WO2023283789A1 - Procédé et appareil de communication sécurisée, dispositif terminal et périphérique de réseau - Google Patents
Procédé et appareil de communication sécurisée, dispositif terminal et périphérique de réseau Download PDFInfo
- Publication number
- WO2023283789A1 WO2023283789A1 PCT/CN2021/105852 CN2021105852W WO2023283789A1 WO 2023283789 A1 WO2023283789 A1 WO 2023283789A1 CN 2021105852 W CN2021105852 W CN 2021105852W WO 2023283789 A1 WO2023283789 A1 WO 2023283789A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- message
- key
- terminal device
- network device
- ciphertext
- Prior art date
Links
- 238000000034 method Methods 0.000 title claims abstract description 106
- 238000004891 communication Methods 0.000 title claims abstract description 79
- 230000004044 response Effects 0.000 claims abstract description 68
- 238000012545 processing Methods 0.000 claims abstract description 30
- 230000015654 memory Effects 0.000 claims description 51
- 238000004590 computer program Methods 0.000 claims description 49
- 238000012795 verification Methods 0.000 claims description 21
- 238000010586 diagram Methods 0.000 description 22
- 230000006870 function Effects 0.000 description 22
- 230000007246 mechanism Effects 0.000 description 20
- 230000008569 process Effects 0.000 description 20
- 238000009795 derivation Methods 0.000 description 16
- 238000005516 engineering process Methods 0.000 description 13
- 230000001360 synchronised effect Effects 0.000 description 10
- 230000005540 biological transmission Effects 0.000 description 8
- 230000011664 signaling Effects 0.000 description 7
- 230000007774 longterm Effects 0.000 description 4
- 230000003068 static effect Effects 0.000 description 4
- 230000008878 coupling Effects 0.000 description 3
- 238000010168 coupling process Methods 0.000 description 3
- 238000005859 coupling reaction Methods 0.000 description 3
- 230000003993 interaction Effects 0.000 description 3
- 239000000203 mixture Substances 0.000 description 3
- 238000010295 mobile communication Methods 0.000 description 2
- 238000012986 modification Methods 0.000 description 2
- 230000004048 modification Effects 0.000 description 2
- 238000010200 validation analysis Methods 0.000 description 2
- VIEYMVWPECAOCY-UHFFFAOYSA-N 7-amino-4-(chloromethyl)chromen-2-one Chemical compound ClCC1=CC(=O)OC2=CC(N)=CC=C21 VIEYMVWPECAOCY-UHFFFAOYSA-N 0.000 description 1
- 230000001413 cellular effect Effects 0.000 description 1
- 238000013461 design Methods 0.000 description 1
- 239000000284 extract Substances 0.000 description 1
- 230000000977 initiatory effect Effects 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 238000006467 substitution reaction Methods 0.000 description 1
- 230000001960 triggered effect Effects 0.000 description 1
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/30—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/04—Key management, e.g. using generic bootstrapping architecture [GBA]
- H04W12/041—Key generation or derivation
Definitions
- the embodiments of the present application relate to the field of mobile communication technologies, and in particular to a secure communication method and device, terminal equipment, and network equipment.
- the current key derivation mechanism requires terminal devices and network devices to derive complex and cumbersome key systems to achieve secure communication between terminal devices and network devices.
- the technical cost of this key derivation mechanism is relatively high, and the terminal device needs to have sufficient storage space, sufficient computing power, and sufficient energy supply to realize it.
- Embodiments of the present application provide a secure communication method and device, a terminal device, a network device, a chip, a computer-readable storage medium, a computer program product, and a computer program.
- the terminal device receives the first request message sent by the network device
- the terminal device performs security processing on the first message based on the first session key to obtain a first response message, and sends the first response message to the network device.
- the network device sends a first request message to the terminal device, and receives a first response message sent by the terminal device;
- the network device generates a second session key based on the first response message, and obtains the first message from the first response message based on the second session key.
- the secure communication device provided in the embodiment of the present application is applied to terminal equipment, and the device includes:
- a receiving unit configured to receive the first request message sent by the network device
- a processing unit configured to generate a first session key based on the first request message; perform security processing on the first message based on the first session key to obtain a first response message;
- a sending unit configured to send the first response message to the network device.
- the secure communication device provided in the embodiment of the present application is applied to network equipment, and the device includes:
- a sending unit configured to send a first request message to the terminal device
- a receiving unit configured to receive a first response message sent by the terminal device
- a processing unit configured to generate a second session key based on the first response message, and obtain the first message from the first response message based on the second session key.
- the terminal device provided in the embodiment of the present application includes a processor and a memory.
- the memory is used to store computer programs, and the processor is used to call and run the computer programs stored in the memory to execute the above-mentioned secure communication method.
- the network device provided in the embodiment of the present application includes a processor and a memory.
- the memory is used to store computer programs, and the processor is used to call and run the computer programs stored in the memory to execute the above-mentioned secure communication method.
- the chip provided in the embodiment of the present application is used to implement the above secure communication method.
- the chip includes: a processor, configured to call and run a computer program from the memory, so that the device installed with the chip executes the above-mentioned secure communication method.
- the computer-readable storage medium provided by the embodiment of the present application is used for storing a computer program, and the computer program enables a computer to execute the above-mentioned secure communication method.
- the computer program product provided by the embodiment of the present application includes a computer program instruction, and the computer program instruction causes a computer to execute the above-mentioned secure communication method.
- the computer program provided by the embodiment of the present application when running on a computer, enables the computer to execute the above secure communication method.
- the terminal device only needs to generate the first session key based on the first request message sent by the network device, so as to use the first session key to securely process the first message to be sent to the network device.
- the network device only needs to generate the second session key based on the first response message sent by the terminal device, so as to use the second session key to obtain the first message from the received first response message.
- FIG. 1 is a schematic diagram of an application scenario of an embodiment of the present application
- FIG. 2 is a diagram of an authentication framework for secure access of a 5G terminal according to an embodiment of the present application
- Fig. 3 is a kind of key derivation architecture diagram of the embodiment of the present application.
- FIG. 4 is an architecture diagram of secure communication between a terminal device and a network device provided in an embodiment of the present application
- FIG. 5 is a first schematic flow diagram of a secure communication method provided by an embodiment of the present application.
- FIG. 6 is a second schematic flow diagram of a secure communication method provided by an embodiment of the present application.
- FIG. 7 is a flowchart of secure communication between a UE and a base station provided in an embodiment of the present application.
- Fig. 8 is the key generation principle of the technical solution provided by the embodiment of the present application.
- FIG. 9 is a first structural diagram of a secure communication device provided by an embodiment of the present application.
- FIG. 10 is a second schematic diagram of the structure and composition of the secure communication device provided by the embodiment of the present application.
