[go: up one dir, main page]

CN106534050A - Method and device for realizing key agreement of virtual private network (VPN) - Google Patents

Method and device for realizing key agreement of virtual private network (VPN) Download PDF

Info

Publication number
CN106534050A
CN106534050A CN201510579550.8A CN201510579550A CN106534050A CN 106534050 A CN106534050 A CN 106534050A CN 201510579550 A CN201510579550 A CN 201510579550A CN 106534050 A CN106534050 A CN 106534050A
Authority
CN
China
Prior art keywords
key
terminal
tid
vpn
bsf
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201510579550.8A
Other languages
Chinese (zh)
Inventor
黄鸣
黄一鸣
郦荣
罗红
路晓明
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Mobile Communications Group Co Ltd
China Mobile Hangzhou Information Technology Co Ltd
Original Assignee
China Mobile Communications Group Co Ltd
China Mobile Hangzhou Information Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Mobile Communications Group Co Ltd, China Mobile Hangzhou Information Technology Co Ltd filed Critical China Mobile Communications Group Co Ltd
Priority to CN201510579550.8A priority Critical patent/CN106534050A/en
Publication of CN106534050A publication Critical patent/CN106534050A/en
Pending legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/061Network architectures or network communication protocols for network security for supporting key management in a packet data network for key exchange, e.g. in peer-to-peer networks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0272Virtual private networks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0838Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • H04L9/0847Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving identity based encryption [IBE] schemes

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

本发明公开了一种实现虚拟专用网络密钥协商的方法和装置,包括:终端在需要发起VPN服务器连接后,若所述终端已存储根密钥,则根据根密钥、所述终端的B-TID以及VPN服务器的NAF_id确定第一共享密钥,并将确定的第一共享密钥及所述B-TID发送给VPN服务器;若接收到来自VPN服务器的认证成功响应,则确定完成密钥协商。本发明将共享密钥作为客户端与服务器之间的会话密钥,并根据已存储的根密钥、终端的B-TID以及VPN服务器的NAF_id生成第一共享密钥,免去了现有VPN中每次认证都需要重新协商的重复流程,因此其生成速度极快,降低了密钥协商延迟,减少了系统资源消耗,优化了VPN的使用体验。

The present invention discloses a method and device for realizing virtual private network key negotiation, including: after a terminal needs to initiate a VPN server connection, if the terminal has stored a root key, then according to the root key, the terminal's B -TID and the NAF_id of the VPN server determine the first shared key, and send the determined first shared key and the B-TID to the VPN server; if a successful authentication response from the VPN server is received, the key is determined to be completed negotiate. The present invention uses the shared key as the session key between the client and the server, and generates the first shared key according to the stored root key, the B-TID of the terminal, and the NAF_id of the VPN server, eliminating the need for the existing VPN Each authentication requires a repeated process of renegotiation, so its generation speed is extremely fast, which reduces the key negotiation delay, reduces system resource consumption, and optimizes the VPN experience.

Description

一种实现虚拟专用网络密钥协商的方法和装置A method and device for realizing virtual private network key negotiation

技术领域technical field

本发明涉及通信技术领域,尤其涉及一种实现虚拟专用网络密钥协商的方法和装置。The invention relates to the technical field of communication, in particular to a method and device for realizing virtual private network key negotiation.

背景技术Background technique

虚拟专用网络(VPN,Virtual Private Network),其功能是在共用网络上建立的专用网络,进行加密通讯。在企业网络中有着广泛的应用。VPN网关通过对数据包的加密和数据包目标地址的转换实现远程访问。VPN有多种分类方式,按协议方式可分为多协议标签转换虚拟专用网(MPLS VPN,Multiprotocol LabelSwitching VPN)、安全套接层虚拟专用网(SSL VPN,Security Socket Layer VPN)、IP协议安全结构虚拟专用网(IPSec VPN,Security Architecture for IP NetworkVPN),按实现方式可分为服务器、硬件、软件等。VPN具有成本低,并且易于使用的特点。在所有VPN技术中,SSL VPN是解决远程用户访问公司敏感数据最简单最安全的解决技术。SSL VPN基于成熟的SSL协议,无需专用客户端软件支持,在客户端与服务器之间使用公钥证书进行身份验证,进而协商生成双方加密通信的对称密钥,保证数据传输的安全。Virtual Private Network (VPN, Virtual Private Network), its function is to establish a private network on a shared network for encrypted communication. It is widely used in enterprise network. The VPN gateway realizes remote access by encrypting the data packet and converting the destination address of the data packet. There are many classification methods of VPN, which can be divided into multi-protocol label switching virtual private network (MPLS VPN, Multiprotocol LabelSwitching VPN), secure socket layer virtual private network (SSL VPN, Security Socket Layer VPN) and IP protocol security structure virtual network according to the protocol method. Private network (IPSec VPN, Security Architecture for IP NetworkVPN), can be divided into server, hardware, software, etc. according to the implementation method. VPNs are cheap and easy to use. Among all VPN technologies, SSL VPN is the simplest and most secure solution for remote users to access sensitive company data. Based on the mature SSL protocol, SSL VPN does not require special client software support. It uses public key certificates for authentication between the client and the server, and then negotiates to generate a symmetric key for encrypted communication between the two parties to ensure the security of data transmission.

但是SSL VPN在应用部署时仍存在着一定的不足:However, SSL VPN still has certain deficiencies in application deployment:

首先,企业SSL VPN往往需要员工首先使用已分配好的用户名密码进行身份认证,认证通过后才能够进行VPN的协商配置,最终完成安全通道的建立,基于用户名密码的认证方式首先便给员工带来了不便,缺乏责任心的员工可能为了使用方便,会设置一个简单的密码,这就为企业信息泄露带来了极大的安全隐患;First of all, enterprise SSL VPN often requires employees to first use the assigned user name and password for identity authentication. Inconvenience is caused, and employees who lack responsibility may set a simple password for the convenience of use, which brings great security risks to corporate information leakage;

其次,现有SSL VPN认证基于公钥证书进行密钥协商的方式,客户端与服务器之间需经过多次交互协商,最终生成传输保护用的共享密钥,这个过程非常耗时,并且在每一次VPN连接后,再次连接仍需要重新协商,耗费大量的系统资源,若保存一个长时间的共享密钥,在一个时段内都可以使用该密钥进行VPN连接,则更易出现问题,首先是服务器需要为每个用户保存共享密钥,增加了维护成本,同时在终端侧,由于密钥只能在应用层存储,极易被终端上的恶意程序盗取,造成密钥泄露,因此SSL VPN使用历史密钥极不安全;Secondly, the existing SSL VPN authentication is based on public key certificates for key negotiation. The client and server need to go through multiple interactive negotiations to finally generate a shared key for transmission protection. This process is very time-consuming, and every After a VPN connection, renegotiation still needs to be renegotiated, which consumes a lot of system resources. If a shared key is stored for a long time and can be used for a VPN connection within a period of time, problems are more likely to occur. First, the server It is necessary to save the shared key for each user, which increases the maintenance cost. At the same time, on the terminal side, since the key can only be stored at the application layer, it is very easy to be stolen by malicious programs on the terminal, resulting in key leakage. Therefore, SSL VPN uses Historical keys are extremely insecure;

最后,为了追求协商速度,SSL VPN认证中的密钥协商往往采用的是单向鉴权,即只有服务器具备公钥证书,协商时只需要客户端认证服务器,而服务器不需要认证客户端,相比于双向鉴权,这也给攻击者带来了可乘之机。Finally, in order to pursue negotiation speed, key negotiation in SSL VPN authentication often adopts one-way authentication, that is, only the server has a public key certificate, and only the client needs to authenticate the server during negotiation, while the server does not need to authenticate the client. Compared with two-way authentication, this also brings opportunities for attackers.

综上所述,现有SSL VPN认证因需使用用户名密码方式进行鉴权,不仅造成使用不方便,而且易导致机密信息的泄露,极不安全;此外,在协商共享密钥时每次都需重新协商且需经过多次交互方可生成共享密钥,不仅耗时同时亦造成系统资源的浪费。To sum up, the existing SSL VPN authentication needs to use username and password for authentication, which not only causes inconvenient use, but also easily leads to the leakage of confidential information, which is extremely unsafe; in addition, when negotiating a shared key every time Renegotiation and multiple interactions are required to generate the shared key, which not only takes time but also wastes system resources.

发明内容Contents of the invention

本发明实施例提供一种实现虚拟专用网络密钥协商的方法和装置,用以解决现有技术中SSL VPN认证安全性低、时间比较长以及浪费系统资源的问题。Embodiments of the present invention provide a method and device for implementing virtual private network key agreement, which are used to solve the problems of low security, long time and waste of system resources in SSL VPN authentication in the prior art.

本发明实施例提供的一种实现虚拟专用网络密钥协商的方法,包括:A method for implementing virtual private network key negotiation provided by an embodiment of the present invention includes:

终端在需要发起虚拟专用网络VPN服务器连接后,若所述终端已存储根密钥,则根据根密钥、所述终端引导标识(B-TID,Bootstrapping TransactionIdentifier)以及VPN服务器的网络应用标识(NAF_id,Network ApplicationFunction Identifier)确定第一共享密钥,并将确定的第一共享密钥及所述B-TID发送给VPN服务器;After the terminal needs to initiate a virtual private network VPN server connection, if the terminal has stored the root key, then according to the root key, the terminal bootstrapping identifier (B-TID, Bootstrapping TransactionIdentifier) and the network application identifier (NAF_id) of the VPN server , Network ApplicationFunction Identifier) determine the first shared key, and send the determined first shared key and the B-TID to the VPN server;

若接收到来自VPN服务器的认证成功响应,则确定完成密钥协商。If the authentication success response from the VPN server is received, it is determined that the key negotiation is completed.

