
CN101325804B - Method, device and system for acquiring cryptographic key - Google Patents


Info

Publication number
CN101325804B
Authority
CN
China
Prior art keywords
authenticator
key information
migrated
network device
needs
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CN2007101451465A
Other languages
Chinese (zh)
Other versions
CN101325804A (en
Inventor
梁文亮
吴建军
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd
Priority to CN2007101451465A
Priority to PCT/CN2008/071254 (WO2008151569A1)
Publication of CN101325804A
Application granted
Publication of CN101325804B
Expired - Fee Related
Anticipated expiration

Landscapes

  • Mobile Radio Communication Systems (AREA)

Abstract

A method, device and system for obtaining a key, used to obtain key information for a network device that needs it after an authenticator has migrated. After receiving indication information showing that authenticator migration has occurred, the network device that needs the key information sends a key request to the migrated authenticator and receives the key information the authenticator returns. The invention thereby ensures that, after an authenticator migrates, the mobile user's network device that needs key information can obtain it, so that subsequent communication proceeds smoothly, which effectively improves the communication performance of the wireless communication system.

Description

Method, device and system for obtaining keys

Technical field

The invention relates to the field of network communication technology, and in particular to a scheme for obtaining a key when an authenticator has migrated.

Background

With the rapid development of Internet services and the wide use of wireless networks, the security of mobile users places higher demands on wireless systems. In addition to device authentication, user authentication and service authorization, a secure channel must be established between the wireless user and the AP (access point) or BS (base station) for exchanging confidential information, and confidential channels must be established between the BS and the Authenticator, and between the Authenticator and the authentication server, for exchanging confidential information, and so on.

In a wireless network, a mobile user must initiate authentication with an authenticator such as a NAS (Network Access Server). Once authentication succeeds, the mobile user's FA (Foreign Agent) obtains the corresponding key information by communicating with the NAS, for use in subsequent communication.

After a re-authentication of the mobile user MS, the FA obtains the key as shown in Figure 1. The process includes the following steps:

Step 1: the MS completes access authentication successfully through NAS1.

Specifically, the authentication procedure may be initiated towards the AAA server through NAS1 and completed, establishing that the MS has passed authentication.

Step 2: when the FA needs the MN-FA key or the FA-HA key, it sends a request to NAS1 to obtain that key.

Step 3: the MS re-authenticates through NAS1.

As with the initial authentication, the re-authentication may be initiated towards the AAA server through NAS1 to complete the re-authentication processing.

Step 4: the MS sends an MIP-RRQ (MIP registration) message to the FA, carrying an authentication extension computed with the new key; the SPI (Security Parameter Index) is likewise computed from the FA-RK produced by the re-authentication, or produced in some other way.

Step 5: on receiving the registration message, the FA compares the SPI carried in the MIP-RRQ message; if it determines that the SPI has changed, that is, that re-authentication has occurred, it requests key update information from NAS1.

That is, because re-authentication took place in step 3, the key information on both NAS1 and the MS has been updated, but the FA knows of neither the re-authentication nor the updated key information, so the FA must request the updated key information from NAS1.

Step 6: once the FA has obtained the key, it can continue processing the MIP-RRQ message and complete the subsequent processing.

Note that in the above process, whether or not re-authentication occurs, whenever the FA migrates, the FA will likewise perform step 5 after receiving the MIP-RRQ message, requesting the key from NAS1 so as to obtain the current key for completing subsequent processing.

In the course of implementing the invention, the inventors found at least the following problem in the prior art:

In the above process, if a NAS migration also occurs during the MS's re-authentication, the FA cannot obtain the key information from the migrated NAS, so after a NAS migration the FA cannot process the MIP-RRQ message it receives.

Summary of the invention

Embodiments of the invention provide a method, device and system for obtaining a key, so that even when the authenticator migrates, a network device that needs key information can still obtain it, ensuring that subsequent communication proceeds smoothly.

An embodiment of the invention provides a method for obtaining a key, including:

A network device that needs to obtain key information receives indication information showing that authenticator migration has occurred, receives the key information sent by the authenticator, and thereby obtains the key information of the corresponding terminal.

The invention also provides a method for obtaining a key, including:

After receiving indication information showing that re-authentication has occurred, a network device that needs to obtain key information receives the key information of the corresponding terminal sent by the authenticator.

An embodiment of the invention provides a network device, including:

An authenticator migration determination unit, configured to determine, from received indication information showing that authenticator migration has occurred, that the authenticator to which the corresponding terminal belongs has migrated;

A key request acquisition unit, configured to receive the key information sent by the authenticator after the authenticator migration determination unit has determined that the authenticator to which the terminal belongs has migrated, and thereby obtain the key information corresponding to the terminal.

An embodiment of the invention provides a system for obtaining a key, including an authenticator and a network device that needs to obtain key information, wherein:

The authenticator is configured to receive a key request from the network device that needs to obtain key information, and to send that device the key information it has generated for the terminal;

The network device that needs to obtain key information receives indication information showing that authenticator migration has occurred, and receives the key information sent by the authenticator.

An embodiment of the invention also provides a system for obtaining a key, including an authenticator and a network device that needs to obtain key information, wherein:

The authenticator is configured to send the key information it has generated for the terminal to the network device that needs to obtain key information;

The network device that needs to obtain key information is configured to receive the key information corresponding to the terminal sent by the authenticator, after receiving indication information showing that re-authentication has occurred.

As the technical solutions provided by the above embodiments show, after the authenticator migrates, the network device that needs key information can still obtain it, so that subsequent communication proceeds smoothly. Implementing the embodiments of the invention can therefore effectively improve the communication performance of the wireless communication system.

Description of drawings

Figure 1 is a schematic diagram of the process by which the FA obtains key information in the prior art;

Figure 2 is the first schematic diagram of the process by which the FA obtains key information in an embodiment of the invention;

Figure 3 is the second schematic diagram of the process by which the FA obtains key information in an embodiment of the invention;

Figure 4 is the third schematic diagram of the process by which the FA obtains key information in an embodiment of the invention;

Figure 5 is a schematic diagram of the state machine of the process by which the FA obtains key information in an embodiment of the invention;

Figure 6 is a schematic diagram of the complete process of an embodiment of the invention;

Figure 7 is a schematic structural diagram of the system provided by an embodiment of the invention.

Detailed description

Embodiments of the invention obtain key information for a network device that needs it after the terminal's authenticator has migrated. That is, after the network device that needs key information receives indication information showing that authenticator migration has occurred, it determines that the authenticator corresponding to the terminal has migrated and sends a key request to the migrated authenticator; it then receives the key information the authenticator returns, obtaining the key information corresponding to the terminal.

In embodiments of the invention, the network device that needs to obtain key information includes, but is not limited to, an FA (Foreign Agent), a BS (base station) or a GW (gateway). The key information includes, but is not limited to, at least one of: a key, an SPI (Security Parameter Index) and a lifetime.

In implementing embodiments of the invention, the indication information showing that authenticator migration has occurred may be sent to the network device that needs key information by the migrated authenticator, by the original authenticator (the authenticator before migration), by the terminal, by the HA (Home Agent), or by a device such as the AAA (authentication, authorization, accounting) server, so that the network device learns of the indication. Optionally, the migrated authenticator, the original authenticator, the terminal, the HA or the AAA server may also send the address of the migrated authenticator to the network device that needs key information. If it is the original authenticator that sends the migrated authenticator's address, the original authenticator also maintains the correspondence between the terminal and the address of the migrated authenticator, and optionally sets a lifetime for that correspondence so that the maintained correspondence information can be deleted after a predetermined period, releasing the storage and management resources it occupies.

In the above process, if the terminal sends the indication information to the network device that needs key information, the terminal must first determine that authenticator migration has occurred. It may do so as follows: during authentication, the authenticator sends its own identification information to the terminal, so the terminal can compare the authenticator identification information it has just received with what it received previously and determine from the result whether the authenticator has migrated. For example, the identification information may include the authenticator's address information and/or the number of hops from the authenticator to the gateway.

In embodiments of the invention, after the migrated authenticator generates the key information corresponding to the terminal, it may actively send that key information to the network device that needs it; or, optionally, the migrated authenticator sends the generated key information to the original authenticator, which forwards it to the network device that needs it.

In embodiments of the invention, where the network device that needs key information obtains it through the above process, the device may optionally, after determining that the terminal's authenticator has migrated, also check whether it has received key information from the migrated authenticator. If it determines that it has not obtained the key information generated for the terminal by the migrated authenticator, it can obtain that key information by sending a key request to the migrated authenticator.

In a specific implementation, before the network device that needs key information sends a key request to the migrated authenticator, it may also obtain the migrated authenticator's address information, so that it knows where to send the key request message. The address of the migrated authenticator can be obtained in either of two ways: by requesting it from the original authenticator (the authenticator before migration), or by receiving it when the migrated authenticator or the original authenticator actively sends it.

If, during authenticator migration, the network device that needs key information (an FA, BS or GW, for example) also migrates, the migrated authenticator may first send the key information to the original network device (the one before migration), which forwards it to the migrated network device. Alternatively, the original network device may send the migrated authenticator an indication that the network device has migrated, or information such as the address of the migrated network device; or the migrated network device itself may send the migrated authenticator that indication or its own address. Either way, the migrated authenticator can then send the key information to the migrated network device that needs it.

Taking the FA as the network device that needs key information, the process of obtaining key information is described below for the different cases:

(1) The FA completes migration before the NAS, and the new FA has obtained the address of the original authenticator

In this case, the migrated new FA is treated as the terminal's current FA, and the process described above ensures that the network device that needs key information can obtain it;

(2) The NAS completes migration before the FA, and the original FA has obtained the address of the new NAS

In this case, the migrated new FA can obtain the new NAS address during its migration, which makes it easy for the network device that needs key information to obtain it. For example, the migrated FA sends the new NAS an FA-migration indication or the migrated FA's address, or the original FA sends the new NAS an FA-migration indication or information such as the new FA's address, so that the new NAS can then send the key information to the new FA;

(3) The original NAS is in the middle of NAS migration while the FA is migrating

In this case, the new FA needs to request the key from the original NAS. The process by which the original NAS gets the key information to the new FA may include:

If the original NAS, when informing the new FA that NAS migration is in progress, also gives it the new NAS's address, the new FA sends a key request to the new NAS. If the new NAS has already completed re-authentication, it replies with the new key information; otherwise it replies with an instruction telling the new FA to wait, or sends the new key information to the new FA once re-authentication completes;

If the original NAS only informs the new FA that NAS migration is in progress, without giving the address of the new NAS, the new FA can request the new NAS's address from the original NAS (that is, the migrated authenticator may first send the key information to the original FA, which then sends it to the migrated FA), or wait for the new NAS to update the key on its own initiative.

In embodiments of the invention, before determining that the terminal's authenticator has migrated, the network device that needs key information must also determine whether the terminal has re-authenticated. Once it has determined that re-authentication occurred, it goes on to determine whether the terminal's authenticator has migrated, and the embodiments then solve the problem of obtaining key information when the authenticator has migrated. The network device may determine whether the terminal has re-authenticated as follows: it stores the SPI (Security Parameter Index) between the terminal and the home agent; if the SPI in a registration request received from the terminal or another device differs from the stored SPI, it determines that the terminal has re-authenticated, and otherwise that it has not. Alternatively, the network device may determine whether re-authentication has occurred from an explicit or implicit re-authentication indication in a received message.

Taking the FA as the network device that needs key information, the key information it needs may be MIP key information. The embodiments solve the problem that, while updating the MIP key, the FA cannot obtain it because the NAS has migrated; they also reduce race scenarios and the time needed to obtain the key, and provide a scheme by which the FA obtains a valid MIP key. The MIP key may include the MN-FA key and the FA-HA key. Note that the embodiments are not limited to this particular application.

Re-authentication of the terminal may be accompanied by authenticator migration, or may take place directly on the original authenticator. When the authenticator migrates, the FA must be told the address of the new authenticator so that it can subsequently request key information. FA migration and authenticator migration are independent of each other: they may or may not happen at the same time.

The specific implementation is described below using a scenario in which the NAS acting as authenticator migrates and the key information the FA needs includes the MN-FA key. The corresponding process is shown in Figures 2, 3 and 4 and includes the following steps:

Step 1: the MS completes access authentication successfully through NAS1;

Step 2: when the FA needs the MN-FA key, it sends a request to NAS1; specifically, it may send NAS1 a context request to obtain the key;

Step 3: re-authentication of the MS is performed through NAS2, that is, NAS migration has occurred;

During this re-authentication the key information on NAS2 and the MS is updated, but the FA has learned neither that a re-authentication event occurred nor the updated key information;

Step 4: after re-authentication, a device such as the MS or the HA (Home Agent) (the figures show only the MS as an example) sends an MIP-RRQ message to the FA. The message carries an authentication extension computed with the new key; the SPI in it is likewise computed from the FA-RK produced by the re-authentication, or it may be some other indication that can be used to determine whether re-authentication has occurred;

Step 5: on receiving the message, the FA compares the SPI carried in the MIP-RRQ message with the SPI it maintains locally. If it determines that the SPI has changed (that is, re-authentication has occurred), or confirms from the indication information that re-authentication has occurred, it obtains the updated key information; specifically, it can again do so by sending a context request to NAS2 to obtain the key;

In this step, if the FA has migrated, then once the new FA has obtained the address of the original NAS it is in the same state: it knows the original NAS's address and needs to obtain the MIP key information;

In this step, requesting the updated key from the NAS can be implemented in, but is not limited to, three ways, shown in Figures 2, 3 and 4 respectively:

(1) As shown in Figure 2, during NAS2's migration the message in which NAS2 notifies the FA has not yet reached the FA, so the FA requests key update information from NAS1, and NAS1 returns a NAS migration indication and/or the new NAS address (that is, the NAS2 address). The FA then sends a key request message to NAS2 to obtain the MIP key information;

(2) As shown in Figure 3, during NAS2's migration the message in which NAS2 notifies the FA has not yet reached the FA, so the FA requests key update information from NAS1, and NAS1 returns to the FA a NAS migration indication and/or the new NAS address (that is, the NAS2 address). Before the FA sends the key request message to NAS2, NAS2's migration notification arrives at the FA. If that message carries the updated key and context information, the FA does not send the key request; otherwise the FA goes ahead and sends the key request to NAS2 to obtain the MIP key information;

(3) As shown in Figure 4, during NAS2's migration the message in which NAS2 notifies the FA has already reached the FA. If that message carries the updated key and context information, the FA does not send a key request to NAS2; otherwise the FA goes ahead and sends the key request to NAS2 to obtain the MIP key information.

Note that if the FA has also migrated and NAS2's update message was sent to the original FA, the original FA must forward the update message to the new FA so that the new FA can still readily obtain the MIP key information; alternatively, the original FA returns an FA-migration indication or the new FA's address to NAS2, and NAS2 then sends the key information to the new FA.

After steps 1 to 5 above, once the FA has obtained the updated key information it can continue processing the MIP-RRQ message.

For the case in the above application scenario where the MIP-RRQ message carries only information on whether re-authentication has occurred, the embodiment of the present invention also provides another specific implementation, in which an indication of whether the NAS has migrated is carried in the MIP-RRQ message. The corresponding processing is shown in Figure 5 and may specifically include the following:

Step 1: first authentication. During the EAP process, NAS1 sends its own address, or the number of hops from the NAS to the serving GW (gateway), to the MS, and it is recorded;

Step 2: re-authentication. The MS again obtains the NAS1 address or the number of hops from the NAS to the serving GW and compares it with the previously recorded address or hop count (that is, the information recorded in step 1); finding them the same, it confirms that the NAS has not migrated;

Step 3: the MS sends an MIP-RRQ carrying indication information to show that re-authentication occurred without NAS migration; the indication information may be a different SPI algorithm, or a separate extension header;

In a specific implementation, an odd SPI may indicate that the NAS has migrated and an even SPI the opposite, that the NAS has not migrated; with the extension header approach, the extension header may directly contain a type that expresses the migration state of the NAS, or may directly contain the address information of the current NAS;

Step 4: re-authentication. The MS again obtains the NAS2 address or the number of hops from the NAS to the serving GW and compares it with the previously recorded address or hop count (that is, the information recorded in step 1); finding them different, it confirms that the NAS has migrated;

Step 5: the MS sends an MIP-RRQ carrying indication information to show that re-authentication of the MS has occurred, accompanied by NAS migration.

Based on the above process, the processing the FA performs after receiving the corresponding MIP-RRQ message may specifically be:

(1) After the FA receives the MIP-RRQ message, if the message does not carry NAS address information, the FA acts on the indication information in the MIP-RRQ message: if there was no re-authentication, it continues processing; if there was re-authentication but no NAS migration, it requests the key from the original NAS; if there was re-authentication accompanied by NAS migration, it waits for the new NAS to send notification information on its own initiative, and if the notification information from the new NAS does not carry the key information the FA needs, the FA must request the corresponding key information from the new NAS, or it may instead request the new NAS information or the updated key information from the original NAS;

(2) After the FA receives the MIP-RRQ message, if the MIP-RRQ message directly carries NAS address information, the FA can request the key information directly from the indicated NAS.

To make the process by which the FA obtains the MIP key easier to understand, the corresponding processing is described further below with reference to the accompanying drawings, taking the MN-FA key among the MIP keys as an example.

As shown in Figure 6, the processing implemented by the FA state machine includes the following steps:

Step 1: the FA receives the MIP-RRQ message;

Step 2: determine whether an MN-FA key exists locally; if so, perform step 3, otherwise perform step 7;

Step 3: compare the SPI in the received MIP-RRQ message with the locally stored SPI; if they are the same, that is, the two SPIs match, no re-authentication has occurred and step 15 is performed; otherwise re-authentication has occurred and step 4 is performed;

Step 4: determine whether NAS migration has occurred; if so, perform step 5, otherwise perform step 6. Specifically, this can be judged from, but is not limited to, a received indication of whether the NAS has migrated, such as the SPI or the Context-Rpt (context report) sent by the new NAS;

In this step, if it cannot yet be determined whether NAS migration has occurred, perform step 7;

It should be noted that in this step, if migration is determined to have occurred, it may further be determined whether the key of the new NAS has already been received; if so, perform step 15, otherwise perform step 5. The received key of the new NAS may have been sent directly by the new NAS, or may have been sent by the original NAS after the original NAS received it from the new NAS;

Step 5: determine whether the FA already knows the address of the new NAS after migration; if so, perform step 8, otherwise perform step 9;

Step 6: the FA requests the MN-FA from the original NAS and performs step 15.

Step 7: the FA requests the MN-FA from the original NAS, or directly sets a timer and waits to receive information from the authenticator (the authenticator with which re-authentication is performed); if NAS feedback information is received from the original NAS, perform step 10; if the FA receives indication information from the new NAS, perform step 12;

After the information is received, the timer is stopped; if the timer expires and no information has been received from the authenticator, the MIP-RRQ message is discarded;

Step 8: the FA requests the MN-FA from the new NAS after migration and performs step 15.

Step 9: the FA waits for an indication from the new NAS, or queries the original NAS for the address of the new NAS or for the MN-FA, and performs step 12 after receiving the indication from the new NAS or the feedback from the original NAS; the received indication from the new NAS or feedback from the original NAS may be the MN-FA of the new NAS or the address of the new NAS;

Step 10: the FA determines from the feedback information returned by the original NAS whether NAS migration has occurred; if so, perform step 12, otherwise perform step 11;

Likewise, in this step, whether NAS migration has occurred can be judged from, but is not limited to, a received indication of whether the NAS has migrated, such as the SPI or the Context-Rpt (context report);

Step 11: if the feedback information from the original NAS does not carry the MN-FA, send a request to the original NAS for the corresponding MN-FA and perform step 15 after obtaining it; if the original NAS has already carried the MN-FA in the feedback information, perform step 15 directly.

Step 12: determine whether the new NAS has already sent the corresponding MN-FA to the FA, that is, whether the FA has received the MN-FA; if so, perform step 13; otherwise, obtain the address of the new NAS from the received indication of the new NAS or the feedback information of the original NAS, and perform step 14;

Step 13: the FA obtains the MN-FA from the information sent by the new NAS and performs step 15;

Step 14: using the address of the new NAS, the FA requests the corresponding MN-FA from the new NAS and performs step 15 after obtaining the MN-FA;

Step 15: the FA processes the received MIP-RRQ message according to the key information obtained.
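The Figure 6 decision flow above (steps 1 to 15), written out as an added Python example; it is not code from the patent. The class and function names, the `keys` dictionary that stands in for key requests to a NAS, the constructed SPI and key values, and treating an unanswered request or an empty wait in step 9 as a drop are assumptions.

```python
from dataclasses import dataclass
from typing import Optional


class RrqDropped(Exception):
    """The MIP-RRQ is discarded: no valid MN-FA key could be obtained."""


@dataclass
class NasMsg:
    """Constructed stand-in for original-NAS feedback or a new-NAS notice."""
    migrated: bool = False
    new_nas_addr: Optional[str] = None
    mn_fa: Optional[bytes] = None


@dataclass
class FaState:
    orig_nas: str
    local_key: Optional[bytes] = None
    local_spi: Optional[int] = None
    new_nas_addr: Optional[str] = None  # new NAS address already known to the FA
    pushed_key: Optional[bytes] = None  # new-NAS key already received by the FA


def handle_rrq(fa, rrq_spi, migrated, keys, orig_reply=None, new_notice=None):
    """Walk steps 1-15 once and return (key, list of step numbers visited).

    migrated: True, False, or None when it cannot be determined yet.
    keys: maps a NAS address to the key that NAS returns on request.
    orig_reply / new_notice: NasMsg arriving before the timer expires, or None.
    """
    trace = [1]

    def request(addr):
        if addr not in keys:  # assumption: an unanswered request means drop
            raise RrqDropped(f"no key returned by {addr!r}")
        return keys[addr]

    def from_message(msg):  # steps 12 to 14
        trace.append(12)
        if msg.mn_fa is not None:
            trace.append(13)
            return msg.mn_fa
        trace.append(14)
        return request(msg.new_nas_addr)

    def step7():
        trace.append(7)
        if orig_reply is not None:
            trace.append(10)
            if orig_reply.migrated:
                return from_message(orig_reply)
            trace.append(11)
            if orig_reply.mn_fa is not None:
                return orig_reply.mn_fa
            return request(fa.orig_nas)
        if new_notice is not None:
            return from_message(new_notice)
        raise RrqDropped("timer expired with no information from an authenticator")

    def resolve():
        trace.append(2)
        if fa.local_key is None:
            return step7()
        trace.append(3)
        if rrq_spi == fa.local_spi:  # same SPI: no re-authentication
            return fa.local_key
        trace.append(4)
        if migrated is None:
            return step7()
        if not migrated:
            trace.append(6)
            return request(fa.orig_nas)
        if fa.pushed_key is not None:  # new NAS key already received
            return fa.pushed_key
        trace.append(5)
        if fa.new_nas_addr is not None:
            trace.append(8)
            return request(fa.new_nas_addr)
        trace.append(9)
        msg = new_notice if new_notice is not None else orig_reply
        if msg is None:  # assumption: nothing arrives, so the RRQ is dropped
            raise RrqDropped("step 9: no indication or feedback received")
        return from_message(msg)

    key = resolve()
    trace.append(15)
    # Assumption: the FA stores the fresh key and SPI for the next comparison.
    fa.local_key, fa.local_spi = key, rrq_spi
    return key, trace
```

Once the SPI comparison in step 3 shows re-authentication, no path returns the old local key: the FA either obtains a fresh MN-FA key or raises `RrqDropped`, which matches the discard-on-timer-expiry behaviour of step 7.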

The embodiment of the present invention also provides a system in which a network device obtains a key. Its specific structure is shown in Figure 7 and may include the following processing units:

(I) Authenticator

It is used to receive a key request from the network device that needs to obtain key information, and to send the key information it has generated for the terminal to that network device. It may specifically include:

(1) a key request receiving unit, configured to receive the key request sent by the network device that needs to obtain key information;

(2) a key information sending unit, configured to send the generated key information corresponding to the terminal to the network device that needs to obtain key information after the key request receiving unit has received the key request.

Optionally, the authenticator may further include a migration indication sending unit, configured to send indication information indicating that authenticator migration has occurred to the network device that needs to obtain key information; this authenticator may be the migrated authenticator or the original authenticator before migration. If the migration indication sending unit is located in the original authenticator and the address of the migrated authenticator needs to be sent to the network device that needs to obtain key information, the authenticator further includes a terminal information maintenance unit, configured to maintain the correspondence between the terminal and the address of the migrated authenticator, optionally with a lifetime set for that correspondence.

The authenticator may include either of the following units:

a key information direct sending unit, configured to send the key information generated by the migrated authenticator, once generated, directly and on its own initiative to the network device that needs to obtain key information;

a key information indirect transfer unit, configured to send the key information generated by the migrated authenticator to the original authenticator, which sends it on to the network device that needs to obtain key information.

To make it easier for the terminal to determine whether the authenticator has migrated, the authenticator may further include an identification information sending unit, configured to send the address information of the authenticator, or the number of hops from the authenticator to the gateway, to the terminal as identification information.

(II) Network device

This is the network device that needs to obtain key information. After receiving indication information indicating that authenticator migration has occurred, it sends a key request to the migrated authenticator and receives the key information returned by the authenticator.

More specifically, the network device that needs to obtain key information may include:

(1) an authenticator migration determining unit, configured to determine, according to the received indication information indicating that authenticator migration has occurred, that the authenticator corresponding to the terminal has migrated;

(2) a key request obtaining unit, configured to send a key request to the migrated authenticator after the authenticator migration determining unit determines that the authenticator corresponding to the terminal has migrated, and to receive the key information returned by the authenticator and obtain the key corresponding to the terminal.

Optionally, the network device that needs to obtain key information may further include a judging processing unit, configured to notify the key request obtaining unit if, after the authenticator migration determining unit determines that authenticator migration has occurred, it is determined that the key information generated by the migrated authenticator has not been obtained.

Optionally, the network device that needs to obtain key information may further include an authenticator address obtaining unit, configured to receive and obtain the address information of the migrated authenticator sent by the migrated authenticator or the original authenticator, and to notify the key request obtaining unit so that the key request can be sent according to that address information.

Optionally, the network device that needs to obtain key information may further include either of the following units:

a key information forwarding unit, configured to receive the key information sent by the migrated authenticator and send it to the migrated network device that needs to obtain key information;

a network device migration notification unit, configured to return to the migrated authenticator, after receiving the key information it sent, an indication that the network device that needs to obtain key information has migrated, or the address information of the migrated network device that needs to obtain key information; or to send that indication or address information to the migrated authenticator on its own initiative; so that the migrated authenticator can send the key information to the migrated network device that needs to obtain key information.

(III) Terminal

In some application scenarios, the terminal may also send, to the network device that needs to obtain key information, indication information indicating that the authenticator corresponding to the terminal has migrated. The terminal may therefore also include processing units for determining whether the authenticator has migrated, which may specifically include:

a migration determining unit, configured to receive the identification information sent by the authenticator during authentication, and to compare the currently received identification information of the authenticator with the previously received identification information of the authenticator to determine whether the authenticator has migrated;

an indication information transfer unit, configured to send indication information indicating that authenticator migration has occurred to the network device that needs to obtain key information after the migration determining unit determines that migration has occurred.

In summary, the embodiment of the present invention solves the problem that, when the NAS migrates while the FA is updating the MIP key, the updated MIP key cannot be obtained; it can thereby eliminate race scenarios as far as possible and minimise the time needed to obtain the key. The embodiment of the present invention thus provides an implementation that enables the FA to obtain a valid MIP key and overcomes the problems existing in the prior art.

The above is only a preferred specific embodiment of the present invention, but the scope of protection of the present invention is not limited to it. Any change or replacement that a person skilled in the art could readily conceive within the technical scope disclosed by the present invention shall fall within the scope of protection of the present invention. The scope of protection of the present invention shall therefore be determined by the scope of protection of the claims.

Claims (25)

1. A method for obtaining a key, characterized in that it is used to obtain key information for a network device that needs to obtain key information after an authenticator has migrated, comprising: the network device that needs to obtain key information receiving indication information indicating that authenticator migration has occurred, receiving key information sent by the migrated authenticator, and obtaining the key information of the corresponding terminal.

2. The method according to claim 1, characterized in that the network device that needs to obtain key information receives the indication information indicating that authenticator migration has occurred, sent by the migrated authenticator, the original authenticator, the terminal, the home agent, or the authentication, authorization and accounting (AAA) server; or, the network device that needs to obtain key information receives the indication information and the address of the migrated authenticator, sent by the migrated authenticator, the original authenticator, the terminal, the home agent, or the AAA server.

3. The method according to claim 2, characterized in that, when the indication information is sent by the terminal, the method further comprises: during authentication, the terminal receiving identification information of the authenticator sent by the network side; and the terminal comparing the currently received identification information of the authenticator with the previously received identification information of the authenticator to determine whether the authenticator has migrated.

4. The method according to claim 3, characterized in that the identification information comprises at least one of: address information of the authenticator, identifier information of the authenticator, and the number of hops from the authenticator to the gateway.

5. The method according to any one of claims 1 to 4, characterized by further comprising: the network device that needs to obtain key information receiving the key information sent on its own initiative by the migrated authenticator after it generates the key information of the corresponding terminal; or, the network device that needs to obtain key information receiving the key information sent via the original authenticator by the migrated authenticator after it generates the key information of the corresponding terminal.

6. The method according to claim 5, characterized in that, after the network device that needs to obtain key information determines that the authenticator corresponding to the terminal has migrated, the method further comprises: the network device that needs to obtain key information sending a key request to the migrated authenticator after determining that it has not obtained the key information of the corresponding terminal generated by the migrated authenticator.

7. The method according to any one of claims 1 to 4, characterized in that, before the network device that needs to obtain key information sends a key request to the migrated authenticator, the method further comprises a step of obtaining the address information of the migrated authenticator, the step comprising: requesting the address information of the migrated authenticator from the original authenticator; or, receiving the address information of the migrated authenticator sent on their own initiative by the migrated authenticator, the original authenticator, the terminal, the home agent, or the AAA server.

8. The method according to any one of claims 1 to 4, characterized in that, if the network device that needs to obtain key information also migrates during the authenticator migration, the method further comprises any one of the following steps: the migrated network device that needs to obtain key information obtaining, through the original network device that needs to obtain key information, the key information sent by the migrated authenticator; the migrated network device that needs to obtain key information sending to the migrated authenticator an indication that the network device that needs to obtain key information has migrated, or the address of the migrated network device that needs to obtain key information, and the migrated authenticator sending the key information to the migrated network device that needs to obtain key information; the migrated network device that needs to obtain key information receiving the key information sent by the migrated authenticator after the migrated authenticator has obtained, from the original network device that needs to obtain key information, the indication that the network device that needs to obtain key information has migrated or the address of the migrated network device that needs to obtain key information.

9. The method according to any one of claims 1 to 4, characterized in that, before it is determined that the authenticator to which the terminal belongs has migrated, the method further comprises a step in which the network device that needs to obtain key information determines that the terminal has been re-authenticated, the step specifically comprising: the network device that needs to obtain key information storing the security parameter index (SPI) between the terminal and the home agent, and determining that re-authentication has occurred if the SPI between the terminal and the home agent in a received registration request differs from the stored SPI.

10. A method for obtaining a key, used to obtain key information for a network device that needs to obtain key information after re-authentication, characterized by comprising: the network device that needs to obtain key information, after receiving indication information indicating that re-authentication has occurred, receiving the key information of the corresponding terminal sent by an authenticator.

11. The method according to claim 10, characterized in that the authenticator is the authenticator that performs the re-authentication.

12. The method according to claim 11, characterized in that the network device that needs to obtain key information starts a timer after receiving the indication information indicating that re-authentication has occurred, and receives the key information of the terminal within the validity period of the timer.

13. The method according to claim 12, characterized in that, if the key information is not received within the validity period of the timer, the mobile IP registration request sent by the terminal is discarded.

14. A network device, characterized in that it is used to obtain key information after an authenticator has migrated, the network device comprising: an authenticator migration determining unit, configured to determine, according to received indication information indicating that authenticator migration has occurred, that the authenticator to which the corresponding terminal belongs has migrated; and a key request obtaining unit, configured to receive the key information sent by the migrated authenticator after the authenticator migration determining unit determines that the authenticator to which the terminal belongs has migrated, and to obtain the key information corresponding to the terminal.

15. The device according to claim 14, characterized in that the device further comprises a judging processing unit, configured to notify the key request obtaining unit if, after the authenticator migration determining unit determines that authenticator migration has occurred, it is determined that the key information generated by the migrated authenticator has not been obtained; and the key request obtaining unit is further configured to send a key request to the migrated authenticator after obtaining the notification from the judging processing unit.

16. The device according to claim 14 or 15, characterized in that the device further comprises an authenticator address obtaining unit, configured to receive and obtain the address information of the migrated authenticator sent by the migrated authenticator or the original authenticator, and to notify the key request obtaining unit.

17. A system for obtaining a key, characterized in that it is used to obtain key information for a network device that needs to obtain key information after an authenticator has migrated, the system comprising an authenticator and a network device that needs to obtain key information, wherein: the authenticator is configured to receive a key request sent by the network device that needs to obtain key information, and to send the generated key information corresponding to the terminal to the network device that needs to obtain key information; the network device that needs to obtain key information receives indication information indicating that authenticator migration has occurred, and receives the key information sent by the migrated authenticator.

18. The system according to claim 17, characterized in that the system further comprises a terminal, and the terminal comprises: a migration determining unit, configured to receive the identification information sent by the authenticator during authentication, and to compare the currently received identification information of the authenticator with the previously received identification information of the authenticator to determine whether the authenticator has migrated; and an indication information transfer unit, configured to send indication information indicating that authenticator migration has occurred to the network device that needs to obtain key information after the migration determining unit determines that migration has occurred.

19. The system according to claim 18, characterized in that the authenticator further comprises an identification information sending unit, configured to send the address information of the authenticator or the number of hops from the authenticator to the gateway to the terminal as identification information.

20. The system according to claim 17, 18 or 19, characterized in that the authenticator comprises a key request receiving unit and a key information sending unit, wherein: the key request receiving unit is configured to receive the key request sent by the network device that needs to obtain key information; the key information sending unit is configured to send the generated key information corresponding to the terminal to the network device that needs to obtain key information after the key request receiving unit has received the key request.

21. The system according to claim 17, 18 or 19, characterized in that the authenticator further comprises: a key information direct sending unit, configured to send the key information generated by the migrated authenticator, once generated, directly to the network device that needs to obtain key information; or, a key information indirect transfer unit, configured to have the migrated authenticator send the generated key information to the original authenticator, which sends it to the network device that needs to obtain key information.

22. The system according to claim 17, 18 or 19, characterized in that the authenticator further comprises a migration indication sending unit, configured to send, to the network device that needs to obtain key information, indication information indicating that authenticator migration has occurred and/or the address of the migrated authenticator.

23. The system according to claim 22, characterized in that, if the migration indication sending unit sends the address of the migrated authenticator to the network device that needs to obtain key information, the authenticator further comprises a terminal information maintenance unit, configured to maintain the correspondence between the terminal and the address of the migrated authenticator.

24. The system according to claim 17, 18 or 19, characterized in that the network device that needs to obtain key information further comprises: a key information forwarding unit, configured to receive the key information sent by the migrated authenticator and send it to the migrated network device that needs to obtain key information; or, a network device migration notification unit, configured to return to the migrated authenticator, after receiving the key information it sent, an indication that the network device that needs to obtain key information has migrated or the address information of the migrated network device that needs to obtain key information; or to send that indication or address information to the migrated authenticator on its own initiative.

25. A system for obtaining a key, characterized in that it is used to obtain key information for a network device that needs to obtain key information after re-authentication, the system comprising an authenticator and a network device that needs to obtain key information, wherein,
A system for obtaining a key, characterized in that it is used to obtain key information for a network device that needs to obtain key information after re-authentication, and the system includes an authenticator and a network device that needs to obtain key information, in, 认证器,用于向需要获取密钥信息的网络设备发送其生成的终端对应的密钥信息;The authenticator is used to send the generated key information corresponding to the terminal to the network device that needs to obtain the key information; 需要获取密钥信息的网络设备,用于接收用于表示发生重认证的指示信息后,接收认证器发送的所述终端对应的密钥信息。The network device that needs to obtain the key information is configured to receive the key information corresponding to the terminal sent by the authenticator after receiving the indication information indicating that re-authentication occurs.
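The exchange in claims 15 and 17 to 19, modelled as an added sketch that is not part of the patent text. The class and method names, the example addresses, and the use of HMAC-SHA256 as the key generation step are assumptions made for illustration, since the claims do not specify them.

```python
import hashlib
import hmac

class Authenticator:
    """Answers key requests for terminals it has authenticated (claims 17, 20)."""
    def __init__(self, address, terminal_secrets):
        self.address = address              # also used as identification info (claim 19)
        self._secrets = terminal_secrets    # terminal id -> secret from (re)authentication

    def handle_key_request(self, terminal_id):
        secret = self._secrets.get(terminal_id)
        if secret is None:
            raise KeyError("terminal not authenticated at this authenticator")
        # Assumption: HMAC-SHA256 over this authenticator's address stands in
        # for the key generation step, which the claims leave unspecified.
        return hmac.new(secret, self.address.encode(), hashlib.sha256).digest()

class Terminal:
    """Compares current and previous authenticator identification (claim 18)."""
    def __init__(self, terminal_id):
        self.terminal_id = terminal_id
        self.last_auth_id = None

    def on_authentication(self, auth_id):
        migrated = self.last_auth_id is not None and auth_id != self.last_auth_id
        self.last_auth_id = auth_id
        return migrated

class NetworkDevice:
    """The device that needs key information for a terminal."""
    def __init__(self, directory):
        self.directory = directory          # address -> Authenticator (constructed lookup)
        self.keys = {}                      # terminal id -> (authenticator address, key)

    def obtain_key(self, terminal_id, auth_address):
        held = self.keys.get(terminal_id)
        if held and held[0] == auth_address:    # claim 15: key already obtained
            return held[1]
        key = self.directory[auth_address].handle_key_request(terminal_id)
        self.keys[terminal_id] = (auth_address, key)   # stale key is replaced
        return key

def run_migration():
    # Constructed sample data: two authenticators and one terminal.
    old = Authenticator("auth-a.example", {"ms-1": b"secret-old"})
    new = Authenticator("auth-b.example", {"ms-1": b"secret-new"})
    device = NetworkDevice({old.address: old, new.address: new})
    ms = Terminal("ms-1")
    ms.on_authentication(old.address)
    k_old = device.obtain_key("ms-1", old.address)
    migrated = ms.on_authentication(new.address)    # indication sent to the device
    k_new = device.obtain_key("ms-1", new.address) if migrated else k_old
    return migrated, k_old, k_new, device.keys["ms-1"][0]
```

Without the migration indication the network device would keep using `k_old`, which no longer matches what the migrated authenticator and the terminal hold.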
CN2007101451465A 2007-06-11 2007-08-23 Method, device and system for acquiring cryptographic key Expired - Fee Related CN101325804B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN2007101451465A CN101325804B (en) 2007-06-11 2007-08-23 Method, device and system for acquiring cryptographic key
PCT/CN2008/071254 WO2008151569A1 (en) 2007-06-11 2008-06-10 Method, device and system for acquiring key

Applications Claiming Priority (5)

Application Number Priority Date Filing Date Title
CN200710112367.2 2007-06-11
CN200710112367 2007-06-11
CN200710136389 2007-07-26
CN200710136389.2 2007-07-26
CN2007101451465A CN101325804B (en) 2007-06-11 2007-08-23 Method, device and system for acquiring cryptographic key

Publications (2)

Publication Number Publication Date
CN101325804A CN101325804A (en) 2008-12-17
CN101325804B true CN101325804B (en) 2011-04-20

Family

ID=40189067

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2007101451465A Expired - Fee Related CN101325804B (en) 2007-06-11 2007-08-23 Method, device and system for acquiring cryptographic key

Country Status (1)

Country Link
CN (1) CN101325804B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101909292B (en) * 2010-08-18 2016-04-13 中兴通讯股份有限公司 The update method of air interface key, core net node and subscriber equipment
CN106559913B (en) * 2015-09-25 2019-11-05 展讯通信(上海)有限公司 Data transfer control method when mobile terminal and its LTE and WLAN are converged

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2004047397A2 (en) * 2002-11-15 2004-06-03 Cisco Technology, Inc. A method for fast, secure 802.11 re-association without additional authentication, accounting, and authorization infrastructure
CN1658553A (en) * 2004-02-20 2005-08-24 中国电子科技集团公司第三十研究所 A Strong Authentication Method Using Public Key Cryptography Algorithm Encryption Mode
CN1921379A (en) * 2005-08-25 2007-02-28 华为技术有限公司 Method for object discriminator/key supplier to get key

Also Published As

Publication number Publication date
CN101325804A (en) 2008-12-17

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20110420