- Fig. 11 is a schematic structural diagram of a communication device provided by an embodiment of the present application.
- FIG. 12 is a schematic structural diagram of a chip according to an embodiment of the present application.
- Fig. 13 is a schematic block diagram of a communication system provided by an embodiment of the present application.
- FIG. 1 is a schematic diagram of an application scenario of an embodiment of the present application.
- a communication system 100 may include a terminal device 110 and a network device 120 .
- the network device 120 may communicate with the terminal device 110 through an air interface. Multi-service transmission is supported between the terminal device 110 and the network device 120 .
- the embodiment of the present application is only described by using the communication system 100 as an example, but the embodiment of the present application is not limited thereto. That is to say, the technical solutions of the embodiments of the present application can be applied to various communication systems, such as: Long Term Evolution (Long Term Evolution, LTE) system, LTE Time Division Duplex (Time Division Duplex, TDD), Universal Mobile Communication System (Universal Mobile Telecommunication System, UMTS), Internet of Things (Internet of Things, IoT) system, Narrow Band Internet of Things (NB-IoT) system, enhanced Machine-Type Communications (eMTC) system, 5G communication system (also known as New Radio (NR) communication system), or future communication systems, etc.
- LTE Long Term Evolution
- LTE Time Division Duplex Time Division Duplex
- TDD Time Division Duplex
- Universal Mobile Telecommunication System Universal Mobile Telecommunication System
- UMTS Universal Mobile Communication System
- Internet of Things Internet of Things
- NB-IoT Narrow Band Internet of Things
- eMTC enhanced Machine-Type Communications
- the network device 120 may be an access network device that communicates with the terminal device 110 .
- the access network device can provide communication coverage for a specific geographical area, and can communicate with terminal devices 110 (such as UEs) located in the coverage area.
- the network device 120 may be an evolved base station (Evolutional Node B, eNB or eNodeB) in a Long Term Evolution (Long Term Evolution, LTE) system, or a Next Generation Radio Access Network (NG RAN) device, Either a base station (gNB) in the NR system, or a wireless controller in a cloud radio access network (Cloud Radio Access Network, CRAN), or the network device 120 can be a relay station, an access point, a vehicle-mounted device, a wearable Devices, hubs, switches, bridges, routers, or network devices in the future evolution of the Public Land Mobile Network (Public Land Mobile Network, PLMN), etc.
- Evolutional Node B, eNB or eNodeB in a Long Term Evolution (Long Term Evolution, LTE) system
- NG RAN Next Generation Radio Access Network
- gNB base station
- CRAN Cloud Radio Access Network
- the network device 120 can be a relay station, an access point, a vehicle-mounted device, a wear
- the terminal device 110 may be any terminal device, including but not limited to a terminal device connected to the network device 120 or other terminal devices by wire or wirelessly.
- the terminal equipment 110 may refer to an access terminal, a user equipment (User Equipment, UE), a subscriber unit, a subscriber station, a mobile station, a mobile station, a remote station, a remote terminal, a mobile device, a user terminal, a terminal, a wireless communication device, user agent, or user device.
- Access terminals can be cellular phones, cordless phones, Session Initiation Protocol (SIP) phones, IoT devices, satellite handheld terminals, Wireless Local Loop (WLL) stations, Personal Digital Assistant , PDA), handheld devices with wireless communication functions, computing devices or other processing devices connected to wireless modems, vehicle-mounted devices, wearable devices, terminal devices in 5G networks or terminal devices in future evolution networks, etc.
- SIP Session Initiation Protocol
- WLL Wireless Local Loop
- PDA Personal Digital Assistant
- the terminal device 110 can be used for device-to-device (Device to Device, D2D) communication.
- D2D Device to Device
- the wireless communication system 100 may also include a core network device 130 that communicates with the base station.
- the core network device 130 may be a 5G core network (5G Core, 5GC) device, for example, Access and Mobility Management Function (Access and Mobility Management Function , AMF), and for example, authentication server function (Authentication Server Function, AUSF), and for example, user plane function (User Plane Function, UPF), and for example, session management function (Session Management Function, SMF).
- the core network device 130 may also be a packet core evolution (Evolved Packet Core, EPC) device of the LTE network, for example, a data gateway (Session Management Function+Core Packet Gateway, SMF+PGW- C) Equipment.
- EPC packet core evolution
- SMF+PGW-C can realize the functions of SMF and PGW-C at the same time.
- the above-mentioned core network equipment may be called by other names, or a new network entity may be formed by dividing functions of the core network, which is not limited in this embodiment of the present application.
- Various functional units in the communication system 100 may also establish a connection through a next generation network (next generation, NG) interface to implement communication.
- NG next generation network
- the terminal device establishes an air interface connection with the access network device through the NR interface to transmit user plane data and control plane signaling; the terminal device can establish a control plane signaling connection with the AMF through the NG interface 1 (N1 for short); access Network equipment such as the next generation wireless access base station (gNB), can establish a user plane data connection with UPF through NG interface 3 (abbreviated as N3); access network equipment can establish control plane signaling with AMF through NG interface 2 (abbreviated as N2) connection; UPF can establish a control plane signaling connection with SMF through NG interface 4 (abbreviated as N4); UPF can exchange user plane data with the data network through NG interface 6 (abbreviated as N6); AMF can communicate with SMF through NG interface 11 (abbreviated as N11) The SMF establishes a control plane signaling connection; the SMF may establish a control plane signaling connection with the PCF through an NG interface 7 (N7 for short).
- gNB next generation wireless access base station
- Figure 1 exemplarily shows a base station, a core network device, and two terminal devices.
- the wireless communication system 100 may include multiple base station devices and each base station may include other numbers of terminals within the coverage area.
- the device is not limited in the embodiment of this application.
- FIG. 1 is only an illustration of a system applicable to this application, and of course, the method shown in the embodiment of this application may also be applicable to other systems.
- system and “network” are often used interchangeably herein.
- the term “and/or” in this article is just an association relationship describing associated objects, which means that there can be three relationships, for example, A and/or B can mean: A exists alone, A and B exist simultaneously, and there exists alone B these three situations.
- the character "/" in this article generally indicates that the contextual objects are an "or” relationship.
- the "indication” mentioned in the embodiments of the present application may be a direct indication, may also be an indirect indication, and may also mean that there is an association relationship.
- A indicates B, which can mean that A directly indicates B, for example, B can be obtained through A; it can also indicate that A indirectly indicates B, for example, A indicates C, and B can be obtained through C; it can also indicate that there is an association between A and B relation.
- the "correspondence” mentioned in the embodiments of the present application may mean that there is a direct correspondence or an indirect correspondence between the two, or that there is an association between the two, or that it indicates and is indicated. , configuration and configured relationship.
