WO2018137202A1 - Method, apparatus, and system for transmitting data - Google Patents

Method, apparatus, and system for transmitting data Download PDF

Info

Publication number
WO2018137202A1
WO2018137202A1 PCT/CN2017/072674 CN2017072674W WO2018137202A1 WO 2018137202 A1 WO2018137202 A1 WO 2018137202A1 CN 2017072674 W CN2017072674 W CN 2017072674W WO 2018137202 A1 WO2018137202 A1 WO 2018137202A1
Authority
WO
WIPO (PCT)
Prior art keywords
key
terminal device
data type
parameter value
target data
Prior art date
Application number
PCT/CN2017/072674
Other languages
French (fr)
Chinese (zh)
Inventor
诸华林
李�赫
靳维生
Original Assignee
华为技术有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 华为技术有限公司 filed Critical 华为技术有限公司
Priority to PCT/CN2017/072674 priority Critical patent/WO2018137202A1/en
Publication of WO2018137202A1 publication Critical patent/WO2018137202A1/en

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/041Key generation or derivation
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/043Key management, e.g. using generic bootstrapping architecture [GBA] using a trusted network node as an anchor
    • H04W12/0433Key management protocols

Definitions

  • the present application relates to the field of wireless communication technologies, and in particular, to a method, an apparatus, and a system for transmitting data.
  • a network device that establishes a mobile network often includes a security management device (such as an authentication, authorization and accounting server (AAA sever), or a Home Subscriber Server (HSS)), and a network control device (such as MulteFire).
  • a security management device such as an authentication, authorization and accounting server (AAA sever), or a Home Subscriber Server (HSS)
  • HSS Home Subscriber Server
  • MulteFire Network Neutral Host Mobility Management Entity
  • NH MME Network Neutral Host Mobility Management Entity
  • security termination device such as Packet Data Network Gateway (PDN GW), Service Capability Exposure Function (SCEF) network Equipment, Evolved Packet Data Gateway (ePDG), etc.
  • PDN GW Packet Data Network Gateway
  • SCEF Service Capability Exposure Function
  • ePDG Evolved Packet Data Gateway
  • the terminal device can transmit data to the server through the mobile network.
  • the Internet of Things data for example, temperature, humidity, etc.
  • the terminal device and the server transmit the Internet of Things data transmission method: the terminal device can send the uplink Internet of Things data to the server, that is, the terminal device can transmit the Internet of Things data to the network control device (such as the NH MME), and the network control device receives the After the IoT data is transmitted, it can be transmitted to the secure termination device, and the secure termination device sends the received IoT data to the server.
  • the network control device such as the NH MME
  • the server may also send the downlink IoT data to the terminal device, that is, the server may transmit the IoT data to the security termination device, and after receiving the IoT data, the security termination device may transmit the data to the network control device (such as the NH MME), and then The network control device sends the received Internet of Things data to the terminal device.
  • the network control device such as the NH MME
  • some enterprises or units may independently deploy network control devices of the mobile network.
  • the terminal device transmits data according to some network control devices and servers deployed by enterprises or units with poor reliability, the network control device may It will steal data transmitted by the terminal device and the server, resulting in poor security of data transmission.
  • the embodiments of the present application provide a method, an apparatus, and a system for transmitting data.
  • the technical solution is as follows:
  • a first aspect provides a method for transmitting data, where the method includes: the security management device can determine a transmission data type of the terminal device; and when the transmission data type of the terminal device includes a preset target data type, the key can be obtained. The parameter value is derived, the first key is obtained according to the key derivation parameter value, and the first key is sent to the security termination device.
  • the security management device in the authentication process, can determine the type of transmission data of the terminal device, and in the case that it is determined that the transmission data type of the terminal device includes the preset target data type, the security management device The key derivation parameter value can be obtained. Further, the first key can be derived based on the obtained key derivation parameter value. Once the first key is determined, it can be sent to the secure termination device. In this way, the security termination device can encrypt the data of the target data type transmitted by the server to the terminal device, so that the network control device can steal the data, thereby The security of data transmission can be guaranteed.
  • the security management device determines the transmission data type of the terminal device, including: determining, according to the indication information that is sent by the terminal device to indicate the type of the transmission data of the terminal device, the type of the transmission data of the terminal device; or The transmission data type of the terminal device is determined according to the correspondence between the pre-stored device identifier and the transmission data type and the device identifier sent by the terminal device.
  • the target data type may be an Internet of Things data type
  • the indication information may be an IoT optimization architecture support indication information
  • the method further includes: the security management device sends a key derivation parameter value to the terminal device, where the key derivation parameter value is used by the terminal device to acquire the first key.
  • the security management device acquires the key deduction parameter value, including: when the transmission data type of the terminal device includes the target data type, the security management device Obtain the key derivation parameter value sent by the terminal device.
  • the terminal device and the security termination device can obtain the first key, so as to encrypt or decrypt the data of the target data type transmitted by the terminal device and the server, thereby ensuring the security of data transmission.
  • the sending the first key to the security termination device includes: encrypting the first key based on a predefined public key, obtaining the encrypted first key; and sending the encrypted first terminal to the security termination device The encrypted first key.
  • the security management device may encrypt the first key based on the predefined public key to obtain the encrypted first key, and further, to the security termination device. Send the encrypted first key. In this way, the security of the first key transmission can be enhanced.
  • the sending the encrypted first key to the security termination device includes: sending, by using the network control device, the encrypted first key to the security termination device, so that the network control device is safe.
  • the terminating device sends the encrypted first key.
  • the security management device may send the encrypted first key to the network control device, and the network control device receives the encrypted first key, and may send the encrypted first key. To the safety termination device.
  • the network control device sends the encrypted first key to the security termination device, so that the network control device sends the encrypted first key to the security termination device, including: The control device sends the encrypted first key to the security termination device, so that the network control device sends the encrypted first key when sending the connection establishment request to the security termination device.
  • the network control device may send the encrypted terminal to the security termination device when sending the connection establishment request to the security termination device.
  • a key that is, a connection establishment request, may carry the encrypted first key. In this way, the network control device is not required to transmit the encrypted first key, and the data transmission with the secure termination device is increased once.
  • the key derivation parameter value may be a random value or a device identifier of the terminal device.
  • a second aspect provides a method for transmitting data, where the method includes: determining, by a terminal device, a terminal device, a type of transmission data of the terminal device; and when the transmission data type of the terminal device includes a target data type, obtaining the data. a key derivation parameter value; obtaining a first key according to the key derivation parameter value, wherein the first key is used by the terminal device to encrypt data of the target data type to be transmitted according to the first key, or to encrypt the received data After The data of the standard data type is decrypted.
  • the terminal device when the transmission data type of the terminal device includes the target data type, the terminal device may obtain the same key derivation parameter value as the security management device, and further, derive the parameter value and the density based on the obtained key. Key material, deriving the first key.
  • the data of the target data type is transmitted to the server, the data may be encrypted, or when the data of the encrypted target data type is received, the received data is decrypted.
  • the method further includes: the terminal device may send, to the security management device, the device identifier of the terminal device and/or the indication information used to indicate the type of the transmission data of the terminal device.
  • the target data type may be an Internet of Things data type
  • the indication information may be an IoT optimization architecture support indication information
  • the terminal device when the transmission data type of the terminal device includes the target data type, acquires the key derivation parameter value, including: when the transmission data type of the terminal device includes the target data type, the terminal device acquires the security. Manage the value of the key derivation parameter sent by the device.
  • the method further includes: the terminal device sends the generated key derivation parameter value to the security management device, where the key derivation parameter value is used by the security management device to acquire the first key.
  • the key derivation parameter value may be a random value or a device identifier of the terminal device.
  • the first key is used by the terminal device to encrypt data of the target data type to be transmitted according to the first key, or to decrypt the received data of the target data type, including
  • the first key is used for encrypting data of the target data type to be transmitted by the terminal device, or decrypting the data of the received target data type; or the first key is used for the terminal device based on the first key
  • the key is used to obtain the second key; the second key is used to encrypt the data of the target data type to be transmitted by the terminal device, or to decrypt the received data of the target data type.
  • a third aspect provides a method for transmitting data, the method comprising: receiving, by a security termination device, a first key sent by a security management device, where the first key is used by the security termination device based on the first key pair terminal
  • the data of the encrypted target data type sent by the device is decrypted, or the data of the target data type sent by the server to the terminal device is encrypted.
  • the security termination device can receive the first key.
  • the encrypted data may be decrypted based on the first key, and when receiving the data of the target data type sent by the server to the terminal device, The data is encrypted based on the first key.
  • the security termination device receives the first key sent by the security management device, including: the security termination device receives the encrypted first key sent by the security management device; and the method further includes: pre- The stored private key decrypts the encrypted first key to obtain the first key.
  • the first key is used by the security termination device to decrypt the data of the encrypted target data type sent by the terminal device based on the first key, or the target data type sent to the terminal device by the server.
  • the data is encrypted, including: the first key is used by the security termination device to decrypt the encrypted target data type data sent by the terminal device, or the data of the target data type sent by the server to the terminal device is encrypted; or The first key is used by the security termination device to obtain the second key based on the first key; the second key is used by the security termination device to decrypt the encrypted target data type data sent by the terminal device, or send the data to the server.
  • the data of the target data type is encrypted.
  • a security management device comprising a processor and a communication interface, the processor being configured to execute instructions stored in the memory; and the processor implementing the instructions provided by the first aspect by executing the instructions The method of transferring data.
  • a terminal device comprising a processor, a transmitter and a receiver, the processor being configured to execute an instruction stored in the memory; the processor implementing the instruction provided by the second aspect The method of transmitting data.
  • a security termination device comprising a processor and a communication interface, the processor being configured to execute instructions stored in the memory; and the processor implementing the instructions provided by the third aspect by executing the instructions The method of transferring data.
  • a security management device comprising at least one module, the at least one module for implementing the method for transmitting data provided by the first aspect.
  • a terminal device comprising at least one module, the at least one module configured to implement the method for transmitting data provided by the second aspect.
  • the ninth aspect provides a security termination device, where the security termination device includes at least one module, and the at least one module is configured to implement the method for transmitting data provided by the foregoing third aspect.
  • the technical effects obtained by the fourth and seventh aspects of the embodiments of the present application are similar to those obtained by the corresponding technical means in the first aspect, and are not described herein again.
  • the technical effects obtained by the fifth and eighth aspects of the embodiments of the present application are similar to those obtained by the corresponding technical means in the second aspect, and are not described herein again.
  • the technical effects obtained by the sixth and ninth aspects of the embodiments of the present application are similar to those obtained by the corresponding technical means in the third aspect, and are not described herein again.
  • a tenth aspect provides a system for transmitting data, the system comprising a security management device, a terminal device, and a security termination device, wherein: a security management device is configured to determine a transmission data type of the terminal device; and a transmission data type of the terminal device When the target data type is included, the security management device obtains the key derivation parameter value; and obtains the first key according to the key derivation parameter value, where the first key is used by the security termination device to encrypt the terminal device based on the first key.
  • the data of the target data type is decrypted, or the data of the target data type sent by the server to the terminal device is encrypted; the security management device sends the first key to the security termination device; and the terminal device is used to determine the terminal device a transmission data type; when the transmission data type of the terminal device includes a target data type, acquiring a key derivation parameter value; and acquiring a first key according to the key derivation parameter value, wherein the first key Number of target data types to be transmitted by the terminal device based on the first security key Encryption, or encrypted target data type of the received data is decrypted.
  • the security management device may obtain the key derivation parameter value when determining that the transmission data type of the terminal device includes the preset target data type. Further, the first key can be obtained based on the obtained key derivation parameter value and sent to the security termination device. After receiving the first key, the security termination device may decrypt the encrypted target data type data sent by the terminal device based on the first key, or encrypt the data of the target data type sent by the server to the terminal device.
  • the terminal device may also obtain the key derivation parameter value that is the same as the key derivation parameter value obtained by the security management device, and the terminal device may also acquire the first key, and further, the terminal device may be based on the target data type to be transmitted by the first key.
  • the data is encrypted or the received encrypted data of the target data type is decrypted.
  • the terminal device and the security termination device in the transmission path may encrypt the data based on the first key learned in advance, because the first key is not stored in the network control device. Therefore, the network control device cannot decrypt the encrypted data transmitted by the terminal device and the server, that is, the data transmitted by the terminal device and the server cannot be stolen, thereby enhancing the security of data transmission.
  • FIG. 1(a) is a schematic diagram of a system framework provided by an embodiment of the present application.
  • FIG. 1(b) is a schematic diagram of a system framework provided by an embodiment of the present application.
  • FIG. 2 is a schematic structural diagram of a security management device according to an embodiment of the present application.
  • FIG. 3 is a schematic structural diagram of a terminal device according to an embodiment of the present application.
  • FIG. 4 is a schematic structural diagram of a security termination device according to an embodiment of the present application.
  • FIG. 5 is a flowchart of a method for transmitting data according to an embodiment of the present application.
  • FIG. 6 is a flowchart of a method for acquiring a first key according to an embodiment of the present application
  • FIG. 7 is a flowchart of a method for acquiring a first key according to an embodiment of the present application.
  • FIG. 8 is a schematic structural diagram of a security management device according to an embodiment of the present application.
  • FIG. 9 is a schematic structural diagram of a security management device according to an embodiment of the present application.
  • FIG. 10 is a schematic structural diagram of a terminal device according to an embodiment of the present disclosure.
  • FIG. 11 is a schematic structural diagram of a terminal device according to an embodiment of the present application.
  • FIG. 12 is a schematic structural diagram of a security termination device according to an embodiment of the present disclosure.
  • FIG. 13 is a schematic structural diagram of a security termination device according to an embodiment of the present application.
  • the terminal device may include a User Equipment (UE), a Mobile Station ("MS” for short), a Mobile Terminal (Mobile Terminal), and the like.
  • the terminal device may also be a mobile phone (or "cellular” phone), a computer with a mobile terminal, or the like.
  • the terminal device can also be a portable, pocket, handheld, computer built-in or vehicle-mounted mobile device, sensor. They exchange language and/or data with the radio access network to communicate with one or more core networks via a Radio Access Network (“RAN").
  • RAN Radio Access Network
  • the security management device may be an authentication authorization accounting server, a home subscription server, or a functional unit that is jointly performed by the authentication authorization accounting server and the home subscription server.
  • the network control device can be a neutral host mobility management entity of the MulteFire network.
  • the security termination device may be a packet data gateway, a capability open function network device, or an evolved packet data gateway.
  • the server can be a network server for the terminal device server.
  • the security management device may obtain the key derivation parameter value when determining the transmission data type of the terminal device, including the preset target data type, and further deriving the first key based on the obtained key derivation parameter value, and Sended to the security termination device, the security termination device can receive the first key sent by the security management device.
  • the terminal device can also obtain the same key derivation parameter value as the security management device, and derive the first key based on the obtained key derivation parameter value.
  • the terminal device can send data of a target data type (which may be referred to as uplink data) to the server through the network control device and the security termination device.
  • the server may send data of a target data type (which may be referred to as downlink data) to the terminal device through the security terminating device or the network control device, as shown in FIG. 1(a).
  • the network architecture of the mobile network to which the embodiment of the present application is applicable may be as shown in FIG. 1(b), where the MF AP is an access network device and is responsible for direct communication with the UE; the oval frame is a Neutral Host Core Network (neutral host core network) ) is the core network part of the MulteFire network, which may be a network provided by a non-service provider, where the NH MME is responsible for the establishment of the network connection, the mobility management function, and as the Neutral Host Core Network and the service provider network device (SP).
  • the MF AP is an access network device and is responsible for direct communication with the UE
  • the oval frame is a Neutral Host Core Network (neutral host core network)
  • the MulteFire network which may be a network provided by a non-service provider
  • the NH MME is responsible for the establishment of the network connection, the mobility management function, and as the Neutral Host Core Network and the service provider network device (SP).
  • SP Service provider network device
  • AAA an intermediate network element that interacts
  • the Local AAA Proxy is an intermediate network device that the Neutral Host Core Network interacts with a Service Provider Network Equipment (SP AAA);
  • the NH GW is a gateway device;
  • the ePDG belongs to a network device deployed by a service provider, and Used in the non-trusted access architecture, the role is to establish an IPSec tunnel between the UE and the ePDG.
  • the content transmitted in the tunnel is encrypted and is invisible to the network devices in the Neutral Host Core Network.
  • the SP AAA is a network device used by a service provider to authenticate an authenticated UE and provide a secure encryption key.
  • PDN GateWay is the gateway device of the service provider, and data will eventually enter and exit from this gateway device.
  • the security management device may include a processor 210 and a communication interface 220.
  • the processor 210 may be connected to the communication interface 220 and the receiver 230, as shown in FIG.
  • the processor 210 may be a control center of the security management device that performs various functions and processing data of the security management device by running or executing software programs and/or modules stored in the memory, and recalling data stored in the memory.
  • the processor 210 may be configured to acquire related processing of the first key.
  • the processor 210 may include one or more processing units; the processor 210 may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP Processor, etc.), and the like.
  • DSP Signal processor
  • ASIC application specific integrated circuit
  • FPGA field programmable gate array
  • the program can include program code, the program code including computer operating instructions.
  • the memory can be used to store programs.
  • the program can include program code, the program code including computer operating instructions.
  • the memory may contain RAM and may also include non-volatile memory, such as at least one disk storage.
  • the processor 210 executes program code stored in the memory to implement various functions.
  • the terminal device may include a processor 310, a transmitter 320, and a receiver 330.
  • the processor 310 may be respectively connected to the transmitter 320 and the receiver 330. As shown in FIG. 3, the transmitter 320 and the receiver 330 may be collectively referred to as a transceiver.
  • the transmitter 320 can be used to transmit messages or data.
  • the transmitter 320 can include, but is not limited to, at least one amplifier, a tuner, one or more oscillators, a coupler, an LNA (Low Noise Amplifier), a duplexer. Wait.
  • the processor 310 can be a control center of the terminal device that performs various functions and processing data of the terminal device by running or executing software programs and/or modules stored in the memory, and recalling data stored in the memory.
  • processor 310 can be used in related processing to encrypt or decrypt data.
  • the processor 310 may include one or more processing units; the processor 310 may be a general purpose processor, including a central processing unit, a network processor, etc.; or may be a digital signal processor, an application specific integrated circuit, a field programmable gate array, or the like. Programmable logic devices, etc.
  • the program can include program code, the program code including computer operating instructions.
  • the memory can be used to store programs.
  • the program can include program code, the program code including computer operating instructions.
  • the memory may contain RAM or It can also include a non-volatile memory, such as at least one disk storage.
  • the processor 310 executes program code stored in the memory to implement various functions.
  • the security termination device can include a processor 410 and a communication interface 420, which can be coupled to the communication interface 420, as shown in FIG.
  • the processor 410 can be a control center for the secure termination device that performs various functions and processing data of the secure termination device by running or executing software programs and/or modules stored in the memory, as well as invoking data stored in the memory.
  • the processor 410 may be used for related processing of encrypting or decrypting data
  • the processor 410 may include one or more processing units;
  • the processor 410 may be a general purpose processor including a central processing unit, a network processor Etc.; can also be a digital signal processor, an application specific integrated circuit, a field programmable gate array or other programmable logic device.
  • the program can include program code, the program code including computer operating instructions.
  • the memory can be used to store programs.
  • the program can include program code, the program code including computer operating instructions.
  • the memory may contain RAM and may also include non-volatile memory, such as at least one disk storage.
  • the processor 410 executes program code stored in the memory to implement various functions.
  • the technical solution of the embodiment of the present application may be used to establish an end-to-end secure network architecture using a non-tunnel mode, such as a MulteFire network, or a Long Term Evolution (LTE) network, or a home base station network, or a non-third generation cooperation.
  • a non-tunnel mode such as a MulteFire network, or a Long Term Evolution (LTE) network, or a home base station network, or a non-third generation cooperation.
  • 3GPP for example, mobile network with WIreless-FIdelity (WIFI) access
  • GSM Global System for Mobile communication
  • WCDMA Wideband Code Division Multiple Access
  • Step 501 The terminal device determines a transmission data type of the terminal device.
  • the transmission data type of the terminal device includes the target data type
  • the terminal device acquires a key derivation parameter value.
  • the terminal device may send an attach request to the network control device when the terminal device is powered on.
  • the network control device may send a request for requesting the device identifier of the terminal device to the terminal device, and after receiving the request, the terminal device receives the request.
  • the device identification can be sent to the network control device.
  • the network control device can send it to the security management device.
  • the subsequent terminal device may perform an authentication process with the security management device, wherein the authentication method of the terminal device and the security management device may be an extended authentication protocol-implemented authentication and key agreement (EAP-AKA).
  • EAP-AKA extended authentication protocol-implemented authentication and key agreement
  • EAP-TLS Extensible Authentication Protocol
  • EAP-TTLS Extensible Authentication Protocol-Tunneled Transport Layer Security
  • the terminal device and the security termination device may determine a first key for transmitting data of the target data type, as follows:
  • the terminal device may determine the transmission data type of the terminal device.
  • the key derivation parameter value may be obtained, where the key deduction parameter value may be used by the terminal device to derive the first key.
  • the key derivation parameter value may be a random value or a device identifier of the terminal device.
  • the terminal device may further send, to the security management device, indication information indicating the type of the transmission data of the terminal device.
  • the attach request may carry indication information indicating the type of the transmission data of the terminal device, and after receiving the indication information, the network control device may send the indication information to the security management device.
  • the network control device can send it to the security management device.
  • the foregoing indication information may be a CP CIOT EPS optimization supported information.
  • step 501 based on the source of the key derivation parameter values, the processing of step 501 can be various, and several feasible processing methods are given below:
  • the terminal device acquires a key derivation parameter value sent by the security management device.
  • the security management device can generate a key derivation parameter value and send it to the terminal device, which will be specifically described later. After the security management device sends the key deduction parameter value to the terminal device, the terminal device may receive the key derivation parameter value sent by the security management device. Optionally, the terminal device may store the received key derivation parameter value.
  • the terminal device In the second manner, the terminal device generates a key derivation parameter value, and sends the generated key derivation parameter value to the security management device.
  • the terminal device can generate a key derivation parameter value and can send it to the security management device.
  • the terminal device may generate a key derivation parameter value, and send a generated secret to the authentication authorization accounting server when sending a client-hello message to the authentication authorization charging server.
