe query code, and a terminal identifier.
  • Step 1211 The ProSe functional entity of the visited network sends a broadcast authentication response message to the ProSe functional entity of the home network.
  • Step 1212 The ProSe function entity of the home network sends a discovery response message to the active terminal, where the message includes a mode (the value is set to B), a discovery filter, a ProSe query code, a ProSe query key, a current time, a maximum offset value, and Valid period and other parameters;
  • step 1213 the active terminal configures the radio resource.
  • Step 1301 the active terminal calculates a query MIC
  • FC is a fixed length algorithm type
  • P0 is a message type
  • its value is set to PC5_DISCOVERY
  • L0 is the message type length
  • P1 ProSe query code
  • L1 ProSe Query code length
  • P2 is the counter value based on UTC time
  • L2 is the counter value length.
  • Step 1302 The active terminal sends a query request message to the passive terminal, where the message includes a ProSe query code, a query MIC, and a minimum 4 digits (secondary system) of the counter value.
  • Step 1303 The passive terminal sends an authentication request to the ProSe functional entity in its home network. Requesting a message, the message includes parameters such as a ProSe query code, a query MIC, and a counter value based on UTC time;
  • Step 1304 the ProSe functional entity of the home network of the passive terminal checks the query MIC;
  • Step 1305 The ProSe functional entity of the home network of the passive terminal sends an authentication response message to the passive terminal.
  • FC is a fixed-length algorithm type
  • P0 is a message type
  • its value is set to PC5_DISCOVERY
  • L0 is the message type length
  • P1 is the ProSe response code
  • L1 ProSe Response code length
  • P2 is the counter value based on UTC time
  • L2 is the counter value length.
  • Step 1307 The passive terminal checks the ProSe query code, and if it passes the check, sends a query response message to the active terminal, where the message includes a ProSe response code, a response MIC, and a minimum 4-bit (secondary) parameter of the counter value.
  • Step 1401 The active terminal sends a matching report message to the ProSe functional entity in the home network, where the message includes the ProSe restriction discovery application layer user identifier, the terminal identifier, the discovery type, the application identifier, the ProSe response code, the ProSe response MIC, and the UTC based Time counter value and other parameters;
  • Step 1402 The ProSe functional entity of the home network performs discovery authentication.
  • Step 1403 the ProSe functional entity of the home network analyzes the ProSe response code and checks the response MIC;
  • Step 1404 The ProSe function entity of the home network sends an authentication request message to the ProSe application server, where the message includes the ProSe restriction discovery application layer user identifier and the target ProSe restriction. Now the application layer user identification and indicators and other parameters;
  • Step 1405 the ProSe application server performs processing
  • the ProSe application server sends an authentication response message to the ProSe function entity of the home network, where the message includes parameters such as a ProSe discovery terminal identifier, a target ProSe discovery terminal identifier, an indicator, and the like, and may also include a metadata parameter.
  • Step 1407 The ProSe functional entity of the home network verifies the ProSe discovery terminal identifier.
  • Step 1408 The ProSe function entity of the home network sends a matching report response message to the active terminal, where the message includes the application identifier, and the target ProSe limits the parameters such as the application layer user identifier and the validity period, and optionally includes the metadata parameter.
  • Step 1409 The ProSe function entity of the home network sends a matching report information message to the ProSe function entity of the other network, where the message includes parameters such as a ProSe restriction discovery application layer user identifier, a terminal identifier, a ProSe response code, and a discovery type.
  • the request receiving module and the response loopback module in the ProSe functional entity of the passive terminal home network provided by the embodiment of the present invention can be implemented by the processor in the ProSe functional entity of the passive terminal home network; the active terminal provided by the embodiment of the present invention
  • the first receiving module and the first sending module of the ProSe functional entity of the home network may be implemented by a processor in the ProSe functional entity of the home network of the active terminal; the second of the active terminals provided by the embodiment of the present invention
  • the sending module and the second receiving module are all implemented by the processor in the active terminal; the third receiving module, the third sending module, and the fourth sending module in the passive terminal provided by the embodiment of the present invention can all pass the passive terminal.
  • the processor to achieve
  • processors can also be implemented by specific logic circuits; in the process of the specific embodiment, the processor can be a central processing unit (CPU), a microprocessor (MPU), a digital signal processor (DSP) or Field programmable gate array (FPGA), etc.
  • CPU central processing unit
  • MPU microprocessor
  • DSP digital signal processor
  • FPGA Field programmable gate array
  • the security method of the D2D mode B discovery described above is implemented in the form of a software function module, and is sold or used as an independent product, Stored in a computer readable storage medium.
  • the technical solution of the embodiments of the present invention may be embodied in the form of a software product in essence or in the form of a software product stored in a storage medium, including a plurality of instructions.
  • a computer device (which may be a personal computer, server, or network device, etc.) is caused to perform all or part of the methods described in various embodiments of the present invention.
  • the foregoing storage medium includes various media that can store program codes, such as a USB flash drive, a mobile hard disk, a read only memory (ROM), a magnetic disk, or an optical disk.
  • program codes such as a USB flash drive, a mobile hard disk, a read only memory (ROM), a magnetic disk, or an optical disk.
  • the embodiment of the present invention further provides a computer storage medium, where the computer storage medium stores computer executable instructions, and the computer executable instructions are used to execute the D2D mode B discovery security method in the embodiment of the present invention.
  • the discovery response message to the passive terminal, the discovery response message of the active terminal, and the query request message sent by the active terminal to the passive terminal are added by adding corresponding parameters.
  • the integrity response protection is performed by the passive terminal sending the query response message sent to the active terminal and the matching report message of the active terminal; thus, in the four processes of the discovery service of the D2D mode B, the discovery response message to the passive terminal and the active terminal.
  • the discovery response message, the query request message sent by the active terminal to the passive terminal, the query response message sent by the passive terminal to the active terminal, and the matching report message of the active terminal are integrity-protected, and the threat of the attacker's replay attack is eliminated.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Databases & Information Systems (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

本发明实施例公开了一种D2D模式B发现的安全方法,在D2D模式B的发现业务的四个过程中,通过增加相应的参数,对被动终端的发现响应消息、主动终端的发现响应消息、主动终端发送给被动终端的查询请求消息、被动终端发送给主动终端的查询响应消息、以及主动终端的匹配报告消息进行完整性保护;本发明还公开了一种D2D模式B发现的安全系统、终端、存储介质。