- the "predefined” or “predefined rules” mentioned in the embodiments of this application can be used by pre-saving corresponding codes, tables or other It is implemented by indicating related information, and this application does not limit the specific implementation.
- pre-defined may refer to defined in the protocol.
- the "protocol” may refer to a standard protocol in the communication field, for example, it may include the LTE protocol, the NR protocol, and related protocols applied to future communication systems, and this application does not limit this .
- 5G terminal security access technology mainly includes two authentication mechanisms, one authentication mechanism is based on 5G authentication and key agreement protocol (5G-AKA), and the other authentication mechanism is based on extended authentication and Key Agreement Protocol (EAP-AKA'). Both authentication mechanisms are applicable to the same authentication architecture.
- 5G-AKA 5G authentication and key agreement protocol
- EAP-AKA' extended authentication and Key Agreement Protocol
- Both authentication mechanisms are applicable to the same authentication architecture.
- the authentication architecture for secure access of 5G terminals is shown in Figure 2.
- the characteristics of the network elements and interfaces involved in the authentication architecture are shown in Table 1 below.
- the UE first initiates a request message containing the Subscriber Concealed Identifier (SUCI) to SEAF. Since the UE uses the public key encryption of the home network to generate the SUCI, the UDM in the home network can use its own private The key decrypts the SUCI to obtain the SUPI, so that the validity of the SUPI can be judged and the root key of the UE can be retrieved. Since the root key K is pre-existed between UE and UDM, both authentication mechanisms of 5G-AKA or EAP-AKA' can realize authentication between UE and the network side.
- SUCI Subscriber Concealed Identifier
- FIG. 3 is a key derivation architecture diagram, as shown in Figure 3, K is the root key, and the key derivation direction is from top to bottom, for example, the root key K can derive the encryption key (CK) and complete encryption Key (IK); CK and IK can use 5G AKA or EAP-AKA' to derive the key K AUSF shared by AUSF and UE; K AUSF can derive the key K SEAF shared by SEAF and UE; K SEAF can derive access The key K AMF shared with the mobility management function network element (AMF) and UE; K AMF can derive the key K N3IWF shared by N3IWF and UE; K AMF can also derive the NAS layer integrity encryption shared by AMF and UE Key K NASint and NAS layer encryption key K NASenc ; K AMF can also derive the key Kg
- AMF mobility management function network element
- network elements such as gNB, AMF, SEAF, and AUSF, as well as the control plane and user plane all have their own corresponding keys.
- the UE side also needs to derive a key system at the same level.
- the current authentication architecture involves many network elements, and the authentication process is cumbersome and complicated, with many interactions.
- the current key derivation mechanism requires the terminal device and the network side to maintain more secret elements, so the current mechanism and technology cost is relatively high.
- zero-power terminals there will be a variety of zero-power terminals in zero-power application scenarios. Zero-power terminals have less storage space, and at the same time, computing power and energy supply are very limited. Therefore, it is necessary to explore simpler and more secure solutions.
- the authentication mechanism is adapted to the hardware resources of the terminal equipment, and a more efficient key derivation method is explored to improve the management efficiency of the key and ensure the confidentiality and integrity of the identity of the terminal equipment and data.
- Fig. 4 is an architecture diagram of a secure communication between a terminal device and a network device provided by an embodiment of the present application.
- the architecture mainly includes two entities, namely a terminal device and a network device, wherein the type of the terminal device It can be, but not limited to, a zero-power consumption terminal, and the network device can be a base station, such as gNB.
- the architecture also includes a master control center (CA), which may also be referred to as a master control center, which is responsible for issuing certificates for network devices.
- CA master control center
- the terminal device After receiving the broadcast request message initiated by the network device, the terminal device confirms the identity of the network device according to the broadcast request message and generates a session key, and uses the session key to encrypt and protect the integrity of the message to be sent to the network device.
- the ciphertext message is obtained, and the ciphertext message is sent to the network device.
- the network device After the network device receives the ciphertext message sent by the terminal device, it generates a session key and uses the session key to perform integrity verification and decryption processing on the ciphertext message to obtain the message sent by the terminal device to the network device.
- the technical solution implemented in this application mixes asymmetric encryption technology and symmetric encryption technology, thereby ensuring secure communication between terminal equipment and network equipment.
- Fig. 5 is a first schematic flow diagram of a secure communication method provided by an embodiment of the present application. As shown in Fig. 5, the secure communication method includes the following steps:
- Step 501 The terminal device receives a first request message sent by the network device.
- Step 502 The terminal device generates a first session key based on the first request message.
- Step 503 The terminal device performs security processing on the first message based on the first session key, obtains a first response message, and sends the first response message to the network device.
- the type of the terminal device is a zero-power consumption terminal.
- a typical zero-power terminal may be a radio frequency identification (RFID) device.
- RFID radio frequency identification
- the type of the terminal device may also be a traditional terminal, such as a mobile phone, a tablet, and the like. This application does not limit the type of the terminal device.
- the network device is a base station, such as a gNB.
- the first request message is sent by a network device in a broadcast form, and the first request message may also be called a broadcast request message.
- the first request message includes at least one of the following:
- a first certificate where the first certificate carries the public key of the network device.
- the first random number is generated by the network device.
- the first signature is obtained by the network device signing the second message with a private key of the network device.
- the first certificate is signed by the private key of the master control center.
- the terminal device after receiving the first request message sent by the network device, the terminal device generates the first session key based on the first request message.
- the terminal device first verifies the legality of the identity of the network device based on the first request message, and if the identity of the network device is legal, then based on the first request message Generate a first session key.
- the terminal device uses the public key of the main control center to verify the validity of the first certificate and/or uses the public key of the network device to verify the validity of the first signature, and when the verification is successful Then generate the first session key.
- the terminal device may obtain the public key of the network device from the first certificate, or may also obtain the public key of the network device from locally pre-stored information.
- the terminal device uses the public key of the main control center to verify the validity of the first certificate, and obtains the public key of the network device from the first certificate after the verification is successful;
- the terminal device uses the public key of the network device to verify the validity of the first signature, and generates a first session key after the verification succeeds.
- the terminal device obtains the public key of the network device from locally pre-stored information, the terminal device uses the public key of the network device to verify the validity of the first signature, and when the verification is successful Then generate the first session key.
- the successful verification of the first signature by the terminal device means that the identity of the network device is legal.
- the terminal device may generate the first session key in the following manner:
- the terminal device generates a private key of the terminal device and a public key of the terminal device; here, the private key of the terminal device is a random number generated by the terminal device, and the public key of the terminal device is determined by The terminal device generates based on the private key of the terminal device;
- the terminal device generates a first session key based on the private key of the terminal device, the public key of the network device, and the first random number.
