[go: up one dir, main page]

CN1604534A - Method for acquiring key by user through service data carried key information - Google Patents

Method for acquiring key by user through service data carried key information Download PDF

Info

Publication number
CN1604534A
CN1604534A CN 03154459 CN03154459A CN1604534A CN 1604534 A CN1604534 A CN 1604534A CN 03154459 CN03154459 CN 03154459 CN 03154459 A CN03154459 A CN 03154459A CN 1604534 A CN1604534 A CN 1604534A
Authority
CN
China
Prior art keywords
multicast
key
broadcast service
broadcast
group
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN 03154459
Other languages
Chinese (zh)
Inventor
郑志彬
张文林
黄迎新
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd filed Critical Huawei Technologies Co Ltd
Priority to CN 03154459 priority Critical patent/CN1604534A/en
Publication of CN1604534A publication Critical patent/CN1604534A/en
Pending legal-status Critical Current

Links

Images

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

本发明公开了一种用户通过业务数据携带密钥信息的方式获取密钥的方法,多播/广播服务器与多播/广播业务用户建立密钥参数与密钥参数标识的对应关系;多播/广播服务器向多播/广播业务用户同时发送加密的多播/广播业务信息和密钥参数标识,多播/广播业务用户根据收到的密钥参数标识和存储的密钥参数与密钥参数标识的对应关系,获取当前群组加密密钥。根据本发明提出的方法,发送多播/广播业务信息的同时,只需发送几个bit的密钥参数标识,就可使多播/广播业务用户获取群组加密密钥,从而使多播/广播业务信息能够有效使用传输空间。本发明通过不断变换密钥参数标识,使多播/广播业务用户获取不同群组加密密钥,实现对群组加密密钥的更新。

Figure 03154459

The invention discloses a method for a user to obtain a key by carrying key information in business data. A multicast/broadcast server and a multicast/broadcast service user establish a corresponding relationship between a key parameter and a key parameter identifier; the multicast/broadcast The broadcast server sends encrypted multicast/broadcast service information and key parameter identification to the multicast/broadcast service user at the same time, and the multicast/broadcast service user uses the received key parameter identification and the stored key parameter and key parameter identification The corresponding relationship to obtain the current group encryption key. According to the method proposed by the present invention, while sending multicast/broadcast service information, only a few bits of key parameter identifiers need to be sent to enable the multicast/broadcast service user to obtain a group encryption key, so that the multicast/broadcast Broadcasting service information enables efficient use of transmission space. The invention enables multicast/broadcast service users to acquire different group encryption keys by continuously changing the key parameter identification, and realizes updating of the group encryption keys.

Figure 03154459

Description

用户通过业务数据携带密钥信息的方式获取密钥的方法The method for the user to obtain the key by carrying the key information in the business data

技术领域technical field

本发明涉及数据传输技术,特别是指一种无线通信网络中用户通过业务数据携带密钥信息的方式获取加密密钥的方法。The invention relates to data transmission technology, in particular to a method for a user in a wireless communication network to obtain an encryption key by carrying key information in service data.

背景技术Background technique

在无线通信网络中,多播/广播业务是指一点到多点的单向承载业务,多播/广播业务信息由一个原实体发送,多个实体接收,如图1所示,多播/广播业务信息由多播/广播服务器广播发送至多个终端。在一定区域内,已经订阅多播/广播业务的用户能够享受多播/广播业务的服务。多播/广播服务器是指能够提供多播/广播服务,兼具密钥生成管理功能的功能实体,可为在无线通信网络中新增的功能实体,也可为现有无线通信网络中的一个功能实体或多个功能实体的组合。In a wireless communication network, multicast/broadcast services refer to point-to-multipoint unidirectional bearer services. Multicast/broadcast service information is sent by one original entity and received by multiple entities. As shown in Figure 1, multicast/broadcast Service information is broadcasted to multiple terminals by the multicast/broadcast server. In a certain area, users who have subscribed to the multicast/broadcast service can enjoy the service of the multicast/broadcast service. A multicast/broadcast server refers to a functional entity that can provide multicast/broadcast services and also has key generation and management functions. It can be a new functional entity in the wireless communication network, or one of the existing wireless communication networks. A functional entity or a combination of multiple functional entities.

在多播/广播业务中,为防止没有订阅多播/广播业务或未付费的用户享受到多播/广播业务的服务,需要在多播/广播业务中设置共享的群组加密密钥,并且群组加密密钥只有多播/广播业务用户和提供多播/广播业务的多播/广播服务器知道,而没有订阅多播/广播业务或未付费的用户无权知道该群组加密密钥。多播/广播服务器使用群组加密密钥对多播/广播业务信息进行加密,然后再发送给多播/广播业务用户;多播/广播业务用户收到加密的多播/广播业务信息后,使用群组加密密钥对多播/广播业务信息进行解密,获取多播/广播业务信息,最终享受到多播/广播业务的服务。In the multicast/broadcast service, in order to prevent users who have not subscribed to the multicast/broadcast service or have not paid for the service of the multicast/broadcast service, it is necessary to set a shared group encryption key in the multicast/broadcast service, and The group encryption key is only known to the multicast/broadcast service user and the multicast/broadcast server providing the multicast/broadcast service, but users who have not subscribed to the multicast/broadcast service or have not paid have no right to know the group encryption key. The multicast/broadcast server uses the group encryption key to encrypt the multicast/broadcast service information, and then sends it to the multicast/broadcast service user; after the multicast/broadcast service user receives the encrypted multicast/broadcast service information, Use the group encryption key to decrypt the multicast/broadcast service information, obtain the multicast/broadcast service information, and finally enjoy the multicast/broadcast service.

多播/广播业务中需要使用多个密钥,这些密钥在多播/广播业务中的生成是分不同层次的,如图2所示,多播/广播业务中生成各种密钥的过程包括以下步骤:Multicast/broadcast services need to use multiple keys, and these keys are generated at different levels in multicast/broadcast services. As shown in Figure 2, the process of generating various keys in multicast/broadcast services Include the following steps:

步骤201:多播/广播业务用户加入多播/广播业务时,多播/广播服务器和多播/广播业务用户之间进行认证,在认证过程中通过鉴权和密钥协商协议(AKA),多播/广播服务器和多播/广播业务用户同时生成相同的根密钥RK。不同多播/广播业务用户的RK是互不相同的。RK可为多播/广播业务用户在签约多播/广播业务时由运营商分配的,多播/广播业务用户每次加入多播/广播业务都使用该RK;RK也可为多播/广播业务用户每次加入多播/广播业务时,在认证过程中多播/广播服务器和多播/广播业务用户同时生成的,在多播/广播业务用户退出当前多播/广播业务之前一直有效,多播/广播业务用户下次加入多播/广播业务时,和多播/广播服务器一同生成新的RK。Step 201: when the multicast/broadcast service user joins the multicast/broadcast service, authentication is performed between the multicast/broadcast server and the multicast/broadcast service user, and authentication and key agreement (AKA) is passed during the authentication process, The multicast/broadcast server and the multicast/broadcast service user simultaneously generate the same root key RK. The RKs of different multicast/broadcast service users are different from each other. RK can be assigned by the operator when the multicast/broadcast service user subscribes to the multicast/broadcast service, and the multicast/broadcast service user will use the RK every time he joins the multicast/broadcast service; RK can also be multicast/broadcast Each time a service user joins a multicast/broadcast service, it is generated simultaneously by the multicast/broadcast server and the multicast/broadcast service user during the authentication process, and is valid until the multicast/broadcast service user quits the current multicast/broadcast service. When the multicast/broadcast service user joins the multicast/broadcast service next time, a new RK is generated together with the multicast/broadcast server.

步骤202:多播/广播服务器和多播/广播业务用户生成RK后,共同生成相同的用于加密群组共享密钥BAK的TK。生成TK的过程可为:多播/广播服务器生成用于生成TK的随机数,然后将该随机数发送给多播/广播业务用户,多播/广播服务器和多播/广播业务用户根据RK和随机数共同生成相同的TK。不同多播/广播业务用户的TK是互不相同的。为提高TK的安全性,可在TK加密BAK后,就对TK进行更新,即多播/广播服务器和多播/广播业务用户一同生成新的TK。Step 202: After the multicast/broadcast server and the multicast/broadcast service user generate RK, they jointly generate the same TK for encrypting the group shared key BAK. The process of generating TK can be: the multicast/broadcast server generates a random number for generating TK, and then sends the random number to the multicast/broadcast service user, the multicast/broadcast server and the multicast/broadcast service user according to RK and The random numbers collectively generate the same TK. The TKs of different multicast/broadcast service users are different from each other. In order to improve the security of TK, TK can be updated after TK encrypts BAK, that is, the multicast/broadcast server and multicast/broadcast service users can generate a new TK together.