Description

D2D模式B发现的安全方法、终端和系统、存储介质 技术领域
本发明涉及移动通信技术,尤其涉及一种设备到设备(D2D)模式B发现的安全方法、终端和系统、存储介质。
背景技术
为了保持第三代移动通信系统在通信领域的竞争力,并为用户提供速率更快、时延更低、更加个性化的移动通信服务,同时,为了降低运营商的运营成本,第三代合作伙伴计划(3GPP,3rd Generation Partnership Project)标准工作组正致力于演进分组系统(EPS,Evolved Packet System)的研究。整个EPS包括无线接入网(E-UTRAN,Evolved Universal Terrestrial Radio Access Network)和演进分组核心网(EPC,Evolved Packet Core Networking),其中,EPC包含了归属用户服务器(HSS,Home Subscriber Server)、移动性管理实体(MME,Mobility Management Entity)、服务GPRS支持节点(SGSN,Serving GPRS Support Node)、策略计费规则功能(PCRF,Policy and Charging Rule Function)、服务网关(S-GW,Serving Gateway)、分组数据网关(P-GW,PDN Gateway)和分组数据网络(PDN,Packet Data Network)。
当两个用户设备(UE,User Equipment)通过EPS进行通信时,两个UE需要分别与EPS建立承载。但是考虑到UE以及各种移动互联网业务的快速发展,很多业务希望能够发现临近的UE并且进行通信,因此催生了设备到设备(D2D,Device to Device)业务,D2D业务还被称为基于距离的业务(ProSe,Proximity-based Services)。在D2D业务中,当两个UE位置比较接近的时候,可以直接通信,其连接的数据路径可以不绕回到核心网, 这样,一方面可以减少数据路由的迂回,另一方面也能够减少网络数据负荷。因此,D2D业务已得到了很多运营商的重视。
目前,常用的D2D业务有D2D发现业务,D2D发现业务的通信架构如图1所示,D2D接入的两个UE只能通过E-UTRAN接入EPC,两个UE可以都属于一个公用陆地移动网络(PLMN,Public Land Mobile Network)或者分属于两个PLMN;对于一个UE,PLMN可以分为归属的PLMN(HPLMN,Home PLMN)和当所述UE从其他的PLMN接入时的拜访的PLMN(VPLMN,Visited PLMN),对于UE当前所处区域的PLMN可以统称为本地的公用陆地移动网络(LPLMN,Local PLMN),无论该本地的PLMN是HPLMN还是VPLMN。为了实现D2D发现业务,在运营商侧不仅仅部署了EPS,还包括部署D2D发现业务的ProSe应用服务器(ProSe Application Server),ProSe应用服务器可以由运营D2D业务的业务提供商提供,也可以由运营EPS的网络运营商提供,在不同PLMN还部署了ProSe功能实体(ProSe Function)。对于ProSe业务的两个UE,其中一个UE从ProSe功能实体获取业务标识后,再向ProSe功能实体获取能够广播的业务码,这个UE被成为广播UE(A-UE,Announcing UE),而另外一个UE则接受A-UE的广播,然后与所述UE的ProSe功能实体进行匹配,如果匹配成功后,则和A-UE进行ProSe业务。这个非广播UE成为监听UE(M-UE,Monitoring UE)。
在D2D发现业务通信架构中,由于UE提供相关的ProSe应用(APP,Application),其和ProSe应用服务器的接口为PC1接口,提供相关认证功能。UE与UE之间的接口为PC5,配置为UE之间的相互直接发现和通信,而UE与ProSe功能实体之间的接口是PC3,配置为通过网络的发现认证。ProSe功能实体与现有EPC之间的接口是PC4,包含与P-GW的用户面接口和与HSS的控制面接口,配置为D2D发现业务发现认证。ProSe功能实 体与ProSe应用服务器的接口为PC2,配置为D2D发现业务的应用实现。ProSe功能实体与ProSe功能实体分别有PC6和PC7接口,分别配置为UE在漫游和非漫游的两种情况,UE漫游时为PC7接口,UE非漫游时是为PC6接口,这两个接口配置为UE进行D2D发现业务时执行两个ProSe功能实体之间的信息交互。
D2D发现业务可以分为模式A和模式B两种模式。模式B的发现业务包括被动终端过程、主动终端过程、查询过程和匹配过程四个流程。这四个流程中对于被动终端的发现响应消息、主动终端的发现响应消息、主动终端发送给被动终端的查询请求消息、被动终端发送给主动终端的查询响应消息、以及主动终端的匹配报告消息都没有进行完整性保护,存在被攻击者重放攻击的威胁。
发明内容
为解决现有存在的技术问题,本发明实施例主要提供一种D2D模式B发现的安全方法、终端和系统、存储介质。
本发明实施例的技术方案是这样实现的:
第一方面,本发明实施例提供一种D2D模式B发现的安全方法,该方法包括:
被动终端归属网络中的ProSe功能实体向被动终端回送ProSe响应码、ProSe响应密钥;
被动终端接收所述ProSe响应码、ProSe响应密钥。
在本发明的一种实施例中,所述被动终端归属网络中的ProSe功能实体向被动终端回送ProSe响应码、ProSe响应密钥,包括:被动终端归属网络中的ProSe功能实体接收被动终端的发现请求消息,对所述被动终端进行认证处理,向所述被动终端发送发现响应消息,所述发现响应消息包括:ProSe响应码、ProSe响应密钥。
在本发明的一种实施例中,所述发现响应消息还包括:当前时间和最大偏移值。
在本发明的一种实施例中,所述发现响应消息还包括:模式、发现过滤器和有效期。
第二方面,本发明实施例提供一种D2D模式B发现的安全方法,该方法包括:
主动终端归属网络的ProSe功能实体接收其他网络的ProSe功能实体回送的ProSe查询码、ProSe查询密钥、ProSe响应码和ProSe响应密钥;
主动终端归属网络的ProSe功能实体向主动终端回送ProSe查询码、ProSe查询密钥。
在本发明的一种实施例中,所述主动终端归属网络的ProSe功能实体接收其他网络的ProSe功能实体回送的ProSe查询码、ProSe查询密钥、ProSe响应码和ProSe响应密钥,包括:主动终端归属网络的ProSe功能实体接收其他网络的ProSe功能实体回送的第一发现响应消息,所述第一发现响应消息包括:ProSe查询码、ProSe查询密钥、ProSe响应码和ProSe响应密钥。
在本发明的一种实施例中,所述第一发现响应消息还包括:ProSe查询码和发现过滤器。
在本发明的一种实施例中,所述主动终端归属网络的ProSe功能实体向主动终端回送ProSe查询码、ProSe查询密钥、当前时间和最大偏移值,包括:主动终端归属网络的ProSe功能实体与主动终端当前注册的拜访网络中的ProSe功能实体进行广播认证后,向主动终端回送第二发现响应消息,所述第二发现响应消息包括:ProSe查询码、ProSe查询密钥、当前时间和最大偏移值。
在本发明的一种实施例中,所述第二发现响应消息还包括:当前时间和最大偏移值。
在本发明的一种实施例中,所述第二发现响应消息还包括:模式、发现过滤器和有效期。
第三方面,本发明实施例提供一种D2D模式B发现的安全方法,该方法包括:
主动终端计算查询消息完整性保护码(MIC),向被动终端发送ProSe查询码、查询MIC和时间校准值;
主动终端接收被动终端回送的ProSe响应码和响应MIC。
在本发明的一种实施例中,所述主动终端计算查询MIC包括:主动终端使用基于哈希函数消息认证码(HMAC)-安全散列算法(SHA-256)计算查询MIC,即MIC=HMAC-SHA-256(ProSe查询密钥,字符串S),所述字符串由S=FC||P0||L0||P1||L1||P2||L2组成,其中FC为固定长度的算法类型,P0为消息类型,其值设置为PC5_DISCOVERY,L0为消息类型长度,P1为ProSe查询码,L1为ProSe查询码长度,P2为基于协调世界时(UTC)时间的计数器值,L2为计数器值长度。
第四方面,本发明实施例提供一种D2D模式B发现的安全方法,该方法包括:
被动终端接收主动终端发送的ProSe查询码、查询MIC和时间校准值;
被动终端向自身的归属网络中的ProSe功能实体发送ProSe查询码、查询MIC和基于UTC时间的计数器值,由被动终端的归属网络的ProSe功能实体检查查询MIC;
被动终端计算响应MIC,并向主动终端回送ProSe响应码和响应MIC。
在本发明的一种实施例中,所述被动终端计算响应MIC包括:被动终端使用HMAC-SHA-256计算响应MIC,即MIC=HMAC-SHA-256(ProSe响应密钥,字符串S),所述字符串由S=FC||P0||L0||P1||L1||P2||L2组成,其中FC为固定长度的算法类型,P0为消息类型,其值设置为 PC5_DISCOVERY,L0为消息类型长度,P1为ProSe响应码,L1为ProSe响应码长度,P2为基于UTC时间的计数器值,L2为计数器值长度。
第五方面,本发明实施例提供一种D2D模式B发现的安全方法,该方法包括:
主动终端向自身的归属网络中的ProSe功能实体发送ProSe响应码、响应MIC和基于UTC时间的计数器值;
归属网络的ProSe功能实体接收ProSe响应码、响应MIC和基于UTC时间的计数器值,分析ProSe响应码并检查响应MIC。
在本发明的一种实施例中,所述主动终端向自身的归属网络中的ProSe功能实体发送ProSe响应码、响应MIC和基于UTC时间的计数器值包括:主动终端向自身的归属网络中的ProSe功能实体发送匹配报告消息,所述匹配报告消息包括:ProSe响应码、响应MIC和基于UTC时间的计数器值。
在本发明的一种实施例中,所述匹配报告消息还包括ProSe限制发现应用层用户标识、终端标识、发现类型和应用标识。
第六方面,本发明提供一种D2D模式B发现的安全系统,该系统包括:被动终端归属网络中的ProSe功能实体、被动终端;其中,
被动终端归属网络中的ProSe功能实体,配置为向被动终端回送ProSe响应码、ProSe响应密钥;
被动终端,配置为接收所述ProSe响应码、ProSe响应密钥。
在本发明的一种实施例中,所述被动终端的归属网络中的ProSe功能实体,具体配置为接收被动终端的发现请求消息,对所述被动终端进行认证处理,向所述被动终端发送发现响应消息,所述发现响应消息包括:ProSe响应码、ProSe响应密钥。
在本发明的一种实施例中,所述发现响应消息还包括:当前时间和最大偏移值。
第七方面,本发明实施例提供一种被动终端归属网络的ProSe功能实体,该ProSe功能实体包括:请求接收模块、响应回送模块;其中,
请求接收模块,配置为接收被动终端的发现请求消息;
响应回送模块,配置为向所述被动终端回送发现响应消息,所述发现响应消息包括:ProSe响应码、ProSe响应密钥。
第八方面,本发明实施例提供一种主动终端的归属网络的ProSe功能实体,该ProSe功能实体包括:第一接收模块、第一发送模块;其中,
第一接收模块,配置为接收其他网络的ProSe功能实体回送的ProSe查询码、ProSe查询密钥、ProSe响应码和ProSe响应密钥;
第一发送模块,配置为向主动终端回送ProSe查询码、ProSe查询密钥。
在本发明的一种实施例中,所述第一接收模块,具体配置为接收其他网络的ProSe功能实体回送的第一发现响应消息,所述第一发现响应消息包括:ProSe查询码、ProSe查询密钥、ProSe响应码和ProSe响应密钥。
在本发明的一种实施例中,所述第一发送模块,具体配置为与主动终端当前注册的拜访网络中的ProSe功能实体进行广播认证后,向主动终端回送第二发现响应消息,所述第二发现响应消息包括:ProSe查询码、ProSe查询密钥。
在本发明的一种实施例中,所述第二发现响应消息还包括:当前时间和最大偏移值。
第九方面,本发明实施例提供一种主动终端,该主动终端包括:第二发送模块、第二接收模块;其中,
第二发送模块,配置为计算查询MIC,向被动终端发送ProSe查询码、查询MIC和时间校准值;
第二接收模块,配置为接收被动终端回送的ProSe响应码和响应MIC。
在本发明的一种实施例中,所述第二发送模块,具体配置为使用 HMAC-SHA-256计算查询MIC,即MIC=HMAC-SHA-256(ProSe查询密钥,字符串S),所述字符串由S=FC||P0||L0||P1||L1||P2||L2组成,其中FC为固定长度的算法类型,P0为消息类型,其值设置为PC5_DISCOVERY,L0为消息类型长度,P1为ProSe查询码,L1为ProSe查询码长度,P2为基于UTC时间的计数器值,L2为计数器值长度。
第十方面,本发明实施例提供一种被动终端,该被动终端包括:第三接收模块、第三发送模块、第四发送模块,其中,
第三接收模块,配置为接收主动终端发送的ProSe查询码、查询MIC和时间校准值;
第三发送模块,配置为向自身的归属网络中的ProSe功能实体发送ProSe查询码、查询MIC和基于UTC时间的计数器值,由被动终端的归属网络的ProSe功能实体检查查询MIC;
第四发送模块,配置为计算响应MIC,并向主动终端回送ProSe响应码和响应MIC。
在本发明的一种实施例中,所述第四发送模块,具体配置为使用HMAC-SHA-256计算响应MIC,即MIC=HMAC-SHA-256(ProSe响应密钥,字符串S),所述字符串由S=FC||P0||L0||P1||L1||P2||L2组成,其中FC为固定长度的算法类型,P0为消息类型,其值设置为PC5_DISCOVERY,L0为消息类型长度,P1为ProSe响应码,L1为ProSe响应码长度,P2为基于UTC时间的计数器值,L2为计数器值长度。
第十一方面,本发明提供一种D2D模式B发现的安全系统,该系统包括:主动终端、主动终端的归属网络的ProSe功能实体;其中,
主动终端,配置为向主动终端的归属网络中的ProSe功能实体发送ProSe响应码、响应MIC和基于UTC时间的计数器值;
主动终端的归属网络的ProSe功能实体,配置为接收ProSe响应码、响 应MIC和基于UTC时间的计数器值,分析ProSe响应码并检查响应MIC。
在本发明的一种实施例中,所述主动终端,具体配置为向自身的归属网络中的ProSe功能实体发送匹配报告消息,所述匹配报告消息包括:ProSe响应码、响应MIC和基于UTC时间的计数器值。
在本发明的一种实施例中,所述匹配报告消息还包括ProSe限制发现应用层用户标识、终端标识、发现类型和应用标识。
第十二方面,本发明实施例提供一种计算机存储介质,所述计算机存储介质中存储有计算机可执行指令,该计算机可执行指令用于执行本发明第一方面至第四方面实施例提供的D2D模式B发现的安全方法。
本发明提供了一种D2D模式B发现的安全方法、终端和系统、存储介质,在被动终端过程中,归属网络中的ProSe功能实体向被动终端回送ProSe响应码、ProSe响应密钥;在主动终端过程中,其他网络的ProSe功能实体向归属网络的ProSe功能实体回送ProSe查询码、ProSe查询密钥、ProSe响应码和ProSe响应密钥,归属网络的ProSe功能实体向主动终端回送ProSe查询码、ProSe查询密钥;在查询过程中,主动终端计算查询消息完整性保护码(MIC,Message Integrity Code),向被动终端发送ProSe查询码、查询MIC和时间校准值,被动终端向自身的归属网络中的ProSe功能实体发送ProSe查询码、查询MIC和基于协调世界时(UTC)时间的计数器值,被动终端的归属网络的ProSe功能实体检查查询MIC;被动终端计算响应MIC向主动终端回送ProSe响应码和响应MIC;在匹配过程中,主动终端向自身的归属网络中的ProSe功能实体发送ProSe响应码、响应MIC和基于UTC时间的计数器值,归属网络的ProSe功能实体分析ProSe响应码并检查响应MIC;如此,在D2D模式B的发现业务的四个过程中,对被动终端的发现响应消息、主动终端的发现响应消息、主动终端发送给被动终端的查询请求消息、被动终端发送给主动终端的查询响应消息、以及主动终端的匹配 报告消息进行了完整性保护,消除了被攻击者重放攻击的威胁。
附图说明
图1为D2D发现业务的通信架构示意图;
图2为现有的被动终端过程的流程示意图;
图3为现有的主动终端过程的流程示意图;
图4为现有的查询过程的流程示意图;
图5为现有的匹配过程的流程示意图;
图6为本发明实施例一实现D2D模式B发现的安全方法的流程示意图;
图7为本发明实施例二实现D2D模式B发现的安全方法的流程示意图;
图8为本发明实施例三实现D2D模式B发现的安全方法的流程示意图;
图9为本发明实施例四实现D2D模式B发现的安全方法的流程示意图;
图10为本发明实施例五实现D2D模式B发现的安全方法的流程示意图;
图11为本发明实施例六实现D2D模式B发现的安全系统的结构示意图;
图12为本发明实施例七提供的被动终端归属网络的ProSe功能实体的结构示意图;
图13为本发明实施例八提供的主动终端归属网络的ProSe功能实体的结构示意图;
图14为本发明实施例九提供的主动终端的结构示意图;
图15为本发明实施例十提供的被动终端的结构示意图;
图16为本发明实施例十一提供的D2D模式B发现的安全系统的结构示意图;
图17为本发明实施例被动终端过程的具体流程示意图;
图18为本发明实施例主动终端过程的具体流程示意图;
图19为本发明实施例查询过程的具体流程示意图;
图20为本发明实施例匹配过程的具体流程示意图。
具体实施方式
图2为现有技术被动终端过程的实现流程:
步骤201,被动终端配置ProSe限制发现应用层用户标识;
步骤202,被动终端向自身的归属网络中的ProSe功能实体发送发现请求消息,消息中包括模式(其值设置为B)、发现类型、限制发现应用层用户标识、终端标识、命令(command)(其值设置为ProSe响应)和应用标识等参数;
步骤203,ProSe功能实体与归属用户服务器交互,进行发现认证;
步骤204,ProSe功能实体向ProSe应用服务器发送认证请求消息,消息中包括ProSe限制发现应用层用户标识和指示符等参数;
步骤205,ProSe应用服务器向ProSe功能实体回送认证响应消息,消息中包括ProSe发现终端标识和指示符等参数;
步骤206,ProSe功能实体分配ProSe响应码与发现过滤器;
步骤207,ProSe功能实体向被动终端当前注册的拜访网络中的ProSe功能实体发送广播认证消息,消息中包括ProSe限制发现应用层用户标识、ProSe响应码、有效期和终端标识等参数;
