
WO2007109994A1 - Method and apparatus for generating sequence number of encryption key in network - Google Patents


Info

Publication number
WO2007109994A1
Authority
WO
WIPO (PCT)
Prior art keywords
bits
sequence number
master key
key sequence
subkey
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/CN2007/000973
Other languages
French (fr)
Chinese (zh)
Inventor
Changhong Shan
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority claimed from CN200610070939.0A
Priority claimed from CN 200610070937
Application filed by Huawei Technologies Co Ltd
Publication of WO2007109994A1


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload

Definitions

  • The present invention relates to the field of network security technologies, and in particular to a method and an apparatus for generating a key sequence number in a network.
  • The key produced in the authentication process is generally a subkey derived from one parent key.
  • The sequence number of the subkey should then be equivalent to the parent key sequence number.
  • If a subkey is instead derived from two parent keys by some algorithm and each parent key maintains its own key sequence number, no specific method of generating the subkey sequence number has been given so far.
  • The purpose of the embodiments of the present invention is to provide a method and an apparatus for generating a key sequence number in a network, so as to generate a subkey sequence number in the network and thereby improve network security.
  • An embodiment of the present invention provides a method for generating a key sequence number in a network, including: the user equipment and the network side key generator each generate a first master key sequence number and a second master key sequence number;
  • the bits in the first master key sequence number and the second master key sequence number are added or concatenated to obtain the subkey sequence number on the user equipment and the network side.
  • An embodiment of the present invention provides an apparatus for generating a key sequence number in a network, including: a master key sequence number obtaining unit, configured to acquire the first master key sequence number and the second master key sequence number that the user equipment and the network side key generator each generate in the authentication process;
  • a subkey sequence number generating unit, configured to add or concatenate the bits in the first master key sequence number and the second master key sequence number acquired by the master key sequence number obtaining unit, to obtain the subkey sequence number on the user equipment and the network side.
  • The embodiments of the present invention provide a method and an apparatus for generating a subkey sequence number from two parent key sequence numbers, specifically by adding or concatenating bits of the two sequence numbers produced by the authentication process, so that the required subkey sequence number can be provided in a wireless network system, thereby improving network security.
  • FIG. 1 is a flowchart of generating a universal key sequence number in an embodiment of the present invention
  • FIG. 2 is a flowchart of a key sequence number generation process applied to a network authentication process according to an embodiment of the present invention
  • FIG. 3 is a schematic structural diagram of an apparatus according to an embodiment of the present invention.
  • the authentication process is to mutually authenticate the terminal device and the network device by interacting with the authentication message between the terminal and the network device.
  • In the embodiments, the sequence number of the subkey must be produced from the sequence numbers of the two parent keys, and an implementation scheme for deriving the subkey sequence number from those two sequence numbers is provided.
  • An implementation solution provided by the embodiment of the present invention adds the key sequence numbers generated by the two authentications to obtain the authorized key sequence numbers of the user equipment and the network side. The implementation will be described below in conjunction with two specific application embodiments.
  • The key RK1 produced by the first authentication process at the user equipment and the key generator has the first master key sequence number RK1_SN (4 bits); the key RK2 produced by the second authentication process at the user equipment and the key generator has the second master key sequence number RK2_SN (4 bits); the subkey is the authorization key AK, whose sequence number is AK_SN.
  • On initial authentication, RK1_SN and RK2_SN are both initialized from some initial value, for example 0, 1, 2 or 3; on re-authentication, the values of RK1_SN and RK2_SN are each incremented by one.
  • RK1_SN uses the lower two bits and RK2_SN uses the upper two bits; or,
  • RK1_SN uses the lower two bits and RK2_SN uses the lower two bits; or,
  • RK1_SN uses the upper two bits and RK2_SN uses the upper two bits; or,
  • RK1_SN uses the upper two bits and RK2_SN uses the lower two bits.
  • The key generators on the terminal and network side each generate a 2-bit authorization key sequence number according to the above formula.
  • The flow of generating the sequence number on the terminal and network side is shown in FIG. 1; after the network side generates the authorization key sequence number, the generator (such as the authenticator) may distribute the subkey sequence number AK_SN to the entity that uses it (such as the base station).
  • FIG. 2 is a flowchart of key sequence number generation applied to the WiMAX network authentication process according to an embodiment of the present invention.
  • The sequence number generation method in this embodiment includes the following steps:
  • AK_SN = (PMK_SN + PMK2_SN) mod 4
  • The resulting authorization key AK sequence number is 2 bits.
  • PMK_SN uses the lower two bits and PMK2_SN uses the upper two bits; or,
  • PMK_SN uses the lower two bits and PMK2_SN uses the lower two bits; or,
  • PMK_SN uses the upper two bits and PMK2_SN uses the upper two bits; or,
  • PMK_SN uses the upper two bits and PMK2_SN uses the lower two bits.
  • For example, if PMK_SN and PMK2_SN both use the lower two bits, and the lower two bits of PMK_SN are 01 while the lower two bits of PMK2_SN are 00, then (01 + 00) mod 4 = 01, which is the 2-bit authorization key sequence number AK_SN.
  • In this way the sequence number of the authorization key is obtained on the subscriber station and on the authenticator, respectively.
  • The network side authenticator sends a key material transfer message carrying the authorization key sequence number to the base station; the message also includes the authorization key and the lifetime of the authorization key.
  • A new authorization key sequence number is then negotiated between the subscriber station and the base station; specifically, the negotiation may follow the standard defined in IEEE 802.16e-D12. Since the distribution of the key sequence number and the negotiation of the sequence number are the same as in the prior art, they are not described here.
  • The key RK1 produced by the first authentication process has sequence number RK1_SN (4 bits); the key RK2 produced by the second authentication process has sequence number RK2_SN (4 bits); the subkey is the authorization key AK, whose sequence number is AK_SN.
  • RK1_SN and RK2_SN are initialized from some initial value, such as 0, 1, 2 or 3.
  • RK1_SN always uses its two non-significant bits.
  • RK2_SN always uses its two significant bits (the effective bits, comprising the MSB (most significant bit) and the LSB (least significant bit)).
  • The values of the two non-significant bits of RK1_SN and of the two significant bits of RK2_SN are accumulated from some initial value (which may be 0, 1, 2 or 3) and then taken modulo 4. Alternatively, by the same reasoning, RK1_SN may always use the two significant bits and RK2_SN always the two non-significant bits.
  • AK_SN is then obtained by adding the two non-significant bits of RK1_SN to the two significant bits of RK2_SN:
  • AK_SN = RK1_SN + RK2_SN.
  • The authorization key sequence number generation method includes the following steps:
  • For PMK_SN two non-significant bits are always used; these may be the lower two bits or the upper two bits, and their value is accumulated from an initial value (such as 0, 1, 2 or 3) and then taken modulo 4;
  • for PMK2_SN two significant bits are always used; these may be the lower two bits or the upper two bits, and their value is accumulated from an initial value (such as 0, 1, 2 or 3) and then taken modulo 4.
  • AK_SN = PMK_SN + PMK2_SN.
  • The two non-significant bits of PMK_SN are its lower two bits and the two significant bits of PMK2_SN are its upper two bits. If the initial values of the two authentications are 0 and 3 respectively, the two non-significant bits of PMK_SN start from the initial value 0 and are incremented by 1 and taken modulo 4, and the two significant bits of PMK2_SN start from the initial value 3.
  • The 2-bit authorization key sequence number is thus obtained on the subscriber station and on the authentication server, respectively.
  • The steps after the authorization key sequence number is generated are the same as in the first embodiment.
  • The embodiment of the present invention may further add RK1_SN and RK2_SN to obtain a 4-bit subkey sequence number, of which only the upper two bits or the lower two bits are used.
  • The basic principle of another implementation solution provided by the embodiments of the present invention is that the key sequence numbers produced by the two authentications are concatenated bitwise to obtain the key sequence number on the user equipment and the network side. This solution is described below with two specific application embodiments.
  • The key RK1 produced by the first authentication process has sequence number RK1_SN; the key RK2 produced by the second authentication process has sequence number RK2_SN; the subkey is the authorization key AK, whose sequence number is AK_SN.
  • The sequence numbers are all 4 bits.
  • Both RK1_SN and RK2_SN are initialized from some initial value, such as 0, 1, 2 or 3. RK1_SN always uses its two non-significant bits, and RK2_SN always uses its two significant bits.
  • The values of the two non-significant bits of RK1_SN and of the two significant bits of RK2_SN are accumulated from some initial value (which may be 0, 1, 2 or 3) and then taken modulo 4. Alternatively, by the same reasoning, RK1_SN may use the two significant bits and RK2_SN always the two non-significant bits.
  • AK_SN is then obtained by concatenating the two non-significant bits of RK1_SN with the two significant bits of RK2_SN:
  • AK_SN = RK1_SN + RK2_SN, where "+" denotes bit concatenation. (1)
  • A 4-bit key sequence number is generated on the terminal and on the network side according to the above formula (1), of which only the upper two bits or the lower two bits may be used.
  • FIG. 2 is a flowchart of key sequence number generation applied to the WiMAX network authentication process according to an embodiment of the present invention.
  • The sequence number generation method in this embodiment includes the following steps:
  • For PMK_SN two non-significant bits are always used; these may be the lower two bits or the upper two bits, and their value is accumulated from an initial value (such as 0, 1, 2 or 3) and then taken modulo 4;
  • for PMK2_SN two significant bits are always used; these may be the lower two bits or the upper two bits, and their value is accumulated from an initial value (such as 0, 1, 2 or 3) and then taken modulo 4.
  • The network side authentication server sends a key material transfer message carrying the authorization key sequence number to the base station; the message also includes the authorization key and the lifetime of the authorization key.
  • The key RK1 produced by the first authentication process at the user equipment and the key generator has sequence number RK1_SN; the key RK2 produced by the second authentication process at the user equipment and the key generator has sequence number RK2_SN; the subkey is the authorization key AK, whose sequence number is AK_SN.
  • The sequence numbers are all 4 bits.
  • AK_SN is obtained by concatenating two bits taken from each sequence number, that is,
  • AK_SN = (RK1_SN + RK2_SN), where "+" denotes bit concatenation. (2)
  • RK1_SN uses the lower two bits and RK2_SN uses the lower two bits; or,
  • RK1_SN uses the upper two bits and RK2_SN uses the upper two bits; or,
  • RK1_SN uses the upper two bits and RK2_SN uses the lower two bits.
  • The key generators on the terminal and the network side each generate a 4-bit authorization key sequence number, of which only the upper two bits or the lower two bits are used.
  • The flow of generating the sequence number on the terminal and network side is shown in FIG. 1.
  • The subkey sequence number is distributed to the using entity (e.g., the base station) by the generator (e.g., the authenticator) on the network side.
  • The authorization key sequence number generation method includes the following steps:
  • AK: Authorization Key
  • AK_SN = (PMK_SN + PMK2_SN), where "+" denotes bit concatenation; the resulting authorization key AK sequence number is 4 bits.
  • PMK_SN uses the lower two bits and PMK2_SN uses the upper two bits; or,
  • PMK_SN uses the lower two bits and PMK2_SN uses the lower two bits; or,
  • PMK_SN uses the upper two bits and PMK2_SN uses the upper two bits; or,
  • PMK_SN uses the upper two bits and PMK2_SN uses the lower two bits.
  • A 4-bit authorization key sequence number AK_SN is obtained, of which specifically only the upper two bits or the lower two bits of the four may be used.
  • The embodiment of the present invention further provides an apparatus for generating a key sequence number in a network.
  • Its specific structure is shown in FIG. 3 and includes the following processing units:
  • a master key sequence number obtaining unit, configured to obtain the first master key sequence number and the second master key sequence number generated by the user equipment and the network side key generator in an authentication process (such as an EAP authentication process), and to provide them to the subkey sequence number generating unit for generating the subkey sequence number;
  • a subkey sequence number generating unit, configured to add or concatenate the bits in the first master key sequence number and the second master key sequence number acquired by the master key sequence number obtaining unit, to obtain the subkey sequence number on the user equipment and the network side;
  • the subkey sequence number generating unit may specifically include an adding or concatenating unit and a modulo unit, where:
  • the adding or concatenating unit is configured to add or concatenate two bits of the first master key sequence number and two bits of the second master key sequence number; an added result is sent to the modulo unit, while a concatenated result is used directly as the subkey sequence number;
  • the adding or concatenating unit is further connected to a bit information extracting unit, which is configured to extract the lower two bits of the first master key sequence number and the upper two bits of the second master key sequence number; or the lower two bits of the first and the lower two bits of the second; or the upper two bits of the first and the lower two bits of the second; or the upper two bits of the first and the upper two bits of the second;
  • for the first master key sequence number the two non-significant bits are used and for the second master key sequence number the two significant bits are used; or, for the first master key sequence number the two significant bits are used and for the second master key sequence number the two non-significant bits are used;
  • the modulo unit is configured to take the added result obtained by the adding or concatenating unit modulo 4, to obtain the subkey sequence number on the user equipment and the network side.
  • The apparatus further includes a unit configured to send the subkey sequence number generated by the network side key generator to the using entity through a key material transfer message.
  • The apparatus provided by the embodiment of the present invention may be, but is not limited to being, configured in a WiMAX network.
  • The terminal is a mobile station MS, the network side key generator is the authenticator, RK1 is the pairwise master key PMK, RK2 is the second pairwise master key PMK2, the sequence numbers corresponding to PMK and PMK2 are PMK_SN and PMK2_SN respectively, and the entity using the subkey sequence number is the base station.
  • The embodiments of the present invention are applicable not only to WiMAX networks but also to other network systems.
  • The embodiments of the present invention provide a method and apparatus for generating a subkey sequence number from two parent key sequence numbers, which ensures the security of data transmission in the network.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

A method and an apparatus for generating the sequence number of an encryption key in a network. The user equipment and the encryption key generator on the network side each generate the sequence number RK1_SN of the first primary encryption key and the sequence number RK2_SN of the second primary encryption key. The bits in RK1_SN and RK2_SN are added or concatenated to obtain the sequence number of the sub encryption key for the user equipment and the network side. Generating the sequence number of the sub encryption key from the sequence numbers of two parent encryption keys can increase the security of the network.

Description

Method and apparatus for generating a key sequence number in a network

Technical Field

The present invention relates to the field of network security technologies, and in particular to a method and an apparatus for generating a key sequence number in a network.

Background of the Invention

Currently, a key produced in a network authentication process is in general a subkey derived from one parent key, and the sequence number of the subkey should be equivalent to the sequence number of the parent key. However, if a subkey is jointly derived from two parent keys through some algorithm, and each parent key maintains its own key sequence number, no specific method of generating the subkey sequence number has been given so far.

Summary of the Invention

The purpose of the embodiments of the present invention is to provide a method and an apparatus for generating a key sequence number in a network, so as to generate a subkey sequence number in the network and thereby improve network security.

An embodiment of the present invention provides a method for generating a key sequence number in a network, including: the user equipment and the network side key generator each generate a first master key sequence number and a second master key sequence number;

the bits in the first master key sequence number and the second master key sequence number are added or concatenated to obtain the subkey sequence number on the user equipment and the network side.

An embodiment of the present invention provides an apparatus for generating a key sequence number in a network, including: a master key sequence number obtaining unit, configured to acquire the first master key sequence number and the second master key sequence number that the user equipment and the network side key generator each generate in the authentication process;

a subkey sequence number generating unit, configured to add or concatenate the bits in the first master key sequence number and the second master key sequence number acquired by the master key sequence number obtaining unit, to obtain the subkey sequence number on the user equipment and the network side.

The embodiments of the present invention provide a method and an apparatus for generating a subkey sequence number from two parent key sequence numbers, specifically by adding or concatenating bits of the two sequence numbers produced by the authentication process, so that the required subkey sequence number can be provided in a wireless network system, thereby improving network security.

Brief Description of the Drawings

FIG. 1 is a flowchart of generating a generic key sequence number in an embodiment of the present invention;

FIG. 2 is a flowchart of key sequence number generation applied to a network authentication process according to an embodiment of the present invention;

FIG. 3 is a schematic structural diagram of an apparatus provided by an embodiment of the present invention.

Mode for Carrying Out the Invention

In a communication process, authentication exchanges authentication messages between the terminal and the network device so that the terminal device and the network device mutually confirm each other. In the embodiments of the present invention, the sequence number of the subkey must be produced from the sequence numbers of two parent keys, and an implementation scheme for deriving the subkey sequence number from the two parent key sequence numbers is provided, in order to improve the security of the network communication process.

One implementation solution provided by the embodiments of the present invention adds the key sequence numbers produced by the two authentications to obtain the authorization key sequence number on the user equipment and the network side. This solution is described below with two specific application embodiments.

Embodiment 1

Assume that the first authentication process produces the key RK1 at the user equipment and the key generator, with the corresponding first master key sequence number RK1_SN (4 bits); the second authentication process produces the key RK2 at the user equipment and the key generator, with the corresponding second master key sequence number RK2_SN (4 bits); the subkey is the authorization key AK, whose sequence number is AK_SN. When the authentication process is the initial authentication, RK1_SN and RK2_SN are both initialized from some initial value, for example 0, 1, 2 or 3; on re-authentication, the values of RK1_SN and RK2_SN are each incremented by one.

Then AK_SN is obtained by adding two bits of each sequence number and taking the result modulo 4, that is:

AK_SN = (RK1_SN + RK2_SN) mod 4; (1)

In formula (1), only a certain two bits of RK1_SN and of RK2_SN are added, for example RK1_SN uses the lower two bits and RK2_SN uses the upper two bits; or,

RK1_SN uses the lower two bits and RK2_SN uses the lower two bits; or,

RK1_SN uses the upper two bits and RK2_SN uses the upper two bits; or,

RK1_SN uses the upper two bits and RK2_SN uses the lower two bits.

Thus the key generators on the terminal and network side each generate a 2-bit authorization key sequence number according to the above formula.

The flow of generating the sequence number on the terminal and network side is shown in FIG. 1. After the network side generates the authorization key sequence number, the generator (such as the authenticator) may further distribute the subkey sequence number to the entity that uses the authorization key sequence number AK_SN (such as the base station).

The specific implementation is described below by taking the application of this embodiment in a WiMAX network as an example. FIG. 2 is a flowchart of key sequence number generation applied to the WiMAX network authentication process according to this embodiment; as shown in FIG. 2, the sequence number generation method of this embodiment includes the following steps:

(1) Two EAP (Extensible Authentication Protocol) authentication processes are carried out between the subscriber station and the authentication server. After them, the first pairwise master key PMK with its sequence number PMK_SN and the second pairwise master key PMK2 with its sequence number PMK2_SN have been generated on the subscriber station and on the authenticator, respectively, where PMK_SN and PMK2_SN are both 4 bits.

(2) On the subscriber station (mobile station) and on the authenticator, the sequence number of the authorization key (AK: Authorization Key) is generated according to the following formula:

two bits of each sequence number are added and the result is taken modulo 4, that is:

AK_SN = (PMK_SN + PMK2_SN) mod 4,

and the resulting authorization key AK sequence number is 2 bits.

For the selection of bits in PMK_SN and PMK2_SN, the following options may be used:

PMK_SN uses the lower two bits and PMK2_SN uses the upper two bits; or,

PMK_SN uses the lower two bits and PMK2_SN uses the lower two bits; or,

PMK_SN uses the upper two bits and PMK2_SN uses the upper two bits; or,

PMK_SN uses the upper two bits and PMK2_SN uses the lower two bits.

For example, if PMK_SN and PMK2_SN both use the lower two bits, and the lower two bits of PMK_SN are 01 while the lower two bits of PMK2_SN are 00, then (01 + 00) mod 4 = 01, which is the 2-bit authorization key sequence number AK_SN.

In this way the sequence number of the authorization key is obtained on the subscriber station and on the authenticator, respectively.

Next, the network side authenticator sends a key material transfer message carrying the authorization key sequence number to the base station; the message also includes the authorization key and the lifetime of the authorization key.

Then a new authorization key sequence number is negotiated between the subscriber station and the base station. Specifically, the negotiation may follow the standard defined in IEEE 802.16e-D12. Since the distribution of the key sequence number and the negotiation of the sequence number are the same as in the prior art, they are not described here.
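As an added worked example (not code from the patent or from Huawei), the following Python models both implementation solutions this page describes: the addition-modulo-4 derivation of Embodiment 1 above and the bit-concatenation variant listed under the definitions, with the four bit-selection options. It steps a subscriber station and an authenticator through an initial authentication and a series of re-authentications, checks that both sides derive the same AK_SN, and reports how many rounds pass before an AK_SN value recurs. The counter representation, the modulo-16 wrap of a 4-bit counter and the bit order of the concatenated result (PMK_SN pair in the upper two bits) are assumptions, not stated on the page.

```python
"""Added example (not the patent's or Huawei's code): derive the subkey
(AK) sequence number from two parent-key sequence numbers PMK_SN and
PMK2_SN as described on this page, either by adding two selected bits of
each modulo 4 (2-bit AK_SN) or by concatenating them (4-bit AK_SN).

Assumptions not stated on the page: counters are plain ints, a 4-bit
counter wraps modulo 16 when incremented, and in the concatenation
variant the PMK_SN bit pair forms the upper two bits of the result.
"""

FOUR_BIT_MASK = 0xF


def low2(sn: int) -> int:
    """Lower two bits (bits 1..0) of a 4-bit sequence number."""
    return sn & 0b11


def high2(sn: int) -> int:
    """Upper two bits (bits 3..2) of a 4-bit sequence number."""
    return (sn >> 2) & 0b11


# Bit selection per parent; the page lists low/high, low/low, high/high, high/low.
SELECT = {"low": low2, "high": high2}


def ak_sn_add(pmk_sn: int, pmk2_sn: int, sel1: str = "low", sel2: str = "low") -> int:
    """Solution 1: AK_SN = (bits(PMK_SN) + bits(PMK2_SN)) mod 4, a 2-bit value."""
    return (SELECT[sel1](pmk_sn) + SELECT[sel2](pmk2_sn)) % 4


def ak_sn_concat(pmk_sn: int, pmk2_sn: int, sel1: str = "low", sel2: str = "low") -> int:
    """Solution 2: AK_SN = bits(PMK_SN) || bits(PMK2_SN), a 4-bit value
    (PMK_SN pair in the upper two bits: assumed ordering)."""
    return (SELECT[sel1](pmk_sn) << 2) | SELECT[sel2](pmk2_sn)


class KeySequenceState:
    """One side's counters (subscriber station or authenticator).

    Initial authentication sets both 4-bit counters to an initial value
    (the page names 0, 1, 2 or 3); each re-authentication increments both.
    """

    def __init__(self, pmk_sn_init: int, pmk2_sn_init: int) -> None:
        for v in (pmk_sn_init, pmk2_sn_init):
            if not 0 <= v <= FOUR_BIT_MASK:
                raise ValueError("sequence numbers are 4-bit values")
        self.pmk_sn = pmk_sn_init
        self.pmk2_sn = pmk2_sn_init

    def reauthenticate(self) -> None:
        """Re-authentication: each parent-key sequence number advances by one."""
        self.pmk_sn = (self.pmk_sn + 1) & FOUR_BIT_MASK
        self.pmk2_sn = (self.pmk2_sn + 1) & FOUR_BIT_MASK


def run_sessions(init1: int, init2: int, reauths: int,
                 derive=ak_sn_add, sel1: str = "low", sel2: str = "low") -> list:
    """Step a subscriber station and an authenticator in lockstep through an
    initial authentication plus `reauths` re-authentications.  Returns the
    AK_SN derived per round and raises if the two sides ever disagree
    (the subkey sequence number must be identical on both sides)."""
    station = KeySequenceState(init1, init2)
    authenticator = KeySequenceState(init1, init2)
    history = []
    for _ in range(reauths + 1):
        sn_station = derive(station.pmk_sn, station.pmk2_sn, sel1, sel2)
        sn_auth = derive(authenticator.pmk_sn, authenticator.pmk2_sn, sel1, sel2)
        if sn_station != sn_auth:
            raise RuntimeError("AK_SN mismatch between station and authenticator")
        history.append(sn_station)
        station.reauthenticate()
        authenticator.reauthenticate()
    return history


def period(history: list) -> int:
    """Rounds until the first AK_SN value recurs (0 if it never recurs)."""
    for i in range(1, len(history)):
        if history[i] == history[0]:
            return i
    return 0


if __name__ == "__main__":
    # The page's worked case: lower two bits of both, 01 + 00 -> 01.
    print("add   :", ak_sn_add(0b0001, 0b0000))      # 1
    print("concat:", ak_sn_concat(0b0001, 0b0000))   # 4 (0b0100)
    # Initial values 0 and 3, eight re-authentications, lower bits of both.
    hist = run_sessions(0, 3, 8)
    print("AK_SN per round:", hist)                  # [3, 1, 3, 1, 3, 1, 3, 1, 3]
    print("repeats after  :", period(hist), "rounds")  # 2
```

Because both parent counters advance by one on every re-authentication, the lower-bits-plus-lower-bits sum advances by 2 modulo 4 and only ever takes two values, so an AK_SN value recurs after two re-authentications; the concatenation variant with the same inputs recurs after four. The `period` function makes that window visible, which is the check a practitioner wants before relying on a 2-bit or 4-bit sequence number to tell consecutive authorization keys apart.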

实施例 2  Example 2

假定第一次认证过程产生的密钥 RK1,序列号为 RK1— SN( 4个比特); 第二次认证过程产生的密钥 RK2, 序列号为 RK2_SN ( 4个比特); 子密钥 为授权密钥 AK, 授权密钥 AK的序列号为 AK_SN。 当所作的认证过程是 初始认证时, RK1_SN和 RK2— SN都要从某个初始值开始初始化, 如使用 0, 1 , 2或者 3初始化。 RK1— SN总是使用无意义的两比特, 而 RK2— SN 总是使用有意义(有效位, 包括 MSB (最高有效位)和 LSB (最低有效位 ) ) 的两比特。所述 RM一 SN的无意义的两比特及所述 RK2一 SN的有意义的两 比特的值为从某个初始值(该初始值可以为 0, 1 , 2, 或 3 )开始累加, 然 后模 4。 或者, 同理, 也可以为 RM SN 总是使用有意义的两比特, 而 RK2_SN总是使用无意义的两比特。 Assume that the key RK1 generated by the first authentication process has the sequence number RK1_SN (4 bits); the key RK2 generated by the second authentication process, the sequence number is RK2_SN (4 bits); the subkey is the authorization The key AK, the serial number of the authorization key AK is AK_SN. When the authentication process is initial authentication, both RK1_SN and RK2_SN are initialized from an initial value, such as 0, 1, 2 or 3 initialization. RK1—SN always uses two bits that are meaningless, while RK2—SN always uses two bits that are meaningful (signal bits, including MSB (most significant bit) and LSB (least significant bit)). The meaningless two bits of the RM-SN and the meaningful two-bit value of the RK2-SN are accumulated from an initial value (the initial value may be 0, 1, 2, or 3), and then Mode 4. Or, for the same reason, it is also possible to always use meaningful two bits for RM SN, and RK2_SN always uses two bits that are meaningless.

AK_SN is then obtained by adding the two insignificant bits of RK1_SN to the two significant bits of RK2_SN:

AK_SN = RK1_SN + RK2_SN.

The terminal and the network side thus each generate a 2-bit key sequence number from the formula above. On the network side, the generator (such as the authentication server) then distributes the subkey sequence number to the user of the key (such as the base station). Again taking a WiMAX network as the example, the authorization key sequence number is generated as follows:

(1) Two EAP authentication processes are run between the subscriber station (mobile station) and the authentication server. After them, the subscriber station and the authenticator each hold the first pairwise master key PMK with its sequence number PMK_SN and the second pairwise master key PMK2 with its sequence number PMK2_SN.

Here PMK_SN always contributes its two insignificant bits, which may be either its low two bits or its high two bits; their value starts from an initial value (such as 0, 1, 2 or 3), is incremented, and is reduced modulo 4;

PMK2_SN always contributes its two significant bits, which may be either its low two bits or its high two bits; their value starts from an initial value (such as 0, 1, 2 or 3), is incremented, and is reduced modulo 4.

(2) The subscriber station and the authenticator each generate the sequence number AK_SN of the authorization key AK from the following formula:

The SN of AK equals the two insignificant bits of PMK_SN added to the two significant bits of PMK2_SN, that is, AK_SN = PMK_SN + PMK2_SN.

For example, suppose the two insignificant bits of PMK_SN are its low two bits and the two significant bits of PMK2_SN are its high two bits. If their initial values at authentication are 0 and 3 respectively, the two insignificant bits of PMK_SN start from the initial value 0, are incremented by 1 and reduced modulo 4, giving 01; the two significant bits of PMK2_SN start from the initial value 3, are incremented by 1 and reduced modulo 4, giving 00; so AK_SN = 01 + 00 = 01.

In this way the subscriber station and the authentication server each obtain the 2-bit authorization key sequence number. The steps after the authorization key sequence number is generated are the same as in Embodiment 1.

Alternatively, an embodiment may add RK1_SN to RK2_SN as whole values to obtain a 4-bit subkey sequence number, of which only the high two bits or only the low two bits are used. A further implementation provided by embodiments of the invention concatenates bits of the sequence numbers produced by the two authentications to obtain the authorization key sequence number on the user equipment and on the network side. That implementation is described below with two application embodiments.
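The addition-based derivation of Embodiment 2, including the whole-value variant described just above, as an added example that is not part of the patent text. The function names, the `counted_field` counter model and the trace helper are this example's own; the patent specifies only the arithmetic (two-bit fields counted from an initial value, summed, reduced modulo 4).

```python
# Added example (not from the patent): AK sequence number derivation by
# addition modulo 4, following Embodiment 2.  Function names and the
# trace helper are this example's own; the patent defines only the arithmetic.


def low2(sn: int) -> int:
    """Low two bits of a 4-bit sequence number."""
    return sn & 0b11


def high2(sn: int) -> int:
    """High two bits of a 4-bit sequence number."""
    return (sn >> 2) & 0b11


def counted_field(initial: int, authentications: int) -> int:
    """Value of a two-bit counter field after a number of authentications:
    start at an initial value in 0..3, add one per authentication, mod 4."""
    if initial not in (0, 1, 2, 3):
        raise ValueError("initial value must be 0, 1, 2 or 3")
    return (initial + authentications) % 4


def ak_sn_by_addition(field1: int, field2: int) -> int:
    """AK_SN = (two bits of PMK_SN + two bits of PMK2_SN) mod 4.
    Both inputs are already-selected two-bit fields."""
    for f in (field1, field2):
        if not 0 <= f <= 3:
            raise ValueError("fields must be two-bit values")
    return (field1 + field2) % 4


def ak_sn_by_4bit_addition(rk1_sn: int, rk2_sn: int, keep_high: bool) -> int:
    """Variant from the text: add the whole 4-bit sequence numbers and keep
    only the high two or the low two bits of the 4-bit sum."""
    for sn in (rk1_sn, rk2_sn):
        if not 0 <= sn <= 0xF:
            raise ValueError("sequence numbers must be 4-bit values")
    total = (rk1_sn + rk2_sn) & 0xF
    return high2(total) if keep_high else low2(total)


def ak_sn_trace(pmk_initial: int, pmk2_initial: int, rounds: int) -> list:
    """AK_SN after each of `rounds` authentications when both selected
    fields advance by one per authentication.  The mobile station and the
    authenticator run this identically, so no AK_SN is sent between them."""
    return [
        ak_sn_by_addition(counted_field(pmk_initial, k),
                          counted_field(pmk2_initial, k))
        for k in range(1, rounds + 1)
    ]


if __name__ == "__main__":
    # The patent's worked example: initial values 0 and 3, one authentication.
    f1 = counted_field(0, 1)   # 01
    f2 = counted_field(3, 1)   # 00
    print(f"PMK field {f1:02b}, PMK2 field {f2:02b}, "
          f"AK_SN {ak_sn_by_addition(f1, f2):02b}")
    print("AK_SN over 6 re-authentications:",
          [f"{v:02b}" for v in ak_sn_trace(0, 3, 6)])
```

A check worth running before adopting the 2-bit form: when both selected fields advance by one on every re-authentication, their sum advances by two, so the modulo-4 result alternates between only two values (01 and 11 in the trace above). Consecutive keys therefore cannot be told apart by AK_SN alone, which is why the sequence number negotiation with the base station described in the text still matters.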

Embodiment 3

Assume that the first authentication process produces key RK1 with sequence number RK1_SN, that the second authentication process produces key RK2 with sequence number RK2_SN, that the subkey is the authorization key AK, and that the sequence number of AK is AK_SN. All of these sequence numbers are 4 bits. When the authentication is an initial authentication, RK1_SN and RK2_SN are each initialized from some initial value, for example 0, 1, 2 or 3. RK1_SN always contributes its two insignificant bits, and RK2_SN always contributes its two significant bits. The value of the two insignificant bits of RK1_SN and the value of the two significant bits of RK2_SN each start from some initial value (which may be 0, 1, 2 or 3), are incremented, and are then reduced modulo 4. Equivalently, RK1_SN may always contribute its two significant bits while RK2_SN always contributes its two insignificant bits.

AK_SN is then obtained by concatenating the two insignificant bits of RK1_SN with the two significant bits of RK2_SN:

AK_SN = RK1_SN + RK2_SN, where "+" denotes concatenation. (1)

The terminal and the network side thus each generate a 4-bit key sequence number from formula (1) above, of which only the high two bits or only the low two bits may be used.

On the network side, the generator (such as the authentication server) then distributes the subkey sequence number to the user of the key (such as the base station). The concrete procedure is described below using a WiMAX network as the example. Figure 2, again, is the flow chart of key sequence number generation in a WiMAX network authentication process according to an embodiment of the invention; as shown in Figure 2, the sequence number generation method of this embodiment comprises the following steps:

(1) Two EAP authentication processes are run between the subscriber station (mobile station) and the authentication server. After them, the subscriber station and the authenticator each hold the first pairwise master key PMK with its sequence number PMK_SN and the second pairwise master key PMK2 with its sequence number PMK2_SN.

Here PMK_SN always contributes its two insignificant bits, which may be either its low two bits or its high two bits; their value starts from an initial value (such as 0, 1, 2 or 3), is incremented, and is reduced modulo 4;

PMK2_SN always contributes its two significant bits, which may be either its low two bits or its high two bits; their value starts from an initial value (such as 0, 1, 2 or 3), is incremented, and is reduced modulo 4.

(2) The subscriber station and the authenticator each generate the sequence number AK_SN of the authorization key AK from the following formula:

The SN of AK equals the two insignificant bits of PMK_SN concatenated with the two significant bits of PMK2_SN, that is, AK_SN = PMK_SN + PMK2_SN, where "+" denotes concatenation.

For example, suppose the two insignificant bits of PMK_SN are its low two bits and the two significant bits of PMK2_SN are its high two bits. If their initial values at authentication are 0 and 3 respectively, the two insignificant bits of PMK_SN start from the initial value 0, are incremented by 1 and reduced modulo 4, giving 01; the two significant bits of PMK2_SN start from the initial value 3, are incremented by 1 and reduced modulo 4, giving 00; so AK_SN = 01 + 00 = 0100, a 4-bit authorization key sequence number of which only the high two bits or only the low two bits may be used.

The network-side authentication server then sends a key-material transfer message carrying the authorization key sequence number to the base station; the message also carries the authorization key itself and the lifetime of the authorization key.

The subscriber station and the base station then negotiate the new authorization key sequence number, following the procedure defined in IEEE 802.16e-D12. Since the distribution of the key sequence number and the negotiation of the sequence number are the same as in the prior art, they are not described further here.

Embodiment 4

Assume that the first authentication process produces key RK1 on the user equipment and on the key generator, with sequence number RK1_SN; that the second authentication process produces key RK2 on the user equipment and on the key generator, with sequence number RK2_SN; that the subkey is the authorization key AK; and that the sequence number of AK is AK_SN. All of these sequence numbers are 4 bits. When the authentication is an initial authentication, RK1_SN and RK2_SN are each initialized from some initial value, for example 0, 1, 2 or 3; on re-authentication, RK1_SN and RK2_SN are each incremented by one.

AK_SN is then obtained by concatenating two bits of each sequence number, that is,

AK_SN = (RK1_SN + RK2_SN), where "+" denotes concatenation. (2)

In formula (2) only two bits of RK1_SN and two bits of RK2_SN are concatenated, for example the low two bits of RK1_SN with the high two bits of RK2_SN; or

the low two bits of RK1_SN with the low two bits of RK2_SN; or

the high two bits of RK1_SN with the high two bits of RK2_SN; or

the high two bits of RK1_SN with the low two bits of RK2_SN.

The key generators on the terminal and on the network side thus each generate a 4-bit authorization key sequence number, of which only the high two bits or only the low two bits are used. The flow of sequence number generation on the terminal and on the network side is shown in Figure 1.

On the network side, the generator (such as the authenticator) then distributes the subkey sequence number to the user of the key (such as the base station).

Again, for a WiMAX network (as shown in Figure 2), the authorization key sequence number is generated as follows:

(1) Two EAP authentication processes are run between the subscriber station and the authentication server. After them, the subscriber station and the authenticator each hold the first pairwise master key PMK with its sequence number PMK_SN and the second pairwise master key PMK2 with its sequence number PMK2_SN; PMK_SN and PMK2_SN are both 4 bits.

(2) The subscriber station (mobile station) and the authenticator each generate the sequence number of the authorization key (AK, Authorization Key) from the following formula:

two bits of each sequence number are concatenated, that is:

AK_SN = (PMK_SN + PMK2_SN), where "+" denotes concatenation; the resulting sequence number of the authorization key AK is 4 bits.

The bits of PMK_SN and PMK2_SN may be selected in any of the following ways:

the low two bits of PMK_SN with the high two bits of PMK2_SN; or

the low two bits of PMK_SN with the low two bits of PMK2_SN; or

the high two bits of PMK_SN with the high two bits of PMK2_SN; or

the high two bits of PMK_SN with the low two bits of PMK2_SN.

For example, if PMK_SN and PMK2_SN both contribute their low two bits, and the low two bits of PMK_SN are 01 while the low two bits of PMK2_SN are 00, then (01 + 00) = 0100 with "+" as concatenation, giving the 4-bit authorization key sequence number AK_SN, of which only the high two bits or only the low two bits may be used.
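The concatenation-based derivation of Embodiments 3 and 4, as an added example that is not part of the patent text. It covers the four field-selection modes listed above, the 4-bit re-authentication counter of Embodiment 4, and the option of keeping only the high or the low two bits of the result. The `Field` enum, the function names and the sample values 1001 and 0111 are this example's own; the patent fixes only that "+" is concatenation and that the PMK_SN field comes first (01 + 00 = 0100).

```python
# Added example (not from the patent): AK sequence number derivation by
# concatenating two-bit fields, following Embodiments 3 and 4.  The Field
# enum, function names and sample values are this example's own.
from enum import Enum


class Field(Enum):
    LOW = "low two bits"
    HIGH = "high two bits"


def select(sn: int, which: Field) -> int:
    """Extract the chosen two-bit field of a 4-bit sequence number."""
    if not 0 <= sn <= 0xF:
        raise ValueError("sequence numbers must be 4-bit values")
    return (sn >> 2) & 0b11 if which is Field.HIGH else sn & 0b11


def next_sn(sn: int) -> int:
    """Re-authentication adds one to a 4-bit sequence number (wraps at 16)."""
    return (sn + 1) & 0xF


def ak_sn_by_concat(pmk_sn: int, pmk2_sn: int,
                    pmk_field: Field = Field.LOW,
                    pmk2_field: Field = Field.HIGH) -> int:
    """AK_SN = field(PMK_SN) || field(PMK2_SN) as a 4-bit value.  The PMK_SN
    field forms the high two bits of the result, as in the text's 01 + 00 = 0100."""
    return (select(pmk_sn, pmk_field) << 2) | select(pmk2_sn, pmk2_field)


def truncate(ak_sn4: int, keep_high: bool) -> int:
    """The text allows using only the high or only the low two bits of the
    4-bit result."""
    return (ak_sn4 >> 2) & 0b11 if keep_high else ak_sn4 & 0b11


def all_modes(pmk_sn: int, pmk2_sn: int) -> dict:
    """AK_SN under the four field-selection modes the patent lists, keyed
    by (PMK_SN field, PMK2_SN field)."""
    return {
        (a.name, b.name): ak_sn_by_concat(pmk_sn, pmk2_sn, a, b)
        for a in (Field.LOW, Field.HIGH)
        for b in (Field.LOW, Field.HIGH)
    }


if __name__ == "__main__":
    # Worked example from the text: both low fields, 01 and 00 -> 0100.
    print(f"{ak_sn_by_concat(0b0001, 0b0000, Field.LOW, Field.LOW):04b}")
    # Constructed sample values: 1000 and 0110 after one re-authentication.
    pmk, pmk2 = next_sn(0b1000), next_sn(0b0110)
    for mode, v in all_modes(pmk, pmk2).items():
        print(mode, f"{v:04b}",
              "high2", f"{truncate(v, True):02b}",
              "low2", f"{truncate(v, False):02b}")
```

Both sides must agree not only on the formula but on the selection mode and on whether the result is truncated; the `all_modes` table makes visible that the same pair of master key sequence numbers yields four different AK_SN values depending on that choice.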

The steps after the corresponding authorization key sequence number is generated are the same as in Embodiment 3 and are not repeated here. Embodiments of the invention also provide an apparatus for generating a key sequence number in a network; its structure is shown in Figure 3 and comprises the following processing units:

(1) Master key sequence number acquisition unit

This unit acquires the first master key sequence number and the second master key sequence number generated by the user equipment and by the network-side key generator during the authentication process (for example an EAP authentication process) and supplies them to the subkey sequence number generation unit for generating the subkey sequence number.

(2) Subkey sequence number generation unit

This unit adds or concatenates bits of the first master key sequence number and of the second master key sequence number acquired by the master key sequence number acquisition unit to obtain the subkey sequence number on the user equipment and on the network side;

The subkey sequence number generation unit may comprise an addition-or-concatenation unit and a modulo unit, where:

(21) the addition-or-concatenation unit adds or concatenates two bits of the first master key sequence number and two bits of the second master key sequence number; the result of an addition is sent to the modulo unit, while the result of a concatenation is used directly as the subkey sequence number;

The addition-or-concatenation unit also communicates with a bit information extraction unit, which extracts the low two bits of the first master key sequence number and the high two bits of the second master key sequence number; or the low two bits of the first and the low two bits of the second; or the high two bits of the first and the low two bits of the second; or the high two bits of the first and the high two bits of the second;

Further, the two insignificant bits of the first master key sequence number and the two significant bits of the second master key sequence number are used; or the two significant bits of the first and the two insignificant bits of the second;

(22) the modulo unit reduces the sum obtained by the addition-or-concatenation unit modulo 4 to obtain the subkey sequence number on the user equipment and on the network side.

(3) Subkey sequence number sending unit

Optionally, the apparatus also comprises this unit, which sends the subkey sequence number generated by the network-side key generator to the user of the key in a key-material transfer message.

The apparatus may be deployed in, but is not limited to, a WiMAX network. In that case the terminal is the mobile station MS, the network-side key generator is the authenticator, RK1 is the pairwise master key PMK and RK2 is the second pairwise master key PMK2, the sequence numbers corresponding to PMK and PMK2 are PMK_SN and PMK2_SN respectively, and the entity that uses the subkey sequence number is the base station. The embodiments apply not only to WiMAX networks but equally to other network systems. As described above, the embodiments of the invention provide a method and apparatus for generating a subkey sequence number from two parent key sequence numbers, in support of secure data transmission in the network.

The specific embodiments above serve only to illustrate the invention and do not limit it. Any modification, equivalent replacement or improvement made within the spirit and principles of the invention falls within its scope of protection.

Claims

1. A method for generating a key sequence number in a network, comprising: the user equipment and the network-side key generator each generating a first master key sequence number and a second master key sequence number; and adding or concatenating bits of the first master key sequence number and the second master key sequence number to obtain the subkey sequence number on the user equipment and on the network side.

2. The method of claim 1, wherein obtaining the subkey sequence number on the user equipment and the network-side generator comprises: adding two bits of the first master key sequence number to two bits of the second master key sequence number, reducing the sum modulo 4, and using the result as the subkey sequence number on the user equipment and on the network side; or adding the four bits of the first master key sequence number to the four bits of the second master key sequence number and using the high two bits or the low two bits of the resulting four-bit value as the subkey sequence number on the user equipment and on the network side; or concatenating two bits of the first master key sequence number with two bits of the second master key sequence number and using the result as the subkey sequence number on the user equipment and on the network side.

3. The method of claim 2, wherein: for the first master key sequence number the two bits are the low two bits, and for the second master key sequence number the two bits are the high two bits; or for the first they are the low two bits and for the second the low two bits; or for the first they are the high two bits and for the second the low two bits; or for the first they are the high two bits and for the second the high two bits.

4. The method of claim 1, wherein: in generating the first master key sequence number, its value is initialized from 0, 1, 2 or 3 at initial authentication and incremented by one at re-authentication; and in generating the second master key sequence number, its value is initialized from 0, 1, 2 or 3 at initial authentication and incremented by one at re-authentication.

5. The method of claim 1, wherein: the two insignificant bits of the first master key sequence number and the two significant bits of the second master key sequence number are used; or the two significant bits of the first master key sequence number and the two insignificant bits of the second master key sequence number are used.

6. The method of claim 5, wherein at authentication the value of the two insignificant bits is accumulated from 0, 1, 2 or 3 and reduced modulo 4, and the value of the two significant bits is accumulated from 0, 1, 2 or 3 and reduced modulo 4.

7. The method of claim 5, wherein: the two insignificant bits of the first master key sequence number are its low two bits and the two significant bits of the second master key sequence number are its high two bits; or the insignificant bits of the first are its low two bits and the significant bits of the second are its low two bits; or the insignificant bits of the first are its high two bits and the significant bits of the second are its low two bits; or the insignificant bits of the first are its high two bits and the significant bits of the second are its high two bits.

8. The method of any one of claims 1 to 7, wherein, in a Worldwide Interoperability for Microwave Access (WiMAX) network, the user equipment is the mobile station MS, the network-side key generator is the authenticator, the first master key sequence number is the sequence number of the pairwise master key PMK and the second master key sequence number is the sequence number of the second pairwise master key PMK2, the sequence numbers corresponding to PMK and PMK2 are PMK_SN and PMK2_SN respectively, and the entity that uses the subkey sequence number is the base station.

9. A method for transmitting a subkey sequence number, comprising: the network-side key generator generating a subkey sequence number and transmitting the subkey sequence number to the user of the key in a key-material transfer message.

10. The method of claim 9, wherein the key-material transfer message contains the authorization key, the authorization key sequence number and the lifetime of the authorization key.

11. An apparatus for generating a key sequence number in a network, comprising: a master key sequence number acquisition unit for acquiring the first master key sequence number and the second master key sequence number generated by the user equipment and by the network-side key generator during the authentication process; and a subkey sequence number generation unit for adding or concatenating bits of the first master key sequence number and the second master key sequence number acquired by the master key sequence number acquisition unit to obtain the subkey sequence number on the user equipment and on the network side.

12. The apparatus of claim 11, wherein the subkey sequence number generation unit comprises an addition-or-concatenation unit and a modulo unit, where: the addition-or-concatenation unit adds or concatenates two bits of the first master key sequence number and two bits of the second master key sequence number, the result of an addition being sent to the modulo unit and the result of a concatenation being used directly as the subkey sequence number; and the modulo unit reduces the sum obtained by the addition-or-concatenation unit modulo 4 to obtain the subkey sequence number on the user equipment and on the network side.

13. The apparatus of claim 12, wherein the addition-or-concatenation unit also communicates with a bit information extraction unit that extracts the low two bits of the first master key sequence number and the high two bits of the second master key sequence number; or the low two bits of the first and the low two bits of the second; or the high two bits of the first and the low two bits of the second; or the high two bits of the first and the high two bits of the second.

14. The apparatus of claim 11, wherein: the two insignificant bits of the first master key sequence number and the two significant bits of the second master key sequence number are used; or the two significant bits of the first master key sequence number and the two insignificant bits of the second master key sequence number are used.

15. The apparatus of claim 11, further comprising a subkey sequence number sending unit for sending the subkey sequence number generated by the network-side key generator to the user of the key in a key-material transfer message.

16. The apparatus of any one of claims 11 to 15, deployed in a WiMAX network, wherein the user equipment is the mobile station MS, the network-side key generator is the authenticator, RK1 is the pairwise master key PMK and RK2 is the second pairwise master key PMK2, the sequence numbers corresponding to PMK and PMK2 are PMK_SN and PMK2_SN respectively, and the entity that uses the subkey sequence number is the base station.
PCT/CN2007/000973 2006-03-25 2007-03-26 Method and apparatus for generating sequence number of encryption key in network Ceased WO2007109994A1 (en)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
CN200610070939.0 2006-03-25
CN200610070939.0A CN101043325B (en) 2006-03-25 2006-03-25 Network identification method
CN 200610070937 CN101043324A (en) 2006-03-25 2006-03-25 Method for generating key sequence number of network
CN200610070937.1 2006-03-25

Publications (1)

Publication Number Publication Date
WO2007109994A1 true WO2007109994A1 (en) 2007-10-04

Family

ID=38540812

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2007/000973 Ceased WO2007109994A1 (en) 2006-03-25 2007-03-26 Method and apparatus for generating sequence number of encryption key in network

Country Status (1)

Country Link
WO (1) WO2007109994A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105307159A (en) * 2014-06-25 2016-02-03 普天信息技术有限公司 Air interface encryption method for cluster communication group calling service
CN105323725A (en) * 2014-05-26 2016-02-10 普天信息技术有限公司 Air interface encryption method for cluster communication group calling service

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1697374A (en) * 2004-05-13 2005-11-16 华为技术有限公司 Method for sanding and receiving cipher data, device for distributing and receiving cipher data
CN1751533A (en) * 2003-02-20 2006-03-22 西门子公司 Method for forming and distributing encryption keys in a mobile radio system and mobile radio system


Similar Documents

Publication Publication Date Title
US9392453B2 (en) Authentication
JP5307191B2 (en) System and method for secure transaction of data between a wireless communication device and a server
JP4286224B2 (en) Method for secure and confidential communication used in a wireless local area network (WLAN)
US7760885B2 (en) Method of distributing encryption keys among nodes in mobile ad hoc network and network device using the same
CN100341290C (en) An authentication method for fast switching in wireless local area network
JP3863852B2 (en) Method of controlling access to network in wireless environment and recording medium recording the same
CN102948128A (en) Secure node admission in a communication network
JP2011139457A (en) System and method for secure transaction of data between wireless communication device and server
WO2011010432A1 (en) Base station and client device
JP2002247047A (en) Session shared key sharing method, wireless terminal authentication method, wireless terminal, and base station device
JP2012110009A (en) Methods and arrangements for secure linking of entity authentication and ciphering key generation
WO2007104248A1 (en) Method, system, apparatus and bsf entity for preventing bsf entity from attack
CN101208901A (en) Authentication system in communication system and method thereof
CN103795728A (en) EAP authentication method capable of hiding identities and suitable for resource-constrained terminal
CN100586067C (en) An Identity Authentication Method Compatible with 802.11i and WAPI
CN111654481B (en) Identity authentication method, identity authentication device and storage medium
JP2007506329A (en) Method for improving WLAN security
CN1929371B (en) Method for User and Peripheral to Negotiate a Shared Key
CN101394395B (en) Authentication method, system and device
JP2005529525A5 (en)
WO2007109994A1 (en) Method and apparatus for generating sequence number of encryption key in network
CN118450380A (en) Terminal authentication method, device, apparatus, storage medium, and program product
CN114124513B (en) Identity authentication method, system, device, electronic equipment and readable medium
CN119316842A (en) Bluetooth transmitter and Bluetooth receiver
CN1301608C (en) Method for implementing peer-to-peer WLAN with center certification

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 07720547

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 07720547

Country of ref document: EP

Kind code of ref document: A1