可选的,终端在需要发起VPN服务器连接后,还包括:Optionally, after the terminal needs to initiate a VPN server connection, it also includes:

若所述终端未存储根密钥,则终端与认证服务功能BSF网元协商确定根密钥和B-TID,并执行确定第一共享密钥的步骤。If the terminal does not store the root key, the terminal negotiates with the authentication service function BSF network element to determine the root key and B-TID, and executes the step of determining the first shared key.

可选的,所述终端与BSF网元协商确定根密钥和B-TID,具体包括:Optionally, the terminal negotiates with the BSF network element to determine the root key and the B-TID, specifically including:

所述终端向BSF网元发送用户标识;The terminal sends the user identification to the BSF network element;

所述终端根据收到的来自BSF网元的随机数和认证标记,进行验证,并在验证通过后确定加密密钥、完整性密钥以及鉴权数据响应RES;The terminal performs verification according to the received random number and authentication mark from the BSF network element, and determines the encryption key, the integrity key and the authentication data response RES after the verification is passed;

所述终端根据鉴权数据响应向BSF网元请求认证,并在认证通过后,接收来自所述BSF网元的所述终端的B-TID,以及根据加密密钥和完整性密钥确定根密钥。The terminal requests authentication from the BSF network element according to the authentication data response, and after the authentication is passed, receives the B-TID of the terminal from the BSF network element, and determines the root key according to the encryption key and the integrity key key.

本发明实施例提供的一种实现虚拟专用网络密钥协商的方法,包括:A method for implementing virtual private network key negotiation provided by an embodiment of the present invention includes:

BSF网元在收到VPN服务器发送的终端的B-TID和VPN服务器的NAF_id后,根据所述B-TID和根密钥的绑定关系,确定所述B-TID对应的根密钥;After receiving the B-TID of the terminal sent by the VPN server and the NAF_id of the VPN server, the BSF network element determines the root key corresponding to the B-TID according to the binding relationship between the B-TID and the root key;

所述BSF网元根据所述B-TID、所述NAF_id以及所述根密钥,确定第二共享密钥;The BSF network element determines a second shared key according to the B-TID, the NAF_id and the root key;

所述BSF网元将确定的第二共享密钥返回至VPN服务器,以使VPN服务器根据收到的所述第二共享密钥对所述终端进行鉴权。The BSF network element returns the determined second shared key to the VPN server, so that the VPN server authenticates the terminal according to the received second shared key.

可选的,所述BSF根据下列方式建立B-TID和根密钥的绑定关系:Optionally, the BSF establishes the binding relationship between the B-TID and the root key in the following manner:

所述BSF网元根据收到的终端发送的用户标识,从网络侧获取鉴权五元组认证向量;The BSF network element obtains an authentication quintuple authentication vector from the network side according to the received user identifier sent by the terminal;

所述BSF网元将所述鉴权五元组认证向量中的随机数与认证标记发送给终端;The BSF network element sends the random number and the authentication mark in the authentication quintuple authentication vector to the terminal;

所述BSF网元在收到来自所述终端的鉴权数据响应后,通过所述鉴权五元组认证向量中的加密密钥、完整性密钥和应答响应期望值XRES对终端进行认证,并在认证通过后,根据加密密钥和完整性密钥确定根密钥和终端的B-TID,并建立B-TID和根密钥的绑定关系。After the BSF network element receives the authentication data response from the terminal, it authenticates the terminal through the encryption key, the integrity key and the expected response value XRES in the authentication quintuple authentication vector, and After passing the authentication, determine the root key and the B-TID of the terminal according to the encryption key and the integrity key, and establish the binding relationship between the B-TID and the root key.

可选的,所述BSF根据加密密钥和完整性密钥确定根密钥和B-TID之后,还包括:Optionally, after the BSF determines the root key and the B-TID according to the encryption key and the integrity key, it further includes:

所述BSF将所述B-TID发送给所述终端。The BSF sends the B-TID to the terminal.

本发明实施例提供的一种实现虚拟专用网络密钥协商的方法,包括:A method for implementing virtual private network key negotiation provided by an embodiment of the present invention includes:

VPN服务器接收终端发送的第一共享密钥及B-TID,并将B-TID与VPN服务器的NAF_id发送给BSF网元;The VPN server receives the first shared key and B-TID sent by the terminal, and sends the B-TID and the NAF_id of the VPN server to the BSF network element;

所述VPN服务器接收BSF网元返回的第二共享密钥;The VPN server receives the second shared key returned by the BSF network element;

所述VPN服务器将所述第一共享密钥和第二共享密钥进行比较;the VPN server compares the first shared key with a second shared key;

如果所述第一共享密钥和第二共享密钥相同,则向所述终端返回认证成功响应。If the first shared key and the second shared key are the same, return an authentication success response to the terminal.

本发明实施例提供的一种实现虚拟专用网络密钥协商的终端,包括:A terminal for implementing virtual private network key negotiation provided by an embodiment of the present invention includes:

第一确定模块,用于在需要发起虚拟专用网络VPN服务器连接后,若已存储根密钥,则根据根密钥、所述终端引导标识(B-TID,Bootstrapping TransactionIdentifier)以及VPN服务器的网络应用标识(NAF_id,Network ApplicationFunction Identifier)确定第一共享密钥,并将确定的第一共享密钥及所述B-TID发送给VPN服务器;The first determining module is used to initiate a virtual private network VPN server connection, if the root key has been stored, then according to the root key, the terminal bootstrapping identifier (B-TID, Bootstrapping TransactionIdentifier) and the network application of the VPN server The identifier (NAF_id, Network ApplicationFunction Identifier) determines the first shared key, and sends the determined first shared key and the B-TID to the VPN server;

第一接收模块,用于若接收到来自VPN服务器的认证成功响应,则确定完成密钥协商。The first receiving module is configured to determine that the key agreement is completed if the authentication success response from the VPN server is received.

可选的,所述第一确定模块还用于:Optionally, the first determining module is also used for:

在需要发起VPN服务器连接后,若未存储根密钥,则与认证服务功能BSF网元协商确定根密钥和B-TID,并执行生成第一共享密钥的步骤。After the need to initiate a VPN server connection, if the root key is not stored, negotiate with the authentication service function BSF network element to determine the root key and B-TID, and execute the step of generating the first shared key.

可选的,所述第一确定模块还用于:Optionally, the first determining module is also used for:

与BSF网元协商确定根密钥和B-TID,向BSF网元发送用户标识;根据收到的来自BSF网元的随机数和认证标记,进行验证,并在验证通过后确定加密密钥、完整性密钥以及鉴权数据响应RES;根据鉴权数据响应向BSF网元请求认证,并在认证通过后,接收来自所述BSF网元的所述终端的B-TID,以及根据加密密钥和完整性密钥确定根密钥。Negotiate with the BSF network element to determine the root key and B-TID, send the user ID to the BSF network element; perform verification according to the received random number and authentication mark from the BSF network element, and determine the encryption key, Integrity key and authentication data response RES; request authentication from the BSF network element according to the authentication data response, and after the authentication is passed, receive the B-TID of the terminal from the BSF network element, and according to the encryption key and the integrity key to determine the root key.

本发明实施例提供的一种实现虚拟专用网络密钥协商的BSF网元,包括:A BSF network element that implements virtual private network key negotiation provided by an embodiment of the present invention includes:

查询模块,用于在收到VPN服务器发送的终端B-TID和VPN服务器的NAF_id后,根据所述B-TID和根密钥的绑定关系,确定所述B-TID对应的根密钥;The query module is used to determine the root key corresponding to the B-TID according to the binding relationship between the B-TID and the root key after receiving the terminal B-TID sent by the VPN server and the NAF_id of the VPN server;

第二确定模块,用于根据所述B-TID、所述NAF_id以及所述根密钥,确定第二共享密钥;A second determining module, configured to determine a second shared key according to the B-TID, the NAF_id, and the root key;

发送模块,用于将确定的第二共享密钥返回至VPN服务器,以使VPN服务器根据收到的所述第二共享密钥对所述终端进行鉴权。A sending module, configured to return the determined second shared key to the VPN server, so that the VPN server authenticates the terminal according to the received second shared key.

可选的,所述查询模块具体用于:Optionally, the query module is specifically used for:

根据下列方式建立B-TID和根密钥的绑定关系:根据收到的终端发送的用户标识,从网络侧获取鉴权五元组认证向量;将所述鉴权五元组认证向量中的随机数与认证信息发送给终端;在收到来自所述终端的鉴权数据响应后,通过所述鉴权五元组认证向量中的加密密钥、完整性密钥和应答响应期望值XRES对终端进行认证,并在认证通过后,根据加密密钥和完整性密钥确定根密钥和终端的B-TID,并建立B-TID和根密钥的绑定关系。Establish the binding relationship between the B-TID and the root key in the following manner: according to the received user identification sent by the terminal, obtain the authentication quintuple authentication vector from the network side; Send the random number and authentication information to the terminal; after receiving the authentication data response from the terminal, pass the encryption key, integrity key and response response expectation value XRES in the authentication quintuple authentication vector to the terminal Perform authentication, and after the authentication is passed, determine the root key and the B-TID of the terminal according to the encryption key and the integrity key, and establish the binding relationship between the B-TID and the root key.

可选的,所述发送模块具体用于:Optionally, the sending module is specifically used for:

根据加密密钥和完整性密钥确定根密钥和B-TID之后,将所述B-TID发送给所述终端。After the root key and the B-TID are determined according to the encryption key and the integrity key, the B-TID is sent to the terminal.

本发明实施例提供的一种实现虚拟专用网络密钥协商的VPN服务器,包括:A VPN server for implementing virtual private network key negotiation provided by an embodiment of the present invention includes:

收发模块,用于接收终端发送的第一共享密钥及B-TID,并将B-TID与VPN服务器的NAF_id发送给BSF网元;The transceiver module is used to receive the first shared key and B-TID sent by the terminal, and send the B-TID and the NAF_id of the VPN server to the BSF network element;

第二接收模块,用于接收BSF网元返回的第二共享密钥;The second receiving module is used to receive the second shared key returned by the BSF network element;

比较模块,用于将所述第一共享密钥和第二共享密钥进行比较;a comparison module, configured to compare the first shared key with the second shared key;

处理模块,用于如果所述第一共享密钥和第二共享密钥相同,则向所述终端返回认证成功响应。A processing module, configured to return an authentication success response to the terminal if the first shared key and the second shared key are the same.

本发明实施例中,终端在需要发起VPN服务器连接后,若所述终端已存储根密钥,则根据根密钥、所述终端的B-TID以及VPN服务器的NAF_id确定第一共享密钥,并将确定的第一共享密钥及所述B-TID发送给VPN服务器;若接收到来自VPN服务器的认证成功响应,则确定完成密钥协商。相对于现有的SSLVPN认证协商,本发明实施例提供的实现虚拟专用网络密钥协商的方法,将共享密钥作为客户端与服务器之间的会话密钥,并根据已存储的根密钥、终端的B-TID以及VPN服务器的NAF_id生成第一共享密钥,免去了现有VPN中每次认证都需要重新协商的重复流程,因此其生成速度极快,降低了密钥协商延迟,减少了系统资源消耗,优化了VPN的使用体验;In the embodiment of the present invention, after the terminal needs to initiate a VPN server connection, if the terminal has stored the root key, then determine the first shared key according to the root key, the B-TID of the terminal, and the NAF_id of the VPN server, And send the determined first shared key and the B-TID to the VPN server; if a successful authentication response from the VPN server is received, it is determined to complete the key negotiation. Compared with the existing SSLVPN authentication negotiation, the method for realizing virtual private network key negotiation provided by the embodiment of the present invention uses the shared key as the session key between the client and the server, and according to the stored root key, The B-TID of the terminal and the NAF_id of the VPN server generate the first shared key, which avoids the repeated process of renegotiation for each authentication in the existing VPN, so the generation speed is extremely fast, which reduces the key negotiation delay and reduces Reduced system resource consumption and optimized VPN experience;

附图说明Description of drawings

为了更清楚地说明本发明实施例中的技术方案,下面将对实施例描述中所需要使用的附图作简要介绍,显而易见地,下面描述中的附图仅仅是本发明的一些实施例,对于本领域的普通技术人员来讲,在不付出创造性劳动性的前提下,还可以根据这些附图获得其他的附图。In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings that need to be used in the description of the embodiments will be briefly introduced below. Obviously, the drawings in the following description are only some embodiments of the present invention. For Those of ordinary skill in the art can also obtain other drawings based on these drawings without any creative effort.

图1为本发明实施例提供的实现虚拟专用网络密钥协商的方法流程图之一;Fig. 1 is one of the flow charts of the method for realizing virtual private network key negotiation provided by the embodiment of the present invention;

图2为本发明实施例提供的实现虚拟专用网络密钥协商的方法流程图之二;Fig. 2 is the second flow chart of the method for implementing virtual private network key negotiation provided by the embodiment of the present invention;

图3为本发明实施例提供的实现虚拟专用网络根密钥协商的流程示意图;Fig. 3 is a schematic flow diagram of implementing virtual private network root key negotiation provided by an embodiment of the present invention;

图4为本发明实施例提供的实现虚拟专用网络密钥协商的方法流程图之三;Fig. 4 is the third flow chart of the method for implementing virtual private network key negotiation provided by the embodiment of the present invention;

图5为本发明实施例提供的实现虚拟专用网络共享密钥协商的流程示意图;FIG. 5 is a schematic flow diagram for implementing virtual private network shared key negotiation provided by an embodiment of the present invention;

图6为本发明实施例提供的实现虚拟专用网络密钥协商的示例图;FIG. 6 is an example diagram for realizing virtual private network key negotiation provided by an embodiment of the present invention;

图7为本发明实施例提供的实现单个APP与多个VPN服务器的密钥协商架构图;FIG. 7 is an architecture diagram for implementing key agreement between a single APP and multiple VPN servers provided by an embodiment of the present invention;

图8为本发明实施例提供的实现虚拟专用网络密钥协商的终端流程图;FIG. 8 is a flowchart of a terminal for implementing virtual private network key negotiation provided by an embodiment of the present invention;

图9为本发明实施例提供的实现虚拟专用网络密钥协商的BSF网元流程图;FIG. 9 is a flowchart of a BSF network element implementing virtual private network key negotiation provided by an embodiment of the present invention;

图10为本发明实施例提供的实现虚拟专用网络密钥协商的VPN服务器流程图。FIG. 10 is a flow chart of a VPN server for realizing virtual private network key negotiation provided by an embodiment of the present invention.

具体实施方式detailed description

为了使本发明的目的、技术方案和优点更加清楚,下面将结合附图对本发明作进一步地详细描述,显然,所描述的实施例仅仅是本发明一部分实施例,而不是全部的实施例。基于本发明中的实施例,本领域普通技术人员在没有做出创造性劳动前提下所获得的所有其它实施例,都属于本发明保护的范围。In order to make the purpose, technical solutions and advantages of the present invention clearer, the present invention will be further described in detail below in conjunction with the accompanying drawings. Obviously, the described embodiments are only some of the embodiments of the present invention, rather than all of them. Based on the embodiments of the present invention, all other embodiments obtained by persons of ordinary skill in the art without making creative efforts belong to the protection scope of the present invention.

下面结合说明书附图对本发明实施例作进一步详细描述。The embodiments of the present invention will be further described in detail below in conjunction with the accompanying drawings.

本发明实施例提供的实现虚拟专用网络密钥协商的方法,可以应用于终端,如图1所示,具体包括以下步骤:The method for implementing virtual private network key negotiation provided by the embodiment of the present invention can be applied to a terminal, as shown in FIG. 1 , and specifically includes the following steps:

步骤101,终端在需要发起VPN服务器连接后,若所述终端已存储根密钥,则根据根密钥、所述终端的B-TID以及VPN服务器的NAF_id确定第一共享密钥,并将确定的第一共享密钥及所述B-TID发送给VPN服务器;Step 101: After the terminal needs to initiate a VPN server connection, if the terminal has stored the root key, determine the first shared key according to the root key, the B-TID of the terminal, and the NAF_id of the VPN server, and determine The first shared key and the B-TID are sent to the VPN server;

步骤102,若接收到来自VPN服务器的认证成功响应,则确定完成密钥协商。Step 102, if the authentication success response from the VPN server is received, it is determined that the key negotiation is completed.

可选的,上述步骤101中,在终端安装VPN专用APP,APP可用于实现终端及VPN服务器之间的交互。终端在发起需要连接的VPN服务器时,查看当前是否已存储根密钥(Ks,Keystore),若已存储则根据根密钥Ks、所述终端的B-TID以及VPN服务器的NAF_id确定第一共享密钥(Ks_NAF1,Keystore_Network Application Function),并将确定的第一共享密钥Ks_NAF1及所述B-TID发送给VPN服务器。Optionally, in the above step 101, a dedicated VPN APP is installed on the terminal, and the APP can be used to realize the interaction between the terminal and the VPN server. When the terminal initiates a VPN server that needs to be connected, it checks whether the root key (Ks, Keystore) is currently stored, and if it has been stored, then the first shared key is determined according to the root key Ks, the B-TID of the terminal, and the NAF_id of the VPN server. key (Ks_NAF1, Keystore_Network Application Function), and send the determined first shared key Ks_NAF1 and the B-TID to the VPN server.

具体地,终端根据根密钥Ks、所述终端的B-TID以及VPN服务器的NAF_id确定第一共享密钥,具体为Ks_NAF1=KDF(Ks,“gba-me”,RAND,IMPI,NAP_ID),其中,KDF是密钥引导算法(KDF,KeyDerivationFunction),RAND为协商Ks时BSF生成的随机数(RAND,Random Number),IMPI是终端的IP多媒体私有标识(IMPI,IP Multimedia Private Identity)、NAF_ID是业务的网络应用标识。Specifically, the terminal determines the first shared key according to the root key Ks, the B-TID of the terminal, and the NAF_id of the VPN server, specifically Ks_NAF1=KDF(Ks, "gba-me", RAND, IMPI, NAP_ID), Among them, KDF is the key guidance algorithm (KDF, KeyDerivationFunction), RAND is the random number (RAND, Random Number) generated by BSF when negotiating Ks, IMPI is the IP multimedia private identity (IMPI, IP Multimedia Private Identity) of the terminal, NAF_ID is The web application ID of the business.

可选的,终端在将第一共享密钥及所述B-TID发送给VPN服务器时,可以通过对第一共享密钥进行加密,并将加密后的第一共享密钥、所述终端的B-TID一起发送给VPN服务器。例如终端生成认证随机数rand,并使用第一共享密钥加密后生成随机数密文encrand,将rand、encrand以及B-TID发送给VPN服务器。Optionally, when the terminal sends the first shared key and the B-TID to the VPN server, it may encrypt the first shared key, and encrypt the encrypted first shared key, the terminal's B-TID is sent to the VPN server together. For example, the terminal generates an authentication random number rand, encrypts it with the first shared key, generates a random number ciphertext encrand, and sends the rand, encrand, and B-TID to the VPN server.

在步骤101中,所述终端在需要发起VPN服务器连接后,若所述终端未存储根密钥Ks,则终端与认证服务功能(BSF,Bootstrapping Server Function)网元协商确定根密钥Ks和B-TID,并执行生成第一共享密钥的步骤。In step 101, after the terminal needs to initiate a VPN server connection, if the terminal does not store the root key Ks, the terminal negotiates with the authentication service function (BSF, Bootstrapping Server Function) network element to determine the root key Ks and B -TID, and perform the step of generating a first shared key.

具体地,所述终端与BSF网元协商确定根密钥Ks和B-TID,包括:Specifically, the terminal negotiates with the BSF network element to determine the root key Ks and B-TID, including:

终端向BSF网元发送用户标识;根据收到的来自BSF网元的随机数RAND和认证标记(AUTN,Authentication Token)通过鉴权算法进行验证,并在验证通过后确定加密密钥(CK,Cipher Key),完整性密钥(IK,Integrity Key)以及鉴权数据响应(RES,Response);根据鉴权数据响应RES向BSF网元请求认证,并在认证通过后,接收来自所述BSF网元的所述终端的B-TID,以及根据加密密钥CK和完整性密钥IK确定根密钥Ks。可选的,用户标识可以是IP多媒体私有标识(IMPI,IP Multimedia Private Identity),还可以是国际移动用户标识(IMSI,International Mobile Subscriber Identity)。The terminal sends the user identification to the BSF network element; according to the received random number RAND and the authentication token (AUTN, Authentication Token) from the BSF network element, it is verified through the authentication algorithm, and the encryption key (CK, Cipher Key), integrity key (IK, Integrity Key) and authentication data response (RES, Response); according to the authentication data response RES to request authentication from the BSF network element, and after the authentication is passed, receive the authentication data from the BSF network element The B-TID of the terminal, and determine the root key Ks according to the encryption key CK and the integrity key IK. Optionally, the subscriber identity may be an IP Multimedia Private Identity (IMPI, IP Multimedia Private Identity), or an International Mobile Subscriber Identity (IMSI, International Mobile Subscriber Identity).

进一步地,终端在与BSF网元协商确定根密钥和B-TID之后,执行生成第一共享密钥的步骤。Further, after the terminal negotiates with the BSF network element to determine the root key and the B-TID, it executes the step of generating the first shared key.

其中,根密钥Ks是一类可存储且可设置有效期的共享密钥,在有效期内可重复使用,Ks在客户端与BSF网元协商后完成初始化,之后便存储在SIM卡及BSF中,具备很高的存储安全性。Among them, the root key Ks is a type of shared key that can be stored and has a validity period that can be set. It can be reused within the validity period. Ks is initialized after negotiation between the client and the BSF network element, and then stored in the SIM card and BSF. It has high storage security.

若根密钥超出有效期,则重新进行根密钥协商流程,建立新的B-TID与根密钥的绑定关系。If the root key exceeds the validity period, the root key negotiation process is performed again to establish a new binding relationship between the B-TID and the root key.

进一步地,终端在通过步骤101确定第一共享密钥,并将确定的第一共享密钥及所述B-TID发送给VPN服务器之后,接收来自VPN服务器的认证成功响应,确定完成密钥协商。Further, after the terminal determines the first shared key through step 101, and sends the determined first shared key and the B-TID to the VPN server, it receives an authentication success response from the VPN server, and determines that the key negotiation is completed .

在本发明实施例提供的VPN认证及密钥协商的方法中,通过根密钥的协商以及在根密钥之上扩展生成的共享密钥,实现了对传统SSL VPN每次需要重新协商共享密钥的流程优化,且由于根密钥存储在终端及BSF中,具备很高的存储安全性,大大提高了VPN的安全性及使用性能。In the VPN authentication and key agreement method provided by the embodiment of the present invention, through the negotiation of the root key and the shared key generated by extending the root key, it is realized that the traditional SSL VPN needs to renegotiate the shared key every time. The key process is optimized, and because the root key is stored in the terminal and BSF, it has high storage security, which greatly improves the security and performance of VPN.

本发明实施例提供的实现虚拟专用网络VPN认证及密钥协商的方法,可以应用于BSF网元,如图2所示,具体包括以下步骤:The method for realizing virtual private network VPN authentication and key negotiation provided by the embodiment of the present invention can be applied to a BSF network element, as shown in FIG. 2 , specifically comprising the following steps:

步骤201,BSF网元在收到VPN服务器发送的终端的B-TID和VPN服务器的NAF_id后,根据所述B-TID和根密钥的绑定关系,确定所述B-TID对应的根密钥;Step 201: After receiving the B-TID of the terminal and the NAF_id of the VPN server sent by the VPN server, the BSF network element determines the root key corresponding to the B-TID according to the binding relationship between the B-TID and the root key key;

步骤202,所述BSF网元根据所述B-TID、所述NAF_id以及所述根密钥,确定第二共享密钥;Step 202, the BSF network element determines a second shared key according to the B-TID, the NAF_id and the root key;

步骤203,所述BSF网元将确定的第二共享密钥返回至VPN服务器,以使VPN服务器根据收到的所述第二共享密钥对所述终端进行鉴权。Step 203, the BSF network element returns the determined second shared key to the VPN server, so that the VPN server authenticates the terminal according to the received second shared key.

具体地,在执行步骤201时,BSF网元根据下列方式建立B-TID和根密钥的绑定关系:Specifically, when executing step 201, the BSF network element establishes the binding relationship between the B-TID and the root key in the following manner:

所述BSF网元根据收到的终端发送的用户标识,从网络侧获取鉴权五元组认证向量;The BSF network element obtains an authentication quintuple authentication vector from the network side according to the received user identifier sent by the terminal;

所述BSF网元将所述鉴权五元组认证向量中的随机数与认证信息发送给终端;The BSF network element sends the random number and authentication information in the authentication quintuple authentication vector to the terminal;

所述BSF网元在收到来自所述终端的鉴权数据响应后,通过所述鉴权五元组认证向量中的加密密钥、完整性密钥和应答响应期望值(XRES,ExpectedResponse)对终端进行认证,并在认证通过后,根据加密密钥和完整性密钥确定根密钥和终端的B-TID,并建立B-TID和根密钥的绑定关系。After the BSF network element receives the authentication data response from the terminal, it uses the encryption key, integrity key and expected response value (XRES, ExpectedResponse) in the authentication quintuple authentication vector to the terminal Perform authentication, and after the authentication is passed, determine the root key and the B-TID of the terminal according to the encryption key and the integrity key, and establish the binding relationship between the B-TID and the root key.

可选的,所述BSF网元根据收到的终端发送的用户标识,从网络侧获取鉴权五元组认证向量,具体为:BSF网元向归属签约用户服务器(HSS,HomeSubscriber Server)获取所述用户标识所对应的鉴权五元组认证向量,HSS根据用户标识返回鉴权五元组认证向量AV=RAND||AUTN||XRES||CK||IK,其中RAND为随机数,保证每次协商的Ks都不一样,AUTN是认证标记,需终端进行验证,XRES用于终端返回的认证信息鉴权,CK与IK用于生成Ks。Optionally, the BSF network element obtains the authentication quintuple authentication vector from the network side according to the received user identifier sent by the terminal, specifically: the BSF network element obtains the authentication vector from the Home Subscriber Server (HSS, HomeSubscriber Server) The authentication quintuple authentication vector corresponding to the user identifier, the HSS returns the authentication quintuple authentication vector AV=RAND||AUTN||XRES||CK||IK according to the user identifier, where RAND is a random number, ensuring that each The Ks of each negotiation are different, AUTN is an authentication mark, which needs to be verified by the terminal, XRES is used for authentication of the authentication information returned by the terminal, and CK and IK are used to generate Ks.

可选的,BSF网元在收到HSS的认证向量AV后,将RAND与AUTN返回至终端,要求终端对BSF网元进行认证,XRES、CK、IK信息保存在BSF本地。Optionally, after receiving the authentication vector AV from the HSS, the BSF network element returns RAND and AUTN to the terminal, requiring the terminal to authenticate the BSF network element, and the XRES, CK, and IK information are stored locally in the BSF.

可选的,BSF网元在收到来自所述终端的鉴权数据响应后,通过保存的CK、IK、XRES对终端进行认证,并在认证通过后,计算根密钥Ks=CK||IK,同时产生B-TID的值,B-TID=base64encode(RAND)@BSF_servers_domain_name。Optionally, after receiving the authentication data response from the terminal, the BSF network element authenticates the terminal through the stored CK, IK, and XRES, and calculates the root key Ks=CK||IK after the authentication is passed , and generate the value of B-TID at the same time, B-TID=base64encode(RAND)@BSF_servers_domain_name.

进一步地,BSF网元根据CK和IK确定根密钥Ks和B-TID之后,将所述B-TID发送给所述终端。Further, the BSF network element sends the B-TID to the terminal after determining the root key Ks and the B-TID according to the CK and IK.

在执行步骤201之后,BSF网元根据所述B-TID、所述NAF_id以及所述根密钥,确定第二共享密钥Ks_NAF2。After step 201 is executed, the BSF network element determines the second shared key Ks_NAF2 according to the B-TID, the NAF_id and the root key.

具体地,BSF网元根据所述B-TID、所述NAF_id以及所述根密钥,确定第二共享密钥Ks_NAF2,具体为Ks_NAF2=KDF(Ks,“gba-me”,RAND,IMPI,NAP_ID),其中,KDF是密钥引导算法(KDF,KeyDerivationFunction),RAND为协商Ks时BSF生成的随机数(RAND,Random Number),IMPI是终端的IP多媒体私有标识(IMPI,IP Multimedia Private Identity)、NAF_ID是业务的网络应用标识。Specifically, the BSF network element determines the second shared key Ks_NAF2 according to the B-TID, the NAF_id, and the root key, specifically, Ks_NAF2=KDF(Ks, "gba-me", RAND, IMPI, NAP_ID ), wherein, KDF is a key guidance algorithm (KDF, KeyDerivationFunction), RAND is a random number (RAND, Random Number) generated by BSF when negotiating Ks, and IMPI is an IP multimedia private identity (IMPI, IP Multimedia Private Identity) of a terminal, NAF_ID is the network application identifier of the service.

在步骤203中,BSF网元将经过步骤202确定的第二共享密钥返回至VPN服务器,以使VPN服务器根据收到的所述第二共享密钥对所述终端进行鉴权。In step 203, the BSF network element returns the second shared key determined in step 202 to the VPN server, so that the VPN server authenticates the terminal according to the received second shared key.

本发明实施例提供的上述实现虚拟专用网络VPN认证及密钥协商的方法,基于终端SIM卡及网络侧鉴权五元组的认证方式,替代了传统SSL VPN需使用用户名密码方式进行鉴权的认证体制,在消除了密码破解导致机密信息泄漏,提升系统安全性的基础上,减少用户在认证过程中的参与,极大的优化了VPN的认证流程,此外,在存在根密钥Ks的情况下,将用户身份认证与共享密钥协商在一次协商的过程中完成,简化了认证协商流程,在保证安全性的情况下大大提高了VPN认证协商效率。The above-mentioned method for realizing virtual private network VPN authentication and key negotiation provided by the embodiment of the present invention is based on the authentication method of the terminal SIM card and the network side authentication quintuple, which replaces the traditional SSL VPN that needs to use the username and password method for authentication The authentication system eliminates the leakage of confidential information caused by password cracking, improves system security, reduces user participation in the authentication process, and greatly optimizes the VPN authentication process. In addition, in the presence of the root key Ks In this case, user identity authentication and shared key negotiation are completed in one negotiation process, which simplifies the authentication negotiation process and greatly improves the efficiency of VPN authentication negotiation while ensuring security.

下面结合图3举一具体实施例,介绍本发明的技术方案如何实现虚拟专用网络根密钥Ks的协商。A specific embodiment is given below with reference to FIG. 3 , and how the technical solution of the present invention realizes the negotiation of the virtual private network root key Ks.

如图3所示,终端设备(UE,User Equipment)携带用户信息IMPI向BSF发起初始化请求;BSF收到UE的请求后,向HSS获取该IMPI所对应的用户信息,HSS根据IMPI返回鉴权五元组认证向量AV=RAND||AUTH||XRES||CK||IK,其中RAND为随机数,保证每次协商的Ks都不一样,AUTH是认证信息,需UE进行验证,XRES用于UE返回的认证信息鉴权,CK与IK用于生成Ks;BSF收到HSS的认证向量AV,将RAND与AUTN返回至UE,要求UE对BSF进行认证,XRES、CK、IK信息保存在BSF本地;UE收到RAND及AUTH,通过鉴权算法验证AUTN,确认此消息来自授权的网络,同时计算出CK、IK及RES。此时BSF与UE中都保存了CK与IK;UE使用RES计算得到response并发送给BSF请求认证;BSF通过保存的CK、IK、XRES验证response的正确性,若正确则计算根密钥Ks=CK||IK,同时产生B-TID的值,B-TID=base64encode(RAND)@BSF_servers_domain_name;BSF发送认证成功响应及B-TID给UE,并告知Ks的有效期。UE收到成功消息后,同样使用CK||IK计算得出Ks,此时UE与BSF都保存了根密钥Ks,Ks初始化完成,协商结束。As shown in Figure 3, the terminal equipment (UE, User Equipment) carries the user information IMPI to initiate an initialization request to the BSF; after receiving the request from the UE, the BSF obtains the user information corresponding to the IMPI from the HSS, and the HSS returns the authentication code according to the IMPI. Tuple authentication vector AV=RAND||AUTH||XRES||CK||IK, where RAND is a random number to ensure that the Ks of each negotiation is different, AUTH is authentication information, which needs to be verified by UE, and XRES is used for UE The returned authentication information is authenticated, CK and IK are used to generate Ks; BSF receives the authentication vector AV of HSS, returns RAND and AUTN to UE, and requires UE to authenticate BSF, and XRES, CK, and IK information are stored locally in BSF; After receiving RAND and AUTH, UE verifies AUTN through the authentication algorithm, confirms that the message comes from the authorized network, and calculates CK, IK and RES at the same time. At this time, both BSF and UE have stored CK and IK; UE uses RES to calculate the response and sends it to BSF to request authentication; BSF verifies the correctness of the response through the stored CK, IK, and XRES, and if it is correct, calculates the root key Ks= CK||IK generates the value of B-TID at the same time, B-TID=base64encode(RAND)@BSF_servers_domain_name; BSF sends an authentication success response and B-TID to UE, and informs the validity period of Ks. After receiving the success message, UE also uses CK||IK to calculate Ks. At this time, UE and BSF both save the root key Ks, Ks initialization is completed, and the negotiation ends.

本发明实施例提供的实现虚拟专用网络密钥协商的方法,可以应用于服务器侧,如图4所示,具体包括以下步骤:The method for implementing virtual private network key negotiation provided by the embodiment of the present invention can be applied to the server side, as shown in FIG. 4 , and specifically includes the following steps:

步骤401,VPN服务器接收终端发送的第一共享密钥及B-TID,并将B-TID与VPN服务器的NAF_id发送给BSF网元;Step 401, the VPN server receives the first shared key and the B-TID sent by the terminal, and sends the B-TID and the NAF_id of the VPN server to the BSF network element;

步骤402,所述VPN服务器接收BSF网元返回的第二共享密钥;Step 402, the VPN server receives the second shared key returned by the BSF network element;

步骤403,所述VPN服务器将所述第一共享密钥和第二共享密钥进行比较;Step 403, the VPN server compares the first shared key with the second shared key;

步骤404,如果所述第一共享密钥和第二共享密钥相同,则向所述终端返回认证成功响应。Step 404, if the first shared key and the second shared key are the same, return an authentication success response to the terminal.

具体地,VPN服务器在接收到BSF网元返回的第二共享密钥时,用该第二共享密钥校验第一共享密钥,若解密出的内容一致,则认证成功。例如VPN服务器接收到终端发送的rand(终端生成认证随机数),encrand(使用第一共享密钥加密后生成)以及B-TID,在BSF网元返回第二共享密钥时,VPN服务器根据第二共享密钥校验encrand,若解密出的内容与rand一致,则认证成功。Specifically, when the VPN server receives the second shared key returned by the BSF network element, it uses the second shared key to verify the first shared key, and if the decrypted content is consistent, the authentication is successful. For example, the VPN server receives the rand (the terminal generates an authentication random number), encrand (generated after encryption using the first shared key) and B-TID sent by the terminal. When the BSF network element returns the second shared key, the VPN server 2. The shared key verifies the encrand. If the decrypted content is consistent with the rand, the authentication is successful.

下面结合图5举一具体实施例,介绍本发明的技术方案如何实现虚拟专用网络共享密钥的协商。A specific embodiment is given below with reference to FIG. 5 , and how the technical solution of the present invention realizes the negotiation of the virtual private network shared key.

如图5所示,UE在APP上选择想要连接的VPN服务器,APP向UE发送被选服务器的NAF_id并申请共享密钥;UE查看当前是否已存储根密钥Ks,若存在则根据设备B-TID与接收到的NAF_id生成Ks_naf,若不存在则根据图5中的Ks初始化流程与BSF协商Ks,再生成第一共享密钥Ks_naf1;UE将生成的Ks_naf1及B-TID发送给APP;APP生成认证随机数rand,并使用Ks_naf1加密后生成encrand,将rand、encrand、B-TID一起发送给VPN服务器请求认证并要求服务器也生成共享密钥;VPN服务器接收到请求后,将B-TID与其NAF_id发送给BSF,BSF根据Ks、B-TID及NAF_id同样生成Ks_naf2,并通过安全通道返回至VPN服务器;VPN服务器根据BSF返回的Ks_naf2校验encrand,若解密出的内容与rand一致,则认证成功,返回APP认证成功响应;APP收到认证成功响应,此时APP与VPN服务器都已拥有共享密钥Ks_naf,密钥协商成功,即可进行安全通信。VPN认证及密钥协商流程结束。As shown in Figure 5, the UE selects the VPN server it wants to connect to on the APP, and the APP sends the NAF_id of the selected server to the UE and applies for a shared key; the UE checks whether the root key Ks is currently stored, and if so, according to the -TID and the received NAF_id generate Ks_naf, if it does not exist, negotiate Ks with BSF according to the Ks initialization process in Figure 5, and then generate the first shared key Ks_naf1; UE sends the generated Ks_naf1 and B-TID to APP; APP Generate the authentication random number rand, encrypt it with Ks_naf1 to generate encrand, and send rand, encrand, and B-TID to the VPN server to request authentication and ask the server to also generate a shared key; after receiving the request, the VPN server combines B-TID with NAF_id is sent to BSF, BSF also generates Ks_naf2 according to Ks, B-TID and NAF_id, and returns to VPN server through a secure channel; VPN server verifies encrand according to Ks_naf2 returned by BSF, if the decrypted content is consistent with rand, the authentication is successful , returns the APP authentication success response; APP receives the authentication success response, at this time, both the APP and the VPN server have the shared key Ks_naf, and the key negotiation is successful, and the secure communication can be carried out. The VPN authentication and key negotiation process ends.

参照图6的场景以便更好地论述本发明实施例中的具体实现过程,图6只是一个场景例子,显然本发明的技术方案可以应用到VPN密钥协商的任何场景下。Referring to the scene in Figure 6 to better discuss the specific implementation process in the embodiment of the present invention, Figure 6 is just an example of the scene, obviously the technical solution of the present invention can be applied to any scene of VPN key negotiation.

如图6所示,通用认证机制(GBA,General Bootstrapping Architecture)定义了一种在终端和服务器之间的通用密钥协商机制,从其架构模型可以看出,具体网元包括:As shown in Figure 6, the general authentication mechanism (GBA, General Bootstrapping Architecture) defines a general key agreement mechanism between the terminal and the server. It can be seen from its architecture model that the specific network elements include:

UE是终端设备和SIM卡的总称,在本发明中指手机及可插入SIM卡的移动终端,可用于与BSF网元协商确定根密钥Ks,并基于Ks确定第一共享密钥。UE is the general term of terminal equipment and SIM card. In the present invention, it refers to a mobile phone and a mobile terminal that can be inserted into a SIM card. It can be used to negotiate with BSF network elements to determine the root key Ks, and determine the first shared key based on Ks.

应用服务器(NAF,Network Application Function),实现应用的业务逻辑功能,在完成对终端的认证后为终端提供业务服务,在本发明中即是指企业VPN服务器,用于将接收的UE发送的第一共享密钥和接收的BSF网元返回的第二共享密钥进行比较,如果所述第一共享密钥和第二共享密钥相同,则向UE返回认证成功响应,即可与终端进行安全通信。The application server (NAF, Network Application Function), implements the business logic function of the application, and provides business services for the terminal after completing the authentication of the terminal. In the present invention, it refers to the enterprise VPN server, which is used to send the received UE A shared key is compared with the received second shared key returned by the BSF network element, and if the first shared key is the same as the second shared key, then an authentication success response is returned to the UE, and security is performed with the terminal. communication.

BSF是核心网元,BSF和UE通过鉴权和密钥协商(AKA,Authentication andKey Agreement)协议实现认证,并且协商出随后用于UE和NAF间通信的会话密钥,BSF能够根据本地策略设定密钥的有效期,在本发明中即为BSF和UE协商确定根密钥Ks,并基于Ks确定第二共享密钥。The BSF is the core network element. The BSF and the UE implement authentication through the AKA (Authentication and Key Agreement) protocol, and negotiate a session key for subsequent communication between the UE and the NAF. The BSF can set the The validity period of the key means that in the present invention, the root key Ks is negotiated and determined between the BSF and the UE, and the second shared key is determined based on Ks.

HSS存储了终端(U)SIM卡中的鉴权数据,在本发明中HSS根据用户标识向BSF返回鉴权五元组认证向量,以使BSF对UE进行认证。The HSS stores the authentication data in the terminal (U)SIM card. In the present invention, the HSS returns an authentication quintuple authentication vector to the BSF according to the user identification, so that the BSF can authenticate the UE.

各网元间的参考点包括:The reference points between network elements include:

Ub为UE与BSF之间进行交互并协商根密钥(Ks,Root Key)的接口,用于通用认证机制流程初始化,后续操作依赖于Ks进行。Ub is an interface for interacting and negotiating a root key (Ks, Root Key) between UE and BSF, and is used for general authentication mechanism process initialization, and subsequent operations depend on Ks.

Zh为BSF在HSS上获得客户端认证信息的接口,用于BSF鉴权客户端身份并生成根密钥Ks。Zh is the interface for BSF to obtain client authentication information on HSS, which is used for BSF to authenticate client identity and generate root key Ks.

Zn为NAF与BSF之间进行交互的接口,NAF通过该接口向BSF鉴权用户身份并获取扩展共享密钥(Ks_naf,Extended Shared Key)。在本发明中,VPN服务器通过该接口在BSF处获得与客户端一致的共享密钥。Zn is an interface for interaction between the NAF and the BSF, through which the NAF authenticates the user identity to the BSF and obtains an extended shared key (Ks_naf, Extended Shared Key). In the present invention, the VPN server obtains the same shared key as the client at the BSF through the interface.

Ua为UE与NAF之间的扩展共享密钥Ks_naf协商接口,通过该接口传输Ks_naf的生成参数,完成Ks_naf的生成。Ua is the extended shared key Ks_naf negotiation interface between the UE and the NAF, through which the generation parameters of Ks_naf are transmitted to complete the generation of Ks_naf.

可选的,如图7所示,基于共享密钥的生成特性,亦可实现单个APP与多个VPN服务器的快速身份认证及共享密钥协商,用更有效的技术大大扩展了系统架构,优化了VPN的使用效果。Optionally, as shown in Figure 7, based on the generation characteristics of the shared key, fast identity authentication and shared key negotiation between a single APP and multiple VPN servers can also be realized, which greatly expands the system architecture with more effective technologies and optimizes The effect of using VPN.

基于相同的技术构思,本发明实施例还提供一种实现虚拟专用网络密钥协商的装置,该装置可执行上述方法实施例,由于该装置解决问题的原理与前述一种实现虚拟专用网络密钥协商的方法相似,因此该装置的实施可以参见方法的实施,重复之处不再赘述。Based on the same technical concept, the embodiment of the present invention also provides a device for implementing virtual private network key negotiation, which can execute the above-mentioned method embodiment, because the problem-solving principle of the device is the same as that of the aforementioned one for realizing virtual private network key The method of negotiation is similar, so the implementation of the device can refer to the implementation of the method, and the repetition will not be repeated.

本发明实施例提供的一种实现虚拟专用网络密钥协商的终端,如图8所示,包括:A terminal for implementing virtual private network key negotiation provided by an embodiment of the present invention, as shown in FIG. 8 , includes:

第一确定模块801,用于在需要发起虚拟专用网络VPN服务器连接后,若已存储根密钥,则根据根密钥、所述终端引导标识B-TID以及VPN服务器的网络应用标识NAF_id确定第一共享密钥,并将确定的第一共享密钥及所述B-TID发送给VPN服务器;The first determination module 801 is used to determine the first determination module 801 according to the root key, the terminal guide identifier B-TID and the network application identifier NAF_id of the VPN server if the root key has been stored after the virtual private network VPN server connection needs to be initiated. A shared key, and send the determined first shared key and the B-TID to the VPN server;

第一接收模块802,用于若接收到来自VPN服务器的认证成功响应,则确定完成密钥协商。The first receiving module 802 is configured to determine that the key negotiation is completed if an authentication success response from the VPN server is received.

可选的,所述第一确定模块801还用于:Optionally, the first determining module 801 is further configured to:

在需要发起VPN服务器连接后,若未存储根密钥,则与认证服务功能BSF网元协商确定根密钥和B-TID,并执行生成第一共享密钥的步骤。After the need to initiate a VPN server connection, if the root key is not stored, negotiate with the authentication service function BSF network element to determine the root key and B-TID, and execute the step of generating the first shared key.

可选的,所述第一确定模块801还用于:Optionally, the first determining module 801 is further configured to:

与BSF网元协商确定根密钥和B-TID,向BSF网元发送用户标识;根据收到的来自BSF网元的随机数和认证标记,进行验证,并在验证通过后确定加密密钥、完整性密钥以及鉴权数据响应RES;根据鉴权数据响应向BSF网元请求认证,并在认证通过后,接收来自所述BSF网元的所述终端的B-TID,以及根据加密密钥和完整性密钥确定根密钥。Negotiate with the BSF network element to determine the root key and B-TID, send the user ID to the BSF network element; perform verification according to the received random number and authentication mark from the BSF network element, and determine the encryption key, Integrity key and authentication data response RES; request authentication from the BSF network element according to the authentication data response, and after the authentication is passed, receive the B-TID of the terminal from the BSF network element, and according to the encryption key and the integrity key to determine the root key.

本发明实施例还提供了一种实现虚拟专用网络密钥协商的BSF网元,如图9所示,包括:The embodiment of the present invention also provides a BSF network element for implementing virtual private network key negotiation, as shown in FIG. 9 , including:

查询模块901,用于在收到VPN服务器发送的终端B-TID和VPN服务器的NAF_id后,根据所述B-TID和根密钥的绑定关系,确定所述B-TID对应的根密钥;The query module 901 is configured to determine the root key corresponding to the B-TID according to the binding relationship between the B-TID and the root key after receiving the terminal B-TID sent by the VPN server and the NAF_id of the VPN server ;

第二确定模块902,用于根据所述B-TID、所述NAF_id以及所述根密钥,确定第二共享密钥;The second determination module 902 is configured to determine a second shared key according to the B-TID, the NAF_id and the root key;

发送模块903,用于将确定的第二共享密钥返回至VPN服务器,以使VPN服务器根据收到的所述第二共享密钥对所述终端进行鉴权。The sending module 903 is configured to return the determined second shared key to the VPN server, so that the VPN server authenticates the terminal according to the received second shared key.

可选的,所述查询模块901具体用于:Optionally, the query module 901 is specifically used for:

根据下列方式建立B-TID和根密钥的绑定关系:根据收到的终端发送的用户标识,从网络侧获取鉴权五元组认证向量;将所述鉴权五元组认证向量中的随机数与认证信息发送给终端;在收到来自所述终端的鉴权数据响应后,通过所述鉴权五元组认证向量中的加密密钥、完整性密钥和应答响应期望值XRES对终端进行认证,并在认证通过后,根据加密密钥和完整性密钥确定根密钥和终端的B-TID,并建立B-TID和根密钥的绑定关系。Establish the binding relationship between the B-TID and the root key in the following manner: according to the received user identification sent by the terminal, obtain the authentication quintuple authentication vector from the network side; Send the random number and authentication information to the terminal; after receiving the authentication data response from the terminal, pass the encryption key, integrity key and response response expectation value XRES in the authentication quintuple authentication vector to the terminal Perform authentication, and after the authentication is passed, determine the root key and the B-TID of the terminal according to the encryption key and the integrity key, and establish the binding relationship between the B-TID and the root key.

可选的,所述发送模块903具体用于:Optionally, the sending module 903 is specifically configured to:

根据加密密钥和完整性密钥确定根密钥和B-TID之后,将所述B-TID发送给所述终端。After the root key and the B-TID are determined according to the encryption key and the integrity key, the B-TID is sent to the terminal.

本发明实施例还提供了一种实现虚拟专用网络密钥协商的VPN服务器,如图10所示,包括:The embodiment of the present invention also provides a VPN server for implementing virtual private network key negotiation, as shown in FIG. 10 , including:

收发模块1001,用于接收终端发送的第一共享密钥及B-TID,并将B-TID与VPN服务器的NAF_id发送给BSF网元;The transceiver module 1001 is configured to receive the first shared key and the B-TID sent by the terminal, and send the B-TID and the NAF_id of the VPN server to the BSF network element;

第二接收模块1002,用于接收BSF网元返回的第二共享密钥;The second receiving module 1002 is configured to receive the second shared key returned by the BSF network element;

比较模块1003,用于将所述第一共享密钥和第二共享密钥进行比较;A comparison module 1003, configured to compare the first shared key with the second shared key;

处理模块1004,用于如果所述第一共享密钥和第二共享密钥相同,则向所述终端返回认证成功响应。The processing module 1004 is configured to return an authentication success response to the terminal if the first shared key is the same as the second shared key.

本领域内的技术人员应明白,本申请的实施例可提供为方法、或计算机程序产品。因此,本申请可采用完全硬件实施例、完全软件实施例、或结合软件和硬件方面的实施例的形式。而且,本申请可采用在一个或多个其中包含有计算机可用程序代码的计算机可用存储介质(包括但不限于磁盘存储器、CD-ROM、光学存储器等)上实施的计算机程序产品的形式。Those skilled in the art should understand that the embodiments of the present application may be provided as methods or computer program products. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) having computer-usable program code embodied therein.

本发明是参照根据本发明实施例的方法、设备(系统)、和计算机程序产品的流程图和/或方框图来描述的。应理解可由计算机程序指令实现流程图和/或方框图中的每一流程和/或方框、以及流程图和/或方框图中的流程和/或方框的结合。可提供这些计算机程序指令到通用计算机、专用计算机、嵌入式处理机或其他可编程数据处理设备的处理器以产生一个机器,使得通过计算机或其他可编程数据处理设备的处理器执行的指令产生用于实现在流程图一个流程或多个流程和/或方框图一个方框或多个方框中指定的功能的装置。The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It should be understood that each procedure and/or block in the flowchart and/or block diagram, and a combination of procedures and/or blocks in the flowchart and/or block diagram can be realized by computer program instructions. These computer program instructions may be provided to a general purpose computer, special purpose computer, embedded processor, or processor of other programmable data processing equipment to produce a machine such that the instructions executed by the processor of the computer or other programmable data processing equipment produce a An apparatus for realizing the functions specified in one or more procedures of the flowchart and/or one or more blocks of the block diagram.

这些计算机程序指令也可存储在能引导计算机或其他可编程数据处理设备以特定方式工作的计算机可读存储器中,使得存储在该计算机可读存储器中的指令产生包括指令装置的制造品,该指令装置实现在流程图一个流程或多个流程和/或方框图一个方框或多个方框中指定的功能。These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing apparatus to operate in a specific manner, such that the instructions stored in the computer-readable memory produce an article of manufacture comprising instruction means, the instructions The device realizes the function specified in one or more procedures of the flowchart and/or one or more blocks of the block diagram.

这些计算机程序指令也可装载到计算机或其他可编程数据处理设备上,使得在计算机或其他可编程设备上执行一系列操作步骤以产生计算机实现的处理,从而在计算机或其他可编程设备上执行的指令提供用于实现在流程图一个流程或多个流程和/或方框图一个方框或多个方框中指定的功能的步骤。These computer program instructions can also be loaded onto a computer or other programmable data processing device, causing a series of operational steps to be performed on the computer or other programmable device to produce a computer-implemented process, thereby The instructions provide steps for implementing the functions specified in the flow chart or blocks of the flowchart and/or the block or blocks of the block diagrams.

尽管已描述了本发明的优选实施例,但本领域内的技术人员一旦得知了基本创造性概念,则可对这些实施例作出另外的变更和修改。所以,所附权利要求意欲解释为包括优选实施例以及落入本发明范围的所有变更和修改。While preferred embodiments of the invention have been described, additional changes and modifications to these embodiments can be made by those skilled in the art once the basic inventive concept is appreciated. Therefore, it is intended that the appended claims be construed to cover the preferred embodiment as well as all changes and modifications which fall within the scope of the invention.

显然,本领域的技术人员可以对本发明进行各种改动和变型而不脱离本发明的精神和范围。这样,倘若本发明的这些修改和变型属于本发明权利要求及其等同技术的范围之内,则本发明也意图包含这些改动和变型在内。Obviously, those skilled in the art can make various changes and modifications to the present invention without departing from the spirit and scope of the present invention. Thus, if these modifications and variations of the present invention fall within the scope of the claims of the present invention and equivalent technologies thereof, the present invention also intends to include these modifications and variations.

Claims (14)

1. a kind of method for realizing VPN (virtual private network) key agreement, it is characterised in that the method includes:
Terminal is after needing to initiate the connection of VPN (virtual private network) vpn server, if to have stored root close for the terminal Key, then identify according to the network application of root key, terminal guiding mark B-TID and vpn server NAF_id determines the first shared key, and the first shared key for determining and the B-TID are sent to VPN Server;
If receiving the certification success response from vpn server, it is determined that complete key agreement.
2. method according to claim 1, it is characterised in that the terminal is needing to initiate VPN After server connection, also include:
If the non-storage root key of the terminal, terminal consults to determine that root is close with authentication service function BSF network element Key and B-TID, and perform the step of generating the first shared key.
3. method according to claim 2, it is characterised in that the terminal consults true with BSF network elements Determine root key and B-TID, specifically include:
The terminal sends ID to BSF network elements;
The terminal verified according to the random number and certification mark from the BSF network elements that receive, and Encryption key, Integrity Key and authorization data response RES is determined after being verified;
The terminal is responded to BSF network elements according to authorization data and asks certification, and after certification passes through, is received From the B-TID of the terminal of the BSF network elements, and determined according to encryption key and Integrity Key Root key.
4. a kind of method for realizing VPN (virtual private network) key agreement, it is characterised in that the method includes:
B-TID and the NAF_id of vpn server of the BSF network elements in the terminal for receiving vpn server transmission Afterwards, according to the B-TID and the binding relationship of root key, the corresponding root keys of the B-TID are determined;
The BSF network elements determine second according to the B-TID, the NAF_id and the root key Shared key;
The second shared key for determining is back to vpn server by the BSF network elements, so that VPN services Device is authenticated to the terminal according to second shared key for receiving.
5. method according to claim 4, it is characterised in that the BSF is set up according to following manner The binding relationship of B-TID and root key:
The ID that the BSF network elements are sent according to the terminal for receiving, obtains authentication five-tuple from network side Ciphering Key;
Random number in the authentication five-tuple Ciphering Key is sent to end with authentication information by the BSF network elements End;
The BSF network elements are being received after the authorization data response of the terminal, authenticate five yuan by described Encryption key, Integrity Key and response expected value XRES in group Ciphering Key is recognized to terminal Card, and after certification passes through, the B-TID of root key and terminal is determined according to encryption key and Integrity Key, And set up the binding relationship of B-TID and root key.
6. method according to claim 5, it is characterised in that the BSF is according to encryption key and complete After whole property key determines root key and B-TID, also include:
The B-TID is sent to the terminal by the BSF.
7. a kind of method for realizing VPN (virtual private network) key agreement, it is characterised in that the method includes:
The first shared key and B-TID that vpn server receiving terminal sends, and B-TID and VPN is taken The NAF_id of business device is sent to BSF network elements;
The vpn server receives the second shared key that BSF network elements are returned;
First shared key and the second shared key are compared by the vpn server;
If first shared key is identical with the second shared key, to the terminal return authentication success Response.
8. a kind of terminal for realizing VPN (virtual private network) key agreement, it is characterised in that include:
First determining module, for after needing to initiate the connection of VPN (virtual private network) vpn server, if deposit Storage root key, then should according to the network of root key, terminal guiding mark B-TID and vpn server The first shared key is determined with mark NAF_id, and the first shared key for determining and the B-TID are sent out Give vpn server;
First receiver module, if for receiving the certification success response from vpn server, it is determined that complete Into key agreement.
9. terminal according to claim 8, it is characterised in that first determining module is additionally operable to:
After needing to initiate vpn server connection, if non-storage root key, with authentication service function BSF Network element is consulted to determine root key and B-TID, and performs the step of generating the first shared key.
10. terminal according to claim 9, it is characterised in that first determining module is additionally operable to:
Consult to determine root key and B-TID with BSF network elements, ID is sent to BSF network elements;According to receipts The random number and certification mark from BSF network elements for arriving, is verified, and determines encryption after being verified Key, Integrity Key and authorization data response RES;Responded to BSF network elements according to authorization data and asked Certification, and after certification passes through, receive the B-TID, Yi Jigen of the terminal from the BSF network elements Root key is determined according to encryption key and Integrity Key.
11. a kind of BSF network elements for realizing VPN (virtual private network) key agreement, it is characterised in that include:
Enquiry module, in terminal B-TID and vpn server for receiving vpn server transmission After NAF_id, according to the B-TID and the binding relationship of root key, determine that corresponding of the B-TID is close Key;
Second determining module, for according to the B-TID, the NAF_id and the root key, it is determined that Second shared key;
Sending module, for the second shared key for determining is back to vpn server, so that VPN clothes Business device is authenticated to the terminal according to second shared key for receiving.
12. BSF network elements according to claim 11, it is characterised in that the enquiry module is specifically used In:
The binding relationship of B-TID and root key is set up according to following manner:According to the use that the terminal for receiving sends Family identifies, and obtains authentication five-tuple Ciphering Key from network side;By in the authentication five-tuple Ciphering Key Random number is sent to terminal with authentication information;Receiving after the authorization data response of the terminal, passing through Encryption key, Integrity Key and response expected value XRES in the authentication five-tuple Ciphering Key Terminal is authenticated, and after certification passes through, according to encryption key and Integrity Key determine root key and The B-TID of terminal, and set up the binding relationship of B-TID and root key.
13. BSF network elements according to claim 12, it is characterised in that the sending module is specifically used In:
After determining root key and B-TID according to encryption key and Integrity Key, the B-TID is sent To the terminal.
14. a kind of vpn servers for realizing VPN (virtual private network) key agreement, it is characterised in that include:
Transceiver module, the first shared key sent for receiving terminal and B-TID, and by B-TID and VPN The NAF_id of server is sent to BSF network elements;
Second receiver module, for receiving the second shared key of BSF network elements return;
Comparison module, for first shared key and the second shared key are compared;
Processing module, if identical with the second shared key for first shared key, to the end End return authentication success response.
CN201510579550.8A 2015-09-11 2015-09-11 Method and device for realizing key agreement of virtual private network (VPN) Pending CN106534050A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510579550.8A CN106534050A (en) 2015-09-11 2015-09-11 Method and device for realizing key agreement of virtual private network (VPN)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201510579550.8A CN106534050A (en) 2015-09-11 2015-09-11 Method and device for realizing key agreement of virtual private network (VPN)

Publications (1)

Publication Number Publication Date
CN106534050A true CN106534050A (en) 2017-03-22

Family

ID=58346704

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510579550.8A Pending CN106534050A (en) 2015-09-11 2015-09-11 Method and device for realizing key agreement of virtual private network (VPN)

Country Status (1)

Country Link
CN (1) CN106534050A (en)

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2020037958A1 (en) * 2018-08-23 2020-02-27 刘高峰 Gba-based client registration and key sharing method, device, and system
CN110858969A (en) * 2018-08-23 2020-03-03 刘高峰 Client registration method, device and system
CN112491533A (en) * 2019-09-12 2021-03-12 华为技术有限公司 Key generation method and device
CN112514321A (en) * 2018-05-31 2021-03-16 爱迪德技术有限公司 Shared secret establishment
CN113015126A (en) * 2019-12-04 2021-06-22 中兴通讯股份有限公司 Internet of vehicles authentication method, system, terminal and storage medium
CN113114459A (en) * 2021-05-21 2021-07-13 上海银基信息安全技术股份有限公司 Security authentication method, device, equipment and storage medium
CN113506388A (en) * 2021-06-09 2021-10-15 广东纬德信息科技股份有限公司 Lockset safety control method and device and storage medium
CN115208555A (en) * 2021-03-24 2022-10-18 阿里巴巴新加坡控股有限公司 Gateway negotiation method, device and storage medium
CN115226416A (en) * 2021-02-20 2022-10-21 华为技术有限公司 Root key protection method and system
CN117641339A (en) * 2024-01-18 2024-03-01 中国电子科技集团公司第三十研究所 Fast application layer authentication and key agreement system and method

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2007022731A1 (en) * 2005-08-26 2007-03-01 Huawei Technologies Co., Ltd. Encryption key negotiation method, system and equipment in the enhanced universal verify frame
CN1929371A (en) * 2005-09-05 2007-03-14 华为技术有限公司 Method for User and Peripheral to Negotiate a Shared Key
CN101426190A (en) * 2007-11-01 2009-05-06 华为技术有限公司 Service access authentication method and system
CN101640607A (en) * 2009-04-13 2010-02-03 山石网科通信技术(北京)有限公司 Collocation method of virtual private network based on internet security protocol and system therefor
CN102065421A (en) * 2009-11-11 2011-05-18 中国移动通信集团公司 Method, device and system for updating key
US20110238972A1 (en) * 2005-02-04 2011-09-29 Qualcomm Incorporated Secure Bootstrapping for Wireless Communications
CN103414556A (en) * 2013-08-16 2013-11-27 成都卫士通信息产业股份有限公司 IKE key agreement strategy searching method
CN104660603A (en) * 2015-02-14 2015-05-27 山东量子科学技术研究院有限公司 Method and system for extended use of quantum keys in IPSec VPN (internet protocol security-virtual private network)

Patent Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20110238972A1 (en) * 2005-02-04 2011-09-29 Qualcomm Incorporated Secure Bootstrapping for Wireless Communications
WO2007022731A1 (en) * 2005-08-26 2007-03-01 Huawei Technologies Co., Ltd. Encryption key negotiation method, system and equipment in the enhanced universal verify frame
CN1929371A (en) * 2005-09-05 2007-03-14 华为技术有限公司 Method for User and Peripheral to Negotiate a Shared Key
CN101426190A (en) * 2007-11-01 2009-05-06 华为技术有限公司 Service access authentication method and system
CN101640607A (en) * 2009-04-13 2010-02-03 山石网科通信技术(北京)有限公司 Collocation method of virtual private network based on internet security protocol and system therefor
CN102065421A (en) * 2009-11-11 2011-05-18 中国移动通信集团公司 Method, device and system for updating key
CN103414556A (en) * 2013-08-16 2013-11-27 成都卫士通信息产业股份有限公司 IKE key agreement strategy searching method
CN104660603A (en) * 2015-02-14 2015-05-27 山东量子科学技术研究院有限公司 Method and system for extended use of quantum keys in IPSec VPN (internet protocol security-virtual private network)

Cited By (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112514321A (en) * 2018-05-31 2021-03-16 爱迪德技术有限公司 Shared secret establishment
WO2020037958A1 (en) * 2018-08-23 2020-02-27 刘高峰 Gba-based client registration and key sharing method, device, and system
CN110858969A (en) * 2018-08-23 2020-03-03 刘高峰 Client registration method, device and system
CN110858968A (en) * 2018-08-23 2020-03-03 刘高峰 Client registration method, device and system
CN112491533A (en) * 2019-09-12 2021-03-12 华为技术有限公司 Key generation method and device
CN112491533B (en) * 2019-09-12 2022-09-02 华为技术有限公司 Key generation method and device
CN113015126A (en) * 2019-12-04 2021-06-22 中兴通讯股份有限公司 Internet of vehicles authentication method, system, terminal and storage medium
CN115226416B (en) * 2021-02-20 2024-05-03 华为技术有限公司 Root key protection method and system
CN115226416A (en) * 2021-02-20 2022-10-21 华为技术有限公司 Root key protection method and system
CN115208555A (en) * 2021-03-24 2022-10-18 阿里巴巴新加坡控股有限公司 Gateway negotiation method, device and storage medium
CN113114459B (en) * 2021-05-21 2023-06-02 上海银基信息安全技术股份有限公司 Safety authentication method, device, equipment and storage medium
CN113114459A (en) * 2021-05-21 2021-07-13 上海银基信息安全技术股份有限公司 Security authentication method, device, equipment and storage medium
CN113506388A (en) * 2021-06-09 2021-10-15 广东纬德信息科技股份有限公司 Lockset safety control method and device and storage medium
CN117641339A (en) * 2024-01-18 2024-03-01 中国电子科技集团公司第三十研究所 Fast application layer authentication and key agreement system and method
CN117641339B (en) * 2024-01-18 2024-04-09 中国电子科技集团公司第三十研究所 System and method for fast application layer authentication and key agreement

Similar Documents

Publication Publication Date Title
US10243742B2 (en) Method and system for accessing a device by a user
CN112235235B (en) SDP authentication protocol implementation method based on cryptographic algorithm
CN106534050A (en) Method and device for realizing key agreement of virtual private network (VPN)
US11736304B2 (en) Secure authentication of remote equipment
CN107317789B (en) Key distribution, authentication method, device and system
US8201233B2 (en) Secure extended authentication bypass
US8321663B2 (en) Enhanced authorization process using digital signatures
CN103491540B (en) The two-way access authentication system of a kind of WLAN based on identity documents and method
US20060259759A1 (en) Method and apparatus for securely extending a protected network through secure intermediation of AAA information
CN103906052B (en) A kind of mobile terminal authentication method, Operational Visit method and apparatus
CN101371550A (en) Method and system for automatically and securely provisioning a user of a mobile communication terminal with service access credentials for an online service
CN1658547B (en) Crytographic keys distribution method
CN111756530B (en) Quantum service mobile engine system, network architecture and related equipment
US20140215217A1 (en) Secure Communication
CN111935213A (en) Distributed trusted authentication virtual networking system and method
CN114040390A (en) A quantum security-based 5G virtual quotient keystore distribution method
Ali et al. A comparative study of authentication methods for wi-fi networks
CN100544247C (en) Security Capability Negotiation Method
CN103781026B (en) The authentication method of common authentication mechanism
CN105591748B (en) A kind of authentication method and device
CN110719169A (en) Method and device for transmitting router safety information
CN110366179A (en) An authentication method, device and computer-readable storage medium
Mehic et al. Overview of quantum key distribution network key-delivery specifications
US12316623B2 (en) Verifying the authenticity of internet key exchange messages in a virtual private network
CN114915494B (en) A method, system, device and storage medium for anonymous authentication

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20170322

RJ01 Rejection of invention patent application after publication