步骤208,拜访网络中的ProSe功能实体向归属网络中的ProSe功能实体回送广播认证响应消息;
步骤209,归属网络中的ProSe功能实体向被动终端回送发现响应消息,消息中包括模式(其值设置为B)、发现过滤器、ProSe响应码和有效期等参数;
步骤210,被动终端配置无线资源。
图3为现有技术主动终端过程的实现流程:
步骤301,主动终端配置ProSe限制发现应用层用户标识;
步骤302,主动终端向它的归属网络中的ProSe功能实体发送发现请求消息,消息中包括模式(其值设置为B)、发现类型、ProSe限制发现应用层用户标识、终端标识、command(其值设置为ProSe查询)、应用标识和应用透明容器等参数;
步骤303,归属网络的ProSe功能实体与归属用户服务器交互,进行发现认证;
步骤304,归属网络的ProSe功能实体向ProSe应用服务器发送认证请求消息,消息中包括ProSe限制发现应用层用户标识、指示符和应用透明容器等参数;
步骤305,ProSe应用服务器向归属网络的ProSe功能实体回送认证响应消息,消息中包括ProSe发现终端标识、指示符和若干对目标ProSe发现终端标识与目标ProSe限制发现应用层用户标识的对应关系等参数;
步骤306,归属网络的ProSe功能实体向其他网络的ProSe功能实体发送发现请求消息,消息中包括ProSe限制发现应用层用户标识、终端标识、目标ProSe发现终端标识、应用标识、目标ProSe限制发现应用层用户标识等参数;
步骤307,其他网络的ProSe功能实体向ProSe应用服务器发送认证请求消息,消息中包括ProSe限制发现应用层用户标识、指示符和目标ProSe限制发现应用层用户标识等参数;
步骤308,ProSe应用服务器向所述其他网络的ProSe功能实体回送认证响应消息,消息中包括ProSe发现终端标识、指示符和目标ProSe发现终端标识;
步骤309,所述其他网络的ProSe功能实体向归属网络的ProSe功能实体回送发现响应消息,消息中包括ProSe查询码和发现过滤器等参数;
步骤310,归属网络的ProSe功能实体向主动终端当前注册的拜访网络中的ProSe功能实体发送广播认证消息,消息中包括ProSe应用标识、ProSe查询码和终端标识等参数;
步骤311,拜访网络的ProSe功能实体向归属网络的ProSe功能实体回送广播认证响应消息;
步骤312,归属网络的ProSe功能实体向主动终端回送发现响应消息,消息中包括模式(其值设置为B)、发现过滤器、ProSe查询码和有效期等参数;
步骤313,主动终端配置无线资源。
图4为现有技术查询过程的实现流程:
步骤401,主动终端向被动终端发送查询请求消息,消息中包括ProSe查询码参数;
步骤402,被动终端检查ProSe查询码,如果通过检查,向主动终端回送查询响应消息,消息中包括ProSe响应码参数。
图5为现有技术匹配过程的实现流程:
步骤501,主动终端向自身的归属网络中的ProSe功能实体发送匹配报告消息,消息中包括ProSe限制发现应用层用户标识、终端标识、发现类型、应用标识和ProSe响应码等参数;
步骤502,归属网络的ProSe功能实体进行发现认证;
步骤503,归属网络的ProSe功能实体分析ProSe响应码;
步骤504,归属网络的ProSe功能实体向ProSe应用服务器发送认证请求消息,消息中包括ProSe限制发现应用层用户标识、目标ProSe限制发现应用层用户标识和指示符等参数;
步骤505,ProSe应用服务器进行处理;
步骤506,ProSe应用服务器向归属网络的ProSe功能实体回送认证响 应消息,消息中包括ProSe发现终端标识、目标ProSe发现终端标识、指示符等参数,可选地,也可以包括元数据参数;
步骤507,归属网络的ProSe功能实体验证ProSe发现终端标识;
步骤508,归属网络的ProSe功能实体向主动终端回送匹配报告响应消息,消息中包括应用标识、目标ProSe限制发现应用层用户标识和有效期等参数,可选地,也可以包括元数据参数;
步骤509,归属网络的ProSe功能实体向其他网络的ProSe功能实体发送匹配报告信息消息,消息中包括ProSe限制发现应用层用户标识、终端标识、ProSe响应码和发现类型等参数。
以上的流程中对于被动终端的发现响应消息、主动终端的发现响应消息、主动终端发送给被动终端的查询请求消息、被动终端发送给主动终端的查询响应消息、以及主动终端的匹配报告消息都没有进行完整性保护,存在被攻击者重放攻击的威胁。
下面通过附图及具体实施例对本发明做进一步的详细说明。
实施例一
本发明实施例实现一种D2D模式B发现的安全方法,如图6所示,该方法包括以下几个步骤:
步骤601:在被动终端过程中,被动终端归属网络中的ProSe功能实体向被动终端回送ProSe响应码、ProSe响应密钥;
具体的,所述被动终端归属网络中的ProSe功能实体接收被动终端的发现请求消息,对所述被动终端进行认证处理,向所述被动终端发送发现响应消息,所述发现响应消息包括:ProSe响应码、ProSe响应密钥;
优选的,所述发现响应消息还包括:当前时间和最大偏移值;
优选的,所述发现响应消息还包括:模式(其值设置为B)、发现过滤器和有效期等参数。
这里,所述ProSe响应密钥由所述ProSe功能实体通过密钥生成器产生;当前时间是所述ProSe功能实体读取自己时钟的当前时间;最大偏移值由所述ProSe功能实体自行设定。
步骤602:被动终端接收所述ProSe响应码、ProSe响应密钥;
具体的,被动终端接收发现响应消息,所述发现响应消息包括:ProSe响应码、ProSe响应密钥;
优选的,所述发现响应消息还包括:当前时间和最大偏移值;
优选的,所述发现响应消息还包括:模式(其值设置为B)、发现过滤器和有效期等参数。
优选的,所述被动终端还根据发现响应配置无线资源。
实施例二
本发明实施例实现一种D2D模式B发现的安全方法,如图7所示,该方法包括以下几个步骤:
步骤701:在主动终端过程中,主动终端归属网络的ProSe功能实体接收其他网络的ProSe功能实体回送的ProSe查询码、ProSe查询密钥、ProSe响应码和ProSe响应密钥;
具体的,主动终端归属网络的ProSe功能实体接收其他网络的ProSe功能实体回送的第一发现响应消息,所述第一发现响应消息包括:ProSe查询码、ProSe查询密钥、ProSe响应码和ProSe响应密钥;
优选的,所述第一发现响应消息还包括:ProSe查询码和发现过滤器等参数。
其中,所述ProSe查询密钥同ProSe响应密钥类似,由所述ProSe功能实体通过密钥生成器产生。
步骤702:主动终端归属网络的ProSe功能实体向主动终端回送ProSe查询码、ProSe查询密钥;
具体的,主动终端归属网络的ProSe功能实体与主动终端当前注册的拜访网络中的ProSe功能实体进行广播认证后,向主动终端回送第二发现响应消息,所述第二发现响应消息包括:ProSe查询码、ProSe查询密钥;
优选的,所述第二发现响应消息还包括:当前时间和最大偏移值;
优选的,所述第二发现响应消息还包括:模式(其值设置为B)、发现过滤器和有效期等参数。
实施例三
本发明实施例实现一种D2D模式B发现的安全方法,如图8所示,该方法包括以下几个步骤:
步骤801:在查询过程中,主动终端计算查询MIC,向被动终端发送ProSe查询码、查询MIC和时间校准值;
具体的,主动终端使用签名算法即基于哈希函数消息认证码(HMAC,Hash-based Message Authentication Code)-安全散列算法(SHA-256,Secure Hash Algorithm)计算查询MIC,即MIC=HMAC-SHA-256(ProSe查询密钥,字符串S),所述字符串由S=FC||P0||L0||P1||L1||P2||L2组成,其中FC为固定长度的算法类型,P0为消息类型,其值设置为PC5_DISCOVERY,L0为消息类型长度,P1为ProSe查询码,L1为ProSe查询码长度,P2为基于UTC时间的计数器值,L2为计数器值长度,向被动终端发送查询请求消息,所述查询请求消息包括:ProSe查询码、查询MIC和时间校准值,所述时间校准值可以为所述计数器值的低4位,用二进制表示。
步骤802:主动终端接收被动终端回送的ProSe响应码和响应MIC;
具体的,主动终端接收被动终端回送的查询响应消息,所述查询响应消息包括:ProSe响应码和被动终端计算的响应MIC。
所述查询响应消息还包括:被动终端提供的时间校准值,所述时间校准值可以为被动终端的基于UTC时间的计数器值的低4位,用二进制表示。
实施例四
本发明实施例实现一种D2D模式B发现的安全方法,如图9所示,该方法包括以下几个步骤:
步骤901:在查询过程中,被动终端接收主动终端发送的ProSe查询码、查询MIC和时间校准值;
具体的,被动终端接收主动终端发送的查询请求消息,所述查询请求消息包括:ProSe查询码、查询MIC和时间校准值,所述时间校准值可以为主动终端的基于UTC时间的计数器值的低4位,用二进制表示。
步骤902:被动终端向自身的归属网络中的ProSe功能实体发送ProSe查询码、查询MIC和基于UTC时间的计数器值,由被动终端的归属网络的ProSe功能实体检查查询MIC;
具体的,被动终端向自身的归属网络中的ProSe功能实体发送认证请求消息,所述认证请求消息包括:ProSe查询码、查询MIC和自身基于UTC时间的计数器值。
步骤903:被动终端计算响应MIC,并向主动终端回送ProSe响应码和响应MIC;
具体的,被动终端使用签名算法即HMAC-SHA-256计算响应MIC,即MIC=HMAC-SHA-256(ProSe响应密钥,字符串S),所述字符串由S=FC||P0||L0||P1||L1||P2||L2组成,其中FC为固定长度的算法类型,P0为消息类型,其值设置为PC5_DISCOVERY,L0为消息类型长度,P1为ProSe响应码,L1为ProSe响应码长度,P2为基于UTC时间的计数器值,L2为计数器值长度,向主动终端回送查询响应消息,所述查询响应消息包括:ProSe响应码和响应MIC;
所述查询响应消息还包括:被动终端提供的时间校准值等参数,所述时间校准值可以为被动终端的基于UTC时间的计数器值的低4位,用二进 制表示。
实施例五
本发明实施例实现一种D2D模式B发现的安全方法,如图10所示,该方法包括以下几个步骤:
步骤1001:在匹配过程中,主动终端向自身的归属网络中的ProSe功能实体发送ProSe响应码、响应MIC和基于UTC时间的计数器值;
具体的,主动终端向自身的归属网络中的ProSe功能实体发送匹配报告消息,所述匹配报告消息包括:ProSe响应码、响应MIC和基于UTC时间的计数器值;
所述匹配报告消息还包括ProSe限制发现应用层用户标识、终端标识、发现类型和应用标识等参数。
步骤1002:归属网络的ProSe功能实体接收ProSe响应码、响应MIC和基于UTC时间的计数器值,分析ProSe响应码并检查响应MIC;
具体的,归属网络的ProSe功能实体接收所述匹配报告消息,所述匹配报告消息包括:ProSe响应码、响应MIC和基于UTC时间的计数器值;
所述匹配报告消息还包括ProSe限制发现应用层用户标识、终端标识、发现类型和应用标识等参数。
本发明上述D2D模式B的发现业务的四个过程的实施例,可以结合在一起实现,用于同时对被动终端的发现响应消息、主动终端的发现响应消息、主动终端发送给被动终端的查询请求消息、被动终端发送给主动终端的查询响应消息、以及主动终端的匹配报告消息进行完整性保护。
实施例六
为了实现上述方法,本发明实施例实现一种D2D模式B发现的安全系统,如图11所示,该系统包括:被动终端归属网络中的ProSe功能实体11、被动终端12;其中,
被动终端归属网络中的ProSe功能实体11,配置为在D2D模式B的发现业务的被动终端过程中,向被动终端12回送ProSe响应码、ProSe响应密钥;
被动终端12,配置为接收所述ProSe响应码、ProSe响应密钥;
具体的,所述被动终端归属网络中的ProSe功能实体11接收被动终端12的发现请求消息,对所述被动终端12进行认证处理,向所述被动终端12发送发现响应消息,所述发现响应消息包括:ProSe响应码、ProSe响应密钥;
优选的,所述发现响应消息还包括:当前时间和最大偏移值;
优选的,所述发现响应消息还包括:模式(其值设置为B)、发现过滤器和有效期等参数。
被动终端12接收上述发现响应消息。
优选的,所述被动终端12还根据发现响应配置无线资源。
实施例七
本发明实施例实现一种被动终端归属网络的ProSe功能实体,如图12所示,该ProSe功能实体包括:请求接收模块111、响应回送模块112;其中,
请求接收模块111,配置为接收被动终端的发现请求消息;
响应回送模块112,配置为向所述被动终端回送发现响应消息,所述发现响应消息包括:ProSe响应码、ProSe响应密钥。
优选的,所述发现响应消息还包括:当前时间和最大偏移值;
优选的,所述发现响应消息还包括:模式(其值设置为B)、发现过滤器和有效期等参数。
实施例八
本发明实施例实现一种主动终端归属网络的ProSe功能实体,如图13 所示,该ProSe功能实体包括:第一接收模块21、第一发送模块22;其中,
第一接收模块21,可以由归属网络的ProSe功能实体与其他网络的ProSe功能实体的接口实现,配置为在D2D模式B的发现业务的主动终端过程中,接收其他网络的ProSe功能实体回送的ProSe查询码、ProSe查询密钥、ProSe响应码和ProSe响应密钥;
第一发送模块22,可以由归属网络的ProSe功能实体与主动终端的接口实现,配置为向主动终端回送ProSe查询码、ProSe查询密钥;
具体的,所述第一接收模块21接收其他网络的ProSe功能实体回送的第一发现响应消息,所述第一发现响应消息包括:ProSe查询码、ProSe查询密钥、ProSe响应码和ProSe响应密钥;
优选的,所述第一发现响应消息还包括:ProSe查询码和发现过滤器等参数。
所述第一发送模块22与主动终端当前注册的拜访网络中的ProSe功能实体进行广播认证后,向主动终端回送第二发现响应消息,所述第二发现响应消息包括:ProSe查询码、ProSe查询密钥;
优选的,所述第二发现响应消息还包括:当前时间和最大偏移值;
优选的,所述第二发现响应消息还包括:模式(其值设置为B)、发现过滤器和有效期等参数。
实施例九
本发明实施例实现一种主动终端,如图14所示,该主动终端包括:第二发送模块31、第二接收模块32;其中,
第二发送模块31,可以由处理器结合接口实现,配置为在D2D模式B的发现业务的查询过程中,计算查询MIC,向被动终端发送ProSe查询码、查询MIC和时间校准值;
第二接收模块32,可以由接口实现,配置为接收被动终端回送的ProSe 响应码和响应MIC;
具体的,所述第二发送模块31使用HMAC-SHA-256计算查询MIC,即MIC=HMAC-SHA-256(ProSe查询密钥,字符串S),所述字符串由S=FC||P0||L0||P1||L1||P2||L2组成,其中FC为固定长度的算法类型,P0为消息类型,其值设置为PC5_DISCOVERY,L0为消息类型长度,P1为ProSe查询码,L1为ProSe查询码长度,P2为基于UTC时间的计数器值,L2为计数器值长度,向被动终端发送查询请求消息,所述查询请求消息包括:ProSe查询码、查询MIC和时间校准值,所述时间校准值可以为所述计数器值的低4位,用二进制表示。
所述第二接收模块32接收被动终端回送的查询响应消息,所述查询响应消息包括:ProSe响应码和被动终端计算的响应MIC。
所述查询响应消息还包括:被动终端提供的时间校准值,所述时间校准值可以为被动终端的基于UTC时间的计数器值的低4位,用二进制表示。
实施例十
本发明实施例实现一种被动终端,如图15所示,该被动终端包括:第三接收模块41、第三发送模块42、第四发送模块43,其中,
第三接收模块41,可以由接口实现,配置为在D2D模式B的发现业务的查询过程中,接收主动终端发送的ProSe查询码、查询MIC和时间校准值;
第三发送模块42,可以由接口实现,配置为向自身的归属网络中的ProSe功能实体发送ProSe查询码、查询MIC和基于UTC时间的计数器值,由被动终端的归属网络的ProSe功能实体检查查询MIC;
第四发送模块43,可以由处理器结合接口实现,配置为计算响应MIC,并向主动终端回送ProSe响应码和响应MIC;
具体的,所述第三接收模块41接收主动终端发送的查询请求消息,所 述查询请求消息包括:ProSe查询码、查询MIC和时间校准值,所述时间校准值可以为主动终端的基于UTC时间的计数器值的低4位,用二进制表示。
所述第三发送模块42向自身的归属网络中的ProSe功能实体发送认证请求消息,所述认证请求消息包括:ProSe查询码、查询MIC和自身基于UTC时间的计数器值。
所述第四发送模块43使用HMAC-SHA-256计算响应MIC,即MIC=HMAC-SHA-256(ProSe响应密钥,字符串S),所述字符串由S=FC||P0||L0||P1||L1||P2||L2组成,其中FC为固定长度的算法类型,P0为消息类型,其值设置为PC5_DISCOVERY,L0为消息类型长度,P1为ProSe响应码,L1为ProSe响应码长度,P2为基于UTC时间的计数器值,L2为计数器值长度,向主动终端回送查询响应消息,所述查询响应消息包括:ProSe响应码和响应MIC;
所述查询响应消息还包括:被动终端提供的时间校准值等参数,所述时间校准值可以为被动终端的基于UTC时间的计数器值的低4位,用二进制表示。
实施例十一
本发明实施例实现一种D2D模式B发现的安全系统,如图16所示,该系统包括:主动终端51、主动终端归属网络的ProSe功能实体52;其中,
主动终端51,配置为在D2D模式B的发现业务的匹配过程中,向自身的归属网络中的ProSe功能实体发送ProSe响应码、响应MIC和基于UTC时间的计数器值;
归属网络的ProSe功能实体52,配置为接收ProSe响应码、响应MIC和基于UTC时间的计数器值,分析ProSe响应码并检查响应MIC;
具体的,所述主动终端51向自身的归属网络中的ProSe功能实体52 发送匹配报告消息,所述匹配报告消息包括:ProSe响应码、响应MIC和基于UTC时间的计数器值;
所述匹配报告消息还包括ProSe限制发现应用层用户标识、终端标识、发现类型和应用标识等参数。
归属网络的ProSe功能实体52接收所述匹配报告,所述匹配报告消息包括:ProSe响应码、响应MIC和基于UTC时间的计数器值;
所述匹配报告消息还包括ProSe限制发现应用层用户标识、终端标识、发现类型和应用标识等参数。
下面通过几个具体的示例对本发明的4个过程进行进一步说明。
被动终端过程的实现流程,如图17所示:
步骤1101,被动终端配置ProSe限制发现应用层用户标识;
