CN1777094A - Key reconsul tation trigger method in general pilot system - Google Patents
Key reconsul tation trigger method in general pilot system Download PDFInfo
- Publication number
- CN1777094A CN1777094A CN 200410091012 CN200410091012A CN1777094A CN 1777094 A CN1777094 A CN 1777094A CN 200410091012 CN200410091012 CN 200410091012 CN 200410091012 A CN200410091012 A CN 200410091012A CN 1777094 A CN1777094 A CN 1777094A
- Authority
- CN
- China
- Prior art keywords
- key
- lifetime
- function module
- soft
- subscriber equipment
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Landscapes
- Mobile Radio Communication Systems (AREA)
Abstract
本发明公开了一种通用引导体系中密钥重协商的触发方法,包括以下方面:将原生命期作为密钥的硬生命期,设置一个比硬生命期小的期限作为密钥的软生命期;当到达软生命期时触发协商;协商成功后,可立即使用新的密钥,删除原有的旧密钥;或者继续使用旧的密钥,待过期后,才使用新的密钥。本发明克服了现有技术存在的用户设备与网络应用功能模块间的通信不连续导致的无线通信系统无法稳定运行的缺点,能够保持用户设备与网络应用功能模块间连续稳定通信。
The invention discloses a method for triggering key renegotiation in a general guidance system, including the following aspects: the original lifetime is used as the hard lifetime of the key, and a period smaller than the hard lifetime is set as the soft lifetime of the key ; Negotiation is triggered when the soft lifetime is reached; after the negotiation is successful, the new key can be used immediately and the old key can be deleted; or the old key can be used continuously, and the new key can be used only after it expires. The present invention overcomes the shortcoming in the prior art that the wireless communication system cannot run stably due to discontinuous communication between the user equipment and the network application function module, and can maintain continuous and stable communication between the user equipment and the network application function module.
Description
Technical field
The present invention relates to wireless communication field, relate in particular to Wideband Code Division Multiple Access (WCDMA) (WCDMA, Wideband Code Division Multiple Access) key management method in system's general guide system (GBA, Generic Bootstrapping Architecture).
Background technology
The WCDMA standard is worked out by third generation partner program tissue (3GPP, 3rd GenerationPartnership Project), and existing R99, R4, three versions of R5 are finished final version, and present stage is being carried out the formulation work of R6 version.Consider that most of mobile terminal devices needed to recognize each other card with application server before communicating by letter, the notion of universal authentication framework (Generic Authentication Architecture) has therefore been proposed in the R6 version, provide unified authentication mechanism for terminal with based on the application of IP agreement, replace the method for in the past using a kind of certificate scheme.GBA is based on the certificate scheme of wildcard among the GAA.
The network entity of GBA reference model and the interface between them have been listed in the accompanying drawing 1.Wherein subscriber equipment (UE, User Equipment) needs certain application on the visit NAF (Network ApplicationFunction, network application function), but this application need uses key to protect.And key is by UE and boortstrap server function (BSF, Bootstrapping Server Function) obtain by the described HTTP Digest AKA protocol negotiation of RFC2617 " HTTP Authentication:Basic and Digest AccessAuthentication ", UE and BSF have also finished the entity authentication of terminal and network simultaneously.Preserved all information of cipher key shared between core net and subscriber equipment and other relevant users on the home subscriber system (HSS, Home SubscriberSystem), it provides these data necessary for BSF in negotiation.After negotiation was finished, NAF can ask key to BSF, and at this moment BSF utilizes the secure tunnel between them that key is passed to NAF.Communicating by letter between follow-up UE and NAF will use this key to protect.
In cipher key agreement process, BSF can pass to UE with the life time value (can be the time, also can be flow, perhaps the value of other types) of generation key by message.NAF is when BSF obtains key, and BSF also can inform the lifetime of its key, and identical with the value of notice UE.
Require NAF constantly to check the lifetime of sharing key between it and the UE in the present standard,, will send the request of negotiation again, end the agreement of using on the Ua interface simultaneously to UE when finding that key crosses after date.After UE receives request, will consult a new key again with BSF.As can be seen, present key reconsul consult flow process be expired with the lifetime of key be trigger condition, key is in a single day expired, can not continue to use, therefore corresponding application protocol also must stop, directly influence communication continuity between UE and NAF, thereby further influenced the stable operation of wireless communication system.
Summary of the invention
Technical problem to be solved by this invention be the UE that exists of prior art with NAF between the discontinuous wireless communication system that causes of communicating by letter can't stable operation shortcoming, a kind ofly can keep the triggering method that key reconsul is consulted in continous-stable is communicated by letter between UE and NAF the general guide system in the hope of proposing.
The triggering method that key reconsul is consulted in the general guide system of the present invention comprises following aspect:
With the hard lifetime of progenote phase, be set the soft lifetime of little time limit hard lifetime of ratio as key as key;
When arriving soft lifetime, trigger and consult;
After consulting successfully, can use new key immediately, delete original old key; Perhaps continue to use old key, treated after date, just use new key.
The method of the invention further may further comprise the steps:
The first step: BSF and UE carry out first cipher key agreement process;
Second step: consult successfully, BSF gives UE with the lifetime of key by message notifying, UE with the life time value as the hard lifetime, and calculate the soft lifetime according to local policy that (concrete method is not limit, but principle is that the soft lifetime is littler than the hard lifetime, and in the soft lifetime to hard lifetime, can finish once successful key agreement in the ordinary course of things, so that key is when arriving hard lifetime, existing new key is available, and the ordinary circumstance here refers to that equipment operation is normal, the network operation normal, configuration is correct etc.);
Soft lifetime Calculation Method can be following these methods, but is not limited to these methods:
A) deducted a suitable fixing value the hard lifetime as the soft lifetime;
B) the hard lifetime be multiply by certain percentage, as 90%, as the soft lifetime;
C) deducted a suitable random value the hard lifetime as the soft lifetime, can be to random value
Scope is done qualification.
The key that the 3rd step: NAF is consulted to BSF request, BSF are also informed the lifetime of key when sending key, NAF also with key as the hard lifetime, the soft lifetime of computation key, calculate principle and second and go on foot identical;
The 4th step: UE and NAF constantly check the lifetime of key, if UE at first finds key and arrives the soft lifetime, then send notice (notification) to NAF, NAF returns corresponding heavy message of negotiation request (Bootstrapping Renegotiation Request), at this moment U E and BSF can carry out the key agreement second time, between period of negotiation, UE and NAF can continue to use original cryptographic key protection application data;
The 5th step: arrive the soft lifetime if NAF at first finds key, then send heavy message of negotiation request (Bootstrapping Renegotiation Request) to UE, at this moment UE also will carry out the key agreement second time with BSF, same, between period of negotiation, UE and NAF can continue to use original cryptographic key protection application data;
The 6th step: when consulting to complete successfully, and after NAF obtained key, UE and NAF can use new key immediately; Perhaps continue to use original cipher key, cross after date up to key and re-use new key; If consult to fail, then UE and NAF continue to use original key, arrive the hard lifetime up to key, and the local policy of whether initiating again to consult by UE and NAF determines during this period;
The 7th step: UE and NAF recomputate the soft lifetime of new key again, repeat the operation of preceding step four to step 6, up to sign off.
The method of the invention is because with the hard lifetime of original lifetime as key, and be set the soft lifetime of little time limit hard lifetime of ratio as key, thereby effectively solve the problem that triggering mode in the prior art causes communication disruption, can guarantee communication continuity, thereby further guarantee the stable operation of system.
Description of drawings
Fig. 1 is the reference model figure of GBA.
Fig. 2 be UE when at first arriving soft lifetime the NAF loopback consult to trigger the message schematic diagram.
Fig. 3 is that NAF sends to UE when at first arriving soft lifetime and consults to trigger the message schematic diagram.
Embodiment
Below in conjunction with the drawings and specific embodiments the method for the invention is described further.
The triggering method that key reconsul is consulted among the GBA proposed by the invention is with the hard lifetime of original lifetime as key, the soft lifetime of little time limit hard lifetime of ratio as key is set, when arriving soft lifetime, just trigger and consult, after consulting successfully, can use new key immediately, delete original old key, also can continue to use old key, up to crossing after date, just use new key.Communication just can continually go on like this.