  • the key derivation parameter value may be generated by EAP-TLS authentication.
  • Step 502 The terminal device acquires a first key according to the key derivation parameter value, where the first key is used by the terminal device to encrypt data of the target data type to be transmitted according to the first key, or to encrypt the received data.
  • the data of the target data type is decrypted.
  • the terminal device may derive the first key based on the obtained key derivation parameter value.
  • the terminal device can store the deduced first key.
  • the terminal device can encrypt the data to be transmitted based on the first key.
  • the received data can be decrypted based on the first key.
  • the terminal device may further derive the second key based on the first key.
  • the first key is used to encrypt data of the target data type to be transmitted by the terminal device, or to decrypt the received data of the target data type; or the first key is used by the terminal device
  • a key is used to derive the second key; the second key is used to securely terminate the data of the target data type to be transmitted by the device, or to decrypt the received data of the target data type.
  • Step 503 The security management device determines a transmission data type of the terminal device.
  • the security management device can determine the type of transmission data of the terminal device.
  • step 502 there is no clear relationship between step 502 and step 503, and may be in parallel, or step 502 may be preceded by step 503, or step 502 may be followed by step 503.
  • the process of step 503 may be as follows: according to the indication information that is sent by the terminal device to indicate the type of the transmission data of the terminal device. Determining a transmission data type of the terminal device; or determining a transmission data type of the terminal device according to a correspondence between the pre-acquired device identifier and the transmission data type.
  • the security management device may receive the device identifier of the terminal device sent by the terminal device and/or indicate the terminal. Indicates the type of data transmitted by the device. For indicating the terminal device sent by the receiving terminal device In the case of the indication information of the transmission data type, after receiving the indication information, the security management device can determine the transmission data type of the terminal device. For the case where the indication information sent by the terminal device is not received, the security management device may determine the transmission data type corresponding to the device identifier of the terminal device in the correspondence between the pre-stored device identifier and the transmission data type.
  • Step 504 When the transmission data type of the terminal device includes the preset target data type, the security management device acquires the key deduction parameter value, and obtains the first key according to the key derivation parameter value.
  • the security management device may determine whether the transmission data type of the terminal device includes a preset target data type. If included, the security management device may obtain a key derivation parameter value, where the key derivation The parameter value is the same as the key derivation parameter value acquired by the terminal device. Further, the first key may be derived based on the obtained key derivation parameter value. Optionally, the security management device can store the first key of the deduction.
  • the key derivation parameter value may be a random value or a device identifier of the terminal device.
  • step 504 can be various, and several feasible processing methods are given below:
  • the transmission data type of the terminal device includes the preset target data type
  • the generated key derivation parameter value is obtained, and the key derivation parameter value is sent to the terminal device, and the first key is obtained according to the key derivation parameter value. key.
  • the security management device can generate a key derivation parameter. Specifically, after receiving the indication information sent by the terminal device, the key derivation parameter value may be generated.
  • the authentication authorization accounting server may generate a key derivation parameter value, and may send the server hello to the terminal device when sending the server hello to the terminal device. The device sends the generated key derivation parameter value, so that the terminal device derives the parameter value based on the key derivation and deduces the first key.
  • the processing method for generating key derivation parameter values can be various.
  • Several feasible processing methods are given below.
  • the terminal device and The security management device still performs the existing authentication process, and the embodiment of the present application does not change the existing process.
  • the authentication authorization accounting server may perform the next processing according to the existing authentication processing flow, that is, may send the AKA to the home subscription server.
  • the home subscription server receives the AKA authentication vector request, in addition to performing existing processing (such as generating an authentication vector), may also generate a key derivation parameter value (such as a random value), and may generate The key derivation parameter value is sent to the authentication authorization charging server (where the home subscription server may send the key derivation parameter value when sending the authentication vector to the authentication authorization charging server, or may be at other time nodes),
  • the authentication authorization accounting server may obtain the generated key derivation parameter value and may send it to the terminal device.
  • the authentication authorization accounting server may derive the first key based on the key derivation parameter value parameter value and other key materials.
  • the first key may be derived based on the key derivation parameter value, and further, the first key may be sent to the authentication authorization charging server.
  • the key derivation parameter value can be transmitted in the same manner as in the mode 1.
  • the authentication authorization charging server may generate a key deduction parameter value and may send the key deduction parameter value to the terminal device.
  • the key derivation parameter value After the key derivation parameter value is generated, the first key can be derived based on the generated key derivation parameter value.
  • the authentication authorization charging The AKA authentication vector request sent by the server to the home subscription server may further carry indication information indicating the type of the transmission data of the terminal device, and after receiving the indication information, the home subscription server may perform subsequent processing of generating the key deduction parameter value. .
  • CK'/IK' in addition to deriving the parameter value by using the key, other key materials (for example: CK'/IK') may be utilized.
  • the key derivation parameter value sent by the terminal device is obtained.
  • the security management device may receive the key derivation parameter value sent by the terminal device and may store it.
  • the security management device may obtain the key derivation parameter value sent by the terminal device, and further derive the first based on the key derivation parameter value. Key.
  • Step 505 The security management device sends the first key to the security termination device.
  • the security termination device may be a trusted network device deployed by a service provider (such as an operator), and may be a network device on a transmission path of the terminal device and the server transmitting data of a target data type.
  • the security termination network device may be a PDN GW, a SCEF, or an ePDG, or an independent security gateway whose deployment location is before the PDN GW.
  • the security management device after the security management device obtains the first key, it can send it to the security termination device.
  • the security management device may encrypt the first key.
  • the process of step 505 may be as follows: encrypting the first key based on a predefined public key, and obtaining the encrypted The first key; the encrypted first key is sent to the security terminating device.
  • the public key may be pre-stored in the security management device.
  • the first key may be encrypted by using a pre-stored public key to obtain the encrypted first key.
  • the secure termination device sends the encrypted first key.
  • the security termination device may send the encrypted first key to the security termination device through the network control device, and correspondingly, the processing procedure may be as follows: the security management device sends the encrypted first to the security termination device by using the network control device A key for causing the network control device to send the encrypted first key to the security terminating device.
  • the encrypted first key may be sent to the network control device during the authentication process, for example, the existing primary device may be sent to the network control device.
  • the encrypted first key is sent to the network control device.
  • the network control device may send the encrypted first key to the security termination device when detecting that the key transmission trigger event occurs.
  • the network control device may send the encrypted first key to the security termination device when sending the connection establishment request, and correspondingly, the processing may be as follows: sending the encrypted first to the security termination device by using the network control device A key, so that the network control device sends the encrypted first key when sending a connection establishment request to the security termination device.
  • the network control device may send a connection establishment request to the security termination device to establish a data transmission path of the target data type.
  • the network control device may also initiate a packet data network (PDN) connection establishment process after the attach process is completed.
  • PDN packet data network
  • the network control device may receive the connection establishment request sent by the terminal device. Afterwards, the connection establishment request is sent to the security termination device, where the connection establishment request is carried in the connection establishment request An indication indicating a type of transmission data of the terminal device.
  • the network control device may send the encrypted first key when sending the connection establishment request to the security termination device.
  • Step 506 The security termination device receives the first key sent by the security management device, where the first key is used by the security termination device to decrypt the encrypted target data type data sent by the terminal device based on the first key, or Encrypt data of the target data type that the server sends to the terminal device.
  • the security termination device receives the encrypted first key sent by the security management device, and then encrypts the encryption based on the pre-acquired private key pair. The latter first key is decrypted to obtain the first key.
  • the security termination device may further derive the second key based on the first key.
  • the processing of step 506 may be as follows: the first key is used to securely terminate the encrypted target data sent by the device to the terminal device. The type of data is decrypted, or the data of the target data type sent by the server to the terminal device is encrypted; or the first key is used by the security termination device to derive the second key based on the first key; the second key is used The security termination device decrypts the encrypted target data type data sent by the terminal device based on the second key, or encrypts the data of the target data type sent by the server to the terminal device.
  • FIG. 6 a flowchart for obtaining the first key for the EPA-AKA , the authentication, the security management device, and the terminal device may be as shown in FIG. 6. among them,
  • SP AAA (where SP AAA is an authentication and authorization accounting server provided by the server provider) may store the public key in advance. (Used to encrypt the first key in step 21).
  • the UE performs IoT (Internet of Things) network selection.
  • IoT Internet of Things
  • An air interface connection is established between the UE and the MF AP, that is, an RRC (Radio Resource Control) connection.
  • RRC Radio Resource Control
  • the UE initiates an attach request, which carries a "CP CIoT EPS optimization supported" indication message indicating that the IoT data transmission function is to be used.
  • the "CP CIoT EPS optimization supported” indication information is the IoT optimization architecture support indication information.
  • the NH-MME sends the EAP-RQ/Identity to the UE through the NAS (Non-Access Stratum) message, requesting the device identifier of the UE.
  • the EAP-RQ/Identity may be a message name used to request the device identifier of the UE.
  • the UE feeds back the device identifier to the NH-MME.
  • the NH-MME sends the device identifier and the "CP CIoT EPS optimization supported" indication information to the SP AAA.
  • the SP AAA sends an AKA authentication vector request to the HSS, and the authentication vector is used to generate an encryption key and verify the UE.
  • the HSS generates an authentication vector and an IoT-RAND random value (IoT-RAND is the key derivation parameter value described above), and the random value is used to derive the MSK-IoT key of step 21 and step 24c (the secret)
  • the key is the first key).
  • HSS returns the IoT-RAND random value to SP AAA.
  • the SP generates a primary session key MSK based on the authentication vector obtained from the HSS.
  • the UE generates a primary session key MSK and a response RES (Response) according to the received authentication vector;
  • the SP AAA will verify that the received RES and the SP AAA itself generate the same RES in step 10, and if they are the same, consider that the UE is a legitimate terminal;
  • the subscription data is obtained from the HSS
  • the SP AAA derives the generated key MSK-IoT from the IoT-RAND random value obtained in step 9c and other key material (e.g., CK'/IK').
  • SP AAA sends the primary session key MSK and the generated MSK-IoT to the NH-MME. Moreover, the MSK-IoT is transmitted to the NH-MME through the public key encryption of step 1, that is to say, the NH-MME obtains the MSK-IoT as an encrypted information, and does not see the real MSK-IoT.
  • the NH-MME sends the EAP authentication success information to the UE.
  • the UE and the NH-MME derive the key Kasme according to the obtained authentication vector for NAS message encryption.
  • UE is the same as step 21, and also performs MSK-IoT.
  • the UE and the NH-MME negotiate an encryption algorithm between the UE and the NH-MME through an SMC (Security Mode Command).
  • the above is the execution of the authentication process.
  • the present application implements the key MSK-IoT on the UE, and the encrypted key MSK-IoT on the NH-MME.
  • the authentication process shown in FIG. 6 is prior art, and the related process of generating the first key (MSK-IoT) in the authentication process is the solution of the present application.
  • the information of each execution subject interaction may be a message name and/or information carried in the message.
  • the MSK-IoT may be derived according to the IoT-RAND random value and other key materials, and then the MSK-IoT is sent to the SP AAA, and other steps are processed as shown in FIG. 6. The same.
  • the MSK-IoT can be encrypted with a pre-stored public key, and the encrypted MSK-IoT is sent to the SP AAA.
  • the SP AAA may also generate the IoT-RAND, that is, the 10th step in the process shown in FIG. 6 may also generate the IoT-RAND, no longer by the HSS.
  • the other steps are the same as in Fig. 6.
  • the SP AAA may also send a “CP CIoT EPS optimization supported” indication information to the HSS.
  • the NH-MME can send a connection establishment request to the security termination device in the prior art.
  • the connection establishment request may carry the encrypted first key.
  • the attaching process is complete, or the terminal device may initiate a PDN connection establishment process.
  • the NH-MME may send a connection establishment request to the security termination device.
  • the encrypted connection first key may also be carried in the connection establishment request.
  • a flowchart of the security management device and the terminal device acquiring the first key may be as shown in FIG. 7. among them,
  • SP AAA can pre-store the public key
  • the UE initiates an initial connection message (ie, an attach request); and carries the CP CIoT EPS optimization supported indication information, indicating that the IoT network will be used;
  • the NH MME requests the UE for the device identifier of the UE.
  • the UE sends the device identifier.
  • the NH MME forwards the device identifier to the SP AAA Server and carries the CP CIoT EPS optimization supported indication.
  • the authentication server retrieves the authentication database through the user identifier, and learns that the TLS authentication mechanism is adopted.
  • the TLS authentication process is initiated by sending a Start message to the applicant, waiting for TLS authentication.
  • the UE sends an EAP-TLS: Client-Hello message to the SP AAA Server.
  • This message contains a list of algorithms that you can implement, Client Random Value, and other required information.
  • the SP AAA Server After receiving the EAP-TLS: Client-Hello, the SP AAA Server determines that the TLS authentication has been established, and sends the digital certificate Server-Certificate including the SP AAA Server, the UE's digital certificate request Client Certificate-Request, Sever-Hello, and Server Key-Exchange messages are used to exchange key procedures.
  • Server Hello determines the algorithm and Server Random Value required for this communication.
  • the SP AAA Server also generates a random value Server-IoT Random (that is, a key derivation parameter value) and sends it to the UE.
  • the UE verifies the digital certificate Server-Certificate of the SP AAA Server. If it is valid, it sends a Client-Cert, Client Key-Exchange, Change Cipher-spec, and Finished message to the SP AAA Server.
  • the Client-Cert is the digital certificate of the UE
  • the Client Key-Exchange is a fixed-length random string encrypted by the public key of the SP AAA Server. It is also called Pre Master Secert.
  • the Change Cipher-spec is the encryption type that the UE can support.
  • the SP AAA Server verifies the UE's certificate Client-Certificate. If it is valid, then it replies to the UE to change the Cipher-spec and Finished messages.
  • the Change Cipher-spec contains the encryption type specified by the SP AAA Server.
  • the UE returns a response message.
  • the UE and the SP AAA Server derive the main session key MSK;
  • the UE and the SP AAA Server derive the key MSK-IoT used by the IoT according to the Server-IoT-Random obtained in steps 9 and 10;
  • the SP AAA Server sends the authentication success information and the primary session key MSK to the NH-MME, and encrypts the MSK-IoT with the public key stored in step 0 and sends it to the NH-MME;
  • the NH-MME sends an authentication success message EAP-Success to the UE.
  • the UE and the NH MME each derive a key Kasme for NAS encryption according to the MSK.
  • the UE and the NH-MME negotiate an encryption algorithm between the UE and the NH-MME through an SMC (Security Mode Command).
  • the above is the execution of the authentication process.
  • the present application implements the key MSK-IoT on the UE, and the encrypted key MSK-IoT on the NH-MME.
  • the authentication process shown in FIG. 7 is a prior art, and the related process of generating the first key (MSK-IoT) in the authentication process is the solution of the present application.
  • the information of each execution subject interaction may be a message name and/or information carried in the message.
  • the scheme shown in FIG. 7 is that the SP AAA server generates a key derivation parameter value.
  • the key derivation parameter value may also be generated by the terminal device and sent to the SP AAA through steps 7 and 8 in FIG. 7. Server.
  • both the terminal device and the SP AAA server can derive the first key by using the key derivation parameter value generated by the terminal device, and other processes can be the same as in FIG. 7.
  • the security management device may In the case that it is determined that the transmission data type of the terminal device includes the preset target data type, the key derivation parameter value is obtained, and further, the first key is obtained based on the obtained key derivation parameter value, and is sent To the safety termination device. After receiving the first key, the security termination device may decrypt the encrypted target data type data sent by the terminal device based on the first key, or encrypt the data of the target data type sent by the server to the terminal device.
  • the terminal device may also obtain the key derivation parameter value that is the same as the key derivation parameter value obtained by the security management device, and the terminal device may also acquire the first key, and further, the terminal device may be based on the target data type to be transmitted by the first key.
  • the data is encrypted or the received encrypted data of the target data type is decrypted.
  • the terminal device and the security termination device in the transmission path may encrypt the data based on the first key learned in advance, because the first key is not stored in the network control device. Therefore, the network control device cannot decrypt the encrypted data transmitted by the terminal device and the server, that is, the data transmitted by the terminal device and the server cannot be stolen, thereby enhancing the security of data transmission.
  • FIG. 8 is a block diagram of a security management device provided by an embodiment of the present application.
  • the security management device provided by the embodiment of the present application may implement the steps performed by the security management device in the process described in FIG. 5 of the embodiment of the present application, where the security management device includes:
  • the determining module 810 is configured to determine the type of the transmission data of the terminal device, and specifically, the determining function in the foregoing step 503, and other implicit steps.
  • the obtaining module 820 is configured to obtain the key derivation parameter value when the transmission data type of the terminal device includes the target data type, and specifically obtain the obtaining function in the above step 504, and other implicit steps.
  • the obtaining module 820 is further configured to obtain the first key according to the key derivation parameter value, and specifically implement the derivation function in the foregoing step 504, and other implicit steps.
  • the sending module 830 is configured to send the first key to the security termination device, and specifically implement the sending function in the foregoing step 505, and other implicit steps.
  • the determining module 810 is configured to:
  • Determining a transmission data type of the terminal device according to a correspondence between a predefined device identifier and a transmission data type and a device identifier sent by the terminal device.
  • the target data type is an Internet of Things data type
  • the indication information is an Internet of Things optimization architecture support indication information
  • the sending module 830 is further configured to:
  • the obtaining module 820 is configured to:
  • the transmission data type of the terminal device includes the target data type
  • the key derivation parameter value sent by the terminal device is obtained.
  • the security management device further includes:
  • the encryption module 840 is configured to encrypt the first key based on a predefined public key to obtain an encrypted first key.
  • the sending module 830 is configured to send the encrypted first key to the security termination device.
  • the sending module 830 is configured to:
  • the sending module 830 is configured to:
  • the key derivation parameter value is a random value or a device identifier of the terminal device.
  • the foregoing determining module 810, the obtaining module 820, and the encrypting module 840 may be implemented by a processor, or the processor may be implemented by using a memory, or the processor may execute the program instructions in the memory, and the sending module 830 may be Implemented.
  • FIG. 10 is a block diagram of a terminal device according to an embodiment of the present application.
  • the terminal device provided by the embodiment of the present application may implement the steps performed by the terminal device in the process described in FIG. 5 of the embodiment of the present application, where the terminal device includes:
  • the determining module 1010 is configured to determine the type of the transmission data of the terminal device, and specifically, the determining function in the foregoing step 501, and other implicit steps.
  • the obtaining module 1020 is configured to obtain the key derivation parameter value when the transmission data type of the terminal device includes the target data type, and specifically, the obtaining function in the foregoing step 501, and other implicit steps.
  • the obtaining module 1020 is further configured to acquire a first key according to the key derivation parameter value, where the first key is used by the terminal device according to the target data type to be transmitted by the first key
  • the data is encrypted, or the received data of the encrypted target data type is decrypted, and the obtaining function in the above step 502 and other implicit steps can be specifically implemented.
  • the terminal device further includes:
  • the sending module 1030 is configured to send, to the security management device, a device identifier of the terminal device and/or indication information used to indicate a type of transmission data of the terminal device.
  • the target data type is an Internet of Things data type
  • the indication information is an Internet of Things optimization architecture support indication information
  • the obtaining module 1020 is configured to:
  • the key derivation parameter value sent by the security management device is obtained.
  • the terminal device further includes:
  • the sending module 1030 is configured to send the generated key derivation parameter value to the security management device.
  • the key derivation parameter value is a random value or a device identifier of the terminal device.
  • the first key is used by the terminal device to encrypt data of a target data type to be transmitted according to the first key, or to decrypt data of the received encrypted target data type.
  • the terminal device uses the terminal device to encrypt data of a target data type to be transmitted according to the first key, or to decrypt data of the received encrypted target data type.
  • the first key is used to encrypt data of a target data type to be transmitted by the terminal device, or to decrypt data of the received encrypted target data type;
  • the first key is used by the terminal device to derive a second key based on the first key; the second key is used to encrypt data of a target data type to be transmitted by the terminal device, or The received encrypted data of the target data type is decrypted.
  • determining module 1010 and the obtaining module 1020 may be implemented by a processor, or the processor may be implemented by using a memory, or the processor may execute the program instructions in the memory, and the sending module 1030 may be implemented by a transmitter.
  • FIG. 12 is a block diagram of a security termination device provided by an embodiment of the present application.
  • the security termination device provided by the embodiment of the present application may implement the steps performed by the security termination device in the process described in FIG. 5 of the embodiment of the present application, where the security termination device includes:
  • the receiving module 1210 is configured to receive a first key sent by the security management device, where the first key is used by the security termination device to send the encrypted target to the terminal device based on the first key.
  • the data of the data type is decrypted, or the data of the target data type sent by the server to the terminal device is encrypted.
  • the receiving function in the above step 506 and other implicit steps can be implemented.
  • the receiving module 1210 is configured to:
  • the security termination device receives the encrypted first key sent by the security management device
  • the security termination device further includes:
  • the decryption module 1220 is configured to decrypt the encrypted first key based on a pre-stored private key to obtain a first key.
  • the first key is used by the security termination device to decrypt data of the encrypted target data type sent by the terminal device based on the first key, or sent to the terminal by the server.
  • the data of the target data type of the device is encrypted, including:
  • the first key is used by the security termination device to decrypt data of the encrypted target data type sent by the terminal device, or encrypt data of a target data type sent by the server to the terminal device; or ,
  • the first key is used by the security termination device to acquire a second key based on the first key; the second key is used by the security termination device to send the encrypted information to the terminal device.
  • the data of the target data type is decrypted, or the data of the target data type sent by the server to the terminal device is encrypted.
  • the decryption module 1220 may be implemented by a processor, or the processor may be implemented by using a memory, or the processor may execute a program instruction in the memory, and the receiving module 1210 may be implemented by a receiver.
  • the security management device may obtain the key derivation parameter value when determining that the transmission data type of the terminal device includes the preset target data type. Further, the first key can be obtained based on the obtained key derivation parameter value and sent to the security termination device. After receiving the first key, the security termination device may decrypt the encrypted target data type data sent by the terminal device based on the first key, or encrypt the data of the target data type sent by the server to the terminal device.
  • the terminal device may also obtain the key derivation parameter value that is the same as the key derivation parameter value obtained by the security management device, and the terminal device may also acquire the first key, and further, the terminal device may be based on the target data type to be transmitted by the first key.
  • the data is encrypted or the received encrypted data of the target data type is decrypted.
  • the terminal device and the security termination device in the transmission path may encrypt the data based on the first key learned in advance, because the first key is not stored in the network control device. Therefore, the network control device cannot decrypt the encrypted data transmitted by the terminal device and the server, that is, the data transmitted by the terminal device and the server cannot be stolen, thereby enhancing the security of data transmission.
  • the related hardware may be instructed by a program, and the program may be stored in a computer readable storage medium.
  • the storage medium mentioned above may be a read only memory, a magnetic disk or an optical disk.