步骤1102,被动终端向自身的归属网络中的ProSe功能实体发送发现请求消息,消息中包括模式(其值设置为B)、发现类型、限制发现应用层用户标识、终端标识、command(其值设置为ProSe响应)和应用标识等参数;
步骤1103,ProSe功能实体与归属用户服务器交互,进行发现认证;
步骤1104,ProSe功能实体向ProSe应用服务器发送认证请求消息,消息中包括ProSe限制发现应用层用户标识和指示符等参数;
步骤1105,ProSe应用服务器向ProSe功能实体回送认证响应消息,消息中包括ProSe发现终端标识和指示符等参数;
步骤1106,ProSe功能实体分配ProSe响应码与发现过滤器;
步骤1107,ProSe功能实体向被动终端当前注册的拜访网络中的ProSe功能实体发送广播认证消息,消息中包括ProSe限制发现应用层用户标识、ProSe响应码、有效期和终端标识等参数;
步骤1108,拜访网络中的ProSe功能实体向归属网络中的功能实体回 送广播认证响应消息;
步骤1109,归属网络中的ProSe功能实体向被动终端回送发现响应消息,消息中包括模式(其值设置为B)、发现过滤器、ProSe响应码、有效期、ProSe响应密钥、当前时间和最大偏移值等参数;
步骤1110,被动终端配置无线资源。
主动终端过程的实现流程,如图18所示:
步骤1201,主动终端配置ProSe限制发现应用层用户标识;
步骤1202,主动终端向它的归属网络中的ProSe功能实体发送发现请求消息,消息中包括模式(其值设置为B)、发现类型、限制发现应用层用户标识、终端标识、command(其值设置为ProSe查询)、应用标识和应用透明容器等参数;
步骤1203,ProSe功能实体与归属用户服务器交互,进行发现认证;
步骤1204,ProSe功能实体向ProSe应用服务器发送认证请求消息,消息中包括ProSe限制发现应用层用户标识、指示符和应用透明容器等参数;
步骤1205,ProSe应用服务器向ProSe功能实体回送认证响应消息,消息中包括ProSe发现终端标识、指示符和若干对目标ProSe发现终端标识与目标ProSe限制发现应用层用户标识的对应关系等参数;
步骤1206,归属网络的ProSe功能实体向其他网络的ProSe功能实体发送发现请求消息,消息中包括ProSe限制发现应用层用户标识、终端标识、目标ProSe发现终端标识、应用标识、目标ProSe限制发现应用层用户标识等参数;
步骤1207,其他网络的ProSe功能实体向ProSe应用服务器发送认证请求消息,消息中包括ProSe限制发现应用层用户标识、指示符和目标ProSe限制发现应用层用户标识等参数;
步骤1208,ProSe应用服务器向其他网络的ProSe功能实体回送认证响 应消息,消息中包括ProSe发现终端标识、指示符和目标ProSe发现终端标识;
步骤1209,其他网络的ProSe功能实体向归属网络的ProSe功能实体回送发现响应消息,消息中包括ProSe查询码、发现过滤器、ProSe查询密钥、ProSe响应码和ProSe响应密钥等参数;
步骤1210,归属网络的ProSe功能实体向主动终端当前注册的拜访网络中的ProSe功能实体发送广播认证消息,消息中包括ProSe应用标识、ProSe查询码和终端标识等参数;
步骤1211,拜访网络的ProSe功能实体向归属网络的ProSe功能实体回送广播认证响应消息;
步骤1212,归属网络的ProSe功能实体向主动终端回送发现响应消息,消息中包括模式(其值设置为B)、发现过滤器、ProSe查询码、ProSe查询密钥、当前时间、最大偏移值和有效期等参数;
步骤1213,主动终端配置无线资源。
查询过程的实现流程,如图19所示:
步骤1301,主动终端计算查询MIC;
这里,所述查询MIC使用签名算法即HMAC-SHA-256计算所得,即MIC=HMAC-SHA-256(ProSe查询密钥,字符串S),所述字符串由S=FC||P0||L0||P1||L1||P2||L2组成,其中FC为固定长度的算法类型,P0为消息类型,其值设置为PC5_DISCOVERY,L0为消息类型长度,P1为ProSe查询码,L1为ProSe查询码长度,P2为基于UTC时间的计数器值,L2为计数器值长度。
步骤1302,主动终端向被动终端发送查询请求消息,消息中包括ProSe查询码、查询MIC和计数器值的最低4位(二级制)等参数;
步骤1303,被动终端向它的归属网络中的ProSe功能实体发送认证请 求消息,消息中包括ProSe查询码、查询MIC和基于UTC时间的计数器值等参数;
步骤1304,被动终端的归属网络的ProSe功能实体检查查询MIC;
步骤1305,被动终端的归属网络的ProSe功能实体向被动终端回送认证响应消息;
步骤1306,被动终端计算响应MIC;
这里,所述响应MIC使用签名算法即HMAC-SHA-256计算所得,即MIC=HMAC-SHA-256(ProSe响应密钥,字符串S),所述字符串由S=FC||P0||L0||P1||L1||P2||L2组成,其中FC为固定长度的算法类型,P0为消息类型,其值设置为PC5_DISCOVERY,L0为消息类型长度,P1为ProSe响应码,L1为ProSe响应码长度,P2为基于UTC时间的计数器值,L2为计数器值长度。
步骤1307,被动终端检查ProSe查询码,如果通过检查,向主动终端回送查询响应消息,消息中包括ProSe响应码、响应MIC和计数器值的最低4位(二级制)参数。
匹配过程的实现流程,如图20所示:
步骤1401,主动终端向自身的归属网络中的ProSe功能实体发送匹配报告消息,消息中包括ProSe限制发现应用层用户标识、终端标识、发现类型、应用标识、ProSe响应码、ProSe响应MIC和基于UTC时间的计数器值等参数;
步骤1402,归属网络的ProSe功能实体进行发现认证;
步骤1403,归属网络的ProSe功能实体分析ProSe响应码并检查响应MIC;
步骤1404,归属网络的ProSe功能实体向ProSe应用服务器发送认证请求消息,消息中包括ProSe限制发现应用层用户标识、目标ProSe限制发 现应用层用户标识和指示符等参数;
步骤1405,ProSe应用服务器进行处理;
步骤1406,ProSe应用服务器向归属网络的ProSe功能实体回送认证响应消息,消息中包括ProSe发现终端标识、目标ProSe发现终端标识、指示符等参数,可选地,也可以包括元数据参数;
步骤1407,归属网络的ProSe功能实体验证ProSe发现终端标识;
步骤1408,归属网络的ProSe功能实体向主动终端回送匹配报告响应消息,消息中包括应用标识,目标ProSe限制发现应用层用户标识和有效期等参数,可选地,也可以包括元数据参数;
步骤1409,归属网络的ProSe功能实体向其他网络的ProSe功能实体发送匹配报告信息消息,消息中包括ProSe限制发现应用层用户标识、终端标识、ProSe响应码和发现类型等参数。
本发明实施例提供的被动终端归属网络的ProSe功能实体中的请求接收模块、响应回送模块,都可以通过被动终端归属网络的ProSe功能实体中的处理器来实现;本发明实施例提供的主动终端的归属网络的ProSe功能实体中的第一接收模块、第一发送模块,都可以通过主动终端的归属网络的ProSe功能实体中的处理器来实现;本发明实施例提供的主动终端中的第二发送模块、第二接收模块,都可以通过主动终端中的处理器来实现;本发明实施例提供的被动终端中的第三接收模块、第三发送模块、第四发送模块,都可以通过被动终端中的处理器来实现;
当然上述处理器完成的功能也可通过具体的逻辑电路实现;在具体实施例的过程中,处理器可以为中央处理器(CPU)、微处理器(MPU)、数字信号处理器(DSP)或现场可编程门阵列(FPGA)等。
需要说明的是,本发明实施例中,如果以软件功能模块的形式实现上述的D2D模式B发现的安全方法,并作为独立的产品销售或使用时,也可 以存储在一个计算机可读取存储介质中。基于这样的理解,本发明实施例的技术方案本质上或者说对现有技术做出贡献的部分可以以软件产品的形式体现出来,该计算机软件产品存储在一个存储介质中,包括若干指令用以使得一台计算机设备(可以是个人计算机、服务器、或者网络设备等)执行本发明各个实施例所述方法的全部或部分。而前述的存储介质包括:U盘、移动硬盘、只读存储器(ROM,Read Only Memory)、磁碟或者光盘等各种可以存储程序代码的介质。这样,本发明实施例不限制于任何特定的硬件和软件结合。
相应地,本发明实施例再提供一种计算机存储介质,所述计算机存储介质中存储有计算机可执行指令,该计算机可执行指令用于执行本发明实施例中的D2D模式B发现的安全方法。
以上所述,仅为本发明的较佳实施例而已,并非用于限定本发明的保护范围,凡在本发明的精神和原则之内所作的任何修改、等同替换和改进等,均应包含在本发明的保护范围之内。
工业实用性
本发明实施例中,在D2D模式B的发现业务的四个过程中,通过增加相应的参数,对被动终端的发现响应消息、主动终端的发现响应消息、主动终端发送给被动终端的查询请求消息、被动终端发送给主动终端的查询响应消息、以及主动终端的匹配报告消息进行完整性保护;如此,在D2D模式B的发现业务的四个过程中,对被动终端的发现响应消息、主动终端的发现响应消息、主动终端发送给被动终端的查询请求消息、被动终端发送给主动终端的查询响应消息、以及主动终端的匹配报告消息进行了完整性保护,消除了被攻击者重放攻击的威胁。

Claims (36)

  1. 一种设备到设备(D2D)模式B发现的安全方法,该方法包括:
    被动终端归属网络中的基于距离的业务(ProSe)功能实体向被动终端回送ProSe响应码、ProSe响应密钥;
    被动终端接收所述ProSe响应码、ProSe响应密钥。
  2. 根据权利要求1所述的安全方法,其中,所述被动终端归属网络中的ProSe功能实体向被动终端回送ProSe响应码、ProSe响应密钥,包括:被动终端归属网络中的ProSe功能实体接收被动终端的发现请求消息,对所述被动终端进行认证处理,向所述被动终端发送发现响应消息,所述发现响应消息包括:ProSe响应码、ProSe响应密钥。
  3. 根据权利要求2所述的安全方法,其中,所述发现响应消息还包括:当前时间和最大偏移值。
  4. 根据权利要求3所述的安全方法,其中,所述发现响应消息还包括:模式、发现过滤器和有效期。
  5. 一种D2D模式B发现的安全方法,该方法包括:
    主动终端归属网络的ProSe功能实体接收其他网络的ProSe功能实体回送的ProSe查询码、ProSe查询密钥、ProSe响应码和ProSe响应密钥;
    主动终端归属网络的ProSe功能实体向主动终端回送ProSe查询码、ProSe查询密钥。
  6. 根据权利要求5所述的安全方法,其中,所述主动终端归属网络的ProSe功能实体接收其他网络的ProSe功能实体回送的ProSe查询码、ProSe查询密钥、ProSe响应码和ProSe响应密钥,包括:主动终端归属网络的ProSe功能实体接收其他网络的ProSe功能实体回送的第一发现响应消息,所述第一发现响应消息包括:ProSe查询码、ProSe查询密钥、ProSe响应码和ProSe响应密钥。
  7. 根据权利要求6所述的安全方法,其中,所述第一发现响应消息还包括:ProSe查询码和发现过滤器。
  8. 根据权利要求6所述的安全方法,其中,所述主动终端归属网络的ProSe功能实体向主动终端回送ProSe查询码、ProSe查询密钥、当前时间和最大偏移值,包括:主动终端归属网络的ProSe功能实体与主动终端当前注册的拜访网络中的ProSe功能实体进行广播认证后,向主动终端回送第二发现响应消息,所述第二发现响应消息包括:ProSe查询码、ProSe查询密钥、当前时间和最大偏移值。
  9. 根据权利要求8所述的安全方法,其中,所述第二发现响应消息还包括:当前时间和最大偏移值。
  10. 根据权利要求9所述的安全方法,其中,所述第二发现响应消息还包括:模式、发现过滤器和有效期。
  11. 一种D2D模式B发现的安全方法,该方法包括:
    主动终端计算查询消息完整性保护码(MIC),向被动终端发送ProSe查询码、查询MIC和时间校准值;
    主动终端接收被动终端回送的ProSe响应码和响应MIC。
  12. 根据权利要求11所述的安全方法,其中,所述主动终端计算查询MIC包括:主动终端使用基于哈希函数消息认证码(HMAC)-安全散列算法(SHA-256)计算查询MIC,即MIC=HMAC-SHA-256(ProSe查询密钥,字符串S),所述字符串由S=FC||P0||L0||P1||L1||P2||L2组成,其中FC为固定长度的算法类型,P0为消息类型,其值设置为PC5_DISCOVERY,L0为消息类型长度,P1为ProSe查询码,L1为ProSe查询码长度,P2为基于协调世界时(UTC)时间的计数器值,L2为计数器值长度。
  13. 一种D2D模式B发现的安全方法,该方法包括:
    被动终端接收主动终端发送的ProSe查询码、查询MIC和时间校准值;
    被动终端向自身的归属网络中的ProSe功能实体发送ProSe查询码、查询MIC和基于UTC时间的计数器值,由被动终端的归属网络的ProSe功能实体检查查询MIC;
    被动终端计算响应MIC,并向主动终端回送ProSe响应码和响应MIC。
  14. 根据权利要求13所述的安全方法,其中,所述被动终端计算响应MIC包括:被动终端使用HMAC-SHA-256计算响应MIC,即MIC=HMAC-SHA-256(ProSe响应密钥,字符串S),所述字符串由S=FC||P0||L0||P1||L1||P2||L2组成,其中FC为固定长度的算法类型,P0为消息类型,其值设置为PC5_DISCOVERY,L0为消息类型长度,P1为ProSe响应码,L1为ProSe响应码长度,P2为基于UTC时间的计数器值,L2为计数器值长度。
  15. 一种D2D模式B发现的安全方法,该方法包括:
    主动终端向自身的归属网络中的ProSe功能实体发送ProSe响应码、响应MIC和基于UTC时间的计数器值;
    归属网络的ProSe功能实体接收ProSe响应码、响应MIC和基于UTC时间的计数器值,分析ProSe响应码并检查响应MIC。
  16. 根据权利要求15所述的安全方法,其中,所述主动终端向自身的归属网络中的ProSe功能实体发送ProSe响应码、响应MIC和基于UTC时间的计数器值包括:主动终端向自身的归属网络中的ProSe功能实体发送匹配报告消息,所述匹配报告消息包括:ProSe响应码、响应MIC和基于UTC时间的计数器值。
  17. 根据权利要求16所述的安全方法,其中,所述匹配报告消息还 包括ProSe限制发现应用层用户标识、终端标识、发现类型和应用标识。
  18. 一种D2D模式B发现的安全系统,该系统包括:被动终端归属网络中的ProSe功能实体、被动终端;其中,
    被动终端归属网络中的ProSe功能实体,配置为向被动终端回送ProSe响应码、ProSe响应密钥;
    被动终端,配置为接收所述ProSe响应码、ProSe响应密钥。
  19. 根据权利要求18所述的安全系统,其中,所述被动终端的归属网络中的ProSe功能实体,具体配置为接收被动终端的发现请求消息,对所述被动终端进行认证处理,向所述被动终端发送发现响应消息,所述发现响应消息包括:ProSe响应码、ProSe响应密钥。
  20. 根据权利要求19所述的安全系统,其中,所述发现响应消息还包括:当前时间和最大偏移值。
  21. 一种被动终端归属网络的ProSe功能实体,该ProSe功能实体包括:请求接收模块、响应回送模块;其中,
    请求接收模块,配置为接收被动终端的发现请求消息;
    响应回送模块,配置为向所述被动终端回送发现响应消息,所述发现响应消息包括:ProSe响应码、ProSe响应密钥。
  22. 一种主动终端的归属网络的ProSe功能实体,该ProSe功能实体包括:第一接收模块、第一发送模块;其中,
    第一接收模块,配置为接收其他网络的ProSe功能实体回送的ProSe查询码、ProSe查询密钥、ProSe响应码和ProSe响应密钥;
    第一发送模块,配置为向主动终端回送ProSe查询码、ProSe查询密钥。
  23. 根据权利要求22所述的ProSe功能实体,其中,所述第一接收模块,具体配置为接收其他网络的ProSe功能实体回送的第一发现响应消 息,所述第一发现响应消息包括:ProSe查询码、ProSe查询密钥、ProSe响应码和ProSe响应密钥。
  24. 根据权利要求23所述的ProSe功能实体,其中,所述第一发送模块,具体配置为与主动终端当前注册的拜访网络中的ProSe功能实体进行广播认证后,向主动终端回送第二发现响应消息,所述第二发现响应消息包括:ProSe查询码、ProSe查询密钥。
  25. 根据权利要求24所述的ProSe功能实体,其中,所述第二发现响应消息还包括:当前时间和最大偏移值。
  26. 一种主动终端,该主动终端包括:第二发送模块、第二接收模块;其中,
    第二发送模块,配置为计算查询MIC,向被动终端发送ProSe查询码、查询MIC和时间校准值;
    第二接收模块,配置为接收被动终端回送的ProSe响应码和响应MIC。
  27. 根据权利要求26所述的主动终端,其中,所述第二发送模块,具体配置为使用HMAC-SHA-256计算查询MIC,即MIC=HMAC-SHA-256(ProSe查询密钥,字符串S),所述字符串由S=FC||P0||L0||P1||L1||P2||L2组成,其中FC为固定长度的算法类型,P0为消息类型,其值设置为PC5_DISCOVERY,L0为消息类型长度,P1为ProSe查询码,L1为ProSe查询码长度,P2为基于UTC时间的计数器值,L2为计数器值长度。
  28. 一种被动终端,该被动终端包括:第三接收模块、第三发送模块、第四发送模块,其中,
    第三接收模块,配置为接收主动终端发送的ProSe查询码、查询MIC和时间校准值;
    第三发送模块,配置为向自身的归属网络中的ProSe功能实体发送ProSe查询码、查询MIC和基于UTC时间的计数器值,由被动终端的归属网络的ProSe功能实体检查查询MIC;
    第四发送模块,配置为计算响应MIC,并向主动终端回送ProSe响应码和响应MIC。
  29. 根据权利要求28所述的被动终端,其中,所述第四发送模块,具体配置为使用HMAC-SHA-256计算响应MIC,即MIC=HMAC-SHA-256(ProSe响应密钥,字符串S),所述字符串由S=FC||P0||L0||P1||L1||P2||L2组成,其中FC为固定长度的算法类型,P0为消息类型,其值设置为PC5_DISCOVERY,L0为消息类型长度,P1为ProSe响应码,L1为ProSe响应码长度,P2为基于UTC时间的计数器值,L2为计数器值长度。
  30. 一种D2D模式B发现的安全系统,该系统包括:主动终端、主动终端的归属网络的ProSe功能实体;其中,
    主动终端,配置为向主动终端的归属网络中的ProSe功能实体发送ProSe响应码、响应MIC和基于UTC时间的计数器值;
    主动终端的归属网络的ProSe功能实体,配置为接收ProSe响应码、响应MIC和基于UTC时间的计数器值,分析ProSe响应码并检查响应MIC。
  31. 根据权利要求30所述的安全系统,其中,所述主动终端,具体配置为向自身的归属网络中的ProSe功能实体发送匹配报告消息,所述匹配报告消息包括:ProSe响应码、响应MIC和基于UTC时间的计数器值。
  32. 根据权利要求31所述的安全系统,其中,所述匹配报告消息还包括ProSe限制发现应用层用户标识、终端标识、发现类型和应用标识。
  33. 一种计算机存储介质,所述计算机存储介质中存储有计算机可 执行指令,该计算机可执行指令用于执行权利要求1至4任一项所述的D2D模式B发现的安全方法。
  34. 一种计算机存储介质,所述计算机存储介质中存储有计算机可执行指令,该计算机可执行指令用于执行权利要求5至10任一项所述的D2D模式B发现的安全方法。
  35. 一种计算机存储介质,所述计算机存储介质中存储有计算机可执行指令,该计算机可执行指令用于执行权利要求11或12所述的D2D模式B发现的安全方法。
  36. 一种计算机存储介质,所述计算机存储介质中存储有计算机可执行指令,该计算机可执行指令用于执行权利要求13或14所述的D2D模式B发现的安全方法。
PCT/CN2015/086231 2015-01-09 2015-08-06 D2d模式b发现的安全方法、终端和系统、存储介质 WO2016110093A1 (zh)

Priority Applications (2)

Application Number Priority Date Filing Date Title
EP15876597.4A EP3229435B1 (en) 2015-01-09 2015-08-06 D2d mode b discovery security method, and storage medium
US15/542,081 US10405363B2 (en) 2015-01-09 2015-08-06 D2D mode B discovery security method, terminal and system, and storage medium

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201510013226.XA CN105828413B (zh) 2015-01-09 2015-01-09 一种d2d模式b发现的安全方法、终端和系统
CN201510013226.X 2015-01-09

Publications (1)

Publication Number Publication Date
WO2016110093A1 true WO2016110093A1 (zh) 2016-07-14

Family

ID=56355475

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2015/086231 WO2016110093A1 (zh) 2015-01-09 2015-08-06 D2d模式b发现的安全方法、终端和系统、存储介质

Country Status (4)

Country Link
US (1) US10405363B2 (zh)
EP (1) EP3229435B1 (zh)
CN (1) CN105828413B (zh)
WO (1) WO2016110093A1 (zh)

Families Citing this family (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10602356B2 (en) 2015-04-13 2020-03-24 Telefonaktiebolaget Lm Ericsson (Publ) Methods and apparatus for end device discovering another end device
US10638412B2 (en) 2016-01-25 2020-04-28 Telefonaktiebolaget Lm Ericsson (Publ) Implicit spatial replay protection
US11070631B2 (en) 2016-01-25 2021-07-20 Telefonaktiebolaget Lm Ericsson (Publ) Explicit spatial replay protection
WO2018165548A1 (en) * 2017-03-10 2018-09-13 Stojanovski Alexandre Saso Technology coordination for device-to-device discovery
KR102468390B1 (ko) * 2017-05-31 2022-11-18 삼성에스디에스 주식회사 토큰 관리 방법 및 이를 수행하기 위한 서버
US11133964B2 (en) 2017-06-16 2021-09-28 Telefonaktiebolaget Lm Ericsson (Publ) Frequency offset estimation
WO2019095128A1 (en) * 2017-11-15 2019-05-23 Nokia Technologies Oy Authorization of applications for direct discovery
US11418335B2 (en) 2019-02-01 2022-08-16 Hewlett-Packard Development Company, L.P. Security credential derivation
US20220032181A1 (en) * 2019-03-18 2022-02-03 Google Llc Cloud-based discovery service for end-user devices
CN110119269B (zh) * 2019-04-19 2023-07-21 北京大米科技有限公司 控制任务对象的方法、装置、服务器及存储介质
CN113556708B (zh) * 2020-04-03 2022-08-12 大唐移动通信设备有限公司 一种邻近发现标识的使用方法、装置及存储介质

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2014116083A1 (en) * 2013-01-28 2014-07-31 Samsung Electronics Co., Ltd. Method and apparatus for device to device communication
CN104066200A (zh) * 2013-03-21 2014-09-24 北京三星通信技术研究有限公司 一种ue间端到端通信的实现方法及用户设备
US20140344578A1 (en) * 2013-05-16 2014-11-20 Samsung Electronics Co., Ltd. Method and apparatus for performing discovery for device-to-device communication
CN104168629A (zh) * 2013-05-17 2014-11-26 电信科学技术研究院 邻近服务中继节点的发现方法、终端及邻近服务通信系统

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102214278B (zh) * 2010-04-06 2013-04-10 国民技术股份有限公司 一种计算机的可信性检测方法
US9681261B2 (en) * 2012-11-01 2017-06-13 Lg Electronics Inc. Method and apparatus of providing integrity protection for proximity-based service discovery with extended discovery range
BR112016021675A2 (pt) * 2014-03-21 2018-12-04 Ericsson Telefon Ab L M método, dispositivo sem fio, nó de rede e programa de computador para autenticação em descoberta de dispositivo a dispositivo, e, produto de programa de computador.
WO2016065647A1 (zh) * 2014-10-31 2016-05-06 西安酷派软件科技有限公司 D2d通信中检验mic的方法和d2d通信系统

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2014116083A1 (en) * 2013-01-28 2014-07-31 Samsung Electronics Co., Ltd. Method and apparatus for device to device communication
CN104066200A (zh) * 2013-03-21 2014-09-24 北京三星通信技术研究有限公司 一种ue间端到端通信的实现方法及用户设备
US20140344578A1 (en) * 2013-05-16 2014-11-20 Samsung Electronics Co., Ltd. Method and apparatus for performing discovery for device-to-device communication
CN104168629A (zh) * 2013-05-17 2014-11-26 电信科学技术研究院 邻近服务中继节点的发现方法、终端及邻近服务通信系统

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
See also references of EP3229435A4 *

Also Published As

Publication number Publication date
CN105828413B (zh) 2020-11-10
EP3229435A1 (en) 2017-10-11
EP3229435B1 (en) 2019-01-02
US20180279394A1 (en) 2018-09-27
CN105828413A (zh) 2016-08-03
EP3229435A4 (en) 2017-11-15
US10405363B2 (en) 2019-09-03

Similar Documents

Publication Publication Date Title
WO2016110093A1 (zh) D2d模式b发现的安全方法、终端和系统、存储介质
US9819596B2 (en) Efficient policy enforcement using network tokens for services C-plane approach
US10694046B2 (en) Method and system for charging information recording in device to device (D2D) communication
JP6185017B2 (ja) セキュアユーザプレーンロケーション(supl)システムにおける認証
CN102448064B (zh) 通过非3gpp接入网的接入
CN107852341B (zh) 用于特征的授权和激活的子系统
US9766967B2 (en) Providing a network access failure cause value of a user equipment
EP3284276B1 (en) Security improvements in a cellular network
US20140349611A1 (en) Method and System for Selective and Secure interaction of BYOD (Bring Your Own Device) with Enterprise network through mobile wireless networks
JP2018510578A (ja) 完全前方秘匿性を有する認証および鍵共有
KR20210035925A (ko) 비밀 식별자를 사용하는 사용자 장비에 관련된 동작
US10484396B2 (en) Method and device for examining message integrity check
WO2013185709A1 (zh) 一种呼叫认证方法、设备和系统
US20190014472A1 (en) Secure Communication Method and Core Network Node
CN112073925A (zh) 处理数据包的方法及装置
WO2015196704A1 (zh) 处理prose业务授权变化的方法、第一网元、第二网元
WO2015158055A1 (zh) 一种实现设备到设备发现业务的方法、终端、存储介质
US11985497B2 (en) Systems and methods for network-based encryption of a user equipment identifier
WO2022174729A1 (zh) 保护身份标识隐私的方法与通信装置

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 15876597

Country of ref document: EP

Kind code of ref document: A1

REEP Request for entry into the european phase

Ref document number: 2015876597

Country of ref document: EP

WWE Wipo information: entry into national phase

Ref document number: 15542081

Country of ref document: US

NENP Non-entry into the national phase

Ref country code: DE