步骤203~步骤205:多播/广播服务器生成用来加密群组加密密钥的群组共享密钥BAK,然后使用TK加密BAK,并将加密的BAK发送给多播/广播业务用户。多播/广播业务用户收到加密的BAK后,使用自身存储的TK解密BAK,获取并存储BAK。Steps 203 to 205: the multicast/broadcast server generates the group shared key BAK used to encrypt the group encryption key, then encrypts the BAK with TK, and sends the encrypted BAK to the multicast/broadcast service users. After receiving the encrypted BAK, the multicast/broadcast service user decrypts the BAK with its own stored TK, obtains and stores the BAK.

步骤206:生成用于加密多播/广播业务信息的群组加密密钥TEK。生成TEK的可为:多播/广播服务器生成用于生成TEK的随机数,然后将该随机数发送给多播/广播业务用户,多播/广播服务器和多播/广播业务用户根据BAK和随机数共同生成相同的TEK。生成TEK的过程也可为:多播/广播服务器生成用于生成TEK的随机数,根据BAK和随机数生成TEK后,使用BAK加密TEK,并将加密的TEK发送给多播/广播业务用户。多播/广播业务用户收到加密的TEK后,使用自身存储的BAK解密TEK,获取TEK。Step 206: Generate a group encryption key TEK for encrypting multicast/broadcast service information. The generation of TEK can be: the multicast/broadcast server generates a random number for generating TEK, and then sends the random number to the multicast/broadcast service user, the multicast/broadcast server and the multicast/broadcast service user Numbers together generate the same TEK. The process of generating the TEK can also be: the multicast/broadcast server generates a random number for generating the TEK, generates the TEK according to the BAK and the random number, encrypts the TEK with the BAK, and sends the encrypted TEK to the multicast/broadcast service user. After receiving the encrypted TEK, the multicast/broadcast service user decrypts the TEK with its own stored BAK to obtain the TEK.

为防止群组外的用户享受多播/广播业务的服务,用于加密多播/广播业务信息的TEK不是一成不变的,需要经常更新,在实际应用中,可使每次加密多播/广播业务信息的TEK都不相同,即多播/广播服务器使用不同的TEK加密每次向多播/广播业务用户发送的多播/广播业务信息的数据包,这样可大大增加多播/广播业务信息的安全性。In order to prevent users outside the group from enjoying multicast/broadcast services, the TEK used to encrypt multicast/broadcast service information is not static and needs to be updated frequently. In practical applications, each encrypted multicast/broadcast service can be encrypted The TEKs of the information are different, that is, the multicast/broadcast server uses different TEKs to encrypt the data packets of the multicast/broadcast service information sent to the multicast/broadcast service users each time, which can greatly increase the security of the multicast/broadcast service information. safety.

为提高TK的保密性,可在TK加密BAK后,就对TK进行更新,即多播/广播服务器和多播/广播业务用户共同生成新的TK。In order to improve the confidentiality of TK, TK can be updated after TK encrypts BAK, that is, the multicast/broadcast server and multicast/broadcast service users jointly generate a new TK.

图3为现有技术一群组加密密钥的获取过程示意图,如图3所示,多播/广播业务用户获取群组加密密钥的过程包括以下步骤:FIG. 3 is a schematic diagram of the process of obtaining a group encryption key in the prior art. As shown in FIG. 3 , the process for a multicast/broadcast service user to obtain a group encryption key includes the following steps:

步骤301~步骤303:多播/广播服务器生成用来加密群组加密密钥的群组共享密钥BAK,然后使用TK加密BAK,并将加密的BAK发送给多播/广播业务用户。多播/广播业务用户收到加密的BAK后,使用自身存储的TK解密BAK,获取并存储BAK。Steps 301 to 303: the multicast/broadcast server generates a group shared key BAK for encrypting the group encryption key, then encrypts the BAK with TK, and sends the encrypted BAK to the multicast/broadcast service users. After receiving the encrypted BAK, the multicast/broadcast service user decrypts the BAK with its own stored TK, obtains and stores the BAK.

另外,多播/广播服务器可针对不同范围的多播/广播业务信息,同时生成多个BAK,此时,多播/广播服务器为生成的BAK分配标识,然后使用TK加密BAK,并将加密的BAK及BAK标识发送给多播/广播业务用户。这样,多播/广播业务用户存储了一系列BAK。In addition, the multicast/broadcast server can simultaneously generate multiple BAKs for different ranges of multicast/broadcast service information. BAK and BAK identifier are sent to multicast/broadcast service users. In this way, the multicast/broadcast service user stores a series of BAKs.

步骤304:多播/广播服务器生成用于生成TEK的随机数,根据BAK和随机数生成TEK。Step 304: The multicast/broadcast server generates a random number for generating TEK, and generates TEK according to the BAK and the random number.

步骤305~步骤307:多播/广播服务器使用TEK加密多播/广播业务信息,并使用BAK加密该TEK,然后向多播/广播业务用户发送加密的多播/广播业务信息和加密的TEK。多播/广播业务用户收到加密的多播/广播业务信息和加密的TEK后,使用自身存储的BAK解密TEK,获取TEK;然后使用该TEK解密多播/广播业务信息,获取多播/广播业务信息。Steps 305 to 307: the multicast/broadcast server encrypts the multicast/broadcast service information with TEK, encrypts the TEK with BAK, and then sends the encrypted multicast/broadcast service information and encrypted TEK to the multicast/broadcast service user. After receiving the encrypted multicast/broadcast service information and encrypted TEK, the multicast/broadcast service user decrypts the TEK with its own stored BAK to obtain the TEK; then uses the TEK to decrypt the multicast/broadcast service information to obtain the multicast/broadcast business information.

如果多播/广播业务用户存储有一系列BAK,则多播/广播服务器向多播/广播业务用户发送加密的多播/广播业务信息和加密的TEK的同时,还需向多播/广播业务用户发送BAK标识,以使多播/广播业务用户根据BAK标识和自身存储的BAK与BAK标识的对应关系,确定当前加密TEK的BAK。If the multicast/broadcast service user stores a series of BAKs, the multicast/broadcast server needs to send the encrypted multicast/broadcast service information and encrypted TEK to the multicast/broadcast service user The BAK identifier is sent, so that the multicast/broadcast service user determines the BAK of the current encrypted TEK according to the BAK identifier and the corresponding relationship between the BAK and the BAK identifier stored by itself.

通过对上述过程的描述可见:多播/广播服务器在向多播/广播业务用户发送加密的多播/广播业务信息时,还需发送加密的TEK。通常,TEK至少为128字节(bit),将TEK与多播/广播业务信息一同发送,会使TEK过多地占用固定传输带宽中的传输空间,大大减小了传输多播/广播业务信息时能够使用的传输空间,无法使多播/广播业务信息有效地使用传输空间。另外,多播/广播业务信息与TEK一同发送,为多播/广播业务信息的安全性带来了隐患,大大降低了多播/广播业务信息的安全性。此外,在每次传输多播/广播业务信息时都需要使用BAK加密TEK,BAK的频繁使用也为BAK的安全性带来了威胁。From the description of the above process, it can be seen that when the multicast/broadcast server sends encrypted multicast/broadcast service information to multicast/broadcast service users, it also needs to send an encrypted TEK. Usually, TEK is at least 128 bytes (bit). Sending TEK together with multicast/broadcast service information will cause TEK to occupy too much transmission space in the fixed transmission bandwidth, greatly reducing the transmission of multicast/broadcast service information. The transmission space that can be used at that time cannot make the multicast/broadcast service information effectively use the transmission space. In addition, the multicast/broadcast service information is sent together with the TEK, which brings hidden dangers to the security of the multicast/broadcast service information and greatly reduces the security of the multicast/broadcast service information. In addition, the BAK needs to be used to encrypt the TEK every time the multicast/broadcast service information is transmitted, and the frequent use of the BAK also poses a threat to the security of the BAK.