Specify as follows: do not have cipher key shared between NAF and UE, so BSF and UE carry out first cipher key agreement process; As consult success, BSF gives UE with the lifetime of key by message notifying, UE with the life time value as the hard lifetime, and calculate the soft lifetime according to local policy, concrete method is not limit, but principle is that the soft lifetime is littler than the hard lifetime, and in the soft lifetime to hard lifetime, can finish once successful key agreement in the ordinary course of things, so that key is when arriving hard lifetime, existing new key is available, and the ordinary circumstance here refers to that equipment operation is normal, the network operation normal, configuration is correct etc.; Soft lifetime Calculation Method can be following these methods, but is not limited to these methods: (1) deducts a suitable fixing value as the soft lifetime with the hard lifetime; (2) the hard lifetime be multiply by certain percentage, as 90%, as the soft lifetime; (3) deducted a suitable random value the hard lifetime as the soft lifetime, can do qualification the scope of random value.The key consulted to BSF request of NAF then, BSF also informs the lifetime of key when sending key, NAF also with key as the hard lifetime, the soft lifetime of computation key, the calculating principle is with noted earlier identical.
UE and NAF constantly check the lifetime of key; if UE at first finds key and arrives the soft lifetime; then send notice (notify) to NAF; NAF can return corresponding negotiation and trigger message; at this moment UE and BSF can carry out the key agreement second time; between period of negotiation, UE and NAF can continue to use original cryptographic key protection application data.Arrive the soft lifetime if NAF at first finds key, then send to UE and consult to trigger message, at this moment UE also will carry out the key agreement second time with BSF, and is same, and between period of negotiation, UE and NAF can continue to use original cryptographic key protection application data.When consulting to complete successfully, and after NAF obtained key, UE and NAF can use new key immediately; Perhaps continue to use original cipher key, cross after date up to key and re-use new key; If consult to fail, then UE and NAF continue to use original key, arrive the hard lifetime up to key, and the local policy of whether initiating again to consult by UE and NAF determines during this period.At last, UE and NAF recomputate the soft lifetime of new key again, constantly check all that from UE and NAF the lifetime step of key begins the repetition preceding step up to sign off.
Adopt the present invention, can effectively solve the problem that original triggering mode causes communication disruption, method is easy, realizes easily.
Claims (6)
1, the triggering method that key reconsul is consulted in a kind of general guide system is characterized in that, comprises following aspect:
With the hard lifetime of progenote phase, be set the soft lifetime of little time limit hard lifetime of ratio as key as key;
When arriving soft lifetime, trigger and consult;
After consulting successfully, can use new key immediately, delete original old key; Perhaps continue to use old key, treated after date, just use new key.
2, the triggering method of consulting according to key reconsul in the described general guide system of claim 1 is characterized in that, further may further comprise the steps:
The first step: boortstrap server function module and subscriber equipment carry out first cipher key agreement process;
Second step: consults successfully, the boortstrap server function module with lifetime of key by message notifying to subscriber equipment, subscriber equipment as lifetime firmly, and calculates the soft lifetime according to local policy with the life time value;
The 3rd step: the key that the network application function module is consulted to the request of boortstrap server function module, when sending key, the boortstrap server function module informs the lifetime of key, network application function module module with key as the hard lifetime, and soft lifetime of computation key;
The 4th step: subscriber equipment and network application function module are all constantly checked the lifetime of key, if subscriber equipment is at first found key and is arrived the soft lifetime, then send notice to the network application function module, the network application function module is returned corresponding negotiation and is triggered message, subscriber equipment and boortstrap server function module are carried out the key agreement second time simultaneously, between period of negotiation, subscriber equipment and network application function module continue to use original cryptographic key protection application data;
The 5th step: arrive the soft lifetime if the network application function module is at first found key, then send and consult to trigger message to subscriber equipment, subscriber equipment and boortstrap server function module are carried out the key agreement second time simultaneously, between period of negotiation, subscriber equipment and network application function module continue to use original cryptographic key protection application data;
The 6th step: when consulting to complete successfully, and after the network application function module obtained key, subscriber equipment and network application function module were used new key immediately; Perhaps continue to use original cipher key, cross after date up to key and re-use new key; If consult to fail, then subscriber equipment and network application function module continue to use original key, arrive the hard lifetime up to key, and the local policy of whether initiating again to consult by subscriber equipment and network application function module determines during this period;
The 7th step: subscriber equipment and network application function module recomputate the soft lifetime of new key again, repeat the operation that front the 4th went on foot for the 6th step, up to sign off.
3, the triggering method that key reconsul is consulted in the general guide system according to claim 2, it is characterized in that, principle at local policy described in second step and the 3rd step is: the soft lifetime is littler than the hard lifetime, and can finish once successful key agreement under the situation normal at equipment operation, that the network operation normal, configuration is correct in the soft lifetime to hard lifetime.
4, the triggering method of consulting according to key reconsul in claim 2 or the 3 described general guide systems is characterized in that, soft lifetime Calculation Method is in second step and the 3rd step: the hard lifetime is deducted a fixed value as the soft lifetime.
5, the triggering method of consulting according to key reconsul in claim 2 or the 3 described general guide systems is characterized in that, soft lifetime Calculation Method is in second step and the 3rd step: the hard lifetime be multiply by certain percentage as the soft lifetime.
6, the triggering method of consulting according to key reconsul in claim 2 or the 3 described general guide systems is characterized in that, soft lifetime Calculation Method is in second step and the 3rd step: the hard lifetime is deducted a random value as the soft lifetime.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN 200410091012 CN1777094A (en) | 2004-11-15 | 2004-11-15 | Key reconsul tation trigger method in general pilot system |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN 200410091012 CN1777094A (en) | 2004-11-15 | 2004-11-15 | Key reconsul tation trigger method in general pilot system |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN1777094A true CN1777094A (en) | 2006-05-24 |
Family
ID=36766424
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN 200410091012 Pending CN1777094A (en) | 2004-11-15 | 2004-11-15 | Key reconsul tation trigger method in general pilot system |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN1777094A (en) |
Cited By (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2009043294A1 (en) * | 2007-09-28 | 2009-04-09 | Huawei Technologies Co., Ltd. | The method and device for updating the key in the active state |
| CN101183939B (en) * | 2006-11-14 | 2010-06-09 | 中兴通讯股份有限公司 | Re-authorization method based on multi-factor authentication |
| CN101207478B (en) * | 2006-12-18 | 2010-07-14 | 中兴通讯股份有限公司 | A cross-domain multi-gatekeeper end-to-end session key negotiation method |
| CN102761553A (en) * | 2012-07-23 | 2012-10-31 | 杭州华三通信技术有限公司 | IPSec SA consultation method and device |
| CN101675677B (en) * | 2007-05-15 | 2013-02-20 | 诺基亚公司 | Method, device, system for rekeying |
| CN101296496B (en) * | 2007-04-29 | 2013-06-05 | 中兴通讯股份有限公司 | Method for preventing false resource release in tracing section updating or switching course |
| CN108199837A (en) * | 2018-01-23 | 2018-06-22 | 新华三信息安全技术有限公司 | A kind of cryptographic key negotiation method and device |
| WO2019232692A1 (en) * | 2018-06-05 | 2019-12-12 | Ebay Inc. | Automated key and encryption system |
-
2004
- 2004-11-15 CN CN 200410091012 patent/CN1777094A/en active Pending
Cited By (16)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101183939B (en) * | 2006-11-14 | 2010-06-09 | 中兴通讯股份有限公司 | Re-authorization method based on multi-factor authentication |
| CN101207478B (en) * | 2006-12-18 | 2010-07-14 | 中兴通讯股份有限公司 | A cross-domain multi-gatekeeper end-to-end session key negotiation method |
| CN101296496B (en) * | 2007-04-29 | 2013-06-05 | 中兴通讯股份有限公司 | Method for preventing false resource release in tracing section updating or switching course |
| CN101675677B (en) * | 2007-05-15 | 2013-02-20 | 诺基亚公司 | Method, device, system for rekeying |
| US8144877B2 (en) | 2007-09-28 | 2012-03-27 | Huawei Technologies Co., Ltd. | Method and apparatus for updating a key in an active state |
| US8300827B2 (en) | 2007-09-28 | 2012-10-30 | Huawei Technologies Co., Ltd. | Method and apparatus for updating key in an active state |
| WO2009043294A1 (en) * | 2007-09-28 | 2009-04-09 | Huawei Technologies Co., Ltd. | The method and device for updating the key in the active state |
| US8023658B2 (en) | 2007-09-28 | 2011-09-20 | Huawei Technologies Co., Ltd. | Method and apparatus for updating a key in an active state |
| US9031240B2 (en) | 2007-09-28 | 2015-05-12 | Huawei Technologies Co., Ltd. | Method and apparatus for updating a key in an active state |
| US10057769B2 (en) | 2007-09-28 | 2018-08-21 | Huawei Technologies Co., Ltd. | Method and apparatus for updating a key in an active state |
| US10999065B2 (en) | 2007-09-28 | 2021-05-04 | Huawei Technologies Co., Ltd. | Method and apparatus for updating a key in an active state |
| CN102761553A (en) * | 2012-07-23 | 2012-10-31 | 杭州华三通信技术有限公司 | IPSec SA consultation method and device |
| CN108199837A (en) * | 2018-01-23 | 2018-06-22 | 新华三信息安全技术有限公司 | A kind of cryptographic key negotiation method and device |
| CN108199837B (en) * | 2018-01-23 | 2020-12-25 | 新华三信息安全技术有限公司 | Key negotiation method and device |
| WO2019232692A1 (en) * | 2018-06-05 | 2019-12-12 | Ebay Inc. | Automated key and encryption system |
| US12081662B2 (en) | 2018-06-05 | 2024-09-03 | Ebay Inc. | Automated key and encryption system |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN100592678C (en) | Key management for network elements | |
| CN105897782B (en) | A kind of processing method and processing device of the call request for interface | |
| JP5490874B2 (en) | Identity management services provided by network operators | |
| CN101317359B (en) | Method and device for generating local interface cryptographic key | |
| US20050009517A1 (en) | Roaming across different access mechanisms and network technologies | |
| US7103659B2 (en) | System and method for monitoring information in a network environment | |
| CN101227339B (en) | Method for monitoring data traffic based on contents and/or IP address | |
| CA2545229A1 (en) | Method for verifying the validity of a user | |
| CN1777094A (en) | Key reconsul tation trigger method in general pilot system | |
| EP1698197B1 (en) | Authentication in a communication network | |
| CN111260475B (en) | Data processing method, block link point equipment and storage medium | |
| WO2024227354A1 (en) | Web-based remote management method and system for intelligent gateway device in wide area network | |
| CN110138731B (en) | Network anti-attack method based on big data | |
| CN1659558A (en) | Mediator-based interworking using hierarchical certificates | |
| US20080133775A1 (en) | Method, Apparatus and Computer Program Product for Providing Intelligent Synchronization | |
| Yan et al. | A mechanism for trust sustainability among trusted computing platforms | |
| EP1317159A1 (en) | Authentication, authorisation and accounting for a roaming user terminal | |
| WO2008078889A1 (en) | Method of controlling the session for the oma dm protocol | |
| CN101366037A (en) | Computer program product, device and method for secure HTTP digest response verification and integrity protection in mobile terminal | |
| CN114553419B (en) | Quantum identity authentication method and system based on continuous variable quantum key distribution | |
| CN1921682A (en) | Method for enhancing key negotiation in universal identifying framework | |
| CN101599878A (en) | Re-authentication method, system and authentication device | |
| CN118573381A (en) | Processing method, device and equipment for collaborative digital signature data | |
| CN115883233A (en) | A terminal long connection recovery method, device, electronic equipment and storage medium | |
| CN100512137C (en) | A method for deleting session transaction ID and related information |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C12 | Rejection of a patent application after its publication | ||
| RJ01 | Rejection of invention patent application after publication |
Open date: 20060524 |