
CN102111761B - Secrete key management method and equipment - Google Patents


Info

Publication number
CN102111761B
Authority
CN
China
Prior art keywords
network
key
terminal
master
session key
Prior art date
Legal status
Expired - Fee Related
Application number
CN200910261713.2A
Other languages
Chinese (zh)
Other versions
CN102111761A (en)
Inventor
树贵明
丁志明
杨永利
Current Assignee
Beijing Zhongcai Wyse Education Technology Co ltd
Tongzhou District Nantong Xin Hao Industrial Co ltd
Original Assignee
Huawei Device Co Ltd
Priority date
Filing date
Publication date

Landscapes

  • Mobile Radio Communication Systems (AREA)

Abstract

The invention relates to the field of communication technology and discloses a key management method and equipment. The method comprises the following steps: an authentication server receives an authentication message sent by an authenticator, the authentication message carrying network identification information of the network to which the authenticator belongs; the network corresponding to the authentication is determined from the network identification information; a master session key for that network is generated from a master key the authentication server stores, and the master session key for that network is stored separately from the master session keys for other networks. With this method and equipment, when a terminal pre-authenticates to a handover target network through its current network, the key produced for the target-network authentication and the key for the current-network authentication cannot overwrite each other.

Description

Key management method and equipment
Technical field
The present invention relates to communication technology, and in particular to a key management method and equipment.
Background technology
WiFi (Wireless Fidelity) is a wireless local area network technology that can be used to form a WLAN. WiMAX (Worldwide Interoperability for Microwave Access) is a broadband wireless access technology. A WiMAX access point has high transmit power and wide coverage; a WiFi access point has low transmit power and small coverage, but is simple and cheap to deploy, so the two complement each other in network design. An important technical problem at present is therefore how a terminal can switch quickly from the WiMAX network to the WiFi network so as to preserve service continuity.
To reduce the delay when a terminal switches from the WiMAX network to the WiFi network, the WiMAX-WiFi interworking working group has proposed the idea of pre-authentication: while the terminal is still attached to the WiMAX network, it performs the WiFi network authentication in advance over its WiMAX connection and generates ahead of time the keys needed for WiFi communication. When the terminal finally switches its radio from WiMAX to WiFi, it can directly use the keys obtained during pre-authentication, which shortens the WiFi network entry process after the radio switch.
In the course of realising the present invention, the inventors found at least the following shortcoming in the prior art. When a terminal pre-authenticates to the WiFi network from the WiMAX network it is currently attached to, the authentication server and the terminal each compute a new MSK and EMSK under the current key management mechanism, and these new keys replace the MSK and EMSK generated by the terminal's most recent authentication (initial network entry or re-authentication) in the WiMAX network. The WiFi authenticator, the terminal and the home agent then derive the keys each of them needs from the new MSK and EMSK. But the terminal does not switch from WiMAX to WiFi at that moment; if, meanwhile, the terminal has to re-authenticate in the WiMAX network because its WiMAX key expires or because of a handover, that re-authentication again computes a new MSK and EMSK, which in turn replace the MSK and EMSK that were generated and stored on the terminal and the authentication server during the WiFi pre-authentication, and the WiMAX authenticator, the terminal and the home agent derive their keys from these newest values. In other words, the key generated by pre-authentication to the target network and the key of the current-network authentication overwrite each other. After the terminal switches to the WiFi network, the keys used by the authentication server, the WiFi authenticator, the terminal and the home agent are inconsistent (not derived from the same MSK or EMSK), and communication fails. The same problem arises when the terminal switches from the WiFi network to the WiMAX network.
Summary of the invention
The embodiments of the present invention provide a key management method and equipment that ensure that, when a terminal pre-authenticates to a handover target network through its current network, the key generated for the target-network pre-authentication and the key of the current-network authentication do not overwrite each other, so that the terminal can communicate after switching to the target network.
To this end, the embodiments of the present invention provide the following technical schemes.
A key management method comprises:
an authentication server receives an authentication message sent by an authenticator, the authentication message carrying network identification information of the network to which the authenticator belongs;
the network corresponding to the authentication is determined from the network identification information;
a master session key for that network is generated from the master key the authentication server holds, and the master session key for that network is stored separately from the master session keys for other networks;
wherein the stored master key is generated from the master session key produced in the authentication process of the terminal's initial network entry.
A key management method comprises:
a terminal determines the target network it needs to access;
a master session key for the target network is generated from the master key the terminal holds, and the master session key for the target network is stored separately from the master session key for the source network;
wherein the stored master key is generated from the master session key produced in the authentication process of the terminal's initial network entry.
An authentication server comprises:
a receiving unit for receiving the authentication message sent by an authenticator, the authentication message carrying network identification information of the network to which the authenticator belongs;
a network determining unit for determining the network corresponding to the authentication from the network identification information;
a first key generation unit for generating the master session key for that network from the master key the authentication server holds, wherein the stored master key is generated from the master session key produced in the authentication process of the terminal's initial network entry;
a first storage unit for storing the master session key for that network separately from the master session keys for other networks.
A terminal comprises:
an access network determining unit for determining the target network that needs to be accessed;
a second key generation unit for generating the master session key for the target network from the master key the terminal holds, wherein the stored master key is generated from the master session key produced in the authentication process of the terminal's initial network entry;
a second storage unit for storing the master session key for the target network separately from the master session key for the source network.
With the key management method and equipment of the embodiments, a master session key for the network corresponding to an authentication is generated from the stored master key. This ensures that, when the terminal switches between heterogeneous networks, the key produced by pre-authentication to the handover target network through the current network and the key the terminal uses in the current network do not overwrite each other, so the terminal can communicate after switching to the target network.
The accompanying drawing explanation
To illustrate the technical schemes of the embodiments more clearly, the drawings needed for the description of the embodiments are briefly introduced below. The drawings described below are only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic diagram of the EAP authentication key management layer in an embodiment of the present invention;
Fig. 2 is a flow chart of one key management method according to an embodiment of the present invention;
Fig. 3 is a flow chart of another key management method according to an embodiment of the present invention;
Fig. 4 is a schematic structural diagram of an authentication server according to an embodiment of the present invention;
Fig. 5 is a schematic structural diagram of a terminal according to an embodiment of the present invention.
Embodiment
To help those skilled in the art understand the schemes of the embodiments better, the embodiments are described in further detail below with reference to the drawings.
The key management method and equipment of the embodiments extend the master session key (MSK, EMSK) management layer of the existing key management mechanism for EAP authentication: the MSK/EMSK key management layer of the authentication server and the terminal is expanded into an EAP authentication key management layer, as shown in Fig. 1, so that this layer can separately manage several groups of master session keys (MSKs, EMSKs) for different types of network or network domains (such as mobility domains). Specifically, an authentication key manager can be set up for each type of network or network domain, separately managing the master session keys (MSKs, EMSKs) that the master key (MK) produces when the terminal authenticates to that type of network or domain. This avoids the problem that, when the terminal must authenticate to several networks of different types at the same time, the master session keys overwrite one another, so that the key generated by pre-authentication to the target network and the key of the current-network authentication overwrite each other; it thus ensures the terminal can communicate after switching to the target network.
For example, when the terminal pre-authenticates to the handover target network through the current network, the terminal and the authentication server each compute a master session key from the MK they hold, and the authentication server sends the computed master session key to the authenticator of the target network. The terminal and the target-network authenticator then each compute, from the master session key they obtained, the pairwise master key for the target-network application. After the terminal switches to the target network, the terminal and the target-network authenticator each generate, from the pairwise master key they computed, the pairwise temporal key for the terminal's communication in the target network, for example the encryption key for the terminal's communication with the base station in the target network.
The embodiments may also set up master session key managers for other applications that need keys, or for other network mobility domains, to manage the master session keys for those applications.
The method of the embodiments is described below from the network side and the terminal side respectively.
Fig. 2 is a flow chart of one key management method according to an embodiment of the present invention, comprising the following steps:
Step 201: the authentication server receives the authentication message sent by the authenticator, the authentication message carrying network identification information of the network to which the authenticator belongs;
Step 202: the network corresponding to the authentication is determined from the network identification information;
Step 203: a master session key for that network is generated from the master key the authentication server holds, and the master session key for that network is stored separately from the master session keys for other networks.
Here the stored master key is generated from the master session key produced during the authentication of the terminal's initial network entry. For example, under the existing EAP authentication mechanism, when the terminal performs initial network entry to a network of some type and completes EAP authentication successfully, the terminal and the authentication server produce the master session keys MSK and EMSK; the MK can then be obtained by a logical operation on MSK and EMSK, or simply by taking some bits of them. Many documents describe concrete key derivation algorithms and can be consulted, or a key algorithm similar to those of existing EAP methods such as EAP-AKA (Authentication and Key Agreement) and EAP-TLS (Transport Layer Security) can be adopted.
When the terminal enters the network initially, the complete process of producing master session keys through an EAP authentication is as follows:
1. The terminal sends EAPOL-Start to the authenticator.
2. The authenticator sends the terminal an EAP-Request Identity message requesting identity verification, asking the terminal to send its user information.
3. The terminal sends an EAP-Response Identity message to the authenticator containing the user information; the authenticator encapsulates the frame received from the terminal into a RADIUS Request message and forwards it to the authentication server for processing.
4. After receiving the RADIUS Request message, the authentication server authenticates the terminal.
5. After authentication passes, the authentication server sends a RADIUS Accept message to the authenticator.
6. After receiving the RADIUS Accept message, the authenticator sends an EAPOL Success message to the terminal.
7. After successful authentication, the terminal and the authentication server each generate MSK and EMSK from terminal-specific information.
The authentication server can use the master session keys MSK and EMSK produced in the EAP authentication of the terminal's initial network entry directly as the master session keys for that type of network; it can also regenerate the MSK and EMSK for that type of network by a further logical operation on the MK obtained above.
The authentication server can generate the master session key for a given type of network from the master key MK by invoking the corresponding EAP method. It can also transfer and compute the information needed for the master session key directly through EAP message exchange (EAP-Request/Response) and generate the master session key for that type of network from the master key MK; the concrete message exchange and the information carried in the messages can be taken from the documentation of the corresponding EAP method.
The master session key that the authentication server generates from the master key MK for a given type of network can be generated in advance from MK when the terminal enters the network initially, or generated on the spot when the master session key is needed (the computation can follow the existing IETF (Internet Engineering Task Force) documents on obtaining MSK and EMSK). For example, for the keys of authentication in the WiMAX network, a WiMAX network authentication key manager is set up to manage the WiMAX master session keys MSK1 and EMSK1 produced at the terminal's initial WiMAX authentication. When the terminal needs to re-authenticate in the WiMAX network, the terminal and the authentication server use the master key MK during re-authentication to produce new WiMAX re-authentication master session keys MSK3 and EMSK3, which replace the MSK1 and EMSK1 generated at the terminal's initial WiMAX authentication.
It should be noted that the embodiment shown in Fig. 2 may further comprise the following step:
the authentication server sends the master session key to the authenticator, so that the authenticator uses the master session key to generate the pairwise key for the corresponding network. The pairwise key for the corresponding network comprises the pairwise master key and/or the pairwise temporal key for that network.
With the key management method of the embodiments, the network side separately manages, for EAP authentication, several groups of master session keys (MSKs, EMSKs) for different types of network or network domains (such as mobility domains): the authentication server generates, from the master key it holds, a master session key for the network corresponding to each authentication, so that the authenticator of that network can generate the pairwise key for that network from this master session key. Under the EAP authentication mechanism the terminal and the network side generate the same MK with the same algorithm and then generate the master session keys (MSKs, EMSKs) for the different networks from MK. This avoids the problem that, when the terminal must authenticate to several networks of different types at the same time, the master session keys overwrite one another, so that the key generated by pre-authentication to the target network and the key of the current-network authentication overwrite each other; it thus ensures the terminal can communicate after switching to the target network.
Fig. 3 is a flow chart of another key management method according to an embodiment of the present invention, comprising the following steps:
Step 301: the terminal determines the target network it needs to access;
Step 302: a master session key for the target network is generated from the master key the terminal holds;
Step 303: the master session key for the target network is stored separately from the master session key for the source network.
In this way the problem of master session keys overwriting one another when the terminal must authenticate to several networks of different types at the same time is avoided.
It should be noted that the master key held by the terminal is generated by the same method as the master key held by the authentication server; that is, the master key held by the terminal is identical to the master key held by the authentication server, and it can be generated from the master session key produced in the authentication process of the terminal's initial network entry. The detailed process is described in the embodiments above.
The terminal can use the master session keys MSK and EMSK produced in the EAP authentication of its initial network entry directly as the master session keys for that type of network; it can also regenerate the MSK and EMSK for that type of network by a further logical operation on the MK obtained above.
Likewise, the master session key that the terminal generates from the master key MK for a given type of network can be generated in advance from MK when the terminal enters the network initially, or generated on the spot when the master session key is needed.
It should be noted that the embodiments may further comprise the following step: the terminal uses the master session key for the target network to generate the pairwise master key and/or the pairwise temporal key for the target network.
The extended key management mechanism provided by the embodiments is described in detail below, taking a dual-radio terminal switching from the WiMAX network to the WiFi network as an example.
A dual-radio terminal here is a terminal that supports both the WiFi and the WiMAX radio modes but can at any moment transmit through only one radio module; it is referred to as a WiFi/WiMAX dual-radio terminal, and "terminal" below refers to such a terminal.
Suppose the WiFi/WiMAX dual-radio terminal performs initial network entry in the WiMAX network. After the EAP authentication completes successfully, the terminal and the authentication server each compute MSK1 and EMSK1 from the master key MK, and the authentication server sends MSK1 to the WiMAX authenticator. The WiMAX authenticator and the terminal each compute PMK1 (the pairwise master key) from MSK1, or simply take the leading bits of MSK1 as PMK1; the terminal and the WiMAX authenticator then generate AK1 (the pairwise temporal key) through message exchange, used as the encryption key for the terminal's communication with the base station in the WiMAX network.
Because of the dual-radio constraint, to keep service continuity when switching from the WiMAX network to the WiFi network, the terminal must pre-authenticate to the target WiFi network in advance through the current WiMAX network. Under the extended key management mechanism of the embodiments, when the terminal pre-authenticates to the WiFi network through the current WiMAX network, the terminal and the authentication server generate from the master key MK the master session keys MSK2 and EMSK2 for the WiFi network, where MSK2 is used to generate the pairwise master key or pairwise temporal key for the target network, and EMSK2 is used to generate application keys for the terminal in the target network, such as Mobile IP and IP secure tunnel keys. The embodiments do not concern the generation of application keys such as Mobile IP or IP secure tunnel keys, so only MSK2 may be generated. The authentication server then sends MSK2 to the WiFi authenticator; the terminal and the WiFi authenticator derive PMK2 from MSK2 and further compute PTK2 through message exchange.
After the terminal completes pre-authentication to the WiFi network through the current WiMAX network, it does not switch immediately, so between completing pre-authentication and actually switching from the WiMAX network to the WiFi network the terminal may need to re-authenticate in the WiMAX network because of a base station handover or key lifetime expiry. Under the key management mechanism of the embodiments, when the terminal re-authenticates in the WiMAX network during this period, the terminal and the WiMAX authentication server use the master key MK in the re-authentication to produce new WiMAX re-authentication master session keys MSK3 and EMSK3, which replace the MSK1 and EMSK1 generated at the terminal's initial WiMAX authentication. The authentication server sends MSK3 to the authenticator in the WiMAX network; the terminal and the WiMAX authenticator compute PMK3 from MSK3 and further produce a new AK2 through message exchange, and AK2 replaces the AK1 produced at the terminal's initial WiMAX network entry.
When the terminal needs to switch from the WiMAX network to the WiFi network, because it has already completed pre-authentication to the WiFi network and both the WiFi authenticator and the terminal hold the PMK2 generated during pre-authentication, after the radio switch the terminal only needs to negotiate with the WiFi authenticator, through a 4-way handshake based on PMK2, the PTK for its communication in the WiFi network.
It can be seen from the above process that with the key management method of the embodiments, the EAP authentication key management layer (the MSK/EMSK management layer) of the authentication server and the terminal separately manages the master session keys MSK and EMSK produced when the terminal authenticates to the WiFi network and to the WiMAX network. This avoids the problem that, after the terminal has completed pre-authentication to the WiFi network, a subsequent re-authentication in the WiMAX network overwrites the master session keys on the terminal and the server.
In the above process the terminal and the authentication server must determine, for each EAP authentication, which network the resulting key is produced for. On the authentication server, each EAP authentication can be identified by the IP address in the messages received from the authenticators of the different networks, or by the network identifier, authenticator identifier (such as a MAC address), terminal identifier and so on carried in those messages. On the terminal, distinguishing the authentications toward different networks is harder when the terminal uses the same supplicant, because the EAP messages exchanged between the supplicant on the terminal and the authenticator currently carry no identification of the authenticating network; when the terminal authenticates to several networks of different types at the same time, the supplicant therefore cannot tell which type of network the master session key produced by each authentication belongs to. This can be solved by extending the EAP messages to carry the network identifier (Net-ID) of the network to which the authenticator belongs, so that the terminal can distinguish which network each EAP authentication is for, and the master session key managers set up on the terminal for the different types of network can separately manage the master session keys produced when authenticating to the different networks. As one concrete embodiment of the EAP authentication message extension, the authenticator carries the network identifier of its own network (which is also the network the terminal is about to authenticate to) in the EAP-Request message it sends to the terminal. By parsing the network identifier in this message the terminal can distinguish the network corresponding to each EAP authentication, so that the master session key produced by each EAP authentication is assigned to the previously configured master session key manager for that type of network for storage and management, and that manager supplies the master session key to the master session key users of that type of network when needed.
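As an added illustration (not the patent's code), the handover scenario above and the Net-ID message extension modelled in Python: terminal and authentication server share one MK, keep one MSK/EMSK slot per Net-ID (versus the prior-art single slot that each authentication overwrites), and learn the Net-ID from a constructed extended EAP-Request. The derivation function, the PMK prefix length, the attribute encoding and the constructed MK are assumptions; only the 64-octet MSK/EMSK length comes from RFC 3748.

```python
import hashlib
import hmac

# Lengths follow RFC 3748 (MSK and EMSK are 64 octets). Everything else below
# (the derivation, the PMK prefix length, the Net-ID attribute encoding) is an
# assumption made for this illustration, not the patent's own definition.
MSK_LEN = 64
PMK_LEN = 32          # assumed: PMK = leading bytes of MSK, as the text permits
NET_ID_ATTR = 0xF0    # assumed: attribute type carrying Net-ID in an EAP-Request


def derive_msk_emsk(mk: bytes, net_id: str, auth_round: int):
    """Derive (MSK, EMSK) for one network from the shared MK; auth_round
    separates initial entry from re-authentication (MSK1 vs MSK3)."""
    def expand(label: bytes) -> bytes:
        out, counter = b"", 1
        while len(out) < MSK_LEN:
            info = label + net_id.encode() + auth_round.to_bytes(4, "big")
            out += hmac.new(mk, info + bytes([counter]), hashlib.sha256).digest()
            counter += 1
        return out[:MSK_LEN]
    return expand(b"MSK"), expand(b"EMSK")


def net_id_from_eap_request(msg: bytes) -> str:
    """Extract the Net-ID from an extended EAP-Request (assumed layout: EAP
    header code/id/length/type, then (type, length, value) attributes)."""
    if len(msg) < 5 or msg[0] != 1:                 # EAP code 1 = Request
        raise ValueError("not an EAP-Request")
    if int.from_bytes(msg[2:4], "big") != len(msg):
        raise ValueError("EAP length field does not match message")
    pos = 5
    while pos + 2 <= len(msg):
        attr_type, attr_len = msg[pos], msg[pos + 1]
        value = msg[pos + 2:pos + 2 + attr_len]
        if len(value) != attr_len:
            raise ValueError("truncated attribute")
        if attr_type == NET_ID_ATTR:
            return value.decode()
        pos += 2 + attr_len
    raise ValueError("Net-ID attribute missing")


class MasterSessionKeyLayer:
    """The EAP authentication key management layer of Fig. 1. per_network=True
    keeps one (MSK, EMSK) slot per Net-ID (the patent's scheme); False models
    the prior-art single slot that every authentication overwrites."""
    def __init__(self, mk: bytes, per_network: bool):
        self.mk, self.per_network = mk, per_network
        self.slots = {}     # Net-ID (or "*" in legacy mode) -> (MSK, EMSK)
        self.rounds = {}    # Net-ID -> authentications performed so far

    def authenticate(self, net_id: str) -> bytes:
        """Run one EAP authentication toward net_id; return the MSK produced."""
        self.rounds[net_id] = self.rounds.get(net_id, 0) + 1
        msk, emsk = derive_msk_emsk(self.mk, net_id, self.rounds[net_id])
        self.slots[net_id if self.per_network else "*"] = (msk, emsk)
        return msk

    def pmk_for(self, net_id: str) -> bytes:
        """PMK the pairwise-key layer uses for net_id."""
        msk, _ = self.slots[net_id if self.per_network else "*"]
        return msk[:PMK_LEN]


def eap_request_with_net_id(net_id: str) -> bytes:
    """Constructed extended EAP-Request (id 7, type 1) carrying the Net-ID."""
    body = bytes([1, NET_ID_ATTR, len(net_id)]) + net_id.encode()
    return bytes([1, 7]) + (4 + len(body)).to_bytes(2, "big") + body


def handover_scenario(per_network: bool) -> dict:
    """WiMAX initial entry, WiFi pre-auth, WiMAX re-auth, then switch to WiFi."""
    mk = hashlib.sha256(b"constructed MK shared by terminal and AS").digest()
    terminal = MasterSessionKeyLayer(mk, per_network)
    server = MasterSessionKeyLayer(mk, per_network)
    authenticator_pmk = {}   # PMK each network's authenticator got from the AS
    for request in (eap_request_with_net_id("WiMAX"),   # MSK1 / PMK1
                    eap_request_with_net_id("WiFi"),    # MSK2 / PMK2 (pre-auth)
                    eap_request_with_net_id("WiMAX")):  # MSK3 / PMK3 (re-auth)
        net = net_id_from_eap_request(request)          # terminal learns Net-ID
        terminal.authenticate(net)
        authenticator_pmk[net] = server.authenticate(net)[:PMK_LEN]
    # After the radio switch the terminal runs the 4-way handshake with the
    # WiFi authenticator from its stored WiFi PMK; the two sides must agree.
    return {
        "wifi_pmk_matches": terminal.pmk_for("WiFi") == authenticator_pmk["WiFi"],
        "wimax_pmk_matches": terminal.pmk_for("WiMAX") == authenticator_pmk["WiMAX"],
    }
```

With per_network=False the terminal's only slot holds MSK3 after the WiMAX re-authentication, so its WiFi PMK no longer matches the PMK2 the WiFi authenticator kept; with per_network=True both networks' keys survive.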
It should be noted that the above description of the key management mechanism during handover assumes that the lifetimes of the re-authentication master session key and the pre-authentication master session key have not expired. If the lifetime of the re-authentication master session key or the pre-authentication master session key has expired, that key must be recomputed from MSK or EMSK (assuming the MSK and EMSK keys themselves have not expired). If the lifetime of the MSK and EMSK keys has expired, the terminal and the authentication server must recompute and update MSK and EMSK, and at the same time update the re-authentication master session key, pre-authentication master session key and so on computed from MSK and EMSK.
It can be seen that the key management method of the embodiments adopts a layered management mechanism for the keys of EAP authentication, so that when the terminal switches between heterogeneous networks, the key produced by pre-authentication to the handover target network through the current network and the key the terminal uses in the current network do not overwrite each other. Moreover, because neither the pre-authentication to the handover target network through the current network nor the re-authentication in the original network requires recomputing the process that generates MSK and EMSK, efficiency is improved.
One of ordinary skill in the art will appreciate that all or part of step realized in above-described embodiment method is to come the hardware that instruction is relevant to complete by program, described program can be stored in a computer read/write memory medium, described storage medium, as: ROM/RAM, magnetic disc, CD etc.
Correspondingly, an embodiment of the present invention also provides an authentication server, whose structure is shown schematically in Figure 4.
In this embodiment, the authentication server comprises:
a receiving unit 401, for receiving the authentication message sent by an authenticator, the authentication message carrying the network identification information of the network to which the authenticator belongs;
a network determining unit 402, for determining, using the network identification information, the network to which the authentication corresponds;
a first key generation unit 403, for generating the master session key for that network using the master key the authentication server itself stores;
a first storage unit 404, for storing the master session key for that network separately from the master session keys for other networks.
The generation process of the master key can refer to the description of the key management method in the preceding embodiments of the present invention and is not repeated here.
In embodiments of the present invention, the authentication server may further comprise a first master key generation unit 405 and a transmitting unit 406. The first master key generation unit 405 generates the master key from the master session key produced in the authentication process when the terminal initially entered the network. The transmitting unit 406 sends the master session key to the authenticator, so that the authenticator can use the master session key to generate the pairwise key corresponding to that network.
The authentication server of the embodiment of the present invention manages the keys of EAP authentication by keeping separate groups of master session keys (MSKs and EMSKs) for different types of network or network domains (for example mobility domains): for the network to which an authentication corresponds, the authentication server uses the master key it stores to generate a master session key specific to that network. This effectively avoids master session keys overwriting each other when the terminal needs to authenticate to several different types of network at the same time, and guarantees that the terminal's communication after switching to the target network can be established.
Correspondingly, an embodiment of the present invention also provides a terminal, whose structure is shown schematically in Figure 5.
In this embodiment, the terminal comprises:
an access network determining unit 501, for determining the target network that needs to be accessed;
a second key generation unit 502, for generating the master session key for the target network using the master key the terminal itself stores;
a second storage unit 503, for storing the master session key for the target network separately from the master session key for the source network.
The generation process of the master key can refer to the description of the key management method in the preceding embodiments of the present invention and is not repeated here.
In embodiments of the present invention, the second key generation unit 502 may further be used to generate an initial master session key in the authentication process when the terminal initially enters the network; correspondingly, the terminal further comprises a second master key generation unit 504, for generating the master key according to that initial master session key.
In embodiments of the present invention, the terminal may further comprise a pairwise key generation unit 505, for using the master session key for the target network to generate the pairwise key corresponding to the target network.
By storing the master session key for the target network separately from the master session key for the source network, the terminal of the embodiment of the present invention ensures that, on handover between heterogeneous networks, the keys produced by pre-authenticating to the handover target network through the current network do not overwrite the keys used in the current network; and since neither pre-authentication to the target network through the current network nor re-authentication in the original network requires the process that generates the MSK and EMSK to be run again, efficiency is improved.
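The key hierarchy described for the authentication server (units 401 to 406) and the terminal (units 501 to 505), together with the lifetime handling noted above, written out as an added Python example; this is not code from the patent or from Huawei. The patent specifies no key derivation function, key lengths, labels or message format, so the HMAC-SHA256 counter-mode KDF, the labels, the `generation` counter folded into re-derivation, the network, authenticator and terminal identifiers and the `{"network_id": ...}` message shape are all assumptions, and the MSK/EMSK values are constructed stand-ins for the output of the initial EAP authentication.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass


def kdf(key: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """Counter-mode KDF over HMAC-SHA256 (an assumption: the patent names no PRF)."""
    out, counter = b"", 1
    while len(out) < length:
        out += hmac.new(key, bytes([counter]) + label + b"\x00" + context, hashlib.sha256).digest()
        counter += 1
    return out[:length]


@dataclass
class NetworkKey:
    msk: bytes          # master session key for exactly one network
    expires_at: float   # end of the key's lifetime (seconds)
    generation: int     # bumped on each re-derivation so a renewed key differs (assumption)


class KeyHierarchy:
    """Per-network key store; the server and the terminal each run an identical copy."""

    def __init__(self, msk: bytes, emsk: bytes, lifetime_s: float, clock=time.time):
        self.clock, self.lifetime_s = clock, lifetime_s
        self.keys: dict[bytes, NetworkKey] = {}
        self.renew_master(msk, emsk)

    def renew_master(self, msk: bytes, emsk: bytes) -> None:
        # Second case of the description: MSK/EMSK expired and a full EAP run produced
        # new ones, so the master key and everything derived from it are recomputed.
        self.master_key = kdf(emsk, b"master-key", msk, 32)
        self.keys.clear()

    def network_msk(self, network_id: bytes) -> bytes:
        # First case of the description: an expired per-network key is recomputed from
        # the still-valid master key with no new EAP exchange. Entries for other networks
        # are untouched because the store is keyed by network identity.
        entry = self.keys.get(network_id)
        if entry is None:
            entry = self._derive(network_id, 0)
        elif entry.expires_at <= self.clock():
            entry = self._derive(network_id, entry.generation + 1)
        return entry.msk

    def _derive(self, network_id: bytes, generation: int) -> NetworkKey:
        context = network_id + generation.to_bytes(4, "big")
        entry = NetworkKey(kdf(self.master_key, b"network-msk", context, 64),
                           self.clock() + self.lifetime_s, generation)
        self.keys[network_id] = entry
        return entry


def pairwise_key(network_msk: bytes, authenticator_id: bytes, terminal_id: bytes) -> bytes:
    """Pairwise key for one authenticator: the authenticator computes it from the MSK the
    server sent it, the terminal from its own copy of the same per-network MSK."""
    return kdf(network_msk, b"pairwise", authenticator_id + b"\x00" + terminal_id, 32)


def server_handle_authentication(server: KeyHierarchy, message: dict) -> bytes:
    """Units 401-403 / claim 1: the network identity carried in the authenticator's
    message selects which per-network MSK the server derives and returns to it."""
    return server.network_msk(message["network_id"])


class FakeClock:
    def __init__(self, t: float = 1_000_000.0): self.t = t   # controllable clock: expire keys without sleeping
    def __call__(self) -> float: return self.t


def demo() -> dict:
    clock = FakeClock()
    msk, emsk = bytes(range(64)), bytes(range(64, 128))   # constructed stand-ins for the EAP output
    server = KeyHierarchy(msk, emsk, lifetime_s=3600, clock=clock)
    terminal = KeyHierarchy(msk, emsk, lifetime_s=3600, clock=clock)
    term, cur_net, cur_ap, tgt_net, tgt_bs = b"term-1", b"net:wlan", b"ap-3", b"net:wimax", b"bs-7"

    # Terminal attached to the current network through authenticator cur_ap.
    cur_pk = pairwise_key(server_handle_authentication(server, {"network_id": cur_net}), cur_ap, term)
    assert cur_pk == pairwise_key(terminal.network_msk(cur_net), cur_ap, term)

    # Pre-authentication to the target network, carried over the current network.
    tgt_msk = server_handle_authentication(server, {"network_id": tgt_net})
    authenticator_side = pairwise_key(tgt_msk, tgt_bs, term)
    terminal_side = pairwise_key(terminal.network_msk(tgt_net), tgt_bs, term)

    # The current network's key must survive the pre-authentication.
    cur_pk_after = pairwise_key(terminal.network_msk(cur_net), cur_ap, term)

    # Per-network lifetime ends: re-derive from the master key, not by re-running EAP.
    clock.t += 3601
    renewed = terminal.network_msk(tgt_net)
    return {"target_keys_match": authenticator_side == terminal_side,
            "current_key_preserved": cur_pk == cur_pk_after,
            "networks_stored": len(terminal.keys),
            "renewed_differs": renewed != tgt_msk,
            "renewed_generation": terminal.keys[tgt_net].generation}


if __name__ == "__main__":
    print(demo())
```

Both sides build `KeyHierarchy` from the same initial MSK/EMSK, so the pairwise key the authenticator derives from the MSK the server sends it equals the one the terminal derives locally, and the per-network dictionary is what keeps the pre-authentication entry for `net:wimax` from overwriting the entry for `net:wlan`. The generation counter exists only so that an expired per-network key re-derives to a fresh value; in a real deployment both sides would have to agree on it explicitly, which the patent does not address.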
The embodiments of the present invention have been described in detail above. Specific embodiments are used herein to explain the invention, and the description of the above embodiments is only intended to help in understanding the method and apparatus of the invention; those of ordinary skill in the art will, following the idea of the invention, make changes in the specific embodiments and in the scope of application. In sum, the content of this description should not be construed as limiting the invention.

Claims (12)

1. A key management method, characterized in that it comprises:
an authentication server receiving an authentication message sent by an authenticator, the authentication message carrying the network identification information of the network to which the authenticator belongs;
determining, using the network identification information, the network to which the authentication corresponds;
generating, using a master key the authentication server itself stores, a master session key for that network, and storing the master session key for that network separately from the master session keys for other networks;
wherein the master key is generated from the master session key produced in the authentication process when the terminal initially entered the network.
2. The method according to claim 1, characterized in that the method further comprises:
the authentication server sending the master session key to the authenticator, so that the authenticator uses the master session key to generate the pairwise key corresponding to that network.
3. A key management method, characterized in that it comprises:
a terminal determining the target network it needs to access;
generating, using a master key the terminal itself stores, a master session key for the target network, and storing the master session key for the target network separately from the master session key for the source network;
wherein the master key is generated from the master session key produced in the authentication process when the terminal initially entered the network.
4. The method according to claim 3, characterized in that the terminal determining the target network it needs to access comprises:
the terminal determining the target network it needs to access according to the network identity carried in the received authentication request message sent by the authenticator of the target network.
5. The method according to claim 3, characterized in that the method further comprises:
generating an initial master session key in the authentication process when the terminal initially enters the network;
generating the master key according to the initial master session key.
6. The method according to claim 5, characterized in that the method further comprises:
the terminal using the master session key for the target network to generate the pairwise key corresponding to that network.
7. An authentication server, characterized in that it comprises:
a receiving unit, for receiving the authentication message sent by an authenticator, the authentication message carrying the network identification information of the network to which the authenticator belongs;
a network determining unit, for determining, using the network identification information, the network to which the authentication corresponds;
a first key generation unit, for generating the master session key for that network using a master key the authentication server itself stores, wherein the stored master key is generated from the master session key produced in the authentication process when the terminal initially entered the network;
a first storage unit, for storing the master session key for that network separately from the master session keys for other networks.
8. The authentication server according to claim 7, characterized in that it further comprises:
a first master key generation unit, for generating the master key from the master session key produced in the authentication process when the terminal initially entered the network.
9. The authentication server according to claim 7, characterized in that it further comprises:
a transmitting unit, for sending the master session key to the authenticator, so that the authenticator uses the master session key to generate the pairwise key corresponding to that network.
10. A terminal, characterized in that it comprises:
an access network determining unit, for determining the target network that needs to be accessed;
a second key generation unit, for generating the master session key for the target network using a master key the terminal itself stores, wherein the stored master key is generated from the master session key produced in the authentication process when the terminal initially entered the network;
a second storage unit, for storing the master session key for the target network separately from the master session key for the source network.
11. The terminal according to claim 10, characterized in that:
the second key generation unit is further for generating an initial master session key in the authentication process when the terminal initially enters the network;
and the terminal further comprises:
a second master key generation unit, for generating the master key according to the initial master session key.
12. The terminal according to claim 11, characterized in that the terminal further comprises:
a pairwise key generation unit, for using the master session key for the target network to generate the pairwise key corresponding to that target network.
Application CN200910261713.2A | Priority date 2009-12-28 | Filing date 2009-12-28 | Secrete key management method and equipment | Expired - Fee Related | CN102111761B (en)

Priority Applications (1) / Applications Claiming Priority (1)

Application Number | Priority Date | Filing Date | Title
CN200910261713.2A | 2009-12-28 | 2009-12-28 | Secrete key management method and equipment

Publications (2)

Publication Number | Publication Date
CN102111761A (en) | 2011-06-29
CN102111761B (en) | 2014-01-01

Family

ID=44175757

Family Applications (1)

Application Number | Title | Priority Date | Filing Date
CN200910261713.2A (Expired - Fee Related; CN102111761B, en) | Secrete key management method and equipment | 2009-12-28 | 2009-12-28

Country Status (1)

Country | Link
CN (1) | CN102111761B (en)

Cited By (1)

* Cited by examiner, † Cited by third party

Publication number | Priority date | Publication date | Assignee | Title
US9622142B2 | 2014-08-25 | 2017-04-11 | International Business Machines Corporation | System and method en-route wireless network access

Families Citing this family (3)

Publication number | Priority date | Publication date | Assignee | Title
CN103402201B * | 2013-08-01 | 2016-08-17 | 广州大学 | A kind of WiFi-WiMAX heterogeneous wireless network authentication method based on pre-authentication
CN103618600B * | 2013-10-29 | 2016-05-25 | 电子科技大学 | A kind of hybrid cryptographic key processing method of rivest, shamir, adelman
US9674165B2 * | 2015-05-28 | 2017-06-06 | Nxp B.V. | Efficient key derivation with forward secrecy

Citations (4)

Publication number | Priority date | Publication date | Assignee | Title
CN1953395A * | 2006-09-18 | 2007-04-25 | 北京明朝万达科技有限公司 | A method to control network separation based on mode switch
CN101083839A * | 2007-06-29 | 2007-12-05 | 中兴通讯股份有限公司 | Cipher key processing method for switching among different mobile access systems
CN101102600A * | 2007-06-29 | 2008-01-09 | 中兴通讯股份有限公司 | Secret key processing method for switching between different mobile access systems
CN101296481A * | 2007-04-27 | 2008-10-29 | 华为技术有限公司 | A network switching method, device and system

Family Cites Families (7)

Publication number | Priority date | Publication date | Assignee | Title
CN1964259B * | 2005-11-07 | 2011-02-16 | 华为技术有限公司 | A method to manage secret key in the course of switch-over
CN101009910A * | 2006-01-25 | 2007-08-01 | 华为技术有限公司 | Method and device for realizing the extended authentication protocol in the wireless network
JP2009010470A * | 2007-06-26 | 2009-01-15 | Toshiba Corp | Terminal device, group management server, network communication system, and method for generating encryption key
KR100924168B1 * | 2007-08-07 | 2009-10-28 | 한国电子通信研究院 | Authentication Key Generation Method and Authentication Method Negotiation Method for Frequency Overlay-based Communication Systems
CN101471777B * | 2007-12-29 | 2011-08-31 | 中国科学院计算技术研究所 | Access control system and method between domains based on domain name
ES2393577T3 * | 2008-04-02 | 2012-12-26 | Nokia Siemens Networks Oy | Security for non-3GPP access to an evolved package system
US20090274302A1 * | 2008-04-30 | 2009-11-05 | Mediatek Inc. | Method for deriving traffic encryption key

Also Published As

Publication number | Publication date
CN102111761A (en) | 2011-06-29

Legal Events

Code | Title | Description
C06 | Publication |
PB01 | Publication |
C10 | Entry into substantive examination |
SE01 | Entry into force of request for substantive examination |
C53 | Correction of patent of invention or patent application |
CB02 | Change of applicant information | Address after: 518129 Longgang District, Guangdong, Bantian HUAWEI base B District, building 2, building No.; Applicant after: HUAWEI DEVICE Co.,Ltd.; Address before: 518129 Longgang District, Guangdong, Bantian HUAWEI base B District, building 2, building No.; Applicant before: Huawei Device Co.,Ltd.
COR | Change of bibliographic data | CORRECT: APPLICANT; FROM: SHENZHEN HUAWEI COMMUNICATION TECHNOLOGY CO., LTD. TO: HUAWEI DEVICE CO., LTD.
C14 | Grant of patent or utility model |
GR01 | Patent grant |
ASS | Succession or assignment of patent right | Owner name: BEIJING ZHONGCAI WYSE EDUCATION TECHNOLOGY CO., LT; Former owner: HUAWEI DEVICE CO., LTD.; Effective date: 20141115. Owner name: NANTONG TONGZHOU XINZHIHAO INDUSTRIAL CO., LTD.; Former owner: BEIJING ZHONGCAI WYSE EDUCATION TECHNOLOGY CO., LTD.; Effective date: 20141115
C41 | Transfer of patent application or patent right or utility model |
COR | Change of bibliographic data | CORRECT: ADDRESS; FROM: 518129 SHENZHEN, GUANGDONG PROVINCE TO: 100083 HAIDIAN, BEIJING. CORRECT: ADDRESS; FROM: 100083 HAIDIAN, BEIJING TO: 226314 NANTONG, JIANGSU PROVINCE
TR01 | Transfer of patent right | Effective date of registration: 20141115; Address after: 226314 Jiangsu city of Nantong province Tongzhou District Chuan Jiang Zhen Zhi Hao Market; Patentee after: Tongzhou District Nantong Xin Hao Industrial Co.,Ltd.; Address before: 100083 Beijing Haidian District Zhongguancun Road No. 18 smartfortune International Building B706; Patentee before: Beijing Zhongcai Wyse Education Technology Co.,Ltd. Effective date of registration: 20141115; Address after: 100083 Beijing Haidian District Zhongguancun Road No. 18 smartfortune International Building B706; Patentee after: Beijing Zhongcai Wyse Education Technology Co.,Ltd.; Address before: 518129 Longgang District, Guangdong, Bantian HUAWEI base B District, building 2, building No.; Patentee before: HUAWEI DEVICE Co.,Ltd.
CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20140101; Termination date: 20181228