图4为现有技术二群组加密密钥的获取过程示意图,如图4所示,多播/广播业务用户获取群组加密密钥的过程包括以下步骤:FIG. 4 is a schematic diagram of the acquisition process of two group encryption keys in the prior art. As shown in FIG. 4, the process for a multicast/broadcast service user to obtain a group encryption key includes the following steps:

步骤401~步骤403与步骤301~步骤303基本相同。Steps 401 to 403 are basically the same as steps 301 to 303.

步骤404与步骤304基本相同。Step 404 is basically the same as step 304 .

步骤405~步骤407:多播/广播服务器使用TEK加密多播/广播业务信息,然后向多播/广播业务用户发送加密的多播/广播业务信息和生成的随机数。多播/广播业务用户收到加密的多播/广播业务信息和随机数后,根据自身存储的BAK和随机数生成TEK;然后使用生成的TEK解密多播/广播业务信息,获取多播/广播业务信息。Steps 405 to 407: the multicast/broadcast server uses TEK to encrypt the multicast/broadcast service information, and then sends the encrypted multicast/broadcast service information and the generated random number to the multicast/broadcast service user. After multicast/broadcast service users receive encrypted multicast/broadcast service information and random numbers, they generate TEK according to their stored BAK and random numbers; then use the generated TEK to decrypt multicast/broadcast service information and obtain multicast/broadcast business information.

如果多播/广播业务用户存储有一系列BAK,则多播/广播服务器向多播/广播业务用户发送加密的多播/广播业务信息和用于生成TEK的随机数的同时,还需向多播/广播业务用户发送BAK标识,以使多播/广播业务用户根据BAK标识和自身存储的BAK与BAK标识的对应关系,确定当前使用的用于生成TEK的BAK。If the multicast/broadcast service user stores a series of BAKs, the multicast/broadcast server needs to send the encrypted multicast/broadcast service information and the random number used to generate the TEK to the multicast/broadcast service user. The /broadcast service user sends the BAK identifier, so that the multicast/broadcast service user can determine the currently used BAK for generating the TEK according to the BAK identifier and the corresponding relationship between the BAK and the BAK identifier stored by itself.

通过对上述过程的描述可见:多播/广播服务器在向多播/广播业务用户发送加密的多播/广播业务信息时,还需发送用于生成TEK的随机数。通常,随机数至少为32bits,将随机数与多播/广播业务信息一同发送,会使随机数占用固定传输带宽中的传输空间,减小了传输多播/广播业务信息时能够使用的传输空间,无法使多播/广播业务信息有效地使用传输空间。From the description of the above process, it can be seen that when the multicast/broadcast server sends encrypted multicast/broadcast service information to the multicast/broadcast service user, it also needs to send a random number for generating TEK. Usually, the random number is at least 32 bits. Sending the random number together with the multicast/broadcast service information will cause the random number to occupy the transmission space in the fixed transmission bandwidth, reducing the transmission space that can be used when transmitting the multicast/broadcast service information. , it is impossible to make the multicast/broadcast service information effectively use the transmission space.

发明内容Contents of the invention

有鉴于此,本发明的主要目的在于提供一种用户通过业务数据携带密钥信息的方式获取密钥的方法,使多播/广播业务信息有效使用传输空间。In view of this, the main purpose of the present invention is to provide a method for a user to obtain a key by carrying key information in service data, so that the multicast/broadcast service information can effectively use the transmission space.

为了达到上述目的,本发明提供了一种用户通过业务数据携带密钥信息的方式获取密钥的方法,该方法包含以下步骤:In order to achieve the above object, the present invention provides a method for a user to obtain a key by carrying key information in business data, the method includes the following steps:

A、多播/广播服务器与多播/广播业务用户预先建立密钥参数与密钥参数标识的对应关系;A. The multicast/broadcast server and the multicast/broadcast service user pre-establish the corresponding relationship between key parameters and key parameter identifiers;

B、多播/广播服务器向多播/广播业务用户同时发送加密的多播/广播业务信息和密钥参数标识,多播/广播业务用户根据收到的密钥参数标识和存储的密钥参数与密钥参数标识的对应关系,获取当前群组加密密钥。B. The multicast/broadcast server sends encrypted multicast/broadcast service information and key parameter identification to the multicast/broadcast service user at the same time, and the multicast/broadcast service user uses the received key parameter identification and stored key parameter Corresponding relationship with the key parameter identifier to obtain the current group encryption key.

所述步骤A之前进一步包括:Further include before the step A:

A0、多播/广播服务器生成一个以上的密钥参数,并为所述密钥参数分配标识,然后向多播/广播业务用户发送密钥参数与密钥参数标识的对应关系。A0. The multicast/broadcast server generates more than one key parameter, assigns an identifier to the key parameter, and then sends the correspondence between the key parameter and the key parameter identifier to the multicast/broadcast service user.

步骤A中所述密钥参数是用于生成群组加密密钥的随机数,所述密钥参数标识是随机数标识,The key parameter in step A is a random number used to generate a group encryption key, and the key parameter identifier is a random number identifier,

所述步骤B进一步包括:多播/广播服务器向多播/广播业务用户同时发送加密的多播/广播业务信息和随机数标识,多播/广播业务用户根据收到的随机数标识和存储的随机数与随机数标识的对应关系,找到随机数,然后根据存储的群组共享密钥和所述随机数生成当前群组加密密钥。The step B further includes: the multicast/broadcast server simultaneously sends encrypted multicast/broadcast service information and random number identification to the multicast/broadcast service user, and the multicast/broadcast service user receives the random number identification and stored The corresponding relationship between the random number and the random number identifier, finding the random number, and then generating the current group encryption key according to the stored group shared key and the random number.

所述步骤A0之前进一步包括:多播/广播服务器生成一个以上的群组共享密钥,并为所述群组共享密钥分配标识,然后向多播/广播业务用户发送加密的群组共享密钥与群组共享密钥标识的对应关系,多播/广播业务用户预先存储解密的群组共享密钥与群组共享密钥标识的对应关系;Before the step A0, it further includes: the multicast/broadcast server generates more than one group shared key, and assigns an identifier to the group shared key, and then sends the encrypted group shared key to the multicast/broadcast service user. The corresponding relationship between the key and the group shared key identifier, and the corresponding relationship between the group shared key stored and decrypted in advance by the multicast/broadcast service user and the group shared key identifier;

步骤B中所述多播/广播业务用户根据存储的群组共享密钥和所述随机数生成当前群组加密密钥之前,进一步包括:多播/广播服务器向多播/广播业务用户发送的多播/广播业务信息中携带群组共享密钥标识,多播/广播业务用户根据收到的群组共享密钥标识和存储的群组共享密钥与群组共享密钥标识的对应关系,找到所述群组共享密钥。Before the multicast/broadcast service user generates the current group encryption key according to the stored group shared key and the random number in step B, it further includes: the multicast/broadcast server sends the multicast/broadcast service user The multicast/broadcast service information carries the group shared key identifier, and the multicast/broadcast service user, according to the received group shared key identifier and the stored corresponding relationship between the group shared key and the group shared key identifier, Find the group shared secret.

所述步骤B之前进一步包括:多播/广播服务器根据选定的随机数和存储的群组共享密钥生成当前群组加密密钥,然后使用所述当前群组加密密钥加密多播/广播业务信息。Before the step B, it further includes: the multicast/broadcast server generates the current group encryption key according to the selected random number and the stored group shared key, and then uses the current group encryption key to encrypt the multicast/broadcast business information.

步骤A中所述密钥参数是多播/广播服务器生成的群组加密密钥,所述密钥参数标识是群组加密密钥标识,The key parameter in step A is the group encryption key generated by the multicast/broadcast server, and the key parameter identifier is the group encryption key identifier,

所述步骤B包括:多播/广播服务器向多播/广播业务用户同时发送加密的多播/广播业务信息和群组加密密钥标识,多播/广播业务用户根据收到的群组加密密钥标识和存储的群组加密密钥与群组加密密钥标识的对应关系,找到当前群组加密密钥。The step B includes: the multicast/broadcast server simultaneously sends encrypted multicast/broadcast service information and group encryption key identification to the multicast/broadcast service user, and the multicast/broadcast service user Find the current group encryption key based on the corresponding relationship between the key identifier and the stored group encryption key and the group encryption key identifier.

所述步骤A0之前进一步包括步骤A00:多播/广播服务器生成群组共享密钥,向多播/广播业务用户发送加密的所述群组共享密钥,多播/广播服务器和多播/广播业务用户预先存储解密的群组共享密钥;Step A00 is further included before the step A0: the multicast/broadcast server generates the group shared key, and sends the encrypted group shared key to the multicast/broadcast service user, the multicast/broadcast server and the multicast/broadcast The business user pre-stores the decrypted group shared key;

步骤A0中所述多播/广播服务器向多播/广播业务用户发送群组加密密钥与群组加密密钥标识的对应关系之前,进一步包括步骤A01:多播/广播服务器使用存储的群组共享密钥加密群组加密密钥;Before the multicast/broadcast server in step A0 sends the correspondence between the group encryption key and the group encryption key identifier to the multicast/broadcast service user, step A01 is further included: the multicast/broadcast server uses the stored group shared key encryption group encryption key;

步骤B中所述多播/广播业务用户根据收到的群组加密密钥标识和存储的群组加密密钥与群组加密密钥标识的对应关系找到当前群组加密密钥之后,进一步包括:多播/广播业务用户使用存储的群组共享密钥解密所述群组加密密钥。After the multicast/broadcast service user in step B finds the current group encryption key according to the received group encryption key identifier and the stored correspondence between the group encryption key and the group encryption key identifier, further include : The multicast/broadcast service user uses the stored group shared key to decrypt the group encryption key.

所述步骤A00进一步包括:多播/广播服务器生成一个以上的群组共享密钥,并为所述群组共享密钥分配标识,然后向多播/广播业务用户发送群组共享密钥与群组共享密钥标识的对应关系,多播/广播业务用户预先存储群组共享密钥与群组共享密钥标识的对应关系;The step A00 further includes: the multicast/broadcast server generates more than one group shared key, and assigns an identifier to the group shared key, and then sends the group shared key and the group shared key to the multicast/broadcast service user. The corresponding relationship between group shared key identifiers, multicast/broadcast service users pre-store the corresponding relationship between group shared keys and group shared key identifiers;

所述步骤A01包括:多播/广播服务器使用存储的不同群组共享密钥加密不同群组加密密钥,然后向多播/广播业务用户发送加密的群组加密密钥和群组加密密钥标识的对应关系,多播/广播服务器存储群组共享密钥标识与所述群组共享密钥加密的群组加密密钥标识的对应关系;The step A01 includes: the multicast/broadcast server encrypts different group encryption keys using different stored group shared keys, and then sends the encrypted group encryption key and the group encryption key to the multicast/broadcast service user The corresponding relationship of the identification, the multicast/broadcast server stores the corresponding relationship between the group shared key identification and the group encryption key identification encrypted by the group shared key;

步骤B中所述多播/广播业务用户根据收到的群组加密密钥标识和存储的群组加密密钥与群组加密密钥标识的对应关系找到当前群组加密密钥之前,进一步包括:多播/广播服务器向多播/广播业务用户发送多播/广播业务信息时携带群组共享密钥标识,多播/广播业务用户根据收到的群组共享密钥标识和存储的群组共享密钥与群组共享密钥标识的对应关系,找到所述群组共享密钥。Before the multicast/broadcast service user in step B finds the current group encryption key according to the received group encryption key ID and the stored correspondence between the group encryption key and the group encryption key ID, it further includes : When the multicast/broadcast server sends the multicast/broadcast service information to the multicast/broadcast service user, it carries the group shared key identifier, and the multicast/broadcast service user uses the received group shared key identifier and stored group The corresponding relationship between the shared key and the group shared key identifier is used to find the group shared key.

所述步骤B之前进一步包括:多播/广播服务器使用选定的群组加密密钥加密多播/广播业务信息。Before the step B, it further includes: the multicast/broadcast server encrypts the multicast/broadcast service information with the selected group encryption key.

多播/广播服务器通过广播方式向多播/广播业务用户发送加密的多播/广播业务信息和同时携带的密钥参数标识。The multicast/broadcast server sends the encrypted multicast/broadcast service information and the key parameter identifier carried at the same time to the multicast/broadcast service user by broadcasting.

如果所述多播/广播业务信息划分成一个以上数据包发送,其特征在于,各数据包携带不同密钥参数标识。If the multicast/broadcast service information is divided into more than one data packet and sent, it is characterized in that each data packet carries a different key parameter identifier.

本发明提出:预先在多播/广播服务器和多播/广播业务用户中存储密钥参数与密钥参数标识的对应关系;多播/广播服务器向多播/广播业务用户发送加密的多播/广播业务信息时,一同发送密钥参数标识;多播/广播业务用户收到加密的多播/广播业务信息和密钥参数标识后,根据密钥参数标识和自身存储的密钥参数与密钥参数标识的对应关系获取TEK。这样,只需发送密钥参数标识,就可使多播/广播业务用户获取TEK,通常,密钥参数标识只需占用传输带宽的几个bit,相对密钥的128bit或随机数的32bit要少的多,从而使多播/广播业务信息能够有效使用传输空间。另外,本发明中,只有在多播/广播业务用户获取TEK的过程中会使用BAK,在每次传输多播/广播业务信息时不再使用BAK,因此显著提高了BAK的安全性。此外,本发明中可通过不断变换密钥参数标识,使多播/广播业务用户获取不同的TEK,实现对TEK的更新。The present invention proposes: store the corresponding relationship between the key parameter and the key parameter identifier in the multicast/broadcast server and the multicast/broadcast service user in advance; the multicast/broadcast server sends the encrypted multicast/broadcast service user When broadcasting service information, the key parameter identifier is sent together; after the multicast/broadcast service user receives the encrypted multicast/broadcast service information and key parameter identifier, according to the key parameter identifier and the key parameter and key stored in itself, The corresponding relationship identified by the parameter obtains the TEK. In this way, multicast/broadcast service users can obtain TEK by only sending the key parameter identification. Usually, the key parameter identification only needs to occupy a few bits of the transmission bandwidth, which is less than 128 bits of the key or 32 bits of the random number more, so that the multicast/broadcast service information can effectively use the transmission space. In addition, in the present invention, the BAK is only used when the multicast/broadcast service user obtains the TEK, and the BAK is not used every time the multicast/broadcast service information is transmitted, thus significantly improving the security of the BAK. In addition, in the present invention, the user of the multicast/broadcast service can acquire different TEKs by continuously changing the key parameter identifier, so as to realize the updating of the TEK.

附图说明Description of drawings

图1为多播/广播业务示意图;FIG. 1 is a schematic diagram of a multicast/broadcast service;

图2为多播/广播业务密钥层次示意图;Fig. 2 is a schematic diagram of multicast/broadcast service key hierarchy;

图3为现有技术一群组加密密钥的获取过程示意图;Fig. 3 is a schematic diagram of the acquisition process of a group encryption key in the prior art;

图4为现有技术二群组加密密钥的获取过程示意图;Fig. 4 is a schematic diagram of the acquisition process of two groups of encryption keys in the prior art;

图5为本发明中群组加密密钥的获取过程示意图;Fig. 5 is a schematic diagram of the acquisition process of the group encryption key in the present invention;

图6为本发明中一实施例示意图;Fig. 6 is a schematic diagram of an embodiment of the present invention;

图7为本发明中另一实施例示意图。Fig. 7 is a schematic diagram of another embodiment of the present invention.

具体实施方式Detailed ways

为使本发明的目的、技术方案和优点更加清楚,下面结合附图对本发明作进一步的详细描述。In order to make the object, technical solution and advantages of the present invention clearer, the present invention will be further described in detail below in conjunction with the accompanying drawings.

本发明中,预先在多播/广播服务器和多播/广播业务用户中存储密钥参数与密钥参数标识的对应关系;多播/广播服务器向多播/广播业务用户发送加密的多播/广播业务信息时,一同发送密钥参数标识;多播/广播业务用户收到加密的多播/广播业务信息和密钥参数标识后,根据密钥参数标识和自身存储的密钥参数与密钥参数标识的对应关系获取TEK,然后使用TEK解密多播/广播业务信息,获取多播/广播业务信息。通常,密钥参数标识只需占用传输带宽的几个bit,相对密钥的128bit或随机数的32bit要少的多,从而使多播/广播业务信息能够有效使用传输空间。In the present invention, the correspondence between the key parameter and the key parameter identifier is stored in the multicast/broadcast server and the multicast/broadcast service user in advance; the multicast/broadcast server sends the encrypted multicast/broadcast service user to the multicast/broadcast service user. When broadcasting service information, the key parameter identifier is sent together; after the multicast/broadcast service user receives the encrypted multicast/broadcast service information and key parameter identifier, according to the key parameter identifier and the key parameter and key stored in itself, The corresponding relationship of the parameter identification obtains the TEK, and then uses the TEK to decrypt the multicast/broadcast service information to obtain the multicast/broadcast service information. Usually, the key parameter identification only needs to occupy a few bits of the transmission bandwidth, which is much less than 128 bits of the key or 32 bits of the random number, so that the multicast/broadcast service information can effectively use the transmission space.

图5为本发明中群组加密密钥的获取过程示意图,如图5所示,多播/广播业务用户获取群组加密密钥的过程包括以下步骤:Fig. 5 is a schematic diagram of the acquisition process of the group encryption key in the present invention. As shown in Fig. 5, the process for the multicast/broadcast service user to obtain the group encryption key includes the following steps:

步骤501~步骤502:多播/广播服务器向多播/广播业务用户发送密钥参数与密钥参数标识的对应关系。多播/广播业务用户对收到的密钥参数与密钥参数标识的对应关系进行存储。Steps 501 to 502: the multicast/broadcast server sends the correspondence between key parameters and key parameter identifiers to multicast/broadcast service users. The multicast/broadcast service user stores the corresponding relationship between the received key parameter and the key parameter identifier.

步骤503~步骤505:多播/广播服务器使用TEK加密多播/广播业务信息,然后向多播/广播业务用户发送加密的多播/广播业务信息和对应于该TEK的密钥参数标识。多播/广播业务用户收到多播/广播业务信息和密钥参数标识后,根据密钥参数标识和自身存储的密钥参数与密钥参数标识的对应关系,获取加密多播/广播业务信息的TEK;然后使用该TEK解密多播/广播业务信息,获取多播/广播业务信息。Steps 503 to 505: the multicast/broadcast server encrypts the multicast/broadcast service information with the TEK, and then sends the encrypted multicast/broadcast service information and the key parameter identifier corresponding to the TEK to the multicast/broadcast service user. After the multicast/broadcast service user receives the multicast/broadcast service information and the key parameter identifier, according to the key parameter identifier and the corresponding relationship between the key parameter and the key parameter identifier stored by itself, obtain the encrypted multicast/broadcast service information The TEK; then use the TEK to decrypt the multicast/broadcast service information to obtain the multicast/broadcast service information.

由于使用目的或使用时间的不同,例如每个BAK针对不同范围的多播/广播业务信息,或为确保不断变换BAK以增加BAK的安全性,多播/广播服务器可同时生成多个BAK,此时,多播/广播服务器为生成的BAK分配标识,然后使用TK加密BAK,并将加密的BAK及BAK标识发送给多播/广播业务用户,因此,多播/广播业务用户存储有一系列BAK,通过BAK标识对不同BAK进行区分。Due to different usage purposes or usage time, for example, each BAK is aimed at different ranges of multicast/broadcast service information, or to ensure that the BAK is constantly changed to increase the security of the BAK, the multicast/broadcast server can generate multiple BAKs at the same time. , the multicast/broadcast server assigns an identifier to the generated BAK, then encrypts the BAK with TK, and sends the encrypted BAK and BAK identifier to the multicast/broadcast service user. Therefore, the multicast/broadcast service user stores a series of BAKs. Different BAKs are distinguished by BAK identification.

如果多播/广播业务用户存储有一系列BAK,则多播/广播服务器向多播/广播业务用户发送加密的多播/广播业务信息和密钥参数标识的同时,还需向多播/广播业务用户发送BAK标识,以使多播/广播业务用户根据BAK标识和自身存储的BAK与BAK标识的对应关系,确定当前使用的BAK。If the multicast/broadcast service user stores a series of BAKs, while the multicast/broadcast service user sends the encrypted multicast/broadcast service information and key parameter identification to the multicast/broadcast service user, it also needs to send The user sends the BAK identifier, so that the multicast/broadcast service user determines the currently used BAK according to the BAK identifier and the corresponding relationship between the BAK and the BAK identifier stored in itself.

图6为本发明中一实施例示意图,如图6所示,本实施例中多播/广播业务用户获取群组加密密钥的过程包括以下步骤:FIG. 6 is a schematic diagram of an embodiment of the present invention. As shown in FIG. 6, the process for a multicast/broadcast service user to obtain a group encryption key in this embodiment includes the following steps:

步骤601~步骤605与步骤201~步骤205基本相同。Steps 601 to 605 are basically the same as steps 201 to 205.

在本实施例中,多播/广播服务器同时生成多个BAK,多播/广播服务器为生成的BAK分配标识,然后使用TK加密BAK,并将加密的BAK及BAK标识发送给多播/广播业务用户,多播/广播业务用户存储BAK与BAK标识的对应关系。In this embodiment, the multicast/broadcast server generates multiple BAKs at the same time, and the multicast/broadcast server assigns identifiers to the generated BAKs, then uses TK to encrypt the BAKs, and sends the encrypted BAKs and BAK identifiers to the multicast/broadcast service User, multicast/broadcast service user stores the corresponding relationship between BAK and BAK ID.

步骤606~步骤608:多播/广播服务器生成多个随机数,并为生成的随机数分配标识,存储随机数与随机数标识的对应关系,然后向多播/广播业务用户发送随机数与随机数标识的对应关系。多播/广播业务用户对收到的随机数与随机数标识的对应关系进行存储。Steps 606 to 608: The multicast/broadcast server generates multiple random numbers, assigns identifiers to the generated random numbers, stores the correspondence between random numbers and random number identifiers, and then sends the random numbers and random numbers to multicast/broadcast service users. Corresponding relationship of number identification. The multicast/broadcast service user stores the corresponding relationship between the received random number and the random number identifier.

步骤609~步骤612:多播/广播服务器需要向多播/广播业务用户发送多播/广播业务信息时,为当前发送的多播/广播业务信息选定BAK和随机数,然后根据选定的BAK和随机数生成TEK,使用TEK加密当前需要发送的多播/广播业务信息,然后向多播/广播业务用户发送加密的多播/广播业务信息、选定随机数的标识和BAK标识。多播/广播服务器可将加密的多播/广播业务信息、选定随机数的标识和BAK标识通过广播方式发送给多播/广播业务用户。多播/广播业务用户收到加密的多播/广播业务信息、选定随机数的标识和BAK标识后,根据BAK标识和自身存储的BAK与BAK标识的对应关系找到相应的BAK,同时根据随机数标识和自身存储的随机数与随机数标识的对应关系找到相应的随机数,然后根据找到的BAK和随机数生成TEK,使用该TEK加密多播/广播业务信息,获取多播/广播业务信息。Step 609 to Step 612: When the multicast/broadcast server needs to send multicast/broadcast service information to multicast/broadcast service users, select BAK and random number for the currently sent multicast/broadcast service information, and then according to the selected BAK and random number generate TEK, use TEK to encrypt the current multicast/broadcast service information to be sent, and then send the encrypted multicast/broadcast service information, the identifier of the selected random number and the BAK identifier to the multicast/broadcast service user. The multicast/broadcast server can broadcast the encrypted multicast/broadcast service information, the identifier of the selected random number and the BAK identifier to the multicast/broadcast service users in a broadcast manner. After the multicast/broadcast service user receives the encrypted multicast/broadcast service information, the identifier of the selected random number and the BAK identifier, he finds the corresponding BAK according to the corresponding relationship between the BAK identifier and the stored BAK and BAK identifier, Find the corresponding random number according to the corresponding relationship between the number ID and the random number stored in itself and the random number ID, and then generate a TEK according to the found BAK and random number, use the TEK to encrypt multicast/broadcast service information, and obtain multicast/broadcast service information .

由于受到传输带宽的限制,当前需要发送的多播/广播业务信息可能需要分段发送,即当前需要发送的多播/广播业务信息需要分成多个数据包发送,才能使多播/广播业务用户获取完整的多播/广播业务信息,此时,多播/广播服务器可根据当前需要发送的多播/广播业务信息对安全性的要求选定一个随机数或多个随机数,如果当前需要发送的多播/广播业务信息对安全性的要求较高,则多播/广播服务器为发送的每个数据包选定不同的随机数;如果当前需要发送的多播/广播业务信息对安全性的要求较低,则多播/广播服务器为发送的每个数据包选定相同的随机数,无论多播/广播服务器为当前需要发送的多播/广播业务信息选定一个随机数还是多个随机数,每次向多播/广播业务用户发送加密的数据包的同时,都需要向多播/广播业务用户发送随机数标识。Due to the limitation of transmission bandwidth, the multicast/broadcast service information that needs to be sent currently may need to be sent in segments, that is, the multicast/broadcast service information that needs to be sent currently needs to be sent in multiple data packets, so that the multicast/broadcast service users can Obtain complete multicast/broadcast service information. At this time, the multicast/broadcast server can select a random number or multiple random numbers according to the security requirements of the multicast/broadcast service information that needs to be sent currently. If the multicast/broadcast service information has high security requirements, the multicast/broadcast server selects a different random number for each data packet sent; If the requirements are low, the multicast/broadcast server selects the same random number for each data packet sent, regardless of whether the multicast/broadcast server selects one random number or multiple random numbers for the current multicast/broadcast service information to be sent. number, each time an encrypted data packet is sent to a multicast/broadcast service user, a random number identifier needs to be sent to the multicast/broadcast service user.

多播/广播服务器基本上已将存储的随机数都作了选择后,或多播/广播服务器认为安全性不够时,可再次生成多个新的随机数,并为这些随机数分配标识,然后将新的随机数与随机数标识的对应关系发送给多播/广播业务用户,多播/广播业务用户对收到的随机数与随机数标识的对应关系进行存储。After the multicast/broadcast server has basically selected all the stored random numbers, or when the multicast/broadcast server thinks that the security is not enough, it can generate multiple new random numbers again, and assign identities to these random numbers, and then The new correspondence between the random number and the random number identifier is sent to the multicast/broadcast service user, and the multicast/broadcast service user stores the received correspondence between the random number and the random number identifier.

图7为本发明中另一实施例示意图,如图7所示,本实施例中多播/广播业务用户获取群组加密密钥的过程包括以下步骤:FIG. 7 is a schematic diagram of another embodiment of the present invention. As shown in FIG. 7, the process for a multicast/broadcast service user to obtain a group encryption key in this embodiment includes the following steps:

步骤701~步骤705与步骤201~步骤205基本相同。Steps 701 to 705 are basically the same as steps 201 to 205.

在本实施例中,多播/广播服务器同时生成多个BAK,并为生成的BAK分配标识,然后使用TK加密BAK,存储BAK与BAK标识的对应关系,并将加密的BAK及BAK标识发送给多播/广播业务用户,多播/广播业务用户存储BAK与BAK标识的对应关系。In this embodiment, the multicast/broadcast server generates multiple BAKs at the same time, and assigns identifications to the generated BAKs, then uses TK to encrypt the BAKs, stores the correspondence between BAKs and BAK identifications, and sends the encrypted BAKs and BAK identifications to For multicast/broadcast service users, the multicast/broadcast service users store the correspondence between BAKs and BAK identifiers.

步骤706~步骤708:多播/广播服务器生成多个用于生成TEK的随机数,根据BAK和随机数生成多个TEK,然后使用BAK加密TEK,并为加密的TEK分配标识。这些TEK可根据不同的BAK生成,可使用不同的BAK进行加密,此时,多播/广播服务器存储有TEK、TEK标识与加密该TEK的BAK间的对应关系。使用不同的BAK加密TEK,可增强多个TEK的安全性,避免非多播/广播业务用户获取加密的多个TEK,使用一个BAK成功解密后,使用该BAK成功解密其他TEK。如果不希望对TEK的管理过于复杂,则可使用同一个BAK加密TEK。多播/广播服务器向多播/广播业务用户发送加密的TEK与TEK标识的对应关系,多播/广播业务用户对收到的加密的TEK与TEK标识的对应关系进行存储。此时,多播/广播业务用户可不对TEK进行解密,而是直接存储。Steps 706 to 708: the multicast/broadcast server generates multiple random numbers for generating TEKs, generates multiple TEKs according to the BAK and random numbers, then encrypts the TEKs with the BAKs, and assigns identifiers to the encrypted TEKs. These TEKs can be generated according to different BAKs, and different BAKs can be used for encryption. At this time, the multicast/broadcast server stores the corresponding relationship between the TEK, the TEK identifier and the BAK that encrypts the TEK. Using different BAKs to encrypt TEKs can enhance the security of multiple TEKs and prevent non-multicast/broadcast service users from obtaining encrypted multiple TEKs. After successfully decrypting with one BAK, use this BAK to successfully decrypt other TEKs. If you don't want the management of TEK to be too complicated, you can use the same BAK to encrypt TEK. The multicast/broadcast server sends the encrypted correspondence between the TEK and the TEK identifier to the multicast/broadcast service user, and the multicast/broadcast service user stores the received encrypted correspondence between the TEK and the TEK identifier. At this time, the multicast/broadcast service user does not need to decrypt the TEK, but directly stores it.

步骤709~步骤712:多播/广播服务器需要向多播/广播业务用户发送多播/广播业务信息时,为当前发送的多播/广播业务信息选定TEK,使用该TEK加密当前需要发送的多播/广播业务信息,根据自身存储的TEK、TEK标识与加密TEK的BAK间的对应关系,找到BAK标识,然后向多播/广播业务用户发送加密的多播/广播业务信息、选定TEK的标识和BAK标识。多播/广播服务器将加密的多播/广播业务信息、选定TEK的标识和BAK标识通过广播方式发送给多播/广播业务用户。多播/广播业务用户收到加密的多播/广播业务信息、选定TEK的标识和BAK标识后,根据BAK标识和自身存储的BAK与BAK标识的对应关系找到相应的BAK,同时根据TEK标识和自身存储的TEK与TEK标识的对应关系找到相应的加密的TEK,使用BAK对加密的TEK进行解密,获取TEK,然后使用该TEK解密多播/广播业务信息,获取多播/广播业务信息。Step 709 to Step 712: When the multicast/broadcast server needs to send multicast/broadcast service information to the multicast/broadcast service user, select a TEK for the currently sent multicast/broadcast service information, and use this TEK to encrypt the current message to be sent For multicast/broadcast service information, find the BAK identifier according to the corresponding relationship between the stored TEK and TEK identifier and the BAK of the encrypted TEK, and then send the encrypted multicast/broadcast service information and selected TEK to the multicast/broadcast service user logo and BAK logo. The multicast/broadcast server broadcasts the encrypted multicast/broadcast service information, the selected TEK identifier and the BAK identifier to the multicast/broadcast service user. After the multicast/broadcast service user receives the encrypted multicast/broadcast service information, selects the TEK ID and BAK ID, it finds the corresponding BAK according to the BAK ID and the corresponding relationship between the BAK and BAK ID stored in itself, and at the same time, according to the TEK ID Find the corresponding encrypted TEK with the corresponding relationship between the TEK and the TEK identifier stored in itself, use the BAK to decrypt the encrypted TEK, obtain the TEK, and then use the TEK to decrypt the multicast/broadcast service information to obtain the multicast/broadcast service information.

由于受到传输带宽的限制,当前需要发送的多播/广播业务信息可能需要分段发送,即当前需要发送的多播/广播业务信息需要分成多个数据包发送,才能使多播/广播业务用户获取完整的多播/广播业务信息,此时,多播/广播服务器可根据当前需要发送的多播/广播业务信息对安全性的要求选定一个TEK或多个TEK,如果当前需要发送的多播/广播业务信息对安全性的要求较高,则多播/广播服务器为发送的每个数据包选定不同的TEK;如果当前需要发送的多播/广播业务信息对安全性的要求较低,则多播/广播服务器为发送的每个数据包选定相同的TEK,无论多播/广播服务器为当前需要发送的多播/广播业务信息选定一个TEK还是多个TEK,每次向多播/广播业务用户发送加密的数据包的同时,都需要向多播/广播业务用户发送TEK标识。Due to the limitation of transmission bandwidth, the multicast/broadcast service information that needs to be sent currently may need to be sent in segments, that is, the multicast/broadcast service information that needs to be sent currently needs to be sent in multiple data packets, so that the multicast/broadcast service users can Obtain complete multicast/broadcast service information. At this time, the multicast/broadcast server can select one TEK or multiple TEKs according to the security requirements of the multicast/broadcast service information that needs to be sent currently. If the multicast/broadcast service information has high security requirements, the multicast/broadcast server selects a different TEK for each data packet sent; if the current multicast/broadcast service information to be sent has low security requirements , the multicast/broadcast server selects the same TEK for each data packet to be sent, regardless of whether the multicast/broadcast server selects one TEK or multiple TEKs for the current multicast/broadcast service information that needs to be sent. When the multicast/broadcast service user sends the encrypted data packet, it needs to send the TEK identifier to the multicast/broadcast service user.

多播/广播服务器基本上已将存储的TEK都作了选择后,或多播/广播服务器认为安全性不够时,可再次生成多个新的TEK,并为这些TEK分配标识,使用BAK加密新的TEK,然后将新的加密的TEK与TEK标识的对应关系发送给多播/广播业务用户,多播/广播业务用户对收到的TEK与TEK标识的对应关系进行存储。After the multicast/broadcast server has basically selected all the stored TEKs, or when the multicast/broadcast server thinks that the security is not enough, it can generate multiple new TEKs again, assign identities to these TEKs, and use BAK to encrypt the new TEKs. TEK, and then send the newly encrypted correspondence between the TEK and the TEK identifier to the multicast/broadcast service user, and the multicast/broadcast service user stores the received correspondence between the TEK and the TEK identifier.

总之,以上所述仅为本发明的较佳实施例而已,并非用于限定本发明的保护范围。In a word, the above descriptions are only preferred embodiments of the present invention, and are not intended to limit the protection scope of the present invention.

Claims (11)

1、一种用户通过业务数据携带密钥信息的方式获取密钥的方法,其特征在于该方法包含以下步骤:1. A method for a user to obtain a key by means of carrying key information in business data, characterized in that the method comprises the following steps: A、多播/广播服务器与多播/广播业务用户预先建立密钥参数与密钥参数标识的对应关系;A. The multicast/broadcast server and the multicast/broadcast service user pre-establish the corresponding relationship between key parameters and key parameter identifiers; B、多播/广播服务器向多播/广播业务用户同时发送加密的多播/广播业务信息和密钥参数标识,多播/广播业务用户根据收到的密钥参数标识和存储的密钥参数与密钥参数标识的对应关系,获取当前群组加密密钥。B. The multicast/broadcast server sends encrypted multicast/broadcast service information and key parameter identification to the multicast/broadcast service user at the same time, and the multicast/broadcast service user uses the received key parameter identification and stored key parameter Corresponding relationship with the key parameter identifier to obtain the current group encryption key. 2、根据权利要求1所述的方法,其特征在于,所述步骤A之前进一步包括:2. The method according to claim 1, characterized in that before the step A, further comprising: A0、多播/广播服务器生成一个以上的密钥参数,并为所述密钥参数分配标识,然后向多播/广播业务用户发送密钥参数与密钥参数标识的对应关系。A0. The multicast/broadcast server generates more than one key parameter, assigns an identifier to the key parameter, and then sends the correspondence between the key parameter and the key parameter identifier to the multicast/broadcast service user. 3、根据权利要求2所述的方法,其特征在于,3. The method of claim 2, wherein: 步骤A中所述密钥参数是用于生成群组加密密钥的随机数,所述密钥参数标识是随机数标识,The key parameter in step A is a random number used to generate a group encryption key, and the key parameter identifier is a random number identifier, 所述步骤B进一步包括:多播/广播服务器向多播/广播业务用户同时发送加密的多播/广播业务信息和随机数标识,多播/广播业务用户根据收到的随机数标识和存储的随机数与随机数标识的对应关系,找到随机数,然后根据存储的群组共享密钥和所述随机数生成当前群组加密密钥。The step B further includes: the multicast/broadcast server simultaneously sends encrypted multicast/broadcast service information and random number identification to the multicast/broadcast service user, and the multicast/broadcast service user receives the random number identification and stored The corresponding relationship between the random number and the random number identifier, finding the random number, and then generating the current group encryption key according to the stored group shared key and the random number. 4、根据权利要求3所述的方法,其特征在于,4. The method of claim 3, wherein: 所述步骤A0之前进一步包括:多播/广播服务器生成一个以上的群组共享密钥,并为所述群组共享密钥分配标识,然后向多播/广播业务用户发送加密的群组共享密钥与群组共享密钥标识的对应关系,多播/广播业务用户预先存储解密的群组共享密钥与群组共享密钥标识的对应关系;Before the step A0, it further includes: the multicast/broadcast server generates more than one group shared key, and assigns an identifier to the group shared key, and then sends the encrypted group shared key to the multicast/broadcast service user. The corresponding relationship between the key and the group shared key identifier, and the corresponding relationship between the group shared key stored and decrypted in advance by the multicast/broadcast service user and the group shared key identifier; 步骤B中所述多播/广播业务用户根据存储的群组共享密钥和所述随机数生成当前群组加密密钥之前,进一步包括:多播/广播服务器向多播/广播业务用户发送的多播/广播业务信息中携带群组共享密钥标识,多播/广播业务用户根据收到的群组共享密钥标识和存储的群组共享密钥与群组共享密钥标识的对应关系,找到所述群组共享密钥。Before the multicast/broadcast service user generates the current group encryption key according to the stored group shared key and the random number in step B, it further includes: the multicast/broadcast server sends the multicast/broadcast service user The multicast/broadcast service information carries the group shared key identifier, and the multicast/broadcast service user, according to the received group shared key identifier and the stored corresponding relationship between the group shared key and the group shared key identifier, Find the group shared secret. 5、根据权利要求3所述的方法,其特征在于,5. The method of claim 3, wherein: 所述步骤B之前进一步包括:多播/广播服务器根据选定的随机数和存储的群组共享密钥生成当前群组加密密钥,然后使用所述当前群组加密密钥加密多播/广播业备信息。Before the step B, it further includes: the multicast/broadcast server generates the current group encryption key according to the selected random number and the stored group shared key, and then uses the current group encryption key to encrypt the multicast/broadcast Business preparation information. 6、根据权利要求2所述的方法,其特征在于,6. The method of claim 2, wherein: 步骤A中所述密钥参数是多播/广播服务器生成的群组加密密钥,所述密钥参数标识是群组加密密钥标识,The key parameter in step A is the group encryption key generated by the multicast/broadcast server, and the key parameter identifier is the group encryption key identifier, 所述步骤B包括:多播/广播服务器向多播/广播业务用户同时发送加密的多播/广播业务信息和群组加密密钥标识,多播/广播业务用户根据收到的群组加密密钥标识和存储的群组加密密钥与群组加密密钥标识的对应关系,找到当前群组加密密钥。The step B includes: the multicast/broadcast server simultaneously sends encrypted multicast/broadcast service information and group encryption key identification to the multicast/broadcast service user, and the multicast/broadcast service user Find the current group encryption key based on the corresponding relationship between the key identifier and the stored group encryption key and the group encryption key identifier. 7、根据权利要求6所述的方法,其特征在于,7. The method of claim 6, wherein: 所述步骤A0之前进一步包括步骤A00:多播/广播服务器生成群组共享密钥,向多播/广播业务用户发送加密的所述群组共享密钥,多播/广播服务器和多播/广播业务用户预先存储解密的群组共享密钥;Step A00 is further included before the step A0: the multicast/broadcast server generates the group shared key, and sends the encrypted group shared key to the multicast/broadcast service user, the multicast/broadcast server and the multicast/broadcast The business user pre-stores the decrypted group shared key; 步骤A0中所述多播/广播服务器向多播/广播业务用户发送群组加密密钥与群组加密密钥标识的对应关系之前,进一步包括步骤A01:多播/广播服务器使用存储的群组共享密钥加密群组加密密钥;Before the multicast/broadcast server in step A0 sends the correspondence between the group encryption key and the group encryption key identifier to the multicast/broadcast service user, step A01 is further included: the multicast/broadcast server uses the stored group shared key encryption group encryption key; 步骤B中所述多播/广播业务用户根据收到的群组加密密钥标识和存储的群组加密密钥与群组加密密钥标识的对应关系找到当前群组加密密钥之后,进一步包括:多播/广播业务用户使用存储的群组共享密钥解密所述群组加密密钥。After the multicast/broadcast service user in step B finds the current group encryption key according to the received group encryption key identifier and the stored correspondence between the group encryption key and the group encryption key identifier, further include : The multicast/broadcast service user uses the stored group shared key to decrypt the group encryption key. 8、根据权利要求7所述的方法,其特征在于,8. The method of claim 7, wherein: 所述步骤A00进一步包括:多播/广播服务器生成一个以上的群组共享密钥,并为所述群组共享密钥分配标识,然后向多播/广播业务用户发送群组共享密钥与群组共享密钥标识的对应关系,多播/广播业务用户预先存储群组共享密钥与群组共享密钥标识的对应关系;The step A00 further includes: the multicast/broadcast server generates more than one group shared key, and assigns an identifier to the group shared key, and then sends the group shared key and the group shared key to the multicast/broadcast service user. The corresponding relationship between group shared key identifiers, multicast/broadcast service users pre-store the corresponding relationship between group shared keys and group shared key identifiers; 所述步骤A01包括:多播/广播服务器使用存储的不同群组共享密钥加密不同群组加密密钥,然后向多 播/广播业务用户发送加密的群组加密密钥和群组加密密钥标识的对应关系,多播/广播服务器存储群组共享密钥标识与所述群组共享密钥加密的群组加密密钥标识的对应关系;The step A01 includes: the multicast/broadcast server encrypts different group encryption keys using different stored group shared keys, and then sends the encrypted group encryption key and the group encryption key to the multicast/broadcast service user The corresponding relationship of the identification, the multicast/broadcast server stores the corresponding relationship between the group shared key identification and the group encryption key identification encrypted by the group shared key; 步骤B中所述多播/广播业务用户根据收到的群组加密密钥标识和存储的群组加密密钥与群组加密密钥标识的对应关系找到当前群组加密密钥之前,进一步包括:多播/广播服务器向多播/广播业务用户发送多播/广播业务信息时携带群组共享密钥标识,多播/广播业务用户根据收到的群组共享密钥标识和存储的群组共享密钥与群组共享密钥标识的对应关系,找到所述群组共享密钥。Before the multicast/broadcast service user in step B finds the current group encryption key according to the received group encryption key ID and the stored correspondence between the group encryption key and the group encryption key ID, it further includes : When the multicast/broadcast server sends the multicast/broadcast service information to the multicast/broadcast service user, it carries the group shared key identifier, and the multicast/broadcast service user uses the received group shared key identifier and stored group The corresponding relationship between the shared key and the group shared key identifier is used to find the group shared key. 9、根据权利要求6所述的方法,其特征在于,9. The method of claim 6, wherein: 所述步骤B之前进一步包括:多播/广播服务器使用选定的群组加密密钥加密多播/广播业务信息。Before the step B, it further includes: the multicast/broadcast server encrypts the multicast/broadcast service information with the selected group encryption key. 10、根据权利要求5或9所述的方法,其特征在于,多播/广播服务器通过广播方式向多播/广播业务用户发送加密的多播/广播业务信息和同时携带的密钥参数标识。10. The method according to claim 5 or 9, characterized in that the multicast/broadcast server sends the encrypted multicast/broadcast service information and the key parameter identifier carried at the same time to the multicast/broadcast service user by broadcasting. 11、根据权利要求1所述的方法,如果所述多播/广播业务信息划分成一个以上数据包发送,其特征在于,各数据包携带不同密钥参数标识。11. The method according to claim 1, if the multicast/broadcast service information is divided into more than one data packet for transmission, it is characterized in that each data packet carries a different key parameter identifier.
CN 03154459 2003-09-29 2003-09-29 Method for acquiring key by user through service data carried key information Pending CN1604534A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 03154459 CN1604534A (en) 2003-09-29 2003-09-29 Method for acquiring key by user through service data carried key information

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN 03154459 CN1604534A (en) 2003-09-29 2003-09-29 Method for acquiring key by user through service data carried key information

Publications (1)

Publication Number Publication Date
CN1604534A true CN1604534A (en) 2005-04-06

Family

ID=34659992

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 03154459 Pending CN1604534A (en) 2003-09-29 2003-09-29 Method for acquiring key by user through service data carried key information

Country Status (1)

Country Link
CN (1) CN1604534A (en)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2007140677A1 (en) * 2006-05-30 2007-12-13 Huawei Technologies Co., Ltd. A method for decryption cipher switching, decryption apparatus and terminal device
WO2008131662A1 (en) * 2007-04-26 2008-11-06 Huawei Technologies Co., Ltd. An encrypted key updating system, method thereof and a transmitting terminal and a receiving terminal
CN101521670B (en) * 2009-03-30 2012-07-04 北京握奇数据系统有限公司 Method and system for acquiring application data
WO2015145319A1 (en) * 2014-03-27 2015-10-01 Chan Kam Fu Token key infrastructure and method
CN105409287A (en) * 2013-08-06 2016-03-16 松下电器(美国)知识产权公司 Wireless communication method and user equipment for device-to-device communication
CN106131934A (en) * 2016-08-24 2016-11-16 桂林信通科技有限公司 A kind of WLAN is utilized to carry out the system and method that information is mutual
CN108306872A (en) * 2018-01-24 2018-07-20 腾讯科技(深圳)有限公司 Network request processing method, device, computer equipment and storage medium

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2007140677A1 (en) * 2006-05-30 2007-12-13 Huawei Technologies Co., Ltd. A method for decryption cipher switching, decryption apparatus and terminal device
WO2008131662A1 (en) * 2007-04-26 2008-11-06 Huawei Technologies Co., Ltd. An encrypted key updating system, method thereof and a transmitting terminal and a receiving terminal
CN101296358B (en) * 2007-04-26 2011-06-22 华为技术有限公司 Broadcast enciphering and updating system and method
CN101521670B (en) * 2009-03-30 2012-07-04 北京握奇数据系统有限公司 Method and system for acquiring application data
CN105409287A (en) * 2013-08-06 2016-03-16 松下电器(美国)知识产权公司 Wireless communication method and user equipment for device-to-device communication
CN105409287B (en) * 2013-08-06 2019-11-29 太阳专利信托公司 Wireless communication method, user equipment and integrated circuit for device-to-device communication
WO2015145319A1 (en) * 2014-03-27 2015-10-01 Chan Kam Fu Token key infrastructure and method
CN106560006A (en) * 2014-03-27 2017-04-05 陈锦夫 Token key infrastructure and method
US10411893B2 (en) 2014-03-27 2019-09-10 Kam Fu Chan Token key infrastructure and method
CN106131934A (en) * 2016-08-24 2016-11-16 桂林信通科技有限公司 A kind of WLAN is utilized to carry out the system and method that information is mutual
CN108306872A (en) * 2018-01-24 2018-07-20 腾讯科技(深圳)有限公司 Network request processing method, device, computer equipment and storage medium
CN108306872B (en) * 2018-01-24 2022-03-18 腾讯科技(深圳)有限公司 Network request processing method and device, computer equipment and storage medium

Similar Documents

Publication Publication Date Title
CN1237843A (en) System, method and medium for broadcasting service content
CN1184833C (en) Method of determining encrypted algorithm in secret communication based on mobile national code
CN1265676C (en) Method for realizing roaming user to visit network inner service
CN1465159A (en) Secure packet-based data broadcasting architecture
CN101039180A (en) Method and system for generating and transmitting key
CN1236517A (en) Method and arrangement for encrypting radio traffic in a telecommunications network
CN101061666A (en) Method for managing digital rights in broadcast/multicast services
CN1633778A (en) Method and apparatus for security within a data processing system
CN1241862A (en) Data transmission control method and data transmission system
CN1300974C (en) Method for realizing multimedia broadcasting / multicasting service key dispensing
CN1859084A (en) Enciphering and deenciphering method for request broadcast stream media data of mocro soft media format
CN1549595A (en) An information transmission method and device for an interactive digital broadcast television system
CN1780413A (en) Packet broadcasting service key controlling method
CN1922582A (en) Apparatus and method for broadcast services transmission and reception
CN1993920A (en) Security method and device in data processing system
CN1758593A (en) Service key updating method of multimedium playing service
CN1604534A (en) Method for acquiring key by user through service data carried key information
CN1567812A (en) A method for implementing sharing key update
CN1929371A (en) Method for User and Peripheral to Negotiate a Shared Key
CN1918914A (en) System for selective data transmission
CN1864386A (en) Naming of 802.11 group keys to allow support of multiple broadcast and multicast domains
CN100337442C (en) A method of data integrity protection in WLAN
CN1700639A (en) Method for leading-in and leading-out WLAN authentication and privacy infrastructure certificate information
CN1630404A (en) Method for managing, distributing, and transferring keys when switching users in a digital cellular mobile communication system
CN1744706A (en) Method for protecting broadband video-audio broadcasting content

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication