
WO2008145621A2 - Method and system for allocating security key for multicast transmission


Info

Publication number
WO2008145621A2
Authority
WO
WIPO (PCT)
Prior art keywords
security key
user equipment
service
key
multicast service
Legal status
Ceased
Application number
PCT/EP2008/056393
Other languages
French (fr)
Other versions
WO2008145621A3 (en)
Inventor
Li Zhu
Current Assignee
Nokia Solutions and Networks Oy
Original Assignee
Nokia Siemens Networks Oy
Application filed by Nokia Siemens Networks Oy

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/065 Network architectures or network communication protocols for network security for supporting key management in a packet data network for group communications
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/083 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP]
    • H04L9/0833 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP] involving conference or group key
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/60 Digital content management, e.g. content distribution
    • H04L2209/601 Broadcast encryption

Definitions

  • the present invention relates to network security technology, in particular to a method and a system for allocating a security key for a multimedia broadcast/multicast service (MBMS) in an internet protocol (IP) multimedia sub-system (IMS).
  • MBMS multimedia broadcast/multicast service
  • IP internet protocol
  • IMS multimedia sub-system
  • An IMS system is an IP-based mobile network that is increasingly evolving towards a flatter architecture. It provides multi-media services as well as platforms based on packet switching, and makes it possible for service providers and end users to obtain faster and more flexible applications from the innovation in the multi-media services.
  • the WCDMA/GSM global standardization organization 3GPP has proposed standards for multimedia broadcast/multicast service (MBMS).
  • MBMS achieves in mobile networks the services of one-point to multi-point which transmit data from a data source to a plurality of users, so as to realize the sharing of network resources, to improve the utilization rate of network resources, and especially free interface resources.
  • a part of the data service can be accomplished via multicasting so as to save bandwidth.
  • the security mechanism based on the existing IMS system is capable of providing a secure channel between user equipment (UE) and an application server (AS) to ensure the point-to-point communication between the UE and the AS; however, the MBMS service is a point-to-multipoint service, and the existing IMS security mechanism is incapable of ensuring the security of MBMS service data.
  • a common practice is to encrypt the MBMS service data packets transmitted from the AS, and then to transmit the encrypted data packets to various UE that use the service.
  • for the users of the MBMS service to decrypt successfully the data packets transmitted from the AS, they need to get the multicast transmitting security key (MTK) corresponding to the service. Therefore, how to ensure that the users utilizing the same service have the identical security key is a problem which needs an urgent solution to ensure the safe application of MBMS services in the IMS system.
  • MTK multicast transmitting security key
  • the main object of the present invention is to provide a method for allocating a security key for a multicast transmission, and by applying the method provided in the present invention it is possible to allocate the security key for the multicast transmission to user equipment for receiving MBMS data packets.
  • the present invention provides a method for allocating a security key for a multicast transmission, and this method comprises the following steps:
  • step B the operation of said application server to allocate the security key for multicast transmission according to the MBMS service requested by the user equipment comprises: determining by said application server the security key for the multicast transmission according to the MBMS service requested by the user equipment, and transmitting the same to said user equipment.
  • the method further comprises: allocating in advance by the application server a security key for multicast transmission to each MBMS service provided thereby; and wherein said step for determining by the application server the security key for multicast transmission comprises: determining by said application server the security key for multicast transmission corresponding to said MBMS service according to the security key for multicast transmission allocated in advance.
  • said request for the security key carries therein a service identification of the MBMS service requested by the user equipment; and said step for determining by the application server the security key for multicast transmission comprises: generating the security key for multicast transmission according to the service identification of the MBMS carried in the request for the security key by said application server by using an algorithm for generating the security key corresponding to the MBMS service.
  • said operation for the application server to allocate the security key for multicast transmission according to the MBMS service requested by the user equipment comprises: transmitting by said application server to the user equipment the security key generating information required for generating the security key for multicast transmission, and then generating by the user equipment the security key for multicast transmission.
  • said security key generating information comprises a security key generating parameter and a basic security key; and the operation for said user equipment to generate the security key for multicast transmission is that the user equipment generates the security key for multicast transmission according to the security key generating parameter and the basic security key.
  • said basic security key is generated according to shared information; and said operation for the user equipment to generate the security key for multicast transmission is that: the user equipment calculates the security key for multicast transmission according to its own shared information by eliminating from the basic security key an element of the shared information using the security key generating parameter.
  • said transmitting by the application server the security key generating information to the user equipment comprises: transmitting by said application server the security key generating parameter and the basic security key respectively to the user equipment; and after confirming that the user equipment has received one of them, further transmitting the other piece of information to the user equipment.
  • said user equipment requests the security key by transmitting a service request message to said application server.
  • the method further comprises: establishing by the IMS system a secure channel between the user equipment and the IMS system when the user equipment registers in the IMS system; and carrying out said operations for transmitting the request for the security key and allocating the security key for multicast transmission on said established secure channel.
  • another main object of the present invention is to provide a system for allocating a security key for a multicast transmission, and the system may allocate a security key for multicast transmission to user equipment requesting the MBMS service.
  • the system for allocating the security key for multicast transmission comprises at least user equipment and an application server; wherein said user equipment is configured to request the security key from the application server corresponding to a MBMS service requested by the user equipment itself, and to receive the security key for multicast transmission allocated by the application server; and said application server is configured to receive the request for the security key transmitted by the user equipment, allocate according to the MBMS service currently requested by the user equipment the security key for multicast transmission corresponding to the service, and transmitting the same to the user equipment.
  • said application server is configured to transmit the security key generating information for generating the security key for multicast transmission to the user equipment; and said user equipment is configured to generate the security key for multicast transmission according to the received security key generating information.
  • the system further comprises: a proxy call session control function (P-CSCF) for connecting the user equipment to the application server; said user equipment is configured to interact with the application server via a secure connection between the user equipment itself and the P-CSCF; and said application server is configured to interact with the user equipment via a secure connection between the application server itself and the P-CSCF.
  • P-CSCF proxy call session control function
  • Another object of the present invention is to provide a user terminal, and the user terminal can obtain the security key for multicast transmission required for decrypting the MBMS service.
  • the user terminal comprises at least: a control unit, a transmitting unit and a receiving unit; wherein said control unit, which is connected with the transmitting unit and the receiving unit, is configured to request via the transmitting unit a security key from an application server corresponding to a requested MBMS service, and to receive via the receiving unit the security key for multicast transmission allocated by the application server; said transmitting unit, which is connected with the control unit, is configured to transmit the request for the security key according to an instruction from the control unit; and said receiving unit, which is connected with the control unit, is configured to transmit the received security key for multicast transmission to the control unit.
  • the user terminal further comprises a calculation unit; said receiving unit is configured to transmit received information for generating the security key to the calculation unit; and said calculation unit is configured to calculate the security key for multicast transmission according to the security key generating information transmitted from the receiving unit, and transmit the same to the control unit.
  • said transmitting unit and receiving unit are respectively configured to transmit to said application server and receive from said application server a message for allocating the security key for multicast transmission via secure connections between themselves and a proxy call session control function.
  • Another object of the present invention is to provide an application server for allocating a security key for multicast transmissions, and the application server can allocate to the users the security key for multicast transmission required to ensure the security of MBMS service.
  • the application server allocates for the user equipment a security key for multicast transmission in order to decrypt MBMS service data packets according to the MBMS service requested by the user equipment.
  • an application server allocates for the user equipment a security key for multicast transmission so as to decrypt the MBMS service packet, which ensures that the users using the same MBMS service have the same security key.
  • the present invention also provides a system for allocating security key for multicast transmissions, a user terminal, and an application server for allocating security key for multicast transmissions in the IMS network.
  • the security key for multicast transmission required for receiving the MBMS can be allocated to user equipment using the same MBMS.
  • in addition to achieving the allocation of the security key for multicast transmission, the solution of the present invention can further ensure safety during the process of allocating the security key for multicast transmission.
  • Fig. 1 is a schematic flowchart of a method of the present invention
  • Fig. 2 is a schematic structural diagram of a system of the present invention
  • Fig. 3 is a flowchart of a first preferred embodiment of the method of the present invention
  • Fig. 4 is a structural diagram of the first preferred embodiment of the system of the present invention
  • Fig. 5 is a flowchart of a second preferred embodiment of the method of the present invention.
  • Fig. 6 is a structural diagram of the second preferred embodiment of the system of the present invention.
  • the main technical solution adopted in the embodiments of the present invention is that, when a user equipment requests a MBMS service from an application server in the IMS network, the application server allocates for the user equipment a security key for multicast transmission to decrypt the MBMS service data packets according to the MBMS service requested by the user equipment.
  • when user equipment requests an MBMS service, the application server allocates for the user equipment the security key for multicast transmission to decrypt the MBMS service packets, which ensures that the users requesting the same MBMS service have the same security key.
  • Fig. 1 is a schematic flowchart of the method of the present invention.
  • the particular flow is as follows: in step 101, after a user equipment has determined a MBMS service to be accessed by itself, the user equipment transmits a request message for the security key to an application server in the IMS network corresponding to the MBMS service; in step 102, after the application server has received the request message for the security key transmitted by the user equipment, it allocates according to the current MBMS service requested by the user equipment a security key for multicast transmission corresponding to the service.
  • said request message for the security key can be a service request message for requesting a multicast service from the application server by the user equipment.
  • Fig. 2 is a schematic structural diagram of the system of the present invention.
  • the system comprises: user equipment 21 and an application server 22.
  • the user equipment 21 is configured to transmit to the application server 22 a request message for the security key corresponding to the MBMS service after it has determined the MBMS service to be accessed by itself, and to receive the security key for multicast transmission allocated by the application server 22.
  • the application server 22 is configured to allocate the security key for multicast transmission corresponding to the service according to the MBMS currently requested by the user equipment 21 after having received the request message for the security key transmitted by the user equipment 21, and to transmit the same to the user equipment 21.
  • the technical solutions of the present invention are described in detail.
  • the first preferred embodiment to be described is mainly the case of generating the security key for multicast transmission by the application server; and the second preferred embodiment to be described is about generating the security key for multicast transmission by the user equipment according to the security key parameters determined by the application server.
  • this is a flowchart of the method of the first preferred embodiment of the present invention. It comprises in particular the following steps:
  • step 301 after having determined the MBMS service to be used by it, the user equipment transmits a service request message to the application server.
  • step 302 after having received the request message transmitted by the user equipment, the application server allocates the security key for multicast transmission to the user equipment according to the MBMS service requested by the user equipment and returns it to the user equipment; the security key for multicast transmission can be carried in a 200 OK response message returned from the application server.
  • the 200 OK response message is a standard session initiation protocol message, acknowledging the receipt of the service request message.
  • the allocation of the security key for multicast transmission by the application server to the user equipment can be achieved by using the following method. For example, when the application server only provides one MBMS service, the application server may allocate a corresponding security key for multicast transmission in advance for the MBMS service provided thereby; when user equipment requests the MBMS service, the security key for multicast transmission allocated to the MBMS service in advance is transmitted to the user equipment.
  • the application server can allocate a security key for multicast transmission in advance for each of the MBMS services, and determine the security key for multicast transmission to the user equipment according to an MBMS service identification carried in the request message from the user equipment.
  • an application server can provide a plurality of MBMS services
  • the security key generation algorithm herein should be the same for the same requested MBMS service.
  • step 303 after the user equipment has received the security key for multicast transmission, it will return an ACK message to the application server.
  • the ACK message herein is to acknowledge to the other party.
  • when the application server has received the message transmitted from the user equipment, it can determine that the user equipment has received the security key allocated to it. Then, the user equipment can use the security key for multicast transmission to decrypt the MBMS service data packets transmitted from the application server.
  • the security of the process for allocating the security key for multicast transmission itself cannot be overlooked.
  • a secure channel which is set up with the network side when the user equipment is registered with the IMS network to transmit the message during the allocation of the security key for multicast transmission.
  • the connections between the network entities belonging to the IMS network are safe. Therefore, as long as a secure channel is established between the user equipment and the P-CSCF, the secure channels to the network entities in the IMS network are established, including the application server providing the MBMS service to the user equipment.
  • the system comprises at least: a user equipment 41 and an application server 42.
  • the user equipment 41 is configured to transmit to the application server 42 a request message for the security key for the corresponding MBMS service after having determined the MBMS service to be accessed by it, and to receive the security key for multicast transmission allocated by the application server 42.
  • the application server 42 is configured to allocate the security key for multicast transmission corresponding to the MBMS service requested by the user equipment 41 after having received the request message for the security key transmitted by the user equipment 41, and to transmit the same to the user equipment 41.
  • the system further comprises: a P-CSCF 43, which is configured to connect the user equipment 41 to the application server 42.
  • the user equipment 41 is configured to interact with the application server 42, receive and transmit the messages with the application server 42 via the secure link between itself and P-CSCF 43; and the application server 42 is configured to interact with the user equipment 41, receive and transmit the messages with the user equipment 41 via the secure link between itself and P-CSCF 43.
  • the user equipment 41 comprises a control unit 411, a transmitting unit 412 and a receiving unit 413.
  • the control unit 411 is configured to transmit to the application server 42 a request message for the security key corresponding to the MBMS service via the transmitting unit 412, after the user equipment 41 in which the control unit 411 is located has determined the MBMS service to be accessed by itself; and to receive the security key for multicast transmission allocated by the application server 42 via the receiving unit 413.
  • the transmitting unit 412 is configured to transmit the request message for the security key according to an instruction of the control unit 411; and the receiving unit 413 is configured to transmit the received security key for multicast transmission to the control unit 411.
  • the transmitting unit 412 and the receiving unit 413 can be respectively configured to transmit a message for allocating the security key for multicast transmission to the application server 42 and receive a message for allocating the security key for multicast transmission transmitted from the application server 42 via the secure link between themselves and the P-CSCF.
  • the application server 42 comprises a processing unit 422, a transmitting unit 423 and a receiving unit 421.
  • the processing unit 422 is configured to receive a request for the security key transmitted by the user equipment 41 via the receiving unit 421, to generate the security key for multicast transmission for the MBMS service requested by the user equipment 41 or to generate a security key generating parameter required for generating the security key for multicast transmission, and to transmit the same to the user equipment 41 via the transmitting unit 423;
  • the receiving unit 421 is configured to transmit the received request message for the security key to the processing unit 422;
  • the transmitting unit 423 is configured to transmit the security key for multicast transmission to the user equipment 41 according to an instruction of the processing unit 422.
  • the transmitting unit 423 and the receiving unit 421 can be respectively configured to transmit a message for allocating the security key for multicast transmission to the user equipment 41 and to receive a message for allocating the security key for multicast transmission transmitted from the user equipment 41 via the secure link between themselves and the P-CSCF.
  • Fig. 5 is a flowchart of the method of a second preferred embodiment of the present invention.
  • the particular method used is to transmit the information for generating the security key for multicast transmission to the user equipment by the application server, and the security key for multicast transmission is generated by the user equipment itself.
  • the method can ensure the security of the process for allocating and transmitting the security key because the security key is not transmitted directly in the transmission process. It comprises the following steps:
  • step 501 the details of implementing step 501 are the same as that of step 201, thus will not be repeated herein.
  • the message usually will carry a Session Initiation Protocol (SIP) identification of the MBMS service selected by the user equipment, and a Globally Routable UA URI (GRUU) identification representing its own linking address.
  • SIP Session Initiation Protocol
  • step 502 the application server returns the multicast medium information and the security key generating parameter to the user equipment, and the information and parameter can be returned to the user equipment by 200 OK.
  • a security key calculation algorithm is included in the security key generating parameter.
  • the information for generating the security key for multicast transmission can be a SIP session identification and/or GRUU, and so on.
  • step 503 after the user equipment has received the message, it returns an ACK message to the application server to confirm the receipt of the message transmitted in step 503.
  • step 504 the application server generates a basic security key and transmits it to the user equipment, and the basic security key can be carried in an Info message for transmission.
  • the security key for multicast transmission can be calculated.
  • the basic security key and the security key generating parameter are collectively called security key generating information.
  • the basic security key can be composed of arbitrary, random numbers; it can also be a code string which is capable of uniquely identifying this instance of the MBMS service
  • shared information between the application server and the user equipment is added into the basic information, namely the basic security key is generated according to the shared information; while at the user equipment side, the user equipment calculates the security key for multicast transmission by eliminating from the basic security key the elements of the information shared between the user equipment and the application server, using the security key generating parameter.
  • the shared information can be the user's information; it can also be information of a MBMS service.
  • the basic security key then can be calculated as follows: ⁇ " ' . Wherein, X
  • the user equipment can be by way of exchange transmission between the user equipment and the application server; also it can be the information which has been known by both the user equipment and the application server in advance.
  • step 505 after the user equipment has received the message, it returns an ACK message to the application server, to confirm the receipt of the message transmitted in step 504.
  • step 506 the user equipment generates the security key for multicast transmission according to the security key calculating parameter received in step 502, and the basic security key received in step 505. Since the security key for multicast transmission is used by all the users using the same service, if the user equipment's own information is carried in the basic security key, then it is necessary to eliminate from it the elements of user equipment's own in the algorithm of generating the security key for multicast transmission. For example, when the basic
  • after the application server has received the message transmitted from the user equipment, it can then determine that the user equipment has received the security key allocated to it. After this, the user equipment can use the security key for multicast transmission to decrypt the MBMS service data packets transmitted from the application server.
  • the security key generating parameter and the basic security key are separately transmitted twice.
  • the security key generating parameter and the basic security key can also be transmitted in one transmission.
  • the security key generating parameter is transmitted first, and then the basic security key is transmitted; after confirming that the information transmitted in the first time has been received by the other end, the second transmitting is then performed, so as to avoid that too much security information is intercepted by a prying party thus allowing the prying party to gather enough data for analyzing the intercepted information.
  • Fig. 6 is a structural diagram of the method of the second preferred embodiment of the present invention.
  • the user equipment 61 is configured to transmit to the application server 62 a request message for the security key corresponding to the MBMS service after having determined an MBMS service to be accessed by the user equipment 61, and to generate the security key for multicast transmission according to the received security key generating information.
  • the application server 62 is configured to allocate the security key for multicast transmission corresponding to the MBMS service requested by the user equipment 61 after having received the request message for the security key transmitted by the user equipment 61, and to transmit to the user equipment 61 the security key generating information for generating the security key for multicast transmission.
  • the system further comprises: a P-CSCF 63, which is configured to connect the user equipment 61 and the application server 62.
  • the user equipment 61 is configured to interact with the application server 62, to receive/transmit the messages from/to the application server 62 via the secure link between itself and P-CSCF 63; and the application server 62 is configured to interact with the user equipment 61, to receive/transmit the messages from/to the user equipment 61 via the secure link between itself and P-CSCF 63.
  • the user equipment 61 comprises a control unit 611, a transmitting unit 612, a receiving unit 613 and a calculating unit 614.
  • the control unit 611 is configured to transmit to the application server 62 the request message for the security key corresponding to the MBMS service via the transmitting unit 612 after the user equipment 61 has determined the MBMS service to be accessed by itself.
  • the transmitting unit 612 is configured to transmit the request message for the security key according to an instruction of the control unit 611.
  • the receiving unit 613 is configured to transmit the received security key generating information to the calculating unit 614.
  • the calculating unit 614 is configured to calculate the security key for multicast transmission according to the security key generating information transmitted by the receiving unit 613, and transmit the same to the control unit 611.
  • the transmitting unit 612 and the receiving unit 613 are respectively configured to transmit the message for allocating the security key for multicast transmission to the application server 62 and receive the message for allocating the security key for multicast transmission transmitted from the application server 62 via the secure link between themselves and the P-CSCF.
  • the application server 62 comprises at least a processing unit 622, a transmitting unit 623 and a receiving unit 621.
  • the processing unit 622 is configured to receive the request for the security key transmitted by the user equipment 61 via the receiving unit 621, generate the security key generating parameter for the security key for the MBMS service requested by the user equipment 61, and transmit the same to the user equipment 61 via the transmitting unit 623.
  • the receiving unit 621 is configured to transmit the received request message for the security key to the processing unit 622.
  • the transmitting unit 623 is configured to transmit the security key for multicast transmission to the user equipment 61 according to an instruction of the processing unit 622.
  • the transmitting unit 623 and the receiving unit 621 in the application server 62 can also be used respectively for transmitting a message for allocating the security key for multicast transmission to the user equipment 61, and to receive a message for allocating the security key for multicast transmission transmitted from the user equipment 61 via a secure link between themselves and the P-CSCF.
  • the method for allocating the security key for multicast transmission by the application server in the present invention can be used at any stage before the user equipment receives the MBMS data packets and after the time of having determined the MBMS service to be used thereby. For example, it can be after the user equipment has finished the registration with the IMS network or the activation procedure of the MBMS service.
  • in the present invention, the application server allocates to the user equipment, at the time that the user equipment requests a MBMS service, the security key for multicast transmission for decrypting the service, which ensures that the users using the same MBMS service have the same security key.
  • the present invention also provides a system for allocating the security key for multicast transmission, a user terminal, and an application server in the IMS network. By using the technical solutions provided by the present invention, it is possible to allocate the security key for multicast transmission required for receiving the MBMS service to all the user equipment using the same MBMS service.
  • the security can be further ensured during the process for allocating the security key for multicast transmission on the basis that the technical solution of the present invention is capable of accomplishing the allocation of the security key for multicast transmission.
  • a user equipment may issue a multicast service request to a server, e.g. an IMS application server (AS).
  • the request may be transmitted to the IMS AS by using a session initiation protocol (SIP) message, e.g. INVITE.
  • the IMS AS may respond with information relating to multicast media and security by using a SIP message, e.g. 200 OK.
  • Said information may comprise an algorithm needed for the multicast service and possibly some other information such as the contact address of the UE, additional shared information relating to SIP dialog, GRUU, etc.
  • the UE may acknowledge the receipt of the information transmitted by the IMS AS.
  • the IMS AS may provide a MBMS service key (MSK) to the UE via, e.g. a SIP message Info.
  • this message may be spared by delivering the MSK together with the information relating to multicast media and security to the UE when IMS AS responds to the service request.
  • the UE may issue an acknowledgement to the IMS AS through, e.g. a SIP message 200 OK.
  • if the delivery of the MSK is combined with the response to the UE's service request transmitted by the IMS AS, the acknowledgement is not needed.
  • the UE may use the received algorithm and the MSK to generate a MBMS traffic key (MTK), which may be used to decrypt multicast data relating to the requested multicast service.
  • the multicast service may be provided by the same IMS AS or by a different server.
  • Functions of the user equipment described above may be implemented by code means, as software, and loaded into memory of a computer, for example into a mobile phone.

Abstract

The present invention provides a method for allocating a security key for a multicast transmission, which method comprises: A. requesting, by user equipment, from an Internet protocol (IP) Multimedia Sub-System (IMS) application server, the security key for the multicast transmission corresponding to a multimedia broadcast/multicast service (MBMS) requested by the user equipment itself; and B. allocating, by said application server to the user equipment, according to the MBMS service currently requested by the user equipment, the security key for multicast transmission corresponding to the service. In addition, the present invention also provides a system for allocating a security key for multicast transmission, a user terminal, and an application server. By utilizing the technical solutions provided by the present invention, the security key for multicast transmission required for receiving the MBMS can be allocated to user equipment using the same MBMS. When adopting the technical solutions of the present invention, allocating the security key for multicast transmission via a secure channel between the user equipment and the application server further ensures security during the allocation process, in addition to accomplishing the allocation itself.

Description

Title
Method and System for Allocating Security Key for Multicast Transmission
Technical Field
The present invention relates to network security technology, in particular to a method and a system for allocating a security key for a multimedia broadcast/multicast service (MBMS) in an internet protocol (IP) multimedia sub-system (IMS).
Background
An IMS system is a mobile network based on IP, which is increasingly evolving towards flattening. It provides multi-media services as well as platforms based on packet switching, and makes it possible for service providers and end users to obtain faster and more flexible applications from the innovation in multi-media services. At the same time, in the prior art, in order to make effective use of the resources of mobile networks, the WCDMA/GSM global standardization organization 3GPP has proposed standards for multimedia broadcast/multicast service (MBMS). MBMS provides point-to-multipoint services in mobile networks, which transmit data from a data source to a plurality of users, so as to realize the sharing of network resources, to improve the utilization rate of network resources, and especially free interface resources.
In the prior art, when a new application mode demands that a part of the media stream of an IMS service, such as the multimedia push-to-talk over cellular (PoC) services including voice, video, and data services, be transmitted via the broadcast and multicast network framework in an existing mobile network, a part of the data service can be accomplished via multicasting so as to save bandwidth. In such an application, the security mechanism based on the existing IMS system is capable of providing a secure channel between user equipment (UE) and an application server (AS) to ensure the point-to-point communication between the UE and the AS; however, the MBMS service is a point-to-multipoint service, and the existing IMS security mechanism is incapable of ensuring the security of MBMS service data.
Therefore, in order to ensure the safe transmission of MBMS service data packets, a common practice is to encrypt the MBMS service data packets transmitted from the AS, and then to transmit the encrypted data packets to the various UEs that use the service. However, if the users enjoying the MBMS service are to decrypt successfully the data packets transmitted from the AS, they need to get the multicast transmitting security key (MTK) corresponding to the service. Therefore, how to ensure that the users utilizing the same service have the identical security key is a problem which needs an urgent solution to ensure the safe application of MBMS services in the IMS system.
Summary of the Invention
In view of this situation, the main object of the present invention is to provide a method for allocating a security key for a multicast transmission, and by applying the method provided in the present invention it is possible to allocate the security key for the multicast transmission to user equipment for receiving MBMS data packets.
The present invention provides a method for allocating a security key for a multicast transmission, and this method comprises the following steps:
A. requesting by a user equipment for a security key corresponding to a MBMS service requested from an IMS application server; and B. allocating by said application server for the user equipment the security key corresponding to the multicast transmission service.
Preferably, in step B, the operation of said application server to allocate the security key for multicast transmission according to the MBMS service requested by the user equipment comprises: determining by said application server the security key for the multicast transmission according to the MBMS service requested by the user equipment, and transmitting the same to said user equipment.
Preferably, the method further comprises: allocating in advance by the application server a security key for multicast transmission to each MBMS service provided thereby; and wherein said step for determining by the application server the security key for multicast transmission comprises: determining by said application server the security key for multicast transmission corresponding to said MBMS service according to the security key for multicast transmission allocated in advance.
Preferably, said request for the security key carries therein a service identification of the MBMS service requested by the user equipment; and said step for determining by the application server the security key for multicast transmission comprises: generating the security key for multicast transmission according to the service identification of the MBMS carried in the request for the security key by said application server by using an algorithm for generating the security key corresponding to the MBMS service.
Preferably, in step B, said operation for the application server to allocate the security key for multicast transmission according to the MBMS service requested by the user equipment comprises: transmitting by said application server to the user equipment the security key generating information required for generating the security key for multicast transmission, and then generating by the user equipment the security key for multicast transmission.
Preferably, said security key generating information comprises a security key generating parameter and a basic security key; and the operation for said user equipment to generate the security key for multicast transmission is that the user equipment generates the security key for multicast transmission according to the security key generating parameter and the basic security key.
Preferably, said basic security key is generated according to shared information; and said operation for the user equipment to generate the security key for multicast transmission is that: the user equipment calculates the security key for multicast transmission according to its own shared information by eliminating from the basic security key an element of the shared information using the security key generating parameter.
Preferably, said transmitting by the application server the security key generating information to the user equipment comprises: transmitting by said application server the security key generating parameter and the basic security key respectively to the user equipment; and after confirming that the user equipment has received one of them, further transmitting the other piece of information to the user equipment.
Preferably, said user equipment requests for the security key by transmitting a service request message to said application server.
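One possible construction of the variant in which the user equipment generates the key itself and the key generating information is delivered in two confirmed steps, as an added example rather than the patent's own algorithm: the HMAC-SHA256 mask, the XOR step, the random generating parameter and the echo used as confirmation are all assumptions, and the shared information is assumed to be a secret already held by both the user equipment and the application server.

```python
import hashlib
import hmac
import secrets


def mask(shared_info, param):
    # Per-UE pad derived from the UE's shared information and the
    # security key generating parameter (assumed construction).
    return hmac.new(shared_info, b"mbms-basic-key|" + param, hashlib.sha256).digest()


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class KeyInfoSender:
    """Application server side: parameter first, basic key only after confirmation."""

    def __init__(self, mtk, shared_info):
        self._mtk = mtk                # 32-byte multicast key, same for every UE of the service
        self._shared = shared_info     # differs per UE
        self._param = None
        self._param_confirmed = False

    def send_parameter(self):
        self._param = secrets.token_bytes(16)   # fresh parameter for each delivery
        self._param_confirmed = False
        return self._param

    def confirm_parameter(self, echoed):
        # The UE confirms receipt by echoing the parameter (assumption).
        self._param_confirmed = (self._param is not None
                                 and hmac.compare_digest(echoed, self._param))
        return self._param_confirmed

    def send_basic_key(self):
        if not self._param_confirmed:
            raise RuntimeError("generating parameter not yet confirmed by the UE")
        basic_key = xor_bytes(self._mtk, mask(self._shared, self._param))
        # A parameter is used for one delivery only, so a pad is never reused.
        self._param, self._param_confirmed = None, False
        return basic_key


def ue_generate_key(shared_info, param, basic_key):
    """UE side: remove the shared-information element from the basic key."""
    # XOR masking gives no integrity protection; it relies on the secure
    # channel the messages travel on to detect tampering.
    return xor_bytes(basic_key, mask(shared_info, param))


def deliver(mtk, shared_info):
    """Run the two-step exchange once and return what crossed the wire plus the UE's key."""
    sender = KeyInfoSender(mtk, shared_info)
    param = sender.send_parameter()
    sender.confirm_parameter(param)
    basic_key = sender.send_basic_key()
    return param, basic_key, ue_generate_key(shared_info, param, basic_key)
```

Two user equipments with different shared information receive different basic security keys, yet both arrive at the same key for multicast transmission, and neither transmitted value alone reveals that key.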
Preferably, before carrying out step A, the method further comprises: establishing by the IMS system a secure channel between the user equipment and the IMS system when the user equipment registers in the IMS system; and carrying out said operations for transmitting the request for the security key and allocating the security key for multicast transmission on said established secure channel.
In addition, another main object of the present invention is to provide a system for allocating a security key for a multicast transmission, and the system may allocate a security key for multicast transmission to user equipment requesting the MBMS service.
According to this aspect of the present invention, the system for allocating the security key for multicast transmission provided in the present invention comprises at least user equipment and an application server; wherein said user equipment is configured to request the security key from the application server corresponding to a MBMS service requested by the user equipment itself, and to receive the security key for multicast transmission allocated by the application server; and said application server is configured to receive the request for the security key transmitted by the user equipment, allocate according to the MBMS service currently requested by the user equipment the security key for multicast transmission corresponding to the service, and transmit the same to the user equipment.
Preferably, said application server is configured to transmit the security key generating information for generating the security key for multicast transmission to the user equipment; and said user equipment is configured to generate the security key for multicast transmission according to the received security key generating information.
Preferably, the system further comprises: a proxy call session control function (P-CSCF) for connecting the user equipment to the application server; said user equipment is configured to interact with the application server via a secure connection between the user equipment itself and the P-CSCF; and said application server is configured to interact with the user equipment via a secure connection between the application server itself and the P-CSCF.
Further, another object of the present invention is to provide a user terminal, and the user terminal can obtain the security key for multicast transmission required for decrypting the MBMS service.
The user terminal provided by the present invention comprises at least: a control unit, a transmitting unit and a receiving unit; wherein said control unit, which is connected with the transmitting unit and the receiving unit, is configured to request via the transmitting unit a security key from an application server corresponding to a requested MBMS service, and to receive via the receiving unit the security key for multicast transmission allocated by the application server; said transmitting unit, which is connected with the control unit, is configured to transmit the request for the security key according to an instruction from the control unit; and said receiving unit, which is connected with the control unit, is configured to transmit the received security key for multicast transmission to the control unit.
Preferably, the user terminal further comprises a calculation unit; said receiving unit is configured to transmit received information for generating the security key to the calculation unit; and said calculation unit is configured to calculate the security key for multicast transmission according to the security key generating information transmitted from the receiving unit, and transmit the same to the control unit.
Preferably, said transmitting unit and receiving unit are respectively configured to transmit to said application server and receive from said application server a message for allocating the security key for multicast transmission via secure connections between themselves and a proxy call session control function.
Finally, another object of the present invention is to provide an application server for allocating a security key for multicast transmissions, and the application server can allocate to the users the security key for multicast transmission required to ensure the security of MBMS service.
According to this aspect of the present invention, the application server provided by the present invention comprises: a processing unit, a transmitting unit and a receiving unit; wherein said processing unit, which is connected with the transmitting unit and the receiving unit, is configured to receive via the receiving unit a request for the security key transmitted by user equipment, generate the security key for multicast transmission for a MBMS service requested by the user equipment, or generate a security key generating parameter required for generating the security key for multicast transmission, and transmit the same to said user equipment via the transmitting unit; said receiving unit, which is connected with the processing unit, is configured to transmit the received message requesting the security key to the processing unit; and said transmitting unit, which is connected with the processing unit, is configured to transmit the security key for multicast transmission to said user equipment according to an instruction of the processing unit.
Preferably, said transmitting unit and receiving unit are respectively configured to transmit to said application server and receive from said application server a message for allocating the security key for multicast transmission via secure connections between themselves and a proxy call session control function.
In the method provided in the present invention for allocating security key for multicast transmissions, when user equipment requests a MBMS service from an application server, the application server allocates for the user equipment a security key for multicast transmission in order to decrypt MBMS service data packets according to the MBMS service requested by the user equipment. In the technical solution of the present invention, when user equipment requests a MBMS service, an application server allocates for the user equipment a security key for multicast transmission so as to decrypt the MBMS service packet, which ensures that the users using the same MBMS service have the same security key. In addition, the present invention also provides a system for allocating security key for multicast transmissions, a user terminal, and an application server for allocating security key for multicast transmissions in the IMS network. By using the technical solution provided by the present invention, the security key for multicast transmission required for receiving the MBMS can be allocated to user equipment using the same MBMS. At the same time, in the technical solution of the present invention, by allocating the security key for multicast transmission in a secure channel between the user equipment and the application server, the safety can be further ensured during the process of allocating the security key for multicast transmission on the basis of being capable to achieve the allocation of the security key for multicast transmission by the solution of the present invention.
Brief Description of the Drawings
The aforementioned and other features and advantages of the present invention can be made more apparent to those skilled in the art by the exemplary embodiments of the present invention described in detail below with reference to the drawings, in which:
Fig. 1 is a schematic flowchart of a method of the present invention;
Fig. 2 is a schematic structural diagram of a system of the present invention;
Fig. 3 is a flowchart of a first preferred embodiment of the method of the present invention;
Fig. 4 is a structural diagram of the first preferred embodiment of the system of the present invention;
Fig. 5 is a flowchart of a second preferred embodiment of the method of the present invention; and
Fig. 6 is a structural diagram of the second preferred embodiment of the system of the present invention.
Detailed Description of the Preferred Embodiments
In order to achieve the object of the present invention, the main technical solution adopted in the embodiments of the present invention is that, when a user equipment requests a MBMS service from an application server in the IMS network, the application server allocates for the user equipment a security key for multicast transmission to decrypt the MBMS service data packets according to the MBMS service requested by the user equipment. In the technical solution of the present invention, when user equipment requests a MBMS service, the application server allocates for the user equipment the security key for multicast transmission to decrypt the MBMS service packets, which ensures that the users requesting the same MBMS service have the same security key.
Fig. 1 is a schematic flowchart of the method of the present invention. The particular flow is as follows: in step 101, after a user equipment has determined a MBMS service to be accessed by itself, the user equipment transmits a request message for the security key to an application server in the IMS network corresponding to the MBMS service; in step 102, after the application server has received the request message for the security key transmitted by the user equipment, it allocates according to the current MBMS service requested by the user equipment a security key for multicast transmission corresponding to the service. Here, said request message for the security key can be a service request message for requesting a multicast service from the application server by the user equipment.
Fig. 2 is a schematic structural diagram of the system of the present invention. The system comprises: user equipment 21 and an application server 22. The user equipment 21 is configured to transmit to the application server 22 a request message for the security key corresponding to the MBMS service after it has determined the MBMS service to be accessed by itself, and to receive the security key for multicast transmission allocated by the application server 22. The application server 22 is configured to allocate the security key for multicast transmission corresponding to the service according to the MBMS currently requested by the user equipment 21 after having received the request message for the security key transmitted by the user equipment 21, and to transmit the same to the user equipment 21.
Regarding the method for allocating the security key for multicast transmission to the user equipment by the application server, the technical solution of the present invention is described in detail by way of two preferred embodiments. Here, the first preferred embodiment to be described is mainly the case of generating the security key for multicast transmission by the application server; and the second preferred embodiment to be described is about generating the security key for multicast transmission by the user equipment according to the security key parameters determined by the application server.
Referring to Fig. 3, this is a flowchart of the method of the first preferred embodiment of the present invention. It comprises in particular the following steps:
In step 301, after having determined the MBMS service to be used by it, the user equipment transmits a service request message to the application server.
In step 302, after having received the request message transmitted by the user equipment, the application server allocates the security key for multicast transmission to the user equipment according to the MBMS service requested by the user equipment and returns it to the user equipment; the security key for multicast transmission can be carried in a 200 OK response message returned from the application server. The 200 OK response message is a standard session initiation protocol message, acknowledging the receipt of the service request message.
Here, the allocation of the security key for multicast transmission by the application server to the user equipment can be achieved by using the following method. For example, when the application server only provides one MBMS service, the application server may allocate a corresponding security key for multicast transmission in advance for the MBMS service provided thereby; when user equipment requests the MBMS service, the security key for multicast transmission allocated to the MBMS service in advance is transmitted to the user equipment. When an application server provides a plurality of MBMS services, the application server can allocate a security key for multicast transmission in advance for each of the MBMS services, and determine the security key for multicast transmission to the user equipment according to an MBMS service identification carried in the request message from the user equipment.
In addition, when an application server can provide a plurality of MBMS services, it is not necessary for the application server to allocate a corresponding security key for multicast transmission to each of the MBMS services provided thereby, but instead to use a security key generation algorithm to generate a security key for multicast transmission according to the MBMS service identification carried in the request message from the user equipment, and then to transmit the security key for multicast transmission to the user equipment. In order to ensure that the users requesting the same service will use the same security key, the security key generation algorithm herein should be the same for the same requested MBMS service.
In step 303, after the user equipment has received the security key for multicast transmission, it will return an ACK message to the application server. The ACK message herein is to acknowledge to the other party.
When the application server has received the message transmitted from the user equipment, then it can be determined that the user equipment has received the security key allocated to it. Then, the user equipment can use the security key for multicast transmission to decrypt the MBMS service data packets transmitted from the application server.
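Steps 301 to 303 with both allocation variants described above, as an added example that is not code from the patent: the class names, message fields, and the use of HMAC-SHA256 keyed with a secret held only by the application server are assumptions, since the patent does not name a key generation algorithm. All messages are assumed to travel over an already protected link between the user equipment and the application server.

```python
import hashlib
import hmac
import secrets


class ApplicationServer:
    """Toy application server that allocates one multicast key per MBMS service."""

    def __init__(self, master_secret, preallocated=None):
        self._master = master_secret                  # never leaves the server
        self._preallocated = dict(preallocated or {})  # service id -> key allocated in advance
        self.confirmed = set()                        # (ue_id, service_id) pairs that sent ACK

    def _key_for(self, service_id):
        # Variant 1: a key was allocated in advance for this service.
        if service_id in self._preallocated:
            return self._preallocated[service_id]
        # Variant 2: derive the key from the service identification. The
        # derivation is keyed, so knowing the identification and the
        # algorithm is not enough to compute the key; it is deterministic,
        # so every UE requesting the same service gets the same key.
        return hmac.new(self._master, b"mbms-mtk|" + service_id.encode(),
                        hashlib.sha256).digest()

    def handle_service_request(self, ue_id, service_id):
        """Step 302: answer the service request with a 200 OK carrying the key."""
        if not service_id:
            return {"status": 400, "reason": "missing service identification"}
        return {"status": 200, "service_id": service_id,
                "mtk": self._key_for(service_id)}

    def handle_ack(self, ue_id, service_id):
        """Step 303: the ACK tells the server that this UE now holds the key."""
        self.confirmed.add((ue_id, service_id))


class UserEquipment:
    def __init__(self, ue_id):
        self.ue_id = ue_id
        self.keys = {}                                # service id -> multicast key

    def join(self, server, service_id):
        """Steps 301 to 303 as seen from the user equipment."""
        response = server.handle_service_request(self.ue_id, service_id)
        if response["status"] != 200:
            return False
        self.keys[service_id] = response["mtk"]
        server.handle_ack(self.ue_id, service_id)
        return True


def run_demo():
    # Constructed sample: one pre-allocated service, one derived on request.
    server = ApplicationServer(master_secret=secrets.token_bytes(32),
                               preallocated={"svc-news": secrets.token_bytes(32)})
    ue_a, ue_b = UserEquipment("ue-a"), UserEquipment("ue-b")
    results = [ue_a.join(server, "svc-news"), ue_b.join(server, "svc-news"),
               ue_a.join(server, "svc-sports"), ue_b.join(server, "svc-sports")]
    return server, ue_a, ue_b, results
```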
In addition, since the allocation of the security key for multicast transmission is vitally important to the security of the whole MBMS service, the security of the process for allocating the security key for multicast transmission itself cannot be overlooked. In order to ensure the security of the allocation procedure for the security key for multicast transmission, the messages exchanged during the allocation of the security key for multicast transmission can be transmitted over a secure channel which is set up with the network side when the user equipment registers with the IMS network. When the user equipment is registered with the IMS network, the IMS network will set up a secure link between the user equipment and a proxy call session control function (P-CSCF), namely a secure link from the user equipment to the boundary of the IMS core network. Also, due to an IMS network's own security mechanism, the connections between the network entities belonging to the IMS network are safe. Therefore, as long as a secure channel is established between the user equipment and the P-CSCF, the secure channels to the network entities in the IMS network are established, including the application server providing the MBMS service to the user equipment.
Referring to Fig. 4, which is a structural diagram of the system of the first preferred embodiment of the present invention. The system comprises at least: a user equipment 41 and an application server 42. Wherein, the user equipment 41 is configured to transmit to the application server 42 a request message for the security key for the corresponding MBMS service after having determined the MBMS service to be accessed by it, and to receive the security key for multicast transmission allocated by the application server 42. The application server 42 is configured to allocat the security key for multicast transmission corresponding to the MBMS service requested by the user equipment 41 after having received the request message for the security key transmitted by the user equipment 41, and to transmit the same to the user equipment 41. At the same time, in order to ensure the secure communication between the user equipment 41 and the application server 42, also the system further comprises: a P-CSCF 43, which is configured to connect the user equipment 41 to the application server 42. Correspondingly, the user equipment 41 is configured to interact with the application server 42, receive and transmit the messages with the application server 42 via the secure link between itself and P-CSCF 43; and the application server 42 is configured to interact with the user equipment 41, receive and transmit the messages with the user equipment 41 via the secure link between itself and P-CSCF 43.
Wherein, the user equipment 41 comprises a control unit 411, a transmitting unit 412 and a receiving unit 413. The control unit 411 is configured to transmit to the application server 42 a request message for the security key corresponding to the MBMS service via the transmitting unit 412, after the user equipment 41 in which the control unit 411 is located has determined the MBMS service to be accessed by itself; and to receiving the security key for multicast transmission allocated by the application server 42 via the receiving unit 413. The transmitting unit 412 is configured to transmit the request message for the security key according to an instruction of the control unit 411; and the receiving unit 413 is configured to transmit the received security key for multicast transmission to the control unit 411. At the same time, the transmitting unit 412 and the receiving unit 413 can be respectively configured to transmit a message for allocating the security key for multicast transmission to the application server 42 and receive a message for allocating the security key for multicast transmission transmitted from the application server 42 via the secure link between themselves and the P-CSCF.
In addition, the application server 42 comprises a processing unit 422, a transmitting unit 423 and a receiving unit 421. The processing unit 422 is configured to receive a request for the security key transmitted by the user equipment 41 via the receiving unit 421, to generate the security key for multicast transmission for the MBMS service requested by the user equipment 41 or to generate a security key generating parameter required for generating the security key for multicast transmission, and to transmit the same to the user equipment 41 via the transmitting unit 423. The receiving unit 421 is configured to transmit the received request message for the security key to the processing unit 422, and the transmitting unit 423 is configured to transmit the security key for multicast transmission to the user equipment 41 according to an instruction of the processing unit 422. The transmitting unit 423 and the receiving unit 421 can also be respectively configured to transmit a message for allocating the security key for multicast transmission to the user equipment 41, and to receive a message for allocating the security key for multicast transmission transmitted from the user equipment 41, via the secure link between themselves and the P-CSCF.
Fig. 5 is a flowchart of the method of a second preferred embodiment of the present invention. In the second preferred embodiment, the application server transmits the information for generating the security key for multicast transmission to the user equipment, and the security key for multicast transmission is generated by the user equipment itself. To a certain extent, the method can ensure the security of the process for allocating and transmitting the security key, because the security key itself is not transmitted directly. It comprises the following steps:
In step 501, the implementation details are the same as those of step 201 and are not repeated here.
The message usually will carry a Session Initiation Protocol (SIP) identification of the MBMS service selected by the user equipment, and a Global Routable UA URI identification presenting its own linking address.
In step 502, the application server returns the multicast medium information and the security key generating parameter to the user equipment; the information and parameter can be returned to the user equipment in a 200 OK message.
A security key calculation algorithm is included in the security key generating parameter. In addition, depending on the particular method for generating the security key for multicast transmission, it is also possible to carry the information for generating the security key for multicast transmission in the security key generating parameter. The information can be a SIP session identification and/or GRUU, and so on.
In step 503, after the user equipment has received the message, it returns an ACK message to the application server to confirm the receipt of the message transmitted in step 503.
In step 504, the application server generates a basic security key and transmits it to the user equipment; the basic security key can be carried in an Info message.
In this case, when the user equipment receives the basic security key and the security key generating parameter, the security key for multicast transmission can be calculated. In the present invention, the basic security key and the security key generating parameter are collectively called security key generating information.
The basic security key can be composed of arbitrary random numbers; it can also be a code string capable of uniquely identifying this instance of the MBMS service. Alternatively, in order to improve security in the process of allocating the security key for multicast transmission, information shared between the application server and the user equipment is added into the basic information, namely the basic security key is generated according to the shared information; at the user equipment side, the user equipment calculates the security key for multicast transmission by eliminating the elements of the shared information from the basic security key by using the security key generating parameter according to the user equipment and the application server. The shared information can be the user's information; it can also be information of an MBMS service. For example, for GRUU, the basic security key can then be calculated as follows: $X \wedge \mathrm{GRUU}$, wherein X represents a random number, and $X \wedge \mathrm{GRUU}$ means that a logic AND operation is performed between X and GRUU. Then, the following algorithm can be adopted to eliminate the elements of the shared information from the basic security key to obtain:
Figure imgf000019_0001
The user equipment can obtain the shared information through an exchange between the user equipment and the application server; it can also be information known in advance by both the user equipment and the application server.
In step 505, after the user equipment has received the message, it returns an ACK message to the application server to confirm the receipt of the message transmitted in step 504.
In step 506, the user equipment generates the security key for multicast transmission according to the security key calculating parameter received in step 502 and the basic security key received in step 505. Since the security key for multicast transmission is used by all the users using the same service, if the user equipment's own information is carried in the basic security key, then the algorithm for generating the security key for multicast transmission must eliminate the user equipment's own elements from it. For example, when the basic security key is $X \wedge \mathrm{GRUU}$, then the following algorithm can be adopted to get the security key for multicast transmission:
Figure imgf000020_0001
After the application server has received the message transmitted from the user equipment, it can then determine that the user equipment has received the security key allocated to it. After this, the user equipment can use the security key for multicast transmission to decrypt the MBMS service data packets transmitted from the application server.
In the flow of the method of this preferred embodiment, the security key generating parameter and the basic security key are transmitted separately, in two transmissions. The security key generating parameter and the basic security key can certainly also be transmitted in one transmission. However, when they are transmitted separately, as shown by the preferred embodiment, the security key generating parameter is transmitted first and the basic security key second; the second transmission is performed only after confirming that the information transmitted the first time has been received by the other end. This prevents a prying party from intercepting too much security information at once and thereby gathering enough data to analyze the intercepted information.
In the flowchart of the second preferred embodiment, it is likewise suitable to ensure the safe establishment of the security key for multicast transmission between the user equipment and the application server by adopting the secure link between the user equipment and the P-CSCF, and between the P-CSCF and the application server.
Fig. 6 is a structural diagram of the method of the second preferred embodiment of the present invention. The system comprises at least a user equipment 61 and an application server 62. The user equipment 61 is configured to transmit to the application server 62 a request message for the security key corresponding to the MBMS service after having determined an MBMS service to be accessed by the user equipment 61, and to generate the security key for multicast transmission according to the received security key generating information. The application server 62 is configured to allocate the security key for multicast transmission corresponding to the MBMS service requested by the user equipment 61 after having received the request message for the security key transmitted by the user equipment 61, and to transmit to the user equipment 61 the security key generating information for generating the security key for multicast transmission.
At the same time, as described in the first preferred embodiment, in order to ensure secure communication between the user equipment 61 and the application server 62, the system further comprises a P-CSCF 63, which is configured to connect the user equipment 61 and the application server 62. Correspondingly, the user equipment 61 is configured to interact with the application server 62, receiving and transmitting messages from and to the application server 62 via the secure link between itself and the P-CSCF 63; and the application server 62 is configured to interact with the user equipment 61, receiving and transmitting messages from and to the user equipment 61 via the secure link between itself and the P-CSCF 63.
The user equipment 61 comprises a control unit 611, a transmitting unit 612, a receiving unit 613 and a calculating unit 614. The control unit 611 is configured to transmit to the application server 62 the request message for the security key corresponding to the MBMS service via the transmitting unit 612 after the user equipment 61 has determined the MBMS service to be accessed by itself. The transmitting unit 612 is configured to transmit the request message for the security key according to an instruction of the control unit 611. The receiving unit 613 is configured to transmit the received security key generating information to the calculating unit 614. The calculating unit 614 is configured to calculate the security key for multicast transmission according to the security key generating information transmitted by the receiving unit 613, and to transmit the same to the control unit 611. Here, the transmitting unit 612 and the receiving unit 613 are respectively configured to transmit the message for allocating the security key for multicast transmission to the application server 62, and to receive the message for allocating the security key for multicast transmission transmitted from the application server 62, via the secure link between themselves and the P-CSCF.
In addition, the application server 62 comprises at least a processing unit 622, a transmitting unit 623 and a receiving unit 621. The processing unit 622 is configured to receive the request for the security key transmitted by the user equipment 61 via the receiving unit 621, to generate the security key generating parameter for the security key for the MBMS service requested by the user equipment 61, and to transmit the same to the user equipment 61 via the transmitting unit 623. The receiving unit 621 is configured to transmit the received request message for the security key to the processing unit 622. The transmitting unit 623 is configured to transmit the security key for multicast transmission to the user equipment 61 according to an instruction of the processing unit 622. Here, the transmitting unit 623 and the receiving unit 621 in the application server 62 can also be used respectively to transmit a message for allocating the security key for multicast transmission to the user equipment 61, and to receive a message for allocating the security key for multicast transmission transmitted from the user equipment 61, via a secure link between themselves and the P-CSCF.
The method for allocating the security key for multicast transmission by the application server in the present invention can be used at any stage before the user equipment receives the MBMS data packets and after the time of having determined the MBMS service to be used thereby. For example, it can be after the user equipment has finished the registration with the IMS network or the activation procedure of the MBMS service.
In the technical solution of the present invention, the application server allocates to the user equipment, at the time that the user equipment requests an MBMS service, the security key for multicast transmission for decrypting the service; this ensures that the users using the same MBMS service have the same security key. In addition, the present invention also provides a system for allocating the security key for multicast transmission, a user terminal, and an application server for use in the IMS network. By using the technical solutions provided by the present invention, it is possible to allocate the security key for multicast transmission required for receiving the MBMS service to all the user equipment using the same MBMS service. At the same time, because the security key for multicast transmission is allocated over a secure channel between the user equipment and the application server, the security of the allocation process can be further ensured, in addition to the allocation itself being accomplished.
What are mentioned above are merely some preferred embodiments of the present invention, and they do not limit the present invention; any modification, equivalent substitution, improvement and so on within the spirit and principles of the present invention is to be included in the scope of protection for the present invention.
In one aspect of the invention, which is depicted in Fig. 7, a user equipment (UE) may issue a multicast service request to a server, e.g. an IMS application server (AS). The request may be transmitted to the IMS AS by using a session initiation protocol (SIP) message, e.g. INVITE. Upon receipt of the service request, the IMS AS may respond with information relating to multicast media and security by using a SIP message, e.g. 200 OK. Said information may comprise an algorithm needed for the multicast service and possibly some other information such as the contact address of the UE, additional shared information relating to SIP dialog, GRUU, etc. The UE may acknowledge the receipt of the information transmitted by the IMS AS. After receiving the acknowledgement from the UE, the IMS AS may provide an MBMS service key (MSK) to the UE via, e.g., a SIP message Info. Alternatively, this message may be spared by delivering the