- the private key of the terminal device is r i
- the public key of the network device is PK gNB
- the first random number is Nonce
- First session key KDF(DH(r i , PK gNB ), Nonce);
- KDF Key Derivation Algorithm
- DH Key Agreement Algorithm
- the first session key includes a first encryption key and a first integrity key.
- the relationship between the first session key, the first encryption key, and the first integrity key may be expressed by the following formula:
- the terminal device can obtain the first encryption key and the first integrity key according to the first session key.
- the first session key is represented by 256 bits
- the first 128 bits of the first session key correspond to the first encryption key
- the last 128 bits of the first session key correspond to the first integrity key.
- the terminal device after the terminal device generates the first session key, it performs security processing on the first message based on the first session key to obtain the first response message.
- the first message includes at least one of the following: identification information of the terminal device; service information of a target service associated with the terminal device.
- the target business is one of the following businesses: logistics business, warehouse business, and household business.
- the present application does not limit the content contained in the first message, and the first message may contain any one or more types of information that the terminal device wants to send to the network device.
- the terminal device may perform security processing on the first message in the following manner:
- the terminal device uses the first encryption key to encrypt the first message to generate a ciphertext message; and/or, the terminal device uses the first integrity key to correspond to the first message Integrity protection of the ciphertext message is carried out, and a check code of the ciphertext message is generated;
- the terminal device generates a first response message based on at least one of the public key of the terminal device, the ciphertext message, and the check code of the ciphertext message, wherein the first response message At least one of the following is included: the public key of the terminal device, the ciphertext message, and a check code of the ciphertext message.
- the first encryption key is CK i represents the first encryption key
- the first message is msg
- the ciphertext message can be generated by the following formula:
- C i represents the ciphertext message
- Enc represents the encryption algorithm
- msg first information
- the content of the msg is not limited to being formed by connecting the above two messages, but may be formed by connecting any other number of messages, or may include only one message alone.
- the check code corresponding to the ciphertext message can be generated by the following formula:
- MAC i represents the check code corresponding to the ciphertext message
- Int represents the integrity protection algorithm
- the public key of the terminal device is R i
- the ciphertext message is C i
- the check code corresponding to the ciphertext message is MAC i
- the first response message can be recorded as (R i ,Ci,MAC i )
- the first response message includes R i , Ci and MAC i .
- FIG. 6 is a second schematic flow diagram of a secure communication method provided in an embodiment of the present application. As shown in FIG. 6, the secure communication method includes the following steps:
- Step 601 The network device sends a first request message to the terminal device, and receives a first response message sent by the terminal device.
- Step 602 The network device generates a second session key based on the first response message, and obtains the first message from the first response message based on the second session key.
- the network device is a base station, such as a gNB.
- the type of the terminal device is a zero-power consumption terminal.
- a typical zero power consumption terminal may be an RFID device.
- the type of the terminal device may also be a traditional terminal, such as a mobile phone, a tablet, and the like. This application does not limit the type of the terminal device.
- the first request message is sent by a network device in a broadcast form, and the first request message may also be called a broadcast request message.
- the first request message includes at least one of the following:
- a first certificate where the first certificate carries the public key of the network device.
- the first signature is obtained by the network device signing the second message with a private key of the network device.
- the first certificate is signed by the private key of the master control center.
- the first response message includes at least one of the following: a public key of the terminal device, a ciphertext message, and a check code of the ciphertext message.
- the network device after receiving the first response message sent by the terminal device, the network device generates a second session key based on the first response message, and based on the second session key, extracts from the first response message Get first news.
- the network device may generate the second session key in the following manner:
- the network device generates a second session key based on the public key of the terminal device, the private key of the network device, and the first random number.
- the public key of the terminal device is R i
- the private key of the network device is SK gNB
- the first random number is Nonce
- the second session key can be calculated by the following formula:
- Second session key KDF(DH(R i , SK gNB ), Nonce);
- KDF Key Derivation Algorithm
- DH Key Agreement Algorithm
- the second session key includes a second encryption key and a second integrity key.
- the relationship between the first session key, the first encryption key, and the first integrity key may be expressed by the following formula:
- the network device can obtain the second encryption key and the second integrity key according to the second session key.
- the second session key is represented by 256 bits
- the first 128 bits of the second session key correspond to the second encryption key
- the last 128 bits of the second session key correspond to the second integrity key.
- the network device after the network device generates the second session key, it acquires the first message from the first response message based on the second session key.
- the first message includes at least one of the following: identification information of the terminal device; service information of a target service associated with the terminal device.
- the target business is one of the following businesses: logistics business, warehouse business, and household business.
- the present application does not limit the content contained in the first message, and the first message may contain any one or more types of information that the terminal device wants to send to the network device.
- the network device can obtain the first message from the first response message in the following manner:
- the network device uses the second integrity key to verify the validity of the check code of the ciphertext message and/or uses the second encryption key to decrypt the ciphertext message, and from the Obtain the first message from the ciphertext message.
- the network device uses the second integrity key to verify the validity of the verification code of the ciphertext message, and uses the second encryption key to encrypt the ciphertext after the verification is successful.
- the message is decrypted, and if the decryption is successful, the first message is obtained from the ciphertext message.
- the terminal equipment is used as a UE, and the network equipment is used as a base station for illustration.
- the initial configuration of UE and base station is as follows:
- the main control center (such as the general certification center in the smart factory) needs to use its private key to issue a certificate Cert gNB to the base station, and the certificate of the base station contains the public key PK gNB of the base station. Therefore, the base station The certificate of can also be a public key certificate.
- the UE needs a safe storage environment, so as to store its own identity ID and the public key PK CA of the main control center.
- the base station needs to keep secret the identity ID of the UE, the certificate of the base station and the private key SK gNB of the base station.
- Step 701 the base station signs the message Msg with the private key SK gNB of the base station, and obtains the signature S gNB .
- Step 702 the base station sends a broadcast request message (Msg, S gNB , Cert gNB ).
- the broadcast request message corresponds to the first request message in the above scheme, and the broadcast request message can be written as (Msg, S gNB , Cert gNB ), which means that the broadcast request message includes Msg, S gNB and Cert gNB , wherein Msg contains random Count Nonce.
- Step 703 The UE uses the public key PK CA of the main control center to verify the validity of the certificate Cert gNB , and obtains the public key PK gNB of the base station from the certificate Cert gNB after the verification is successful; the UE uses the public key PK gNB of the base station to verify the signature S gNB Validity, calculate the temporary session key after the verification is successful, and use the temporary session key to encrypt and integrity protect the message msg, and obtain the ciphertext message C i and the check code MAC i of the ciphertext message.
- the UE uses its own pre-stored public key PK CA of the main control center to verify the validity of the certificate Cert gNB , and obtains the public key PK gNB of the base station from the certificate after the verification is successful;
- UE calculates the temporary session key as: CK i
- IK i KDF(DH( ri ,PK gNB ),Nonce), where CK i is the encryption key and IK i is the integrity key.
- the msg includes the content that the UE wants to send to the base station, for example, it may include the ID of the UE, service information and so on.
- the UE uses the public key PK gNB of the base station to verify the validity of the signature S gNB , which can be realized through the signature verification algorithm VerifySign. Specifically, the UE uses the public key PK gNB of the base station to verify the validity of the signature S gNB through the formula: VerifySign (PK gNB , S gNB ) to achieve.
- VerifySign PK gNB , S gNB
- Step 704 UE sends a response message (R i , C i , MAC i ).
- the response message corresponds to the first response message in the above solution, and the response message may be recorded as (R i , C i , MAC i ), which means that the response message includes R i , C i and MAC i .
- the UE sends the response message (R i , C i , MAC i ) to the base station.
- Step 705 the base station calculates the temporary session key, and uses the temporary session key to verify the verification code MACi of the ciphertext message and decrypt the ciphertext message to obtain msg.
- the base station calculates the temporary session key as: CK i
- IK i KDF(DH(R i ,SK gNB ),Nonce), where CK i is the encryption key and IK i is integrity key.
- the base station uses the integrity key IK i to verify whether the check code MAC i of the ciphertext message is valid. If the verification is successful, the base station uses the encryption key CK i to decrypt C i to obtain the message msg, and the UE security access process is completed.
- the principle of key generation is shown in Figure 8.
- a cryptographic algorithm is used to generate a session key CK i
- the base station side use the same cryptographic algorithm to generate session keys CK i
- Sign() is the signature algorithm
- VerifySign() is the signature verification algorithm.
- This application does not limit the signature algorithm Sign() and the signature verification algorithm VerifySign().
- the SM2/ECDSA algorithm can be used.
- KDF() is a key derivation algorithm. This application does not limit the key derivation algorithm.
- the HMAC-SHA-256 algorithm or the HMAC-SM3 algorithm can be used.
- DH() is a key agreement algorithm. This application does not limit the key agreement algorithm.
- the elliptic curve Diffie-Hellman algorithm can be used.
- Enc() and Dec() are symmetrical encryption algorithm and decryption algorithm respectively, the application does not limit the encryption algorithm and decryption algorithm, as an example, SNOW 3G algorithm, or SM4 algorithm, or AES algorithm, or ZUC algorithm can be used.
- Int() is an integrity protection algorithm, and this application does not limit the integrity protection algorithm.
- the SNOW 3G algorithm, or the AES (CMAC mode) algorithm, or the ZUC algorithm can be used.
- SK private key of the signer
- PK public key of the signer
- SK the private key of the execution subject
- PK the public key of the other party in the session
- K shared secret value
- CK encryption key
- Msg the plaintext message to be encrypted
- IK Integrity Key
- Msg message to be integrity protected
- the technical solution of the embodiment of the present application is applicable to the secure access of a large number of lightweight zero-power terminals.
- the terminal device can verify the legitimacy of the base station through the signature carried in the request message broadcast by the base station.
- the terminal device combines the elliptic curve cryptography mechanism to derive the session key shared only with the base station based on the private key of the terminal device and the public key of the base station, and uses the session key to encrypt and integrity protect the messages sent to the base station. Therefore, the confidentiality and integrity of the information of the terminal device can be strictly ensured.
- the base station does not need to store secret information related to the terminal equipment in advance, and it can also avoid the additional space and time complexity caused by the storage and retrieval content of the base station, and can also reduce the fixed storage space of the terminal equipment.
- the mechanism of the embodiment of the present application only requires one round of interaction between the two parties, which prevents the base station from providing excess energy for the terminal device, reduces the power consumption burden of the base station, and ensures the portability of the security mechanism. Access security provides a good security guarantee.
- the network device is described by taking a base station as an example, but it is not limited thereto, and the network device may also be other core network elements or servers.
- the security algorithm used by the network device is not limited to a specific algorithm, and may be any algorithm that satisfies computational security.
- sequence numbers of the above-mentioned processes do not mean the order of execution, and the order of execution of the processes should be determined by their functions and internal logic, and should not be used in this application.
- the implementation of the examples constitutes no limitation.
- the terms “downlink”, “uplink” and “sidelink” are used to indicate the transmission direction of signals or data, wherein “downlink” is used to indicate that the transmission direction of signals or data is sent from the station The first direction to the user equipment in the cell, “uplink” is used to indicate that the signal or data transmission direction is the second direction sent from the user equipment in the cell to the station, and “side line” is used to indicate that the signal or data transmission direction is A third direction sent from UE1 to UE2.
- “downlink signal” indicates that the transmission direction of the signal is the first direction.
- the term “and/or” is only an association relationship describing associated objects, indicating that there may be three relationships. Specifically, A and/or B may mean: A exists alone, A and B exist simultaneously, and B exists alone. In addition, the character "/" in this article generally indicates that the contextual objects are an "or” relationship.
- Fig. 9 is a schematic diagram of the first structural composition of the safety communication device provided by the embodiment of the present application, which is applied to terminal equipment. As shown in Fig. 9, the safety communication device includes:
- a receiving unit 901 configured to receive a first request message sent by a network device
- a processing unit 902 configured to generate a first session key based on the first request message; perform security processing on the first message based on the first session key to obtain a first response message;
- the sending unit 903 is configured to send the first response message to the network device.
- the first request message includes at least one of the following:
- a first certificate where the first certificate carries the public key of the network device.
- the first signature is obtained by the network device signing the second message by using a private key of the network device.
- the first certificate is signed by the private key of the master control center.
- the processing unit 902 is configured to use the public key of the master control center to verify the validity of the first certificate and/or use the public key of the network device to verify the validity of the first certificate. The validity of the signature is verified, and the first session key is generated after the verification is successful.
- the processing unit 902 is configured to generate the private key of the terminal device and the public key of the terminal device; based on the private key of the terminal device, the public key of the network device and The first random number generates a first session key.
- the first session key includes a first encryption key and a first integrity key.
- processing unit 902 is configured to:
- a first response message is generated, wherein the first response message includes at least one of the following: The public key of the terminal device, the ciphertext message, and the check code of the ciphertext message.
- the first message includes at least one of the following:
- the target business is one of the following businesses: logistics business, warehouse business, and household business.
- the type of the terminal device is a zero-power consumption terminal.
- Fig. 10 is a schematic diagram of the second structural composition of the secure communication device provided by the embodiment of the present application, which is applied to network equipment.
- the secure communication device includes:
- a sending unit 1001 configured to send a first request message to the terminal device
- a receiving unit 1002 configured to receive a first response message sent by the terminal device
- the processing unit 1003 is configured to generate a second session key based on the first response message, and obtain the first message from the first response message based on the second session key.
- the first request message includes at least one of the following:
- a first certificate where the first certificate carries the public key of the network device.
- the first signature is obtained by the network device signing the second message by using a private key of the network device.
- the first certificate is signed by the private key of the master control center.
- the first response message includes at least one of the following: a public key of the terminal device, a ciphertext message, and a check code of the ciphertext message.
- the processing unit 1003 is configured to generate a second session key based on the public key of the terminal device, the private key of the network device, and the first random number.
- the second session key includes a second encryption key and a second integrity key.
- the processing unit 1003 is configured to use the second integrity key to verify the validity of the check code of the ciphertext message and/or use the second encryption key pair
- the ciphertext message is decrypted, and a first message is obtained from the ciphertext message.
- the first message includes at least one of the following:
- the target business is one of the following businesses: logistics business, warehouse business, and household business.
- the type of the terminal device is a zero-power consumption terminal.
- the technical solutions of the embodiments of this application can be applied to scenarios such as future smart logistics, smart warehouses, and smart homes, but are not limited to, and are suitable for lightweight security authentication and data transmission mechanisms for zero-power terminals in 3GPP networks.
- the security authentication between the zero-power terminal and the base station is realized, and the key negotiation technology and key derivation technology are used to enable the communication parties to share the session key key, thus ensuring the confidentiality and integrity of the message sent by the terminal device;
- the above technical features ensure the portability of the authentication mechanism, and not only get rid of the huge signaling of complex and cumbersome mechanisms (such as 5G-AKA authentication and key derivation mechanism). Interaction pressure, and avoid the space and time complexity required for the base station to store and retrieve the keys of a large number of terminal devices, so it is suitable for the zero-power terminal IoT scenario with great potential in the future 5G.
- FIG. 11 is a schematic structural diagram of a communication device 1100 provided by an embodiment of the present application.
- the communication device may be a terminal device or a network device.
- the communication device 1100 shown in FIG. 11 includes a processor 1110, and the processor 1110 can invoke and run a computer program from a memory, so as to implement the method in the embodiment of the present application.
- the communication device 1100 may further include a memory 1120 .
- the processor 1110 can invoke and run a computer program from the memory 1120, so as to implement the method in the embodiment of the present application.
- the memory 1120 may be an independent device independent of the processor 1110 , or may be integrated in the processor 1110 .
- the communication device 1100 may further include a transceiver 1130, and the processor 1110 may control the transceiver 1130 to communicate with other devices, specifically, to send information or data to other devices, or to receive other Information or data sent by the device.
- the processor 1110 may control the transceiver 1130 to communicate with other devices, specifically, to send information or data to other devices, or to receive other Information or data sent by the device.
- the transceiver 1130 may include a transmitter and a receiver.
- the transceiver 1130 may further include an antenna, and the number of antennas may be one or more.
- the communication device 1100 may specifically be the network device of the embodiment of the present application, and the communication device 1100 may implement the corresponding processes implemented by the network device in each method of the embodiment of the present application. For the sake of brevity, details are not repeated here. .
- the communication device 1100 may specifically be the mobile terminal/terminal device of the embodiment of the present application, and the communication device 1100 may implement the corresponding processes implemented by the mobile terminal/terminal device in each method of the embodiment of the present application, for the sake of brevity , which will not be repeated here.
- FIG. 12 is a schematic structural diagram of a chip according to an embodiment of the present application.
- the chip 1200 shown in FIG. 12 includes a processor 1210, and the processor 1210 can call and run a computer program from a memory, so as to implement the method in the embodiment of the present application.
- the chip 1200 may further include a memory 1220 .
- the processor 1210 can invoke and run a computer program from the memory 1220, so as to implement the method in the embodiment of the present application.
- the memory 1220 may be an independent device independent of the processor 1210 , or may be integrated in the processor 1210 .
- the chip 1200 may also include an input interface 1230 .
- the processor 1210 can control the input interface 1230 to communicate with other devices or chips, specifically, can obtain information or data sent by other devices or chips.
- the chip 1200 may also include an output interface 1240 .
- the processor 1210 can control the output interface 1240 to communicate with other devices or chips, specifically, can output information or data to other devices or chips.
- the chip can be applied to the network device in the embodiment of the present application, and the chip can implement the corresponding processes implemented by the network device in the methods of the embodiment of the present application.
- the chip can implement the corresponding processes implemented by the network device in the methods of the embodiment of the present application.
- the chip can be applied to the mobile terminal/terminal device in the embodiments of the present application, and the chip can implement the corresponding processes implemented by the mobile terminal/terminal device in the various methods of the embodiments of the present application.
- the chip can implement the corresponding processes implemented by the mobile terminal/terminal device in the various methods of the embodiments of the present application.
- the chip can implement the corresponding processes implemented by the mobile terminal/terminal device in the various methods of the embodiments of the present application.
- the chip can be applied to the mobile terminal/terminal device in the embodiments of the present application, and the chip can implement the corresponding processes implemented by the mobile terminal/terminal device in the various methods of the embodiments of the present application.
- the chip mentioned in the embodiment of the present application may also be called a system-on-chip, a system-on-chip, a system-on-a-chip, or a system-on-a-chip.
- Fig. 13 is a schematic block diagram of a communication system 1300 provided by an embodiment of the present application. As shown in FIG. 13 , the communication system 1300 includes a terminal device 1310 and a network device 1320 .
- the terminal device 1310 can be used to realize the corresponding functions realized by the terminal device in the above method
- the network device 1320 can be used to realize the corresponding functions realized by the network device in the above method.
- the processor in the embodiment of the present application may be an integrated circuit chip, which has a signal processing capability.
- each step of the above-mentioned method embodiments may be completed by an integrated logic circuit of hardware in a processor or instructions in the form of software.
- the above-mentioned processor can be a general-purpose processor, a digital signal processor (Digital Signal Processor, DSP), an application-specific integrated circuit (Application Specific Integrated Circuit, ASIC), an off-the-shelf programmable gate array (Field Programmable Gate Array, FPGA) or other available Program logic devices, discrete gate or transistor logic devices, discrete hardware components.
- DSP Digital Signal Processor
- ASIC Application Specific Integrated Circuit
- FPGA Field Programmable Gate Array
- a general-purpose processor may be a microprocessor, or the processor may be any conventional processor, or the like.
- the steps of the method disclosed in connection with the embodiments of the present application may be directly implemented by a hardware decoding processor, or implemented by a combination of hardware and software modules in the decoding processor.
- the software module can be located in a mature storage medium in the field such as random access memory, flash memory, read-only memory, programmable read-only memory or electrically erasable programmable memory, register.
- the storage medium is located in the memory, and the processor reads the information in the memory, and completes the steps of the above method in combination with its hardware.
- the memory in the embodiments of the present application may be a volatile memory or a nonvolatile memory, or may include both volatile and nonvolatile memories.
- the non-volatile memory can be read-only memory (Read-Only Memory, ROM), programmable read-only memory (Programmable ROM, PROM), erasable programmable read-only memory (Erasable PROM, EPROM), electronically programmable Erase Programmable Read-Only Memory (Electrically EPROM, EEPROM) or Flash.
- the volatile memory can be Random Access Memory (RAM), which acts as external cache memory.
- RAM Static Random Access Memory
- SRAM Static Random Access Memory
- DRAM Dynamic Random Access Memory
- Synchronous Dynamic Random Access Memory Synchronous Dynamic Random Access Memory
- SDRAM double data rate synchronous dynamic random access memory
- Double Data Rate SDRAM, DDR SDRAM enhanced synchronous dynamic random access memory
- Enhanced SDRAM, ESDRAM synchronous connection dynamic random access memory
- Synchlink DRAM, SLDRAM Direct Memory Bus Random Access Memory
- Direct Rambus RAM Direct Rambus RAM
- the memory in the embodiment of the present application may also be a static random access memory (static RAM, SRAM), a dynamic random access memory (dynamic RAM, DRAM), Synchronous dynamic random access memory (synchronous DRAM, SDRAM), double data rate synchronous dynamic random access memory (double data rate SDRAM, DDR SDRAM), enhanced synchronous dynamic random access memory (enhanced SDRAM, ESDRAM), synchronous connection Dynamic random access memory (synch link DRAM, SLDRAM) and direct memory bus random access memory (Direct Rambus RAM, DR RAM), etc. That is, the memory in the embodiments of the present application is intended to include, but not be limited to, these and any other suitable types of memory.
- the embodiment of the present application also provides a computer-readable storage medium for storing computer programs.
- the computer-readable storage medium can be applied to the network device in the embodiments of the present application, and the computer program enables the computer to execute the corresponding processes implemented by the network device in the methods of the embodiments of the present application.
- the computer program enables the computer to execute the corresponding processes implemented by the network device in the methods of the embodiments of the present application.
- the computer-readable storage medium can be applied to the mobile terminal/terminal device in the embodiments of the present application, and the computer program enables the computer to execute the corresponding processes implemented by the mobile terminal/terminal device in the various methods of the embodiments of the present application , for the sake of brevity, it is not repeated here.
- the embodiment of the present application also provides a computer program product, including computer program instructions.
- the computer program product may be applied to the network device in the embodiment of the present application, and the computer program instructions cause the computer to execute the corresponding process implemented by the network device in each method of the embodiment of the present application.
- the Let me repeat for the sake of brevity, the Let me repeat.
- the computer program product can be applied to the mobile terminal/terminal device in the embodiments of the present application, and the computer program instructions cause the computer to execute the corresponding processes implemented by the mobile terminal/terminal device in the methods of the embodiments of the present application, For the sake of brevity, details are not repeated here.
- the embodiment of the present application also provides a computer program.
- the computer program can be applied to the network device in the embodiment of the present application.
- the computer program executes the corresponding process implemented by the network device in each method of the embodiment of the present application.
- the computer program executes the corresponding process implemented by the network device in each method of the embodiment of the present application.
- the computer program can be applied to the mobile terminal/terminal device in the embodiment of the present application.
- the computer program executes each method in the embodiment of the present application to be implemented by the mobile terminal/terminal device
- the corresponding process will not be repeated here.
- the disclosed systems, devices and methods may be implemented in other ways.
- the device embodiments described above are only illustrative.
- the division of the units is only a logical function division. In actual implementation, there may be other division methods.
- multiple units or components can be combined or May be integrated into another system, or some features may be ignored, or not implemented.
- the mutual coupling or direct coupling or communication connection shown or discussed may be through some interfaces, and the indirect coupling or communication connection of devices or units may be in electrical, mechanical or other forms.
- the units described as separate components may or may not be physically separated, and the components shown as units may or may not be physical units, that is, they may be located in one place, or may be distributed to multiple network units. Part or all of the units can be selected according to actual needs to achieve the purpose of the solution of this embodiment.
- each functional unit in each embodiment of the present application may be integrated into one processing unit, each unit may exist separately physically, or two or more units may be integrated into one unit.
- the functions described above are realized in the form of software function units and sold or used as independent products, they can be stored in a computer-readable storage medium.
- the technical solution of the present application is essentially or the part that contributes to the prior art or the part of the technical solution can be embodied in the form of a software product, and the computer software product is stored in a storage medium, including Several instructions are used to make a computer device (which may be a personal computer, a server, or a network device, etc.) execute all or part of the steps of the methods described in the various embodiments of the present application.
- the aforementioned storage media include: U disk, mobile hard disk, read-only memory (Read-Only Memory,) ROM, random access memory (Random Access Memory, RAM), magnetic disk or optical disc, etc., which can store program codes. .
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Mobile Radio Communication Systems (AREA)
Abstract
Selon des modes de réalisation, la présente invention concerne un procédé et un appareil de communication sécurisée, un dispositif terminal et un périphérique de réseau. Le procédé comprend les étapes suivantes : un dispositif terminal reçoit un premier message de demande transmis par un périphérique de réseau ; le dispositif terminal génère une première clé de session sur la base du premier message de demande ; le dispositif terminal effectue un traitement de sécurité sur un premier message sur la base de la première clé de session pour obtenir un premier message de réponse, et transmet le premier message de réponse au périphérique de réseau. Le périphérique de réseau transmet le premier message de demande au dispositif terminal, et reçoit le premier message de réponse transmis par le dispositif terminal ; le périphérique de réseau génère une seconde clé de session sur la base du premier message de réponse, et obtient le premier message à partir du premier message de réponse sur la base de la seconde clé de session.
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/CN2021/105852 WO2023283789A1 (fr) | 2021-07-12 | 2021-07-12 | Procédé et appareil de communication sécurisée, dispositif terminal et périphérique de réseau |
CN202180099306.5A CN117546441A (zh) | 2021-07-12 | 2021-07-12 | 一种安全通信方法及装置、终端设备、网络设备 |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/CN2021/105852 WO2023283789A1 (fr) | 2021-07-12 | 2021-07-12 | Procédé et appareil de communication sécurisée, dispositif terminal et périphérique de réseau |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2023283789A1 true WO2023283789A1 (fr) | 2023-01-19 |
Family
ID=84919799
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2021/105852 WO2023283789A1 (fr) | 2021-07-12 | 2021-07-12 | Procédé et appareil de communication sécurisée, dispositif terminal et périphérique de réseau |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN117546441A (fr) |
WO (1) | WO2023283789A1 (fr) |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN116437339A (zh) * | 2023-04-12 | 2023-07-14 | 国网江苏电力有限公司电力科学研究院 | 无线传感网络认证与密钥协商方法、装置及系统 |
CN116723511A (zh) * | 2023-08-11 | 2023-09-08 | 哈尔滨工业大学(深圳)(哈尔滨工业大学深圳科技创新研究院) | 车联网中实现隐私保护的位置管理方法、系统及车联网 |
CN116800423A (zh) * | 2023-08-28 | 2023-09-22 | 长沙盈芯半导体科技有限公司 | 基于rfid的数据采集及双重加密解密数据保护方法和装置 |
CN117692902A (zh) * | 2024-02-02 | 2024-03-12 | 深圳市迈腾电子有限公司 | 一种基于嵌入式家庭网关的智能家居的交互方法及系统 |
CN118540059A (zh) * | 2024-07-25 | 2024-08-23 | 深圳市纽创信安科技开发有限公司 | 密钥生成方法、装置、设备、介质及程序产品 |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1564514A (zh) * | 2004-03-26 | 2005-01-12 | 中兴通讯股份有限公司 | 无线局域网自组网模式共享密钥认证和会话密钥协商方法 |
CN101383698A (zh) * | 2008-10-29 | 2009-03-11 | 中国电信股份有限公司 | 会话密钥分发方法及系统 |
CN101420413A (zh) * | 2007-10-25 | 2009-04-29 | 华为技术有限公司 | 会话密钥协商方法、网络系统、认证服务器及网络设备 |
US20100023768A1 (en) * | 2007-06-27 | 2010-01-28 | Intel Corporation | Method and system for security key agreement |
-
2021
- 2021-07-12 WO PCT/CN2021/105852 patent/WO2023283789A1/fr active Application Filing
- 2021-07-12 CN CN202180099306.5A patent/CN117546441A/zh active Pending
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1564514A (zh) * | 2004-03-26 | 2005-01-12 | 中兴通讯股份有限公司 | 无线局域网自组网模式共享密钥认证和会话密钥协商方法 |
US20100023768A1 (en) * | 2007-06-27 | 2010-01-28 | Intel Corporation | Method and system for security key agreement |
CN101420413A (zh) * | 2007-10-25 | 2009-04-29 | 华为技术有限公司 | 会话密钥协商方法、网络系统、认证服务器及网络设备 |
CN101383698A (zh) * | 2008-10-29 | 2009-03-11 | 中国电信股份有限公司 | 会话密钥分发方法及系统 |
Cited By (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN116437339A (zh) * | 2023-04-12 | 2023-07-14 | 国网江苏电力有限公司电力科学研究院 | 无线传感网络认证与密钥协商方法、装置及系统 |
CN116723511A (zh) * | 2023-08-11 | 2023-09-08 | 哈尔滨工业大学(深圳)(哈尔滨工业大学深圳科技创新研究院) | 车联网中实现隐私保护的位置管理方法、系统及车联网 |
CN116723511B (zh) * | 2023-08-11 | 2023-10-20 | 哈尔滨工业大学(深圳)(哈尔滨工业大学深圳科技创新研究院) | 车联网中实现隐私保护的位置管理方法、系统及车联网 |
CN116800423A (zh) * | 2023-08-28 | 2023-09-22 | 长沙盈芯半导体科技有限公司 | 基于rfid的数据采集及双重加密解密数据保护方法和装置 |
CN116800423B (zh) * | 2023-08-28 | 2023-11-03 | 长沙盈芯半导体科技有限公司 | 基于rfid的数据采集及双重加密解密数据保护方法和装置 |
CN117692902A (zh) * | 2024-02-02 | 2024-03-12 | 深圳市迈腾电子有限公司 | 一种基于嵌入式家庭网关的智能家居的交互方法及系统 |
CN118540059A (zh) * | 2024-07-25 | 2024-08-23 | 深圳市纽创信安科技开发有限公司 | 密钥生成方法、装置、设备、介质及程序产品 |
Also Published As
Publication number | Publication date |
---|---|
CN117546441A (zh) | 2024-02-09 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US10943005B2 (en) | Secure authentication of devices for internet of things | |
WO2023283789A1 (fr) | Procédé et appareil de communication sécurisée, dispositif terminal et périphérique de réseau | |
CN107809411B (zh) | 移动网络的认证方法、终端设备、服务器和网络认证实体 | |
WO2020177768A1 (fr) | Procédé, appareil et système de vérification de réseau | |
RU2663972C1 (ru) | Обеспечение безопасности при связи между устройством связи и сетевым устройством | |
WO2017091959A1 (fr) | Procédé de transmission de données, équipement utilisateur et dispositif côté réseau | |
US20170012778A1 (en) | End-To-End Service Layer Authentication | |
WO2019034014A1 (fr) | Procédé et appareil pour authentification d'accès | |
US11582233B2 (en) | Secure authentication of devices for Internet of Things | |
WO2020248624A1 (fr) | Procédé de communication, dispositif de réseau, équipement utilisateur et dispositif de réseau d'accès | |
US11997078B2 (en) | Secured authenticated communication between an initiator and a responder | |
US11082843B2 (en) | Communication method and communications apparatus | |
WO2017133021A1 (fr) | Procédé de traitement de sécurité et dispositif pertinent | |
WO2018219181A1 (fr) | Procédé et dispositif permettant de déterminer l'identifiant d'un dispositif terminal | |
CN112602290B (zh) | 一种身份验证方法、装置和可读存储介质 | |
CN112771904B (zh) | 分布式网络蜂窝身份管理 | |
CN112449323B (zh) | 一种通信方法、装置和系统 | |
CN113872755A (zh) | 一种密钥交换方法及装置 | |
CN109756324A (zh) | 一种Mesh网络中的密钥协商方法、终端及网关 | |
US20190149326A1 (en) | Key obtaining method and apparatus | |
WO2022134089A1 (fr) | Procédé et appareil de génération de contexte de sécurite, et support de stockage lisible par ordinateur | |
WO2023143022A1 (fr) | Procédé et appareil de traitement de données dans un processus d'accès aléatoire | |
WO2023159603A1 (fr) | Procédé et appareil de mise en œuvre de sécurité, dispositif terminal et éléments de réseau | |
WO2023141914A1 (fr) | Procédé et dispositif de protection d'informations | |
WO2023212904A1 (fr) | Procédé et dispositif de communication par relais |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 21949585 Country of ref document: EP Kind code of ref document: A1 |
|
WWE | Wipo information: entry into national phase |
Ref document number: 202180099306.5 Country of ref document: CN |
|
NENP | Non-entry into the national phase |
Ref country code: DE |
|
122 | Ep: pct application non-entry in european phase |
Ref document number: 21949585 Country of ref document: EP Kind code of ref document: A1 |