Abstract

Embodiments of the present application relate to the technical field of wireless communications. Disclosed are a method, apparatus, and system for transmitting data. The method comprises: a secure management device may acquire a key deduction parameter value, so as to acquire a first key on the basis of the acquired key deduction parameter value, and send the first key to a secure termination device. The secure termination device can decrypt, on the basis of the first key, encrypted data of a target data type sent by a terminal device or encrypt the data of the target data type sent to the terminal device from a server. The terminal device can also acquire the key deduction parameter value so as to acquire the first key, so that the terminal device can encrypt, on the basis of the first key, the data to be transmitted of the target data type or decrypt the received encrypted data of the target data type. By means of the present application, the security of data transmission can be enhanced.

Description

一种传输数据的方法、装置和系统Method, device and system for transmitting data 技术领域Technical field
本申请涉及无线通信技术领域,特别涉及一种传输数据的方法、装置和系统。The present application relates to the field of wireless communication technologies, and in particular, to a method, an apparatus, and a system for transmitting data.
背景技术Background technique
随着无线通信技术的发展,越来越多的移动网络得到了普及,比如MulteFire网络(其中,MulteFire是一种移动网络的名称,可简称为MF)、长期演进网络等。建立移动网络的网络设备往往包含安全管理设备(比如鉴权授权计费服务器(Authentication,authorization and accounting server,AAA sever)、或者归属签约服务器(Home Subscriber Server,HSS))、网络控制设备(比如MulteFire网络的中立主机移动管理实体(Neutral Host Mobility Management Entity,NH MME))以及安全终结设备(比如分组数据网关(Packet Data Network Gateway,PDN GW)、业务能力开放功能(Service Capability Exposure Function,SCEF)网络设备、演进的分组数据网关(Evolved Packet Data Gateway,ePDG))等。With the development of wireless communication technologies, more and more mobile networks have become popular, such as the MulteFire network (where MulteFire is the name of a mobile network, hereinafter referred to as MF), and the long-term evolution network. A network device that establishes a mobile network often includes a security management device (such as an authentication, authorization and accounting server (AAA sever), or a Home Subscriber Server (HSS)), and a network control device (such as MulteFire). Network Neutral Host Mobility Management Entity (NH MME) and security termination device (such as Packet Data Network Gateway (PDN GW), Service Capability Exposure Function (SCEF) network Equipment, Evolved Packet Data Gateway (ePDG), etc.
终端设备可以通过移动网络与服务器进行数据传输,比如,可以通过移动网络与服务器传输物联网数据(比如,温度、湿度等数据)。目前,终端设备与服务器传输物联网数据的传输方法是:终端设备可以向服务器发送上行物联网数据,即终端设备可以将物联网数据传输给网络控制设备(比如NH MME),网络控制设备接收到物联网数据后,可以将其传输至安全终结设备,进而,安全终结设备将接收到的物联网数据发送至服务器。服务器也可以向终端设备发送下行物联网数据,即服务器可以将物联网数据传输给安全终结设备,安全终结设备接收到物联网数据后,可以将其传输给网络控制设备(比如NH MME),进而,网络控制设备将接收到的物联网数据发送至终端设备。The terminal device can transmit data to the server through the mobile network. For example, the Internet of Things data (for example, temperature, humidity, etc.) can be transmitted through the mobile network and the server. At present, the terminal device and the server transmit the Internet of Things data transmission method: the terminal device can send the uplink Internet of Things data to the server, that is, the terminal device can transmit the Internet of Things data to the network control device (such as the NH MME), and the network control device receives the After the IoT data is transmitted, it can be transmitted to the secure termination device, and the secure termination device sends the received IoT data to the server. The server may also send the downlink IoT data to the terminal device, that is, the server may transmit the IoT data to the security termination device, and after receiving the IoT data, the security termination device may transmit the data to the network control device (such as the NH MME), and then The network control device sends the received Internet of Things data to the terminal device.
然而,现有技术中,某些企业或者单位可以自主部署移动网络的网络控制设备,当终端设备基于某些可信性差的企业或者单位部署的网络控制设备与服务器传输数据时,网络控制设备可能会窃取终端设备与服务器传输的数据,从而,导致数据传输的安全性较差。However, in the prior art, some enterprises or units may independently deploy network control devices of the mobile network. When the terminal device transmits data according to some network control devices and servers deployed by enterprises or units with poor reliability, the network control device may It will steal data transmitted by the terminal device and the server, resulting in poor security of data transmission.
发明内容Summary of the invention
为了实现增强数据传输安全性的目的,本申请实施例提供了一种传输数据的方法、装置和系统。所述技术方案如下:In order to achieve the purpose of enhancing data transmission security, the embodiments of the present application provide a method, an apparatus, and a system for transmitting data. The technical solution is as follows:
第一方面,提供了一种传输数据的方法,所述方法包括:安全管理设备可以确定终端设备的传输数据类型;当终端设备的传输数据类型包括预设的目标数据类型时,可以获取密钥推演参数值,根据密钥推演参数值,获取第一密钥;向安全终结设备发送第一密钥。A first aspect provides a method for transmitting data, where the method includes: the security management device can determine a transmission data type of the terminal device; and when the transmission data type of the terminal device includes a preset target data type, the key can be obtained. The parameter value is derived, the first key is obtained according to the key derivation parameter value, and the first key is sent to the security termination device.
本申请实施例所示的方案,在鉴权过程中,安全管理设备可以判断终端设备的传输数据类型,在判断出终端设备的传输数据类型包括预设的目标数据类型的情况下,安全管理设备可以获取密钥推演参数值,进而,可以基于获取的密钥推演参数值,推演第一密钥。确定出第一密钥后,可以将其发送至安全终结设备。这样,安全终结设备可以对服务器传输至终端设备的目标数据类型的数据进行加密,以免网络控制设备可以窃取该数据,从而, 可以保证数据传输的安全性。In the solution shown in the embodiment of the present application, in the authentication process, the security management device can determine the type of transmission data of the terminal device, and in the case that it is determined that the transmission data type of the terminal device includes the preset target data type, the security management device The key derivation parameter value can be obtained. Further, the first key can be derived based on the obtained key derivation parameter value. Once the first key is determined, it can be sent to the secure termination device. In this way, the security termination device can encrypt the data of the target data type transmitted by the server to the terminal device, so that the network control device can steal the data, thereby The security of data transmission can be guaranteed.
在一种可能的实现方式中,安全管理设备确定终端设备的传输数据类型,包括:根据终端设备发送的用于指示终端设备的传输数据类型的指示信息,确定终端设备的传输数据类型;或者,根据预先存储的设备标识与传输数据类型的对应关系以及终端设备发送的设备标识,确定终端设备的传输数据类型。In a possible implementation manner, the security management device determines the transmission data type of the terminal device, including: determining, according to the indication information that is sent by the terminal device to indicate the type of the transmission data of the terminal device, the type of the transmission data of the terminal device; or The transmission data type of the terminal device is determined according to the correspondence between the pre-stored device identifier and the transmission data type and the device identifier sent by the terminal device.
在一种可能的实现方式中,目标数据类型可以为物联网数据类型,指示信息可以为物联网优化架构支持指示信息。In a possible implementation manner, the target data type may be an Internet of Things data type, and the indication information may be an IoT optimization architecture support indication information.
在一种可能的实现方式中,该方法还包括:安全管理设备向终端设备发送密钥推演参数值,密钥推演参数值用于终端设备获取第一密钥。In a possible implementation manner, the method further includes: the security management device sends a key derivation parameter value to the terminal device, where the key derivation parameter value is used by the terminal device to acquire the first key.
在一种可能的实现方式中,当终端设备的传输数据类型包括目标数据类型时,安全管理设备获取密钥推演参数值,包括:当终端设备的传输数据类型包括目标数据类型时,安全管理设备获取终端设备发送的密钥推演参数值。这样,可以使得终端设备和安全终结设备都可获取第一密钥,以便对终端设备和服务器传输的目标数据类型的数据进行加密或解密,从而,可以保证数据传输的安全性。In a possible implementation manner, when the transmission data type of the terminal device includes the target data type, the security management device acquires the key deduction parameter value, including: when the transmission data type of the terminal device includes the target data type, the security management device Obtain the key derivation parameter value sent by the terminal device. In this way, both the terminal device and the security termination device can obtain the first key, so as to encrypt or decrypt the data of the target data type transmitted by the terminal device and the server, thereby ensuring the security of data transmission.
在一种可能的实现方式中,向安全终结设备发送第一密钥,包括:基于预先定义的公钥,对第一密钥进行加密,得到加密后的第一密钥;向安全终结设备发送加密后的第一密钥。In a possible implementation, the sending the first key to the security termination device includes: encrypting the first key based on a predefined public key, obtaining the encrypted first key; and sending the encrypted first terminal to the security termination device The encrypted first key.
本申请实施例所示的方案,安全管理设备得到第一密钥后,可以基于预先定义的公钥,对第一密钥进行加密,得到加密后的第一密钥,进而,向安全终结设备发送加密后的第一密钥。这样,可以增强第一密钥传输的安全性。In the solution shown in the embodiment of the present application, after obtaining the first key, the security management device may encrypt the first key based on the predefined public key to obtain the encrypted first key, and further, to the security termination device. Send the encrypted first key. In this way, the security of the first key transmission can be enhanced.
在一种可能的实现方式中,向安全终结设备发送加密后的第一密钥,包括:通过网络控制设备,向安全终结设备发送加密后的第一密钥,以使网络控制设备,向安全终结设备发送加密后的第一密钥。In a possible implementation, the sending the encrypted first key to the security termination device includes: sending, by using the network control device, the encrypted first key to the security termination device, so that the network control device is safe. The terminating device sends the encrypted first key.
本申请实施例所示的方案,安全管理设备可以向网络控制设备发送加密后的第一密钥,网络控制设备接收到加密后的第一密钥,可以再将加密后的第一密钥发送至安全终结设备。In the solution shown in the embodiment of the present application, the security management device may send the encrypted first key to the network control device, and the network control device receives the encrypted first key, and may send the encrypted first key. To the safety termination device.
在一种可能的实现方式中,通过网络控制设备,向安全终结设备发送加密后的第一密钥,以使网络控制设备,向安全终结设备发送加密后的第一密钥,包括:通过网络控制设备,向安全终结设备发送加密后的第一密钥,以使网络控制设备,在向安全终结设备发送连接建立请求时,发送加密后的第一密钥。In a possible implementation manner, the network control device sends the encrypted first key to the security termination device, so that the network control device sends the encrypted first key to the security termination device, including: The control device sends the encrypted first key to the security termination device, so that the network control device sends the encrypted first key when sending the connection establishment request to the security termination device.
本申请实施例所示的方案,网络控制设备在接收到安全管理设备发送的加密后的第一密钥后,可以在向安全终结设备发送连接建立请求时,向安全终结设备发送加密后的第一密钥,即连接建立请求中可以携带有加密后的第一密钥。这样,无需网络控制设备为传输加密后的第一密钥,在增加一次与安全终结设备的数据传输。In the solution shown in the embodiment of the present application, after receiving the encrypted first key sent by the security management device, the network control device may send the encrypted terminal to the security termination device when sending the connection establishment request to the security termination device. A key, that is, a connection establishment request, may carry the encrypted first key. In this way, the network control device is not required to transmit the encrypted first key, and the data transmission with the secure termination device is increased once.
在一种可能的实现方式中,密钥推演参数值可以为随机值或者终端设备的设备标识。In a possible implementation manner, the key derivation parameter value may be a random value or a device identifier of the terminal device.
第二方面,提供了一种传输数据的方法,其特征在于,所述方法包括:终端设备终端设备确定终端设备的传输数据类型;当终端设备的传输数据类型包括目标数据类型时,可以获取密钥推演参数值;根据密钥推演参数值,获取第一密钥,其中,第一密钥用于终端设备基于第一密钥对待传输的目标数据类型的数据进行加密,或者对接收到的加密后的目 标数据类型的数据进行解密。A second aspect provides a method for transmitting data, where the method includes: determining, by a terminal device, a terminal device, a type of transmission data of the terminal device; and when the transmission data type of the terminal device includes a target data type, obtaining the data. a key derivation parameter value; obtaining a first key according to the key derivation parameter value, wherein the first key is used by the terminal device to encrypt data of the target data type to be transmitted according to the first key, or to encrypt the received data After The data of the standard data type is decrypted.
本申请实施例所示的方案,当终端设备的传输数据类型包括目标数据类型时,终端设备可以获取与安全管理设备相同的密钥推演参数值,进而,基于获取的密钥推演参数值和密钥材料,推演第一密钥。当向服务器传输目标数据类型的数据时,可以对数据进行加密,或者,当接收到加密后的目标数据类型的数据时,对接收到的数据进行解密。In the solution shown in the embodiment of the present application, when the transmission data type of the terminal device includes the target data type, the terminal device may obtain the same key derivation parameter value as the security management device, and further, derive the parameter value and the density based on the obtained key. Key material, deriving the first key. When the data of the target data type is transmitted to the server, the data may be encrypted, or when the data of the encrypted target data type is received, the received data is decrypted.
在一种可能的实现方式中,该方法还包括:终端设备可以向安全管理设备发送终端设备的设备标识和/或用于指示终端设备的传输数据类型的指示信息。In a possible implementation manner, the method further includes: the terminal device may send, to the security management device, the device identifier of the terminal device and/or the indication information used to indicate the type of the transmission data of the terminal device.
在一种可能的实现方式中,目标数据类型可以为物联网数据类型,指示信息可以为物联网优化架构支持指示信息。In a possible implementation manner, the target data type may be an Internet of Things data type, and the indication information may be an IoT optimization architecture support indication information.
在一种可能的实现方式中,当终端设备的传输数据类型包括目标数据类型时,终端设备获取密钥推演参数值,包括:当终端设备的传输数据类型包括目标数据类型时,终端设备获取安全管理设备发送的密钥推演参数值。In a possible implementation manner, when the transmission data type of the terminal device includes the target data type, the terminal device acquires the key derivation parameter value, including: when the transmission data type of the terminal device includes the target data type, the terminal device acquires the security. Manage the value of the key derivation parameter sent by the device.
在一种可能的实现方式中,该方法还包括:终端设备向安全管理设备发送生成的密钥推演参数值,密钥推演参数值用于安全管理设备获取第一密钥。In a possible implementation manner, the method further includes: the terminal device sends the generated key derivation parameter value to the security management device, where the key derivation parameter value is used by the security management device to acquire the first key.
在一种可能的实现方式中,密钥推演参数值可以为随机值或者终端设备的设备标识。In a possible implementation manner, the key derivation parameter value may be a random value or a device identifier of the terminal device.
在一种可能的实现方式中,第一密钥用于终端设备基于第一密钥对待传输的目标数据类型的数据进行加密,或者对接收到的加密后的目标数据类型的数据进行解密,包括:第一密钥用于终端设备对待传输的目标数据类型的数据进行加密,或者对接收到的加密后的目标数据类型的数据进行解密;或者,第一密钥用于终端设备基于第一密钥,获取第二密钥;第二密钥用于终端设备对待传输的目标数据类型的数据进行加密,或者对接收到的加密后的目标数据类型的数据进行解密。In a possible implementation manner, the first key is used by the terminal device to encrypt data of the target data type to be transmitted according to the first key, or to decrypt the received data of the target data type, including The first key is used for encrypting data of the target data type to be transmitted by the terminal device, or decrypting the data of the received target data type; or the first key is used for the terminal device based on the first key The key is used to obtain the second key; the second key is used to encrypt the data of the target data type to be transmitted by the terminal device, or to decrypt the received data of the target data type.
第三方面,提供了一种传输数据的方法,所述方法包括:安全终结设备接收安全管理设备发送的第一密钥,其中,第一密钥用于安全终结设备基于第一密钥对终端设备发送的加密后的目标数据类型的数据进行解密,或者对服务器发送给终端设备的目标数据类型的数据进行加密。A third aspect provides a method for transmitting data, the method comprising: receiving, by a security termination device, a first key sent by a security management device, where the first key is used by the security termination device based on the first key pair terminal The data of the encrypted target data type sent by the device is decrypted, or the data of the target data type sent by the server to the terminal device is encrypted.
本申请实施例所示的方案,安全管理设备向安全终结设备发送第一密钥后,安全终结设备可以接收第一密钥。当接收到终端设备发送的加密后的目标数据类型的数据时,可以基于基于第一密钥对加密后的数据进行解密,当接收到服务器发送给终端设备的目标数据类型的数据时,可以基于基于第一密钥对数据进行加密。In the solution shown in the embodiment of the present application, after the security management device sends the first key to the security termination device, the security termination device can receive the first key. When receiving the data of the encrypted target data type sent by the terminal device, the encrypted data may be decrypted based on the first key, and when receiving the data of the target data type sent by the server to the terminal device, The data is encrypted based on the first key.
在一种可能的实现方式中,安全终结设备接收安全管理设备发送的第一密钥,包括:安全终结设备接收安全管理设备发送的加密后的第一密钥;所述方法还包括:基于预先存储的私钥对加密后的第一密钥进行解密,得到第一密钥。In a possible implementation, the security termination device receives the first key sent by the security management device, including: the security termination device receives the encrypted first key sent by the security management device; and the method further includes: pre- The stored private key decrypts the encrypted first key to obtain the first key.
在一种可能的实现方式中,第一密钥用于安全终结设备基于第一密钥对终端设备发送的加密后的目标数据类型的数据进行解密,或者对服务器发送给终端设备的目标数据类型的数据进行加密,包括:第一密钥用于安全终结设备对终端设备发送的加密后的目标数据类型的数据进行解密,或者对服务器发送给终端设备的目标数据类型的数据进行加密;或者,第一密钥用于安全终结设备基于第一密钥,获取第二密钥;第二密钥用于安全终结设备对终端设备发送的加密后的目标数据类型的数据进行解密,或者对服务器发送给终端设 备的目标数据类型的数据进行加密。In a possible implementation, the first key is used by the security termination device to decrypt the data of the encrypted target data type sent by the terminal device based on the first key, or the target data type sent to the terminal device by the server. The data is encrypted, including: the first key is used by the security termination device to decrypt the encrypted target data type data sent by the terminal device, or the data of the target data type sent by the server to the terminal device is encrypted; or The first key is used by the security termination device to obtain the second key based on the first key; the second key is used by the security termination device to decrypt the encrypted target data type data sent by the terminal device, or send the data to the server. Set to the terminal The data of the target data type is encrypted.
第四方面,提供了一种安全管理设备,该安全管理设备包括处理器和通信接口,处理器被配置为执行存储器中存储的指令;处理器通过执行指令来实现上述第一方面所提供的进行传输数据的方法。In a fourth aspect, a security management device is provided, the security management device comprising a processor and a communication interface, the processor being configured to execute instructions stored in the memory; and the processor implementing the instructions provided by the first aspect by executing the instructions The method of transferring data.
第五方面,提供了一种终端设备,该终端设备包括处理器、发射器和接收器,处理器被配置为执行存储器中存储的指令;处理器通过执行指令来实现上述第二方面所提供的进行传输数据的方法。In a fifth aspect, a terminal device is provided, the terminal device comprising a processor, a transmitter and a receiver, the processor being configured to execute an instruction stored in the memory; the processor implementing the instruction provided by the second aspect The method of transmitting data.
第六方面,提供了一种安全终结设备,该安全终结设备包括处理器和通信接口,处理器被配置为执行存储器中存储的指令;处理器通过执行指令来实现上述第三方面所提供的进行传输数据的方法。In a sixth aspect, a security termination device is provided, the security termination device comprising a processor and a communication interface, the processor being configured to execute instructions stored in the memory; and the processor implementing the instructions provided by the third aspect by executing the instructions The method of transferring data.
第七方面,提供了一种安全管理设备,该安全管理设备包括至少一个模块,该至少一个模块用于实现上述第一方面所提供的传输数据的方法。In a seventh aspect, a security management device is provided, the security management device comprising at least one module, the at least one module for implementing the method for transmitting data provided by the first aspect.
第八方面,提供了一种终端设备,该终端设备包括至少一个模块,该至少一个模块用于实现上述第二方面所提供的传输数据的方法。In an eighth aspect, a terminal device is provided, the terminal device comprising at least one module, the at least one module configured to implement the method for transmitting data provided by the second aspect.
第九方面,提供了一种安全终结设备,该安全终结设备包括至少一个模块,该至少一个模块用于实现上述第三方面所提供的传输数据的方法。The ninth aspect provides a security termination device, where the security termination device includes at least one module, and the at least one module is configured to implement the method for transmitting data provided by the foregoing third aspect.
上述本申请实施例第四和第七方面所获得的技术效果与第一方面中对应的技术手段获得的技术效果近似,在这里不再赘述。上述本申请实施例第五和第八方面所获得的技术效果与第二方面中对应的技术手段获得的技术效果近似,在这里不再赘述。上述本申请实施例第六和第九方面所获得的技术效果与第三方面中对应的技术手段获得的技术效果近似,在这里不再赘述。The technical effects obtained by the fourth and seventh aspects of the embodiments of the present application are similar to those obtained by the corresponding technical means in the first aspect, and are not described herein again. The technical effects obtained by the fifth and eighth aspects of the embodiments of the present application are similar to those obtained by the corresponding technical means in the second aspect, and are not described herein again. The technical effects obtained by the sixth and ninth aspects of the embodiments of the present application are similar to those obtained by the corresponding technical means in the third aspect, and are not described herein again.
第十方面,提供了一种传输数据的系统,该系统包括安全管理设备、终端设备和安全终结设备,其中:安全管理设备,用于确定终端设备的传输数据类型;当终端设备的传输数据类型包括目标数据类型时,安全管理设备获取密钥推演参数值;根据密钥推演参数值,获取第一密钥,第一密钥用于安全终结设备基于第一密钥对终端设备发送的加密后的目标数据类型的数据进行解密,或者对服务器发送给终端设备的目标数据类型的数据进行加密;安全管理设备向安全终结设备发送所述第一密钥;所述终端设备,用于确定终端设备的传输数据类型;当所述终端设备的传输数据类型包括目标数据类型时,获取密钥推演参数值;根据所述密钥推演参数值,获取第一密钥,其中,所述第一密钥用于所述终端设备基于所述第一安全密钥对待传输的目标数据类型的数据进行加密,或者对接收到的加密后的目标数据类型的数据进行解密。A tenth aspect provides a system for transmitting data, the system comprising a security management device, a terminal device, and a security termination device, wherein: a security management device is configured to determine a transmission data type of the terminal device; and a transmission data type of the terminal device When the target data type is included, the security management device obtains the key derivation parameter value; and obtains the first key according to the key derivation parameter value, where the first key is used by the security termination device to encrypt the terminal device based on the first key. The data of the target data type is decrypted, or the data of the target data type sent by the server to the terminal device is encrypted; the security management device sends the first key to the security termination device; and the terminal device is used to determine the terminal device a transmission data type; when the transmission data type of the terminal device includes a target data type, acquiring a key derivation parameter value; and acquiring a first key according to the key derivation parameter value, wherein the first key Number of target data types to be transmitted by the terminal device based on the first security key Encryption, or encrypted target data type of the received data is decrypted.
本申请实施例提供的技术方案带来的有益效果是: The beneficial effects brought by the technical solutions provided by the embodiments of the present application are:
本申请实施例中,在终端设备与服务器传输目标数据类型的数据前,安全管理设备可以在确定出终端设备的传输数据类型包括预设的目标数据类型的情况下,获取密钥推演参数值,进而,可以基于获取的密钥推演参数值,获取第一密钥,并将其发送至安全终结设备。安全终结设备接收到第一密钥后,可以基于第一密钥对终端设备发送的加密后的目标数据类型的数据进行解密,或者对服务器发送给终端设备的目标数据类型的数据进行加密。终端设备也可以获取与安全管理设备获取的密钥推演参数值相同的密钥推演参数值,终端设备也可以获取第一密钥,进而,终端设备可以基于第一密钥对待传输的目标数据类型的数据进行加密,或者对接收到的加密后的目标数据类型的数据进行解密。这样,终端设备与服务器进行目标数据类型的数据传输时,终端设备和传输路径中的安全终结设备可以基于预先获知的第一密钥对数据进行加密,由于网络控制设备中没有存储第一密钥,因此,网络控制设备无法对终端设备与服务器传输的加密后的数据进行解密,即无法窃取终端设备与服务器传输的数据,从而,可以增强数据传输的安全性。In the embodiment of the present application, before the terminal device and the server transmit the data of the target data type, the security management device may obtain the key derivation parameter value when determining that the transmission data type of the terminal device includes the preset target data type. Further, the first key can be obtained based on the obtained key derivation parameter value and sent to the security termination device. After receiving the first key, the security termination device may decrypt the encrypted target data type data sent by the terminal device based on the first key, or encrypt the data of the target data type sent by the server to the terminal device. The terminal device may also obtain the key derivation parameter value that is the same as the key derivation parameter value obtained by the security management device, and the terminal device may also acquire the first key, and further, the terminal device may be based on the target data type to be transmitted by the first key. The data is encrypted or the received encrypted data of the target data type is decrypted. In this way, when the terminal device and the server perform data transmission of the target data type, the terminal device and the security termination device in the transmission path may encrypt the data based on the first key learned in advance, because the first key is not stored in the network control device. Therefore, the network control device cannot decrypt the encrypted data transmitted by the terminal device and the server, that is, the data transmitted by the terminal device and the server cannot be stolen, thereby enhancing the security of data transmission.
附图说明DRAWINGS
图1(a)是本申请实施例提供的一种系统框架示意图;1(a) is a schematic diagram of a system framework provided by an embodiment of the present application;
图1(b)是本申请实施例提供的一种系统框架示意图;FIG. 1(b) is a schematic diagram of a system framework provided by an embodiment of the present application;
图2是本申请实施例提供的一种安全管理设备的结构示意图;2 is a schematic structural diagram of a security management device according to an embodiment of the present application;
图3是本申请实施例提供的一种终端设备的结构示意图;3 is a schematic structural diagram of a terminal device according to an embodiment of the present application;
图4是本申请实施例提供的一种安全终结设备的结构示意图;4 is a schematic structural diagram of a security termination device according to an embodiment of the present application;
图5是本申请实施例提供的一种传输数据的方法流程图;FIG. 5 is a flowchart of a method for transmitting data according to an embodiment of the present application;
图6是本申请实施例提供的一种获取第一密钥的方法流程图;FIG. 6 is a flowchart of a method for acquiring a first key according to an embodiment of the present application;
图7是本申请实施例提供的一种获取第一密钥的方法流程图;FIG. 7 is a flowchart of a method for acquiring a first key according to an embodiment of the present application;
图8是本申请实施例提供的一种安全管理设备的结构示意图;FIG. 8 is a schematic structural diagram of a security management device according to an embodiment of the present application;
图9是本申请实施例提供的一种安全管理设备的结构示意图;9 is a schematic structural diagram of a security management device according to an embodiment of the present application;
图10是本申请实施例提供的一种终端设备的结构示意图;FIG. 10 is a schematic structural diagram of a terminal device according to an embodiment of the present disclosure;
图11是本申请实施例提供的一种终端设备的结构示意图;FIG. 11 is a schematic structural diagram of a terminal device according to an embodiment of the present application;
图12是本申请实施例提供的一种安全终结设备的结构示意图;FIG. 12 is a schematic structural diagram of a security termination device according to an embodiment of the present disclosure;
图13是本申请实施例提供的一种安全终结设备的结构示意图。FIG. 13 is a schematic structural diagram of a security termination device according to an embodiment of the present application.
具体实施方式detailed description
在本申请中,终端设备可以包括用户设备(User Equipment,UE)、移动台(Mobile Station,简称为“MS”)、移动终端(Mobile Terminal)等。终端设备还可以是移动电话(或称为“蜂窝”电话)、具有移动终端的计算机等。终端设备还可以是便携式、袖珍式、手持式、计算机内置的或者车载的移动装置、传感器。它们与无线接入网交换语言和/或数据,从而经无线接入网(Radio Access Network,简称为“RAN”)与一个或多个核心网进行通信。In the present application, the terminal device may include a User Equipment (UE), a Mobile Station ("MS" for short), a Mobile Terminal (Mobile Terminal), and the like. The terminal device may also be a mobile phone (or "cellular" phone), a computer with a mobile terminal, or the like. The terminal device can also be a portable, pocket, handheld, computer built-in or vehicle-mounted mobile device, sensor. They exchange language and/or data with the radio access network to communicate with one or more core networks via a Radio Access Network ("RAN").
安全管理设备可以是鉴权授权计费服务器,也可以是归属签约服务器,也可以是由鉴权授权计费服务器和归属签约服务器协同完成的功能单元。网络控制设备可以是MulteFire网络的中立主机移动管理实体。安全终结设备可以是分组数据网关、也可以是能力开放功能网络设备、也可以是演进的分组数据网关。服务器可以是为终端设备提供网络服务器的 服务器。安全管理设备可以在确定出终端设备的传输数据类型包括预设的目标数据类型的情况下,获取密钥推演参数值,进而,基于获取的密钥推演参数值推演第一密钥,并将其发送至安全终结设备,安全终结设备可以接收安全管理设备发送的第一密钥。同样,终端设备也可以获取与安全管理设备相同的密钥推演参数值,并基于获取的密钥推演参数值推演第一密钥。终端设备可以通过网络控制设备、安全终结设备向服务器发送目标数据类型的数据(可以称为上行数据)。服务器可以通过安全终结设备、网络控制设备向终端设备发送目标数据类型的数据(可以称为下行数据),如图1(a)所示。The security management device may be an authentication authorization accounting server, a home subscription server, or a functional unit that is jointly performed by the authentication authorization accounting server and the home subscription server. The network control device can be a neutral host mobility management entity of the MulteFire network. The security termination device may be a packet data gateway, a capability open function network device, or an evolved packet data gateway. The server can be a network server for the terminal device server. The security management device may obtain the key derivation parameter value when determining the transmission data type of the terminal device, including the preset target data type, and further deriving the first key based on the obtained key derivation parameter value, and Sended to the security termination device, the security termination device can receive the first key sent by the security management device. Similarly, the terminal device can also obtain the same key derivation parameter value as the security management device, and derive the first key based on the obtained key derivation parameter value. The terminal device can send data of a target data type (which may be referred to as uplink data) to the server through the network control device and the security termination device. The server may send data of a target data type (which may be referred to as downlink data) to the terminal device through the security terminating device or the network control device, as shown in FIG. 1(a).
本申请实施例适用的移动网络的网络架构可以如图1(b)所示,其中,MF AP是接入网设备,负责与UE直接通信;椭圆框内是Neutral Host Core Network(中立主机核心网),是MulteFire网络的核心网部分,可能是由非服务提供商提供的网络,其中NH MME负责网络连接的建立,移动性管理的功能,并且作为Neutral Host Core Network与服务提供商网络设备(SP AAA)交互的中间网元;Local AAA Proxy是Neutral Host Core Network与服务提供商网络设备(SP AAA)交互的中间网络设备;NH GW是网关设备;ePDG属于服务提供商部署的网络设备,它在非可信接入架构中使用,作用是建立UE与ePDG之间的IPSec隧道,在隧道中传输的内容是加密的,对于Neutral Host Core Network中的网络设备不可见。SP AAA是服务提供商用来鉴权认证UE,并且提供安全加密密钥的网络设备。PDN GateWay是服务提供商的网关设备,数据最终会从这个网关设备进出。The network architecture of the mobile network to which the embodiment of the present application is applicable may be as shown in FIG. 1(b), where the MF AP is an access network device and is responsible for direct communication with the UE; the oval frame is a Neutral Host Core Network (neutral host core network) ) is the core network part of the MulteFire network, which may be a network provided by a non-service provider, where the NH MME is responsible for the establishment of the network connection, the mobility management function, and as the Neutral Host Core Network and the service provider network device (SP). AAA) an intermediate network element that interacts; the Local AAA Proxy is an intermediate network device that the Neutral Host Core Network interacts with a Service Provider Network Equipment (SP AAA); the NH GW is a gateway device; the ePDG belongs to a network device deployed by a service provider, and Used in the non-trusted access architecture, the role is to establish an IPSec tunnel between the UE and the ePDG. The content transmitted in the tunnel is encrypted and is invisible to the network devices in the Neutral Host Core Network. The SP AAA is a network device used by a service provider to authenticate an authenticated UE and provide a secure encryption key. PDN GateWay is the gateway device of the service provider, and data will eventually enter and exit from this gateway device.
安全管理设备可以包括处理器210、通信接口220,处理器210可以与通信接口220、接收器230连接,如图2所示。处理器210可以是安全管理设备的控制中心,通过运行或执行存储在存储器内的软件程序和/或模块,以及调用存储在存储器内的数据,执行安全管理设备的各种功能和处理数据。在本申请中,处理器210可以用于获取第一密钥的相关处理。处理器210可以包括一个或多个处理单元;处理器210可以是通用处理器,包括中央处理器(Central Processing Unit,简称CPU)、网络处理器(Network Processor,简称NP)等;还可以是数字信号处理器(DSP)、专用集成电路(ASIC)、现场可编程门阵列(FPGA)或者其他可编程逻辑器件等。具体地,程序可以包括程序代码,程序代码包括计算机操作指令。存储器可以用于存储程序。具体地,程序可以包括程序代码,程序代码包括计算机操作指令。存储器可能包含RAM,也可能还包括非易失性存储器(non-volatile memory),例如至少一个磁盘存储器。处理器210执行存储器中存储的程序代码,以实现各种功能。The security management device may include a processor 210 and a communication interface 220. The processor 210 may be connected to the communication interface 220 and the receiver 230, as shown in FIG. The processor 210 may be a control center of the security management device that performs various functions and processing data of the security management device by running or executing software programs and/or modules stored in the memory, and recalling data stored in the memory. In the present application, the processor 210 may be configured to acquire related processing of the first key. The processor 210 may include one or more processing units; the processor 210 may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP Processor, etc.), and the like. Signal processor (DSP), application specific integrated circuit (ASIC), field programmable gate array (FPGA) or other programmable logic device. In particular, the program can include program code, the program code including computer operating instructions. The memory can be used to store programs. In particular, the program can include program code, the program code including computer operating instructions. The memory may contain RAM and may also include non-volatile memory, such as at least one disk storage. The processor 210 executes program code stored in the memory to implement various functions.
终端设备可以包括处理器310、发射器320、接收器330,处理器310可以分别与发射器320、接收器330连接,如图3所示,发射器320和接收器330可以统称为收发器。发射器320可以用于发送消息或数据,发射器320可以包括但不限于至少一个放大器、调谐器、一个或多个振荡器、耦合器、LNA(Low Noise Amplifier,低噪声放大器)、双工器等。处理器310可以是终端设备的控制中心,通过运行或执行存储在存储器内的软件程序和/或模块,以及调用存储在存储器内的数据,执行终端设备的各种功能和处理数据。在本申请中,处理器310可以用于对数据进行加密或解密的相关处理。处理器310可以包括一个或多个处理单元;处理器310可以是通用处理器,包括中央处理器、网络处理器等;还可以是数字信号处理器、专用集成电路、现场可编程门阵列或者其他可编程逻辑器件等。具体地,程序可以包括程序代码,程序代码包括计算机操作指令。存储器可以用于存储程序。具体地,程序可以包括程序代码,程序代码包括计算机操作指令。存储器可能包含RAM,也可 能还包括非易失性存储器,例如至少一个磁盘存储器。处理器310执行存储器中存储的程序代码,以实现各种功能。The terminal device may include a processor 310, a transmitter 320, and a receiver 330. The processor 310 may be respectively connected to the transmitter 320 and the receiver 330. As shown in FIG. 3, the transmitter 320 and the receiver 330 may be collectively referred to as a transceiver. The transmitter 320 can be used to transmit messages or data. The transmitter 320 can include, but is not limited to, at least one amplifier, a tuner, one or more oscillators, a coupler, an LNA (Low Noise Amplifier), a duplexer. Wait. The processor 310 can be a control center of the terminal device that performs various functions and processing data of the terminal device by running or executing software programs and/or modules stored in the memory, and recalling data stored in the memory. In the present application, processor 310 can be used in related processing to encrypt or decrypt data. The processor 310 may include one or more processing units; the processor 310 may be a general purpose processor, including a central processing unit, a network processor, etc.; or may be a digital signal processor, an application specific integrated circuit, a field programmable gate array, or the like. Programmable logic devices, etc. In particular, the program can include program code, the program code including computer operating instructions. The memory can be used to store programs. In particular, the program can include program code, the program code including computer operating instructions. The memory may contain RAM or It can also include a non-volatile memory, such as at least one disk storage. The processor 310 executes program code stored in the memory to implement various functions.
安全终结设备可以包括处理器410和通信接口420,处理器410可以与通信接口420、连接,如图4所示。处理器410可以是安全终结设备的控制中心,通过运行或执行存储在存储器内的软件程序和/或模块,以及调用存储在存储器内的数据,执行安全终结设备的各种功能和处理数据。在本申请中,处理器410可以用于对数据进行加密或解密的相关处理,处理器410可以包括一个或多个处理单元;处理器410可以是通用处理器,包括中央处理器、网络处理器等;还可以是数字信号处理器、专用集成电路、现场可编程门阵列或者其他可编程逻辑器件等。具体地,程序可以包括程序代码,程序代码包括计算机操作指令。存储器可以用于存储程序。具体地,程序可以包括程序代码,程序代码包括计算机操作指令。存储器可能包含RAM,也可能还包括非易失性存储器,例如至少一个磁盘存储器。处理器410执行存储器中存储的程序代码,以实现各种功能。The security termination device can include a processor 410 and a communication interface 420, which can be coupled to the communication interface 420, as shown in FIG. The processor 410 can be a control center for the secure termination device that performs various functions and processing data of the secure termination device by running or executing software programs and/or modules stored in the memory, as well as invoking data stored in the memory. In the present application, the processor 410 may be used for related processing of encrypting or decrypting data, the processor 410 may include one or more processing units; the processor 410 may be a general purpose processor including a central processing unit, a network processor Etc.; can also be a digital signal processor, an application specific integrated circuit, a field programmable gate array or other programmable logic device. In particular, the program can include program code, the program code including computer operating instructions. The memory can be used to store programs. In particular, the program can include program code, the program code including computer operating instructions. The memory may contain RAM and may also include non-volatile memory, such as at least one disk storage. The processor 410 executes program code stored in the memory to implement various functions.
本申请实施例的技术方案可以用于使用非隧道模式建立端到端安全的网络架构,例如MulteFire网络,或者长期演进(Long Term Evolution,LTE)网络,或者家庭基站网络,或者非第三代合作伙伴计划(3rd Generation Partnership Project,3GPP)(例如:无线保真(WIreless-FIdelity,WIFI)接入的移动网络),或者全球移动通讯系统(Global System for Mobile communication,GSM)网络,或者宽带码分多址(Wideband Code Division Multiple Access,WCDMA)网络,或者未来5G/6G网络。The technical solution of the embodiment of the present application may be used to establish an end-to-end secure network architecture using a non-tunnel mode, such as a MulteFire network, or a Long Term Evolution (LTE) network, or a home base station network, or a non-third generation cooperation. 3rd Generation Partnership Project (3GPP) (for example, mobile network with WIreless-FIdelity (WIFI) access), or Global System for Mobile communication (GSM) network, or broadband code Wideband Code Division Multiple Access (WCDMA) network, or future 5G/6G network.
如图5所示,该本申请实施例的方法如下步骤:As shown in FIG. 5, the method in this embodiment of the present application is as follows:
步骤501,终端设备确定终端设备的传输数据类型;当终端设备的传输数据类型包括目标数据类型时,终端设备获取密钥推演参数值。Step 501: The terminal device determines a transmission data type of the terminal device. When the transmission data type of the terminal device includes the target data type, the terminal device acquires a key derivation parameter value.
可选的,终端设备开机时可以向网络控制设备发送附着请求,网络控制设备接收到附着请求后,可以向终端设备发送用于请求终端设备的设备标识的请求,终端设备接收到该请求后,可以向网络控制设备发送设备标识。网络控制设备接收到终端设备的设备标识后,可以将其发送至安全管理设备。后续终端设备可以与安全管理设备执行鉴权过程,其中,终端设备与安全管理设备的鉴权方法可以是扩展认证协议-改进的认证和秘钥协商(Extensible Authentication Protocol–Improved Authentication KeyAgreement,EAP-AKA),也可以是扩展认证协议-传输层安全协议(Extensible Authentication Protocol–Transport Layer Security,EAP-TLS),也可以是扩展认证协议-隧道传输层安全协议(Extensible Authentication Protocol–Tunneled Transport Layer Security,EAP-TTLS),本申请实施例不对鉴权方法进行限定。Optionally, the terminal device may send an attach request to the network control device when the terminal device is powered on. After receiving the attach request, the network control device may send a request for requesting the device identifier of the terminal device to the terminal device, and after receiving the request, the terminal device receives the request. The device identification can be sent to the network control device. After receiving the device identifier of the terminal device, the network control device can send it to the security management device. The subsequent terminal device may perform an authentication process with the security management device, wherein the authentication method of the terminal device and the security management device may be an extended authentication protocol-implemented authentication and key agreement (EAP-AKA). , ), can also be an Extensible Authentication Protocol (Transport Layer Security) (EAP-TLS), or an Extensible Authentication Protocol-Tunneled Transport Layer Security (Extensible Authentication Protocol-Tunneled Transport Layer Security, EAP-TTLS), the embodiment of the present application does not limit the authentication method.
在鉴权过程中,终端设备和安全终结设备可以确定出用于传输目标数据类型的数据的第一密钥,具体如下:In the authentication process, the terminal device and the security termination device may determine a first key for transmitting data of the target data type, as follows:
终端设备可以确定终端设备的传输数据类型,当终端设备的传输数据类型包括目标数据类型时,可以获取密钥推演参数值,其中,密钥推演参数值可以用于终端设备推演第一密钥,密钥推演参数值可以为随机值,也可以是终端设备的设备标识。The terminal device may determine the transmission data type of the terminal device. When the transmission data type of the terminal device includes the target data type, the key derivation parameter value may be obtained, where the key deduction parameter value may be used by the terminal device to derive the first key. The key derivation parameter value may be a random value or a device identifier of the terminal device.
可选的,终端设备还可以向安全管理设备发送用于指示终端设备的传输数据类型的指示信息。 Optionally, the terminal device may further send, to the security management device, indication information indicating the type of the transmission data of the terminal device.
具体的,终端设备在向网络控制设备发送附着请求时,附着请求中可以携带有用于指示终端设备的传输数据类型的指示信息,网络控制设备接收到指示信息后,可以将其发送至安全管理设备。Specifically, when the terminal device sends an attach request to the network control device, the attach request may carry indication information indicating the type of the transmission data of the terminal device, and after receiving the indication information, the network control device may send the indication information to the security management device. .
另外,网络控制设备接收到指示信息后,可以将其发送至安全管理设备。In addition, after receiving the indication information, the network control device can send it to the security management device.
可选的,当目标数据类型为物联网数据类型时,上述指示信息可以为物联网优化架构支持指示信息(CP CIOT EPS optimization supported)。Optionally, when the target data type is an Internet of Things data type, the foregoing indication information may be a CP CIOT EPS optimization supported information.
可选的,基于密钥推演参数值的来源不同,步骤501的处理过程可以多种多样,以下给出了几种可行的处理方式:Optionally, based on the source of the key derivation parameter values, the processing of step 501 can be various, and several feasible processing methods are given below:
方式一,终端设备获取安全管理设备发送的密钥推演参数值。In the first manner, the terminal device acquires a key derivation parameter value sent by the security management device.
安全管理设备可以生成密钥推演参数值,并将其发送至终端设备,该部分将在后续进行具体的表述。安全管理设备向终端设备发送密钥推演参数值后,终端设备可以接收安全管理设备发送的密钥推演参数值。可选的,终端设备可以存储接收的密钥推演参数值。The security management device can generate a key derivation parameter value and send it to the terminal device, which will be specifically described later. After the security management device sends the key deduction parameter value to the terminal device, the terminal device may receive the key derivation parameter value sent by the security management device. Optionally, the terminal device may store the received key derivation parameter value.
方式二,终端设备生成密钥推演参数值,向安全管理设备发送生成的密钥推演参数值。In the second manner, the terminal device generates a key derivation parameter value, and sends the generated key derivation parameter value to the security management device.
在鉴权过程中,终端设备可以生成密钥推演参数值,并可以将其发送至安全管理设备。例如,对于EAP-TLS鉴权,终端设备可以生成密钥推演参数值,并在向鉴权授权计费服务器发送客户问候(client-hello)消息时,向鉴权授权计费服务器发送生成的密钥推演参数值。In the authentication process, the terminal device can generate a key derivation parameter value and can send it to the security management device. For example, for EAP-TLS authentication, the terminal device may generate a key derivation parameter value, and send a generated secret to the authentication authorization accounting server when sending a client-hello message to the authentication authorization charging server. The key derivation parameter value.
步骤502,终端设备根据密钥推演参数值,获取第一密钥,其中,第一密钥用于终端设备基于第一密钥对待传输的目标数据类型的数据进行加密,或者对接收到的加密后的目标数据类型的数据进行解密。Step 502: The terminal device acquires a first key according to the key derivation parameter value, where the first key is used by the terminal device to encrypt data of the target data type to be transmitted according to the first key, or to encrypt the received data. The data of the target data type is decrypted.
终端设备获取到密钥推演参数值后,终端设备可以基于获取的密钥推演参数值推演第一密钥。可选的,终端设备可以存储推演的第一密钥。当需要向服务器传输目标数据类型的数据时,终端设备可以基于第一密钥对待传输的数据进行加密。当接收到加密后的目标数据类型的数据时,可以基于第一密钥对接收到的数据进行解密。After the terminal device obtains the key derivation parameter value, the terminal device may derive the first key based on the obtained key derivation parameter value. Optionally, the terminal device can store the deduced first key. When it is required to transmit data of a target data type to the server, the terminal device can encrypt the data to be transmitted based on the first key. When the data of the encrypted target data type is received, the received data can be decrypted based on the first key.
可选的,终端设备还可以基于第一密钥推演第二密钥。具体的:第一密钥用于终端设备对待传输的目标数据类型的数据进行加密,或者对接收到的加密后的目标数据类型的数据进行解密;或者,第一密钥用于终端设备基于第一密钥,推演第二密钥;第二密钥用于安全终结设备对待传输的目标数据类型的数据进行加密,或者对接收到的加密后的目标数据类型的数据进行解密。Optionally, the terminal device may further derive the second key based on the first key. Specifically, the first key is used to encrypt data of the target data type to be transmitted by the terminal device, or to decrypt the received data of the target data type; or the first key is used by the terminal device A key is used to derive the second key; the second key is used to securely terminate the data of the target data type to be transmitted by the device, or to decrypt the received data of the target data type.
步骤503,安全管理设备确定终端设备的传输数据类型。Step 503: The security management device determines a transmission data type of the terminal device.
在鉴权过程中,安全管理设备可以确定终端设备的传输数据类型。另外,步骤502与步骤503并无明确的先后关系,可以并行,也可以是步骤502先于步骤503,也可以步骤502后于步骤503。In the authentication process, the security management device can determine the type of transmission data of the terminal device. In addition, there is no clear relationship between step 502 and step 503, and may be in parallel, or step 502 may be preceded by step 503, or step 502 may be followed by step 503.
可选的,针对终端设备向安全管理设备发送终端设备的设备标识和/或指示信息的情况,步骤503的处理过程可以如下:根据终端设备发送的用于指示终端设备的传输数据类型的指示信息,确定终端设备的传输数据类型;或者,根据预先获取的设备标识与传输数据类型的对应关系,确定终端设备的传输数据类型。Optionally, for the case that the terminal device sends the device identifier and/or the indication information of the terminal device to the security management device, the process of step 503 may be as follows: according to the indication information that is sent by the terminal device to indicate the type of the transmission data of the terminal device. Determining a transmission data type of the terminal device; or determining a transmission data type of the terminal device according to a correspondence between the pre-acquired device identifier and the transmission data type.
终端设备向安全管理设备发送终端设备的设备标识和/或用于指示终端设备的传输数据类型的指示信息后,安全管理设备可以接收终端设备发送的终端设备的设备标识和/或用于指示终端设备的传输数据类型的指示信息。针对接收到终端设备发送的用于指示终端设备 的传输数据类型的指示信息的情况,安全管理设备接收到该指示信息后,即可确定出终端设备的传输数据类型。针对没有接收到终端设备发送的指示信息的情况,安全管理设备可以在预先存储的设备标识与传输数据类型的对应关系中,确定终端设备的设备标识对应的传输数据类型。After the terminal device sends the device identifier of the terminal device to the security management device and/or the indication information indicating the type of the transmission data of the terminal device, the security management device may receive the device identifier of the terminal device sent by the terminal device and/or indicate the terminal. Indicates the type of data transmitted by the device. For indicating the terminal device sent by the receiving terminal device In the case of the indication information of the transmission data type, after receiving the indication information, the security management device can determine the transmission data type of the terminal device. For the case where the indication information sent by the terminal device is not received, the security management device may determine the transmission data type corresponding to the device identifier of the terminal device in the correspondence between the pre-stored device identifier and the transmission data type.
步骤504,当终端设备的传输数据类型包括预设的目标数据类型时,安全管理设备获取密钥推演参数值,根据密钥推演参数值,获取第一密钥。Step 504: When the transmission data type of the terminal device includes the preset target data type, the security management device acquires the key deduction parameter value, and obtains the first key according to the key derivation parameter value.
安全管理设备确定出终端设备的传输数据类型后,可以判断终端设备的传输数据类型是否包括预设的目标数据类型,如果包括,则安全管理设备可以获取密钥推演参数值,其中,密钥推演参数值是与终端设备获取的密钥推演参数值相同,进而,可以基于获取的密钥推演参数值推演第一密钥。可选的,安全管理设备可以存储推演的第一密钥。After the security management device determines the transmission data type of the terminal device, it may determine whether the transmission data type of the terminal device includes a preset target data type. If included, the security management device may obtain a key derivation parameter value, where the key derivation The parameter value is the same as the key derivation parameter value acquired by the terminal device. Further, the first key may be derived based on the obtained key derivation parameter value. Optionally, the security management device can store the first key of the deduction.
可选的,密钥推演参数值可以为随机值,也可以为终端设备的设备标识。Optionally, the key derivation parameter value may be a random value or a device identifier of the terminal device.
可选的,基于密钥推演参数值的来源不同,步骤504的处理过程可以多种多样,以下给出了几种可行的处理方式:Optionally, based on the source of the key derivation parameter values, the processing of step 504 can be various, and several feasible processing methods are given below:
方式一,当终端设备的传输数据类型包括预设的目标数据类型时,获取生成的密钥推演参数值,并向终端设备发送密钥推演参数值,根据密钥推演参数值,获取第一密钥。In the first manner, when the transmission data type of the terminal device includes the preset target data type, the generated key derivation parameter value is obtained, and the key derivation parameter value is sent to the terminal device, and the first key is obtained according to the key derivation parameter value. key.
在与终端设备的鉴权过程中,安全管理设备可以生成密钥推演参数。具体的,可以在接收到终端设备发送的指示信息后,生成密钥推演参数值。对于EPA-TLS鉴权,鉴权授权计费服务器接收到终端设备发送的client-hello后,可以生成密钥推演参数值,并可以在向终端设备发送服务器问候(server-hello)时,向终端设备发送生成的密钥推演参数值,以便终端设备基于该密钥推演参数值,推演第一密钥。In the authentication process with the terminal device, the security management device can generate a key derivation parameter. Specifically, after receiving the indication information sent by the terminal device, the key derivation parameter value may be generated. For the EPA-TLS authentication, after receiving the client-hello sent by the terminal device, the authentication authorization accounting server may generate a key derivation parameter value, and may send the server hello to the terminal device when sending the server hello to the terminal device. The device sends the generated key derivation parameter value, so that the terminal device derives the parameter value based on the key derivation and deduces the first key.
对于EPA-AKA鉴权的情况,生成密钥推演参数值的处理方式可以多种多样,以下给出了几种可行的处理方式,其中,以下给出的几种处理方式中,终端设备与安全管理设备依然进行现有的鉴权处理,本申请实施例不对现有的处理进行改变。For EPA-AKA , in the case of authentication, the processing method for generating key derivation parameter values can be various. Several feasible processing methods are given below. Among the several processing methods given below, the terminal device and The security management device still performs the existing authentication process, and the embodiment of the present application does not change the existing process.
方式1,鉴权授权计费服务器接收到终端设备通过网络控制设备发送的设备标识和/或指示信息后,可以按照现有的鉴权处理流程进行下一步处理,即可以向归属签约服务器发送AKA鉴权向量请求,归属签约服务器接收到AKA鉴权向量请求后,除进行现有的处理(比如生成鉴权向量)外,还可以生成密钥推演参数值(比如随机值),并可以将生成的密钥推演参数值发送至鉴权授权计费服务器(其中,归属签约服务器可以在向鉴权授权计费服务器发送鉴权向量时,发送密钥推演参数值,也可以在其他时间节点),鉴权授权计费服务器接收到密钥推演参数值后,可以获取生成的密钥推演参数值,并可以将其发送至终端设备。鉴权授权计费服务器获取到密钥推演参数值后,可以基于密钥推演参数值参数值和其他密钥材料,推演第一密钥。 Mode 1, after receiving the device identifier and/or indication information sent by the terminal device through the network control device, the authentication authorization accounting server may perform the next processing according to the existing authentication processing flow, that is, may send the AKA to the home subscription server. After the authentication vector request, the home subscription server receives the AKA authentication vector request, in addition to performing existing processing (such as generating an authentication vector), may also generate a key derivation parameter value (such as a random value), and may generate The key derivation parameter value is sent to the authentication authorization charging server (where the home subscription server may send the key derivation parameter value when sending the authentication vector to the authentication authorization charging server, or may be at other time nodes), After receiving the key derivation parameter value, the authentication authorization accounting server may obtain the generated key derivation parameter value and may send it to the terminal device. After obtaining the key derivation parameter value, the authentication authorization accounting server may derive the first key based on the key derivation parameter value parameter value and other key materials.
方式2,归属签约服务器生成密钥推演参数值后,可以基于密钥推演参数值推演第一密钥,进而,可以将第一密钥发送至鉴权授权计费服务器。另外,密钥推演参数值的发送可以与方式1相同。In the mode 2, after the home signing server generates the key derivation parameter value, the first key may be derived based on the key derivation parameter value, and further, the first key may be sent to the authentication authorization charging server. In addition, the key derivation parameter value can be transmitted in the same manner as in the mode 1.
方式3,鉴权授权计费服务器接收到用于指示终端设备的传输数据类型的指示信息后,可以生成密钥推演参数值,并可以将其发送至终端设备。生成密钥推演参数值后,可以基于生成的密钥推演参数值,推演第一密钥。In the mode 3, after receiving the indication information indicating the type of the transmission data of the terminal device, the authentication authorization charging server may generate a key deduction parameter value and may send the key deduction parameter value to the terminal device. After the key derivation parameter value is generated, the first key can be derived based on the generated key derivation parameter value.
方式4,对于方式1和2中归属签约服务器生成密钥推演参数值的情况,鉴权授权计费 服务器向归属签约服务器发送的AKA鉴权向量请求中还可以携带有用于指示终端设备的传输数据类型的指示信息,归属签约服务器接收到该指示信息后,可以进行后续生成密钥推演参数值的处理。Mode 4, for the case where the home subscription server generates the key derivation parameter values in modes 1 and 2, the authentication authorization charging The AKA authentication vector request sent by the server to the home subscription server may further carry indication information indicating the type of the transmission data of the terminal device, and after receiving the indication information, the home subscription server may perform subsequent processing of generating the key deduction parameter value. .
可选的,在推演第一密钥的过程中,除了利用密钥推演参数值,还可以利用其他密钥材料(例如:CK’/IK’)。Optionally, in the process of deriving the first key, in addition to deriving the parameter value by using the key, other key materials (for example: CK'/IK') may be utilized.
方式二,当终端设备的传输数据类型包括预设的目标数据类型时,获取终端设备发送的密钥推演参数值。In the second manner, when the transmission data type of the terminal device includes the preset target data type, the key derivation parameter value sent by the terminal device is obtained.
针对上述讲述的终端设备生成密钥推演参数值的情况,安全管理设备可以接收终端设备发送的密钥推演参数值,并可以将其进行存储。在安全管理设备判断出终端设备的传输数据类型包括预设的目标数据类型的情况下,安全管理设备可以获取终端设备发送的密钥推演参数值,进而,基于密钥推演参数值,推演第一密钥。For the case where the terminal device generates the key derivation parameter value, the security management device may receive the key derivation parameter value sent by the terminal device and may store it. When the security management device determines that the transmission data type of the terminal device includes the preset target data type, the security management device may obtain the key derivation parameter value sent by the terminal device, and further derive the first based on the key derivation parameter value. Key.
步骤505,安全管理设备向安全终结设备发送第一密钥。Step 505: The security management device sends the first key to the security termination device.
其中,安全终结设备可以是服务提供商(比如运营商)部署的具有可信性的网络设备,可以是终端设备与服务器传输目标数据类型的数据的传输路径上的网络设备。例如:安全终结网络设备可以是PDN GW、也可以是SCEF、也可以是ePDG,也可以是部署位置位于PDN GW之前的独立的安全网关。The security termination device may be a trusted network device deployed by a service provider (such as an operator), and may be a network device on a transmission path of the terminal device and the server transmitting data of a target data type. For example, the security termination network device may be a PDN GW, a SCEF, or an ePDG, or an independent security gateway whose deployment location is before the PDN GW.
在实施中,安全管理设备得到第一密钥后,可以将其发送至安全终结设备。In the implementation, after the security management device obtains the first key, it can send it to the security termination device.
可选的,为增加安全性,安全管理设备可以对第一密钥进行加密,相应的,步骤505的处理过程可以如下:基于预先定义的公钥,对第一密钥进行加密,得到加密后的第一密钥;向安全终结设备发送加密后的第一密钥。Optionally, in order to increase security, the security management device may encrypt the first key. Correspondingly, the process of step 505 may be as follows: encrypting the first key based on a predefined public key, and obtaining the encrypted The first key; the encrypted first key is sent to the security terminating device.
可选的,安全管理设备中可以预先存储有公钥,得到第一密钥后,可以采用预先存储的公钥对第一密钥进行加密,得到加密后的第一密钥,进而,可以向安全终结设备发送加密后的第一密钥。Optionally, the public key may be pre-stored in the security management device. After the first key is obtained, the first key may be encrypted by using a pre-stored public key to obtain the encrypted first key. The secure termination device sends the encrypted first key.
可选的,安全终结设备可以通过网络控制设备向安全终结设备发送加密后的第一密钥,相应的,处理过程可以如下:安全管理设备通过网络控制设备,向安全终结设备发送加密后的第一密钥,以使网络控制设备,向安全终结设备发送加密后的第一密钥。Optionally, the security termination device may send the encrypted first key to the security termination device through the network control device, and correspondingly, the processing procedure may be as follows: the security management device sends the encrypted first to the security termination device by using the network control device A key for causing the network control device to send the encrypted first key to the security terminating device.
在实施中,安全管理设备得到加密后的第一密钥后,可以在鉴权过程中,将加密后的第一密钥发送至网络控制设备,比如可以在现有的向网络控制设备发送主会话密钥时,向网络控制设备发送加密后的第一密钥。向网络控制设备发送加密后的第一密钥后,网络控制设备可以在检测到密钥发送触发事件发生时,向安全终结设备发送加密后的第一密钥。In an implementation, after the security management device obtains the encrypted first key, the encrypted first key may be sent to the network control device during the authentication process, for example, the existing primary device may be sent to the network control device. When the session key is used, the encrypted first key is sent to the network control device. After the encrypted first key is sent to the network control device, the network control device may send the encrypted first key to the security termination device when detecting that the key transmission trigger event occurs.
可选的,网络控制设备可以在发送连接建立请求时,向安全终结设备发送加密后的第一密钥,相应的,处理过程可以如下:通过网络控制设备,向安全终结设备发送加密后的第一密钥,以使网络控制设备,在向安全终结设备发送连接建立请求时,发送加密后的第一密钥。Optionally, the network control device may send the encrypted first key to the security termination device when sending the connection establishment request, and correspondingly, the processing may be as follows: sending the encrypted first to the security termination device by using the network control device A key, so that the network control device sends the encrypted first key when sending a connection establishment request to the security termination device.
在实施中,现有技术中,网络控制设备可以在与终端设备协商出密钥(即鉴权执行完成)后,向安全终结设备发送连接建立请求,以建立目标数据类型的数据传输路径。另外,网络控制设备也可以在附着过程完成后,终端设备主动发起分组数据网络(Packet Data Network,PDN)连接建立过程,此种情况下,网络控制设备可以在接收到终端设备发送的连接建立请求后,向安全终结设备发送连接建立请求,其中,连接建立请求中携带有用于 指示终端设备的传输数据类型的指示信息。In an implementation, in the prior art, after the network control device negotiates a key with the terminal device (ie, the authentication execution is completed), the network control device may send a connection establishment request to the security termination device to establish a data transmission path of the target data type. In addition, the network control device may also initiate a packet data network (PDN) connection establishment process after the attach process is completed. In this case, the network control device may receive the connection establishment request sent by the terminal device. Afterwards, the connection establishment request is sent to the security termination device, where the connection establishment request is carried in the connection establishment request An indication indicating a type of transmission data of the terminal device.
网络控制设备接收到安全管理设备发送的加密后的第一密钥后,网络控制设备可以在向安全终结设备发送连接建立请求时,发送加密后的第一密钥。After receiving the encrypted first key sent by the security management device, the network control device may send the encrypted first key when sending the connection establishment request to the security termination device.
步骤506,安全终结设备接收安全管理设备发送的第一密钥,其中,第一密钥用于安全终结设备基于第一密钥对终端设备发送的加密后的目标数据类型的数据进行解密,或者对服务器发送给终端设备的目标数据类型的数据进行加密。Step 506: The security termination device receives the first key sent by the security management device, where the first key is used by the security termination device to decrypt the encrypted target data type data sent by the terminal device based on the first key, or Encrypt data of the target data type that the server sends to the terminal device.
可选的,针对安全管理设备向安全终结设备发送加密后的第一密钥的情况,安全终结设备接收到安全管理设备发送的加密后的第一密钥后,基于预先获得的私钥对加密后的第一密钥进行解密,得到第一密钥。Optionally, in the case that the security management device sends the encrypted first key to the security termination device, the security termination device receives the encrypted first key sent by the security management device, and then encrypts the encryption based on the pre-acquired private key pair. The latter first key is decrypted to obtain the first key.
可选的,安全终结设备还可以基于第一密钥推演第二密钥,相应的,步骤506的处理过程可以如下:第一密钥用于安全终结设备对终端设备发送的加密后的目标数据类型的数据进行解密,或者对服务器发送给终端设备的目标数据类型的数据进行加密;或者,第一密钥用于安全终结设备基于第一密钥,推演第二密钥;第二密钥用于安全终结设备基于第二密钥对终端设备发送的加密后的目标数据类型的数据进行解密,或者对服务器发送给终端设备的目标数据类型的数据进行加密。Optionally, the security termination device may further derive the second key based on the first key. Correspondingly, the processing of step 506 may be as follows: the first key is used to securely terminate the encrypted target data sent by the device to the terminal device. The type of data is decrypted, or the data of the target data type sent by the server to the terminal device is encrypted; or the first key is used by the security termination device to derive the second key based on the first key; the second key is used The security termination device decrypts the encrypted target data type data sent by the terminal device based on the second key, or encrypts the data of the target data type sent by the server to the terminal device.
以图1(b)所述的网络架构为例,对于EPA-AKA鉴权,安全管理设备和终端设备获取第一密钥的流程图可以如图6所示。其中,Taking the network architecture described in FIG. 1(b) as an example, a flowchart for obtaining the first key for the EPA-AKA , the authentication, the security management device, and the terminal device may be as shown in FIG. 6. among them,
1、SP AAA(其中,SP AAA为服务器提供商提供的鉴权授权计费服务器)可以预先存储公钥。(用于步骤21加密第一密钥)。1. SP AAA (where SP AAA is an authentication and authorization accounting server provided by the server provider) may store the public key in advance. (Used to encrypt the first key in step 21).
2、UE进行IoT(物联网)网络选择。2. The UE performs IoT (Internet of Things) network selection.
3、UE与MF AP之间建立空口连接,即RRC(Radio Resource Control,无线资源控制)连接。3. An air interface connection is established between the UE and the MF AP, that is, an RRC (Radio Resource Control) connection.
4、UE发起附着请求,其中携带“CP CIoT EPS optimization supported”指示信息,表明要使用IoT数据传输功能。其中,“CP CIoT EPS optimization supported”指示信息为物联网优化架构支持指示信息。4. The UE initiates an attach request, which carries a "CP CIoT EPS optimization supported" indication message indicating that the IoT data transmission function is to be used. The "CP CIoT EPS optimization supported" indication information is the IoT optimization architecture support indication information.
5、NH-MME通过NAS(非接入层)消息发送EAP-RQ/Identity给UE,请求UE的设备标识。其中,EAP-RQ/Identity可以是一种消息名称,用于请求UE的设备标识。5. The NH-MME sends the EAP-RQ/Identity to the UE through the NAS (Non-Access Stratum) message, requesting the device identifier of the UE. The EAP-RQ/Identity may be a message name used to request the device identifier of the UE.
6、UE反馈设备标识给NH-MME。6. The UE feeds back the device identifier to the NH-MME.
7-8、NH-MME将设备标识以及“CP CIoT EPS optimization supported”指示信息发送给SP AAA。7-8. The NH-MME sends the device identifier and the "CP CIoT EPS optimization supported" indication information to the SP AAA.
9a、SP AAA向HSS发送AKA鉴权向量请求,鉴权向量用于生成加密密钥和验证UE。9a. The SP AAA sends an AKA authentication vector request to the HSS, and the authentication vector is used to generate an encryption key and verify the UE.
9b、HSS生成鉴权向量以及IoT-RAND随机值(IoT-RAND即为上述所述的密钥推演参数值),该随机值用于推演步骤21和步骤24c的MSK-IoT密钥(该密钥即为第一密钥)。9b, the HSS generates an authentication vector and an IoT-RAND random value (IoT-RAND is the key derivation parameter value described above), and the random value is used to derive the MSK-IoT key of step 21 and step 24c (the secret) The key is the first key).
9c、HSS返回IoT-RAND随机值给SP AAA。9c, HSS returns the IoT-RAND random value to SP AAA.
10、SP根据从HSS获取的鉴权向量生成主会话密钥MSK。10. The SP generates a primary session key MSK based on the authentication vector obtained from the HSS.
11a-12b、发送鉴权向量和IoT-RAND给UE;11a-12b, sending an authentication vector and IoT-RAND to the UE;
13、UE根据收到的鉴权向量生成主会话密钥MSK和响应RES(Response);13. The UE generates a primary session key MSK and a response RES (Response) according to the received authentication vector;
14-15b、发送响应RES给SP AAA; 14-15b, send response RES to SP AAA;
16、SP AAA将验证接收到的RES和SP AAA自身在步骤10生成RES是否相同,如果相同则认为UE是合法的终端;16. The SP AAA will verify that the received RES and the SP AAA itself generate the same RES in step 10, and if they are the same, consider that the UE is a legitimate terminal;
17-19、可选步骤,此处可以忽略;17-19. Optional steps, which can be ignored here;
20、如果16步骤认证通过,则从HSS获取签约数据;20. If the 16-step authentication is passed, the subscription data is obtained from the HSS;
21、SP AAA根据步骤9c获得的IoT-RAND随机值和其他密钥材料(例如,CK’/IK’)推演生成密钥MSK-IoT。21. The SP AAA derives the generated key MSK-IoT from the IoT-RAND random value obtained in step 9c and other key material (e.g., CK'/IK').
22a-22b、SP AAA把主会话密钥MSK以及生成的MSK-IoT发送给NH-MME。而且MSK-IoT要通过步骤1的公钥加密传输给NH-MME,也就是说NH-MME拿到这个MSK-IoT是个加密的信息,看不到真实的MSK-IoT。22a-22b, SP AAA sends the primary session key MSK and the generated MSK-IoT to the NH-MME. Moreover, the MSK-IoT is transmitted to the NH-MME through the public key encryption of step 1, that is to say, the NH-MME obtains the MSK-IoT as an encrypted information, and does not see the real MSK-IoT.
23、NH-MME发送EAP鉴权成功信息给UE。23. The NH-MME sends the EAP authentication success information to the UE.
24a-24b、UE和NH-MME根据获得鉴权向量推演出密钥Kasme,用于NAS消息加密。24a-24b, the UE and the NH-MME derive the key Kasme according to the obtained authentication vector for NAS message encryption.
24c、UE同步骤21一样,同样推演出MSK-IoT。24c, UE is the same as step 21, and also performs MSK-IoT.
25、UE与NH-MME通过SMC(Security Mode Command,安全模式命令)协商出UE与NH-MME之间的加密算法。The UE and the NH-MME negotiate an encryption algorithm between the UE and the NH-MME through an SMC (Security Mode Command).
以上就是鉴权过程的执行,本申请经过上述鉴权过程实现了UE上有密钥MSK-IoT,NH-MME上有加密后的密钥MSK-IoT。图6所示的鉴权流程是现有技术,在鉴权过程中生成第一密钥(MSK-IoT)的相关处理均是本申请的方案。图6中,每个执行主体交互的信息可以是消息名称和/或消息中携带的信息。The above is the execution of the authentication process. After the above authentication process, the present application implements the key MSK-IoT on the UE, and the encrypted key MSK-IoT on the NH-MME. The authentication process shown in FIG. 6 is prior art, and the related process of generating the first key (MSK-IoT) in the authentication process is the solution of the present application. In FIG. 6, the information of each execution subject interaction may be a message name and/or information carried in the message.
可选的,HSS生成IoT-RAND随机值后,还可以根据IoT-RAND随机值和其他密钥材料推演MSK-IoT,进而,将MSK-IoT发送至SP AAA,其他步骤处理与图6所示的相同。可选的,HSS推演出MSK-IoT后,可以用预先存储的公钥对MSK-IoT进行加密,将加密后的MSK-IoT发送给SP AAA。Optionally, after the HSS generates the IoT-RAND random value, the MSK-IoT may be derived according to the IoT-RAND random value and other key materials, and then the MSK-IoT is sent to the SP AAA, and other steps are processed as shown in FIG. 6. The same. Optionally, after the HSS derives the MSK-IoT, the MSK-IoT can be encrypted with a pre-stored public key, and the encrypted MSK-IoT is sent to the SP AAA.
可选的,SP AAA接收到“CP CIoT EPS optimization supported”指示信息后,还可以生成IoT-RAND,即在图6所示的流程中的第10步骤还可以生成IoT-RAND,不再由HSS生成,其他步骤与图6相同。Optionally, after receiving the “CP CIoT EPS optimization supported” indication information, the SP AAA may also generate the IoT-RAND, that is, the 10th step in the process shown in FIG. 6 may also generate the IoT-RAND, no longer by the HSS. The other steps are the same as in Fig. 6.
可选的,在图6的9a步骤,SP AAA还可以向HSS发送“CP CIoT EPS optimization supported”指示信息。Optionally, in step 9a of FIG. 6, the SP AAA may also send a “CP CIoT EPS optimization supported” indication information to the HSS.
可选的,在步骤25之后,现有技术中NH-MME可以向安全终结设备发送连接建立请求,本申请实施例中,该连接建立请求中可以携带有加密后的第一密钥。可选的,现有技术中,附着过程完成或,终端设备可以主动发起PDN连接建立过程,NH-MME接收到终端设备发送的连接建立请求后,可以向安全终结设备发送连接建立请求,本申请实施例中,该连接建立请求中还可以携带加密后的第一密钥。Optionally, after the step 25, the NH-MME can send a connection establishment request to the security termination device in the prior art. In this embodiment, the connection establishment request may carry the encrypted first key. Optionally, in the prior art, the attaching process is complete, or the terminal device may initiate a PDN connection establishment process. After receiving the connection establishment request sent by the terminal device, the NH-MME may send a connection establishment request to the security termination device. In an embodiment, the encrypted connection first key may also be carried in the connection establishment request.
可选的,对于EPA-TLS鉴权,安全管理设备和终端设备获取第一密钥的流程图可以如图7所示。其中,Optionally, for EPA-TLS authentication, a flowchart of the security management device and the terminal device acquiring the first key may be as shown in FIG. 7. among them,
0、SP AAA可以预先存储公钥;0, SP AAA can pre-store the public key;
1、UE发起初始连接消息(即附着请求);其中携带CP CIoT EPS optimization supported指示信息,表示将使用IoT网络;1. The UE initiates an initial connection message (ie, an attach request); and carries the CP CIoT EPS optimization supported indication information, indicating that the IoT network will be used;
2、NH MME向UE请求UE的设备标识; 2. The NH MME requests the UE for the device identifier of the UE.
3、UE发送设备标识;3. The UE sends the device identifier.
4、NH MME转发设备标识给SP AAA Server,并且携带CP CIoT EPS optimization supported指示。4. The NH MME forwards the device identifier to the SP AAA Server and carries the CP CIoT EPS optimization supported indication.
5-6、认证服务器通过用户标识检索认证数据库,获知采用TLS认证机制。通过向申请者发送Start消息,启动TLS认证过程,等待进行TLS认证。5-6. The authentication server retrieves the authentication database through the user identifier, and learns that the TLS authentication mechanism is adopted. The TLS authentication process is initiated by sending a Start message to the applicant, waiting for TLS authentication.
7-8、UE发送EAP-TLS:Client-Hello消息给SP AAA Server。这个消息里面包含了自己可实现的算法列表、Client Random Value和其它一些需要的信息。7-8. The UE sends an EAP-TLS: Client-Hello message to the SP AAA Server. This message contains a list of algorithms that you can implement, Client Random Value, and other required information.
9-10、SP AAA Server接收到EAP-TLS:Client-Hello后,确定TLS认证已建立,发送包含SP AAA Server的数字证书Server-Certificate、UE的数字证书请求Client Certificate-Request、Sever-Hello和Server Key-Exchange消息用于用交换密钥过程。Server Hello,确定了这次通信所需要的算法和Server Random Value。在本实施例,SP AAA Server还要生成一个随机值Server-IoT Random(即密钥推演参数值)发送给UE。9-10. After receiving the EAP-TLS: Client-Hello, the SP AAA Server determines that the TLS authentication has been established, and sends the digital certificate Server-Certificate including the SP AAA Server, the UE's digital certificate request Client Certificate-Request, Sever-Hello, and Server Key-Exchange messages are used to exchange key procedures. Server Hello, determines the algorithm and Server Random Value required for this communication. In this embodiment, the SP AAA Server also generates a random value Server-IoT Random (that is, a key derivation parameter value) and sends it to the UE.
11-12、UE校验SP AAA Server的数字证书Server-Certificate,如果合法,向SP AAA Server发送Client-Cert、Client Key-Exchange、Change Cipher-spec和Finished消息。Client-Cert为UE的数字证书、Client Key-Exchange为使用SP AAA Server的公钥加密的定长随机串,也叫Pre Master Secert,Change Cipher-spec为UE能够支持的加密类型。11-12. The UE verifies the digital certificate Server-Certificate of the SP AAA Server. If it is valid, it sends a Client-Cert, Client Key-Exchange, Change Cipher-spec, and Finished message to the SP AAA Server. The Client-Cert is the digital certificate of the UE, and the Client Key-Exchange is a fixed-length random string encrypted by the public key of the SP AAA Server. It is also called Pre Master Secert. The Change Cipher-spec is the encryption type that the UE can support.
13-14、SP AAA Server校验UE的证书Client-Certificate,如果合法,然后回复UE以Change Cipher-spec和Finished消息,Change Cipher-spec包含了SP AAA Server指定使用的加密类型。13-14. The SP AAA Server verifies the UE's certificate Client-Certificate. If it is valid, then it replies to the UE to change the Cipher-spec and Finished messages. The Change Cipher-spec contains the encryption type specified by the SP AAA Server.
15-16、UE返回响应消息。15-16. The UE returns a response message.
17、UE和SP AAA Server推演出主会话密钥MSK;17. The UE and the SP AAA Server derive the main session key MSK;
18、UE和SP AAA Server根据步骤9和10获得的Server-IoT-Random推演出IoT使用的密钥MSK-IoT;18. The UE and the SP AAA Server derive the key MSK-IoT used by the IoT according to the Server-IoT-Random obtained in steps 9 and 10;
19、SP AAA Server发送鉴权成功信息和主会话密钥MSK给NH-MME,并且用步骤0存储的公钥对MSK-IoT加密并发送给NH-MME;The SP AAA Server sends the authentication success information and the primary session key MSK to the NH-MME, and encrypts the MSK-IoT with the public key stored in step 0 and sends it to the NH-MME;
20、NH-MME发送鉴权成功消息EAP-Success给UE;20. The NH-MME sends an authentication success message EAP-Success to the UE.
21、UE和NH MME各自根据MSK推演出NAS加密用的密钥Kasme。21. The UE and the NH MME each derive a key Kasme for NAS encryption according to the MSK.
22、UE与NH-MME通过SMC(Security Mode Command,安全模式命令)协商出UE与NH-MME之间的加密算法。22. The UE and the NH-MME negotiate an encryption algorithm between the UE and the NH-MME through an SMC (Security Mode Command).
23、附着过程完成。23. The attachment process is completed.
以上就是鉴权过程的执行,本申请经过上述鉴权过程实现了UE上有密钥MSK-IoT,NH-MME上有加密后的密钥MSK-IoT。图7所示的鉴权流程是现有技术,在鉴权过程中生成第一密钥(MSK-IoT)的相关处理均是本申请的方案。图7中,每个执行主体交互的信息可以是消息名称和/或消息中携带的信息。The above is the execution of the authentication process. After the above authentication process, the present application implements the key MSK-IoT on the UE, and the encrypted key MSK-IoT on the NH-MME. The authentication process shown in FIG. 7 is a prior art, and the related process of generating the first key (MSK-IoT) in the authentication process is the solution of the present application. In FIG. 7, the information of each execution subject interaction may be a message name and/or information carried in the message.
图7所示的方案是SP AAA server生成密钥推演参数值,可选的,密钥推演参数值也可以是由终端设备生成,并通过图7中的步骤7和8将其发送至SP AAA server。此种情况下,终端设备和SP AAA server均可通过终端设备生成的密钥推演参数值推演第一密钥,其他处理可以与图7相同。The scheme shown in FIG. 7 is that the SP AAA server generates a key derivation parameter value. Alternatively, the key derivation parameter value may also be generated by the terminal device and sent to the SP AAA through steps 7 and 8 in FIG. 7. Server. In this case, both the terminal device and the SP AAA server can derive the first key by using the key derivation parameter value generated by the terminal device, and other processes can be the same as in FIG. 7.
本申请实施例中,在终端设备与服务器传输目标数据类型的数据前,安全管理设备可 以在确定出终端设备的传输数据类型包括预设的目标数据类型的情况下,获取密钥推演参数值,进而,可以基于获取的密钥推演参数值,获取第一密钥,并将其发送至安全终结设备。安全终结设备接收到第一密钥后,可以基于第一密钥对终端设备发送的加密后的目标数据类型的数据进行解密,或者对服务器发送给终端设备的目标数据类型的数据进行加密。终端设备也可以获取与安全管理设备获取的密钥推演参数值相同的密钥推演参数值,终端设备也可以获取第一密钥,进而,终端设备可以基于第一密钥对待传输的目标数据类型的数据进行加密,或者对接收到的加密后的目标数据类型的数据进行解密。这样,终端设备与服务器进行目标数据类型的数据传输时,终端设备和传输路径中的安全终结设备可以基于预先获知的第一密钥对数据进行加密,由于网络控制设备中没有存储第一密钥,因此,网络控制设备无法对终端设备与服务器传输的加密后的数据进行解密,即无法窃取终端设备与服务器传输的数据,从而,可以增强数据传输的安全性。In the embodiment of the present application, before the terminal device and the server transmit the data of the target data type, the security management device may In the case that it is determined that the transmission data type of the terminal device includes the preset target data type, the key derivation parameter value is obtained, and further, the first key is obtained based on the obtained key derivation parameter value, and is sent To the safety termination device. After receiving the first key, the security termination device may decrypt the encrypted target data type data sent by the terminal device based on the first key, or encrypt the data of the target data type sent by the server to the terminal device. The terminal device may also obtain the key derivation parameter value that is the same as the key derivation parameter value obtained by the security management device, and the terminal device may also acquire the first key, and further, the terminal device may be based on the target data type to be transmitted by the first key. The data is encrypted or the received encrypted data of the target data type is decrypted. In this way, when the terminal device and the server perform data transmission of the target data type, the terminal device and the security termination device in the transmission path may encrypt the data based on the first key learned in advance, because the first key is not stored in the network control device. Therefore, the network control device cannot decrypt the encrypted data transmitted by the terminal device and the server, that is, the data transmitted by the terminal device and the server cannot be stolen, thereby enhancing the security of data transmission.
图8是本申请实施例提供的安全管理设备的框图。本申请实施例提供的安全管理设备可以实现本申请实施例图5所述的流程中安全管理设备执行的步骤,该安全管理设备包括:FIG. 8 is a block diagram of a security management device provided by an embodiment of the present application. The security management device provided by the embodiment of the present application may implement the steps performed by the security management device in the process described in FIG. 5 of the embodiment of the present application, where the security management device includes:
确定模块810,用于确定终端设备的传输数据类型,具体可以实现上述步骤503中的确定功能,以及其他隐含步骤。The determining module 810 is configured to determine the type of the transmission data of the terminal device, and specifically, the determining function in the foregoing step 503, and other implicit steps.
获取模块820,用于当所述终端设备的传输数据类型包括目标数据类型时,获取密钥推演参数值,具体可以实现上述步骤504中的获取功能,以及其他隐含步骤。The obtaining module 820 is configured to obtain the key derivation parameter value when the transmission data type of the terminal device includes the target data type, and specifically obtain the obtaining function in the above step 504, and other implicit steps.
获取模块820,还用于根据所述密钥推演参数值,获取第一密钥,具体可以实现上述步骤504中的推演功能,以及其他隐含步骤。The obtaining module 820 is further configured to obtain the first key according to the key derivation parameter value, and specifically implement the derivation function in the foregoing step 504, and other implicit steps.
发送模块830,用于向安全终结设备发送所述第一密钥,具体可以实现上述步骤505中的发送功能,以及其他隐含步骤。The sending module 830 is configured to send the first key to the security termination device, and specifically implement the sending function in the foregoing step 505, and other implicit steps.
可选的,所述确定模块810,用于:Optionally, the determining module 810 is configured to:
根据所述终端设备发送的传输数据类型的指示信息,确定所述终端设备的传输数据类型;或者,Determining, according to the indication information of the transmission data type sent by the terminal device, the transmission data type of the terminal device; or
根据预先定义的设备标识与传输数据类型的对应关系以及所述终端设备发送的设备标识,确定所述终端设备的传输数据类型。Determining a transmission data type of the terminal device according to a correspondence between a predefined device identifier and a transmission data type and a device identifier sent by the terminal device.
可选的,所述目标数据类型为物联网数据类型,所述指示信息为物联网优化架构支持指示信息。Optionally, the target data type is an Internet of Things data type, and the indication information is an Internet of Things optimization architecture support indication information.
可选的,所述发送模块830,还用于:Optionally, the sending module 830 is further configured to:
向所述终端设备发送所述密钥推演参数值,所述密钥推演参数值用于所述终端设备获取所述第一密钥。Sending, by the terminal device, the key derivation parameter value, where the key derivation parameter value is used by the terminal device to acquire the first key.
可选的,所述获取模块820,用于:Optionally, the obtaining module 820 is configured to:
当所述终端设备的传输数据类型包括目标数据类型时,获取所述终端设备发送的密钥推演参数值。When the transmission data type of the terminal device includes the target data type, the key derivation parameter value sent by the terminal device is obtained.
可选的,如图9所示,所述安全管理设备,还包括:Optionally, as shown in FIG. 9, the security management device further includes:
加密模块840,用于基于预先定义的公钥,对所述第一密钥进行加密,得到加密后的第一密钥;The encryption module 840 is configured to encrypt the first key based on a predefined public key to obtain an encrypted first key.
所述发送模块830,用于向安全终结设备发送所述加密后的第一密钥。 The sending module 830 is configured to send the encrypted first key to the security termination device.
可选的,所述发送模块830,用于:Optionally, the sending module 830 is configured to:
通过网络控制设备,向安全终结设备发送所述加密后的第一密钥,以使所述网络控制设备,向所述安全终结设备发送所述加密后的第一密钥。Sending, by the network control device, the encrypted first key to the security termination device, so that the network control device sends the encrypted first key to the security termination device.
可选的,所述发送模块830,用于:Optionally, the sending module 830 is configured to:
通过网络控制设备,向安全终结设备发送所述加密后的第一密钥,以使所述网络控制设备,在向所述安全终结设备发送连接建立请求时,发送所述加密后的第一密钥。Transmitting, by the network control device, the encrypted first key to the security termination device, so that the network control device sends the encrypted first secret when sending a connection establishment request to the security termination device key.
可选的,所述密钥推演参数值为随机值或者终端设备的设备标识。Optionally, the key derivation parameter value is a random value or a device identifier of the terminal device.
需要说明的是,上述确定模块810、获取模块820、加密模块840可以由处理器实现,或者处理器配合存储器来实现,或者,处理器执行存储器中的程序指令来实现,发送模块830可以由发射器实现。It should be noted that the foregoing determining module 810, the obtaining module 820, and the encrypting module 840 may be implemented by a processor, or the processor may be implemented by using a memory, or the processor may execute the program instructions in the memory, and the sending module 830 may be Implemented.
图10是本申请实施例提供的终端设备的框图。本申请实施例提供的终端设备可以实现本申请实施例图5所述的流程中终端设备执行的步骤,该终端设备包括:FIG. 10 is a block diagram of a terminal device according to an embodiment of the present application. The terminal device provided by the embodiment of the present application may implement the steps performed by the terminal device in the process described in FIG. 5 of the embodiment of the present application, where the terminal device includes:
确定模块1010,用于确定终端设备的传输数据类型,具体可以实现上述步骤501中的确定功能,以及其他隐含步骤。The determining module 1010 is configured to determine the type of the transmission data of the terminal device, and specifically, the determining function in the foregoing step 501, and other implicit steps.
获取模块1020,用于当所述终端设备的传输数据类型包括目标数据类型时,获取密钥推演参数值,具体可以实现上述步骤501中的获取功能,以及其他隐含步骤。The obtaining module 1020 is configured to obtain the key derivation parameter value when the transmission data type of the terminal device includes the target data type, and specifically, the obtaining function in the foregoing step 501, and other implicit steps.
获取模块1020,还用于根据所述密钥推演参数值,获取第一密钥,其中,所述第一密钥用于所述终端设备基于所述第一密钥对待传输的目标数据类型的数据进行加密,或者对接收到的加密后的目标数据类型的数据进行解密,具体可以实现上述步骤502中的获取功能,以及其他隐含步骤。The obtaining module 1020 is further configured to acquire a first key according to the key derivation parameter value, where the first key is used by the terminal device according to the target data type to be transmitted by the first key The data is encrypted, or the received data of the encrypted target data type is decrypted, and the obtaining function in the above step 502 and other implicit steps can be specifically implemented.
可选的,如图11所示,所述终端设备还包括:Optionally, as shown in FIG. 11, the terminal device further includes:
发送模块1030,用于向所述安全管理设备发送所述终端设备的设备标识和/或用于指示所述终端设备的传输数据类型的指示信息。The sending module 1030 is configured to send, to the security management device, a device identifier of the terminal device and/or indication information used to indicate a type of transmission data of the terminal device.
可选的,所述目标数据类型为物联网数据类型,所述指示信息为物联网优化架构支持指示信息。Optionally, the target data type is an Internet of Things data type, and the indication information is an Internet of Things optimization architecture support indication information.
可选的,所述获取模块1020,用于:Optionally, the obtaining module 1020 is configured to:
当所述终端设备的传输数据类型包括目标数据类型时,获取所述安全管理设备发送的密钥推演参数值。When the transmission data type of the terminal device includes the target data type, the key derivation parameter value sent by the security management device is obtained.
可选的,所述终端设备还包括:Optionally, the terminal device further includes:
发送模块1030,用于向所述安全管理设备发送生成的所述密钥推演参数值。The sending module 1030 is configured to send the generated key derivation parameter value to the security management device.
可选的,所述密钥推演参数值为随机值或者终端设备的设备标识。Optionally, the key derivation parameter value is a random value or a device identifier of the terminal device.
可选的,所述第一密钥用于所述终端设备基于所述第一密钥对待传输的目标数据类型的数据进行加密,或者对接收到的加密后的目标数据类型的数据进行解密,包括:Optionally, the first key is used by the terminal device to encrypt data of a target data type to be transmitted according to the first key, or to decrypt data of the received encrypted target data type. include:
所述第一密钥用于所述终端设备对待传输的目标数据类型的数据进行加密,或者对接收到的加密后的目标数据类型的数据进行解密;或者,The first key is used to encrypt data of a target data type to be transmitted by the terminal device, or to decrypt data of the received encrypted target data type; or
所述第一密钥用于所述终端设备基于所述第一密钥,推演第二密钥;所述第二密钥用于所述终端设备对待传输的目标数据类型的数据进行加密,或者对接收到的加密后的目标数据类型的数据进行解密。 The first key is used by the terminal device to derive a second key based on the first key; the second key is used to encrypt data of a target data type to be transmitted by the terminal device, or The received encrypted data of the target data type is decrypted.
需要说明的是,上述确定模块1010、获取模块1020可以由处理器实现,或者处理器配合存储器来实现,或者,处理器执行存储器中的程序指令来实现,发送模块1030可以由发射器实现。It should be noted that the foregoing determining module 1010 and the obtaining module 1020 may be implemented by a processor, or the processor may be implemented by using a memory, or the processor may execute the program instructions in the memory, and the sending module 1030 may be implemented by a transmitter.
图12是本申请实施例提供的安全终结设备的框图。本申请实施例提供的安全终结设备可以实现本申请实施例图5所述的流程中安全终结设备执行的步骤,该安全终结设备包括:FIG. 12 is a block diagram of a security termination device provided by an embodiment of the present application. The security termination device provided by the embodiment of the present application may implement the steps performed by the security termination device in the process described in FIG. 5 of the embodiment of the present application, where the security termination device includes:
接收模块1210,用于接收安全管理设备发送的第一密钥,其中,所述第一密钥用于所述安全终结设备基于所述第一密钥对所述终端设备发送的加密后的目标数据类型的数据进行解密,或者对服务器发送给所述终端设备的目标数据类型的数据进行加密,具体可以实现上述步骤506中的接收功能,以及其他隐含步骤。The receiving module 1210 is configured to receive a first key sent by the security management device, where the first key is used by the security termination device to send the encrypted target to the terminal device based on the first key. The data of the data type is decrypted, or the data of the target data type sent by the server to the terminal device is encrypted. Specifically, the receiving function in the above step 506 and other implicit steps can be implemented.
可选的,所述接收模块1210,用于:Optionally, the receiving module 1210 is configured to:
安全终结设备接收安全管理设备发送的加密后的第一密钥;The security termination device receives the encrypted first key sent by the security management device;
如图13所示,所述安全终结设备还包括:As shown in FIG. 13, the security termination device further includes:
解密模块1220,用于基于预先存储的私钥对所述加密后的第一密钥进行解密,得到第一密钥。The decryption module 1220 is configured to decrypt the encrypted first key based on a pre-stored private key to obtain a first key.
可选的,所述第一密钥用于所述安全终结设备基于所述第一密钥对所述终端设备发送的加密后的目标数据类型的数据进行解密,或者对服务器发送给所述终端设备的目标数据类型的数据进行加密,包括:Optionally, the first key is used by the security termination device to decrypt data of the encrypted target data type sent by the terminal device based on the first key, or sent to the terminal by the server. The data of the target data type of the device is encrypted, including:
所述第一密钥用于所述安全终结设备对所述终端设备发送的加密后的目标数据类型的数据进行解密,或者对服务器发送给所述终端设备的目标数据类型的数据进行加密;或者,The first key is used by the security termination device to decrypt data of the encrypted target data type sent by the terminal device, or encrypt data of a target data type sent by the server to the terminal device; or ,
所述第一密钥用于所述安全终结设备基于所述第一密钥,获取第二密钥;所述第二密钥用于所述安全终结设备对所述终端设备发送的加密后的目标数据类型的数据进行解密,或者对服务器发送给所述终端设备的目标数据类型的数据进行加密。The first key is used by the security termination device to acquire a second key based on the first key; the second key is used by the security termination device to send the encrypted information to the terminal device. The data of the target data type is decrypted, or the data of the target data type sent by the server to the terminal device is encrypted.
需要说明的是,上述解密模块1220可以由处理器实现,或者处理器配合存储器来实现,或者,处理器执行存储器中的程序指令来实现,接收模块1210可以由接收器实现。It should be noted that the decryption module 1220 may be implemented by a processor, or the processor may be implemented by using a memory, or the processor may execute a program instruction in the memory, and the receiving module 1210 may be implemented by a receiver.
本申请实施例中,在终端设备与服务器传输目标数据类型的数据前,安全管理设备可以在确定出终端设备的传输数据类型包括预设的目标数据类型的情况下,获取密钥推演参数值,进而,可以基于获取的密钥推演参数值,获取第一密钥,并将其发送至安全终结设备。安全终结设备接收到第一密钥后,可以基于第一密钥对终端设备发送的加密后的目标数据类型的数据进行解密,或者对服务器发送给终端设备的目标数据类型的数据进行加密。终端设备也可以获取与安全管理设备获取的密钥推演参数值相同的密钥推演参数值,终端设备也可以获取第一密钥,进而,终端设备可以基于第一密钥对待传输的目标数据类型的数据进行加密,或者对接收到的加密后的目标数据类型的数据进行解密。这样,终端设备与服务器进行目标数据类型的数据传输时,终端设备和传输路径中的安全终结设备可以基于预先获知的第一密钥对数据进行加密,由于网络控制设备中没有存储第一密钥,因此,网络控制设备无法对终端设备与服务器传输的加密后的数据进行解密,即无法窃取终端设备与服务器传输的数据,从而,可以增强数据传输的安全性。In the embodiment of the present application, before the terminal device and the server transmit the data of the target data type, the security management device may obtain the key derivation parameter value when determining that the transmission data type of the terminal device includes the preset target data type. Further, the first key can be obtained based on the obtained key derivation parameter value and sent to the security termination device. After receiving the first key, the security termination device may decrypt the encrypted target data type data sent by the terminal device based on the first key, or encrypt the data of the target data type sent by the server to the terminal device. The terminal device may also obtain the key derivation parameter value that is the same as the key derivation parameter value obtained by the security management device, and the terminal device may also acquire the first key, and further, the terminal device may be based on the target data type to be transmitted by the first key. The data is encrypted or the received encrypted data of the target data type is decrypted. In this way, when the terminal device and the server perform data transmission of the target data type, the terminal device and the security termination device in the transmission path may encrypt the data based on the first key learned in advance, because the first key is not stored in the network control device. Therefore, the network control device cannot decrypt the encrypted data transmitted by the terminal device and the server, that is, the data transmitted by the terminal device and the server cannot be stolen, thereby enhancing the security of data transmission.
本领域普通技术人员可以理解实现上述实施例的全部或部分步骤可以通过硬件来完 成,也可以通过程序来指令相关的硬件完成,所述的程序可以存储于一种计算机可读存储介质中,上述提到的存储介质可以是只读存储器,磁盘或光盘等。One of ordinary skill in the art can understand that all or part of the steps to implement the above embodiments can be completed by hardware. Alternatively, the related hardware may be instructed by a program, and the program may be stored in a computer readable storage medium. The storage medium mentioned above may be a read only memory, a magnetic disk or an optical disk.
以上所述仅为本申请一个实施例,并不用以限制本申请,凡在本申请的精神和原则之内,所作的任何修改、等同替换、改进等,均应包含在本申请的保护范围之内。 The above is only one embodiment of the present application, and is not intended to limit the application. Any modifications, equivalents, improvements, etc. made within the spirit and principles of the present application are included in the scope of the present application. Inside.

Claims (31)

  1. 一种传输数据的方法,其特征在于,所述方法包括:A method of transmitting data, characterized in that the method comprises:
    安全管理设备确定终端设备的传输数据类型;The security management device determines the type of transmission data of the terminal device;
    当所述终端设备的传输数据类型包括目标数据类型时,所述安全管理设备获取密钥推演参数值;When the transmission data type of the terminal device includes a target data type, the security management device acquires a key derivation parameter value;
    所述安全管理设备根据所述密钥推演参数值,获取第一密钥,所述第一密钥用于安全终结设备基于所述第一密钥对所述终端设备发送的加密后的目标数据类型的数据进行解密,或者对服务器发送给所述终端设备的目标数据类型的数据进行加密;The security management device acquires a first key according to the key derivation parameter value, where the first key is used by the security termination device to send the encrypted target data to the terminal device based on the first key. Type of data is decrypted, or data of a target data type sent by the server to the terminal device is encrypted;
    所述安全管理设备向所述安全终结设备发送所述第一密钥。The security management device sends the first key to the security termination device.
  2. 根据权利要求1所述的方法,其特征在于,所述安全管理设备确定终端设备的传输数据类型,包括:The method according to claim 1, wherein the security management device determines the type of transmission data of the terminal device, including:
    根据所述终端设备发送的传输数据类型的指示信息,确定所述终端设备的传输数据类型;或者,Determining, according to the indication information of the transmission data type sent by the terminal device, the transmission data type of the terminal device; or
    根据预先定义的设备标识与传输数据类型的对应关系以及所述终端设备发送的设备标识,确定所述终端设备的传输数据类型。Determining a transmission data type of the terminal device according to a correspondence between a predefined device identifier and a transmission data type and a device identifier sent by the terminal device.
  3. 根据权利要求2所述的方法,其特征在于,所述目标数据类型为物联网数据类型。The method of claim 2 wherein said target data type is an Internet of Things data type.
  4. 根据权利要求1所述的方法,其特征在于,所述方法还包括:The method of claim 1 further comprising:
    所述安全管理设备向所述终端设备发送所述密钥推演参数值,所述密钥推演参数值用于所述终端设备获取所述第一密钥。The security management device sends the key derivation parameter value to the terminal device, where the key derivation parameter value is used by the terminal device to acquire the first key.
  5. 根据权利要求1所述的方法,其特征在于,当所述终端设备的传输数据类型包括目标数据类型时,所述安全管理设备获取密钥推演参数值,包括:当所述终端设备的传输数据类型包括目标数据类型时,所述安全管理设备获取所述终端设备发送的密钥推演参数值。The method according to claim 1, wherein when the transmission data type of the terminal device includes a target data type, the security management device acquires a key derivation parameter value, including: when the terminal device transmits data When the type includes the target data type, the security management device acquires a key derivation parameter value sent by the terminal device.
  6. 根据权利要求1所述的方法,其特征在于,所述向所述安全终结设备发送所述第一密钥,包括:The method according to claim 1, wherein the sending the first key to the security termination device comprises:
    基于预先定义的公钥,对所述第一密钥进行加密,得到加密后的第一密钥;Encrypting the first key based on a predefined public key to obtain an encrypted first key;
    向所述安全终结设备发送所述加密后的第一密钥。Sending the encrypted first key to the security terminating device.
  7. 根据权利要求6所述的方法,其特征在于,所述向所述安全终结设备发送所述加密后的第一密钥,包括:The method according to claim 6, wherein the sending the encrypted first key to the security termination device comprises:
    通过网络控制设备,向所述安全终结设备发送所述加密后的第一密钥。And transmitting, by the network control device, the encrypted first key to the security termination device.
  8. 根据权利要求1所述的方法,其特征在于,所述密钥推演参数值为随机值或者终端设备的设备标识。The method according to claim 1, wherein the key derivation parameter value is a random value or a device identifier of the terminal device.
  9. 一种传输数据的方法,其特征在于,所述方法包括:A method of transmitting data, characterized in that the method comprises:
    终端设备确定终端设备的传输数据类型;The terminal device determines a transmission data type of the terminal device;
    当所述终端设备的传输数据类型包括目标数据类型时,所述终端设备获取密钥推演参数值;When the transmission data type of the terminal device includes a target data type, the terminal device acquires a key derivation parameter value;
    所述终端设备根据所述密钥推演参数值,获取第一密钥,其中,所述第一密钥用于所述终端设备基于所述第一安全密钥对待传输的目标数据类型的数据进行加密,或者对接收到的 加密后的目标数据类型的数据进行解密。The terminal device acquires a first key according to the key derivation parameter value, where the first key is used by the terminal device to perform data based on a target data type to be transmitted by the first security key. Encrypted, or received The encrypted target data type data is decrypted.
  10. 根据权利要求9所述的方法,其特征在于,当所述终端设备的传输数据类型包括目标数据类型时,所述终端设备获取密钥推演参数值,包括:The method according to claim 9, wherein when the transmission data type of the terminal device includes a target data type, the terminal device acquires a key derivation parameter value, including:
    当所述终端设备的传输数据类型包括目标数据类型时,所述终端设备获取所述安全管理设备发送的密钥推演参数值。When the transmission data type of the terminal device includes a target data type, the terminal device acquires a key derivation parameter value sent by the security management device.
  11. 根据权利要求9所述的方法,其特征在于,所述方法还包括:The method of claim 9 wherein the method further comprises:
    所述终端设备向所述安全管理设备发送生成的所述密钥推演参数值,所述密钥推演参数值用于所述安全管理设备获取所述第一密钥。Sending, by the terminal device, the generated key derivation parameter value to the security management device, where the key derivation parameter value is used by the security management device to acquire the first key.
  12. 根据权利要求9所述的方法,其特征在于,所述密钥推演参数值为随机值或者终端设备的设备标识。The method according to claim 9, wherein the key derivation parameter value is a random value or a device identifier of the terminal device.
  13. 根据权利要求9所述的方法,其特征在于,所述第一密钥用于所述终端设备基于所述第一密钥对待传输的目标数据类型的数据进行加密,或者对接收到的加密后的目标数据类型的数据进行解密,包括:The method according to claim 9, wherein the first key is used by the terminal device to encrypt data of a target data type to be transmitted based on the first key, or after receiving the encrypted The data of the target data type is decrypted, including:
    所述第一密钥用于所述终端设备对待传输的目标数据类型的数据进行加密,或者对接收到的加密后的目标数据类型的数据进行解密;或者,The first key is used to encrypt data of a target data type to be transmitted by the terminal device, or to decrypt data of the received encrypted target data type; or
    所述第一密钥用于所述终端设备基于所述第一密钥,获取第二密钥;所述第二密钥用于所述终端设备对待传输的目标数据类型的数据进行加密,或者对接收到的加密后的目标数据类型的数据进行解密。The first key is used by the terminal device to acquire a second key based on the first key; the second key is used to encrypt data of a target data type to be transmitted by the terminal device, or The received encrypted data of the target data type is decrypted.
  14. 根据权利要求9所述的方法,其特征在于,所述方法还包括:The method of claim 9 wherein the method further comprises:
    所述终端设备向所述安全管理设备发送所述终端设备的设备标识和/或用于指示所述终端设备的传输数据类型的指示信息。The terminal device sends, to the security management device, a device identifier of the terminal device and/or indication information indicating a type of transmission data of the terminal device.
  15. 根据权利要求14所述的方法,其特征在于,所述目标数据类型为物联网数据类型。The method of claim 14 wherein said target data type is an Internet of Things data type.
  16. 一种安全管理设备,其特征在于,所述安全管理设备包括处理器和通信接口,其中:A security management device, characterized in that the security management device comprises a processor and a communication interface, wherein:
    所述处理器,用于确定终端设备的传输数据类型;当所述终端设备的传输数据类型包括目标数据类型时,获取密钥推演参数值;根据所述密钥推演参数值,获取第一密钥,所述第一密钥用于安全终结设备基于所述第一密钥对所述终端设备发送的加密后的目标数据类型的数据进行解密,或者对服务器发送给所述终端设备的目标数据类型的数据进行加密;通过所述通信接口向所述安全终结设备发送所述第一密钥。The processor is configured to determine a transmission data type of the terminal device; when the transmission data type of the terminal device includes a target data type, obtain a key derivation parameter value; and obtain a first secret according to the key derivation parameter value Key, the first key is used by the security termination device to decrypt data of the encrypted target data type sent by the terminal device based on the first key, or target data sent by the server to the terminal device The type of data is encrypted; the first key is sent to the secure termination device through the communication interface.
  17. 根据权利要求16所述的安全管理设备,其特征在于,所述处理器,用于:The security management device according to claim 16, wherein the processor is configured to:
    根据所述终端设备发送的传输数据类型的指示信息,确定所述终端设备的传输数据类型;或者,Determining, according to the indication information of the transmission data type sent by the terminal device, the transmission data type of the terminal device; or
    根据预先定义的设备标识与传输数据类型的对应关系以及所述终端设备发送的设备标识,确定所述终端设备的传输数据类型。Determining a transmission data type of the terminal device according to a correspondence between a predefined device identifier and a transmission data type and a device identifier sent by the terminal device.
  18. 根据权利要求17所述的安全管理设备,其特征在于,所述目标数据类型为物联网数据类型。The security management device according to claim 17, wherein said target data type is an Internet of Things data type.
  19. 根据权利要求16所述的安全管理设备,其特征在于,所述所述处理器,还用于:The security management device according to claim 16, wherein the processor is further configured to:
    通过所述通信接口向所述终端设备发送所述密钥推演参数值,所述密钥推演参数值用于所述终端设备获取所述第一密钥。 Sending, by the communication interface, the key derivation parameter value to the terminal device, where the key derivation parameter value is used by the terminal device to acquire the first key.
  20. 根据权利要求16所述的安全管理设备,其特征在于,所述处理器,用于:The security management device according to claim 16, wherein the processor is configured to:
    当所述终端设备的传输数据类型包括目标数据类型时,获取所述终端设备发送的密钥推演参数值。When the transmission data type of the terminal device includes the target data type, the key derivation parameter value sent by the terminal device is obtained.
  21. 根据权利要求16所述的安全管理设备,其特征在于,所述处理器,用于:The security management device according to claim 16, wherein the processor is configured to:
    基于预先定义的公钥,对所述第一密钥进行加密,得到加密后的第一密钥;Encrypting the first key based on a predefined public key to obtain an encrypted first key;
    通过所述通信接口向所述安全终结设备发送所述加密后的第一密钥。Sending the encrypted first key to the security termination device through the communication interface.
  22. 根据权利要求21所述的安全管理设备,其特征在于,所述处理器,用于:The security management device according to claim 21, wherein the processor is configured to:
    通过网络控制设备,向所述安全终结设备发送所述加密后的第一密钥。And transmitting, by the network control device, the encrypted first key to the security termination device.
  23. 根据权利要求16所述的安全管理设备,其特征在于,所述密钥推演参数值为随机值或者终端设备的设备标识。The security management device according to claim 16, wherein the key derivation parameter value is a random value or a device identifier of the terminal device.
  24. 一种终端设备,其特征在于,所述终端设备包括处理器,其中:A terminal device, characterized in that the terminal device comprises a processor, wherein:
    所述处理器,用于确定终端设备的传输数据类型;当所述终端设备的传输数据类型包括目标数据类型时,获取密钥推演参数值;根据所述密钥推演参数值,获取第一密钥,其中,所述第一密钥用于所述终端设备基于所述第一安全密钥对待传输的目标数据类型的数据进行加密,或者对接收到的加密后的目标数据类型的数据进行解密。The processor is configured to determine a transmission data type of the terminal device; when the transmission data type of the terminal device includes a target data type, obtain a key derivation parameter value; and obtain a first secret according to the key derivation parameter value a key, wherein the first key is used by the terminal device to encrypt data of a target data type to be transmitted based on the first security key, or to decrypt data of the received encrypted target data type .
  25. 根据权利要求24所述的终端设备,其特征在于,所述处理器,用于:The terminal device according to claim 24, wherein the processor is configured to:
    当所述终端设备的传输数据类型包括目标数据类型时,所述终端设备获取所述安全管理设备发送的密钥推演参数值。When the transmission data type of the terminal device includes a target data type, the terminal device acquires a key derivation parameter value sent by the security management device.
  26. 根据权利要求24所述的终端设备,其特征在于,所述终端设备还包括:The terminal device according to claim 24, wherein the terminal device further comprises:
    发射器,用于向所述安全管理设备发送生成的密钥推演参数值,所述密钥推演参数值用于所述安全管理设备获取所述第一密钥。And a transmitter, configured to send the generated key derivation parameter value to the security management device, where the key derivation parameter value is used by the security management device to acquire the first key.
  27. 根据权利要求24所述的终端设备,其特征在于,所述密钥推演参数值为随机值或者终端设备的设备标识。The terminal device according to claim 24, wherein the key derivation parameter value is a random value or a device identifier of the terminal device.
  28. 根据权利要求24所述的终端设备,其特征在于,所述第一密钥用于所述终端设备基于所述第一密钥对待传输的目标数据类型的数据进行加密,或者对接收到的加密后的目标数据类型的数据进行解密,包括:The terminal device according to claim 24, wherein the first key is used by the terminal device to encrypt data of a target data type to be transmitted based on the first key, or to encrypt the received data. The data of the target data type is decrypted, including:
    所述第一密钥用于所述终端设备对待传输的目标数据类型的数据进行加密,或者对接收到的加密后的目标数据类型的数据进行解密;或者,The first key is used to encrypt data of a target data type to be transmitted by the terminal device, or to decrypt data of the received encrypted target data type; or
    所述第一密钥用于所述终端设备基于所述第一密钥,获取第二密钥;所述第二密钥用于所述终端设备对待传输的目标数据类型的数据进行加密,或者对接收到的加密后的目标数据类型的数据进行解密。The first key is used by the terminal device to acquire a second key based on the first key; the second key is used to encrypt data of a target data type to be transmitted by the terminal device, or The received encrypted data of the target data type is decrypted.
  29. 根据权利要求24所述的终端设备,其特征在于,所述终端设备还包括:The terminal device according to claim 24, wherein the terminal device further comprises:
    发射器,用于:向所述安全管理设备发送所述终端设备的设备标识和/或用于指示所述终端设备的传输数据类型的指示信息。And a transmitter, configured to: send, to the security management device, a device identifier of the terminal device and/or indication information used to indicate a type of transmission data of the terminal device.
  30. 根据权利要求29所述的终端设备,其特征在于,所述目标数据类型为物联网数据类型。The terminal device according to claim 29, wherein said target data type is an Internet of Things data type.
  31. 一种传输数据的系统,其特征在于,所述系统包括安全管理设备和终端设备,其中:A system for transmitting data, characterized in that the system comprises a security management device and a terminal device, wherein:
    所述安全管理设备,用于确定所述终端设备的传输数据类型;当所述终端设备的传输数 据类型包括目标数据类型时,获取密钥推演参数值;根据所述密钥推演参数值,获取第一密钥,所述第一密钥用于安全终结设备基于所述第一密钥对所述终端设备发送的加密后的目标数据类型的数据进行解密,或者对服务器发送给所述终端设备的目标数据类型的数据进行加密;所述安全管理设备向所述安全终结设备发送所述第一密钥;The security management device is configured to determine a transmission data type of the terminal device; when the number of transmissions of the terminal device Obtaining a key derivation parameter value according to the type including the target data type; acquiring a first key according to the key derivation parameter value, where the first key is used by the security termination device based on the first key pair Decrypting the data of the encrypted target data type sent by the terminal device, or encrypting data of the target data type sent by the server to the terminal device; the security management device sending the first to the security termination device Key
    所述终端设备,用于确定所述终端设备的传输数据类型;当所述终端设备的传输数据类型包括目标数据类型时,获取密钥推演参数值;根据所述密钥推演参数值,获取第一密钥,其中,所述第一密钥用于所述终端设备基于所述第一安全密钥对待传输的目标数据类型的数据进行加密,或者对接收到的加密后的目标数据类型的数据进行解密。 The terminal device is configured to determine a transmission data type of the terminal device; when the transmission data type of the terminal device includes a target data type, obtain a key derivation parameter value; and obtain a first a key, wherein the first key is used by the terminal device to encrypt data of a target data type to be transmitted based on the first security key, or data of a received target data type after being encrypted Decrypt.
PCT/CN2017/072674 2017-01-25 2017-01-25 Method, apparatus, and system for transmitting data WO2018137202A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/CN2017/072674 WO2018137202A1 (en) 2017-01-25 2017-01-25 Method, apparatus, and system for transmitting data

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2017/072674 WO2018137202A1 (en) 2017-01-25 2017-01-25 Method, apparatus, and system for transmitting data

Publications (1)

Publication Number Publication Date
WO2018137202A1 true WO2018137202A1 (en) 2018-08-02

Family

ID=62978907

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2017/072674 WO2018137202A1 (en) 2017-01-25 2017-01-25 Method, apparatus, and system for transmitting data

Country Status (1)

Country Link
WO (1) WO2018137202A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111832259A (en) * 2019-04-12 2020-10-27 中国联合网络通信集团有限公司 JSON data generation method and device

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2002271313A (en) * 2001-03-14 2002-09-20 Sony Disc Technology Inc Encipherment communication system, its encipherment communication method and forming method of its encipherment key
CN103297224A (en) * 2012-02-23 2013-09-11 中国移动通信集团公司 Encryption key information distribution method and related device
CN103532975A (en) * 2013-10-28 2014-01-22 国家电网公司 Dynamically and smoothly expandable data acquisition system and method
CN105141637A (en) * 2015-09-25 2015-12-09 中铁工程装备集团有限公司 Transmission encryption method taking flows as granularity
CN105281904A (en) * 2014-06-06 2016-01-27 佛山市顺德区美的电热电器制造有限公司 Message data encryption method and system, internet of things server and internet of things terminal
TW201631918A (en) * 2015-01-27 2016-09-01 高通公司 Group acknowledgement/negative acknowledgement and triggering GACK/channel state information

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2002271313A (en) * 2001-03-14 2002-09-20 Sony Disc Technology Inc Encipherment communication system, its encipherment communication method and forming method of its encipherment key
CN103297224A (en) * 2012-02-23 2013-09-11 中国移动通信集团公司 Encryption key information distribution method and related device
CN103532975A (en) * 2013-10-28 2014-01-22 国家电网公司 Dynamically and smoothly expandable data acquisition system and method
CN105281904A (en) * 2014-06-06 2016-01-27 佛山市顺德区美的电热电器制造有限公司 Message data encryption method and system, internet of things server and internet of things terminal
TW201631918A (en) * 2015-01-27 2016-09-01 高通公司 Group acknowledgement/negative acknowledgement and triggering GACK/channel state information
CN105141637A (en) * 2015-09-25 2015-12-09 中铁工程装备集团有限公司 Transmission encryption method taking flows as granularity

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
INTEL ET AL.: "pCR to TR 33.899: Authentication and Key Agreement for non-3GPP access", S3-161719 ; 3GPPTSG SA WG3 (SECURITY) MEETING #85, 11 November 2016 (2016-11-11), XP051186077 *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111832259A (en) * 2019-04-12 2020-10-27 中国联合网络通信集团有限公司 JSON data generation method and device
CN111832259B (en) * 2019-04-12 2023-09-12 中国联合网络通信集团有限公司 JSON data generation method and device

Similar Documents

Publication Publication Date Title
US10849191B2 (en) Unified authentication for heterogeneous networks
US11212676B2 (en) User identity privacy protection in public wireless local access network, WLAN, access
CN108781366B (en) Authentication mechanism for 5G technology
US9240881B2 (en) Secure communications for computing devices utilizing proximity services
CA2800941C (en) Method and apparatus for binding subscriber authentication and device authentication in communication systems
EP3216249B1 (en) Apparatuses and methods for wireless communication
KR100704675B1 (en) authentication method and key generating method in wireless portable internet system
JP2011139457A (en) System and method for secure transaction of data between wireless communication device and server
WO2009094942A1 (en) Method and communication network system for establishing security conjunction
US20170223531A1 (en) Authentication in a wireless communications network
CN108353279B (en) Authentication method and authentication system
WO2015100974A1 (en) Terminal authentication method, device and system
WO2013166908A1 (en) Method, system, terminal equipment and access network apparatus for generating key information
US11316670B2 (en) Secure communications using network access identity
JP6123035B1 (en) Protection of WLCP message exchange between TWAG and UE
US9307406B2 (en) Apparatus and method for authenticating access of a mobile station in a wireless communication system
WO2018137202A1 (en) Method, apparatus, and system for transmitting data
Georgantas Fast initial authentication, a new mechanism to enable fast WLAN mobility
CN114245372B (en) Authentication method, device and system
Mehto et al. An enhanced authentication mechanism for IEEE 802.16 (e) mobile WiMAX

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 17894312

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 17894312

Country of ref document: EP

Kind code of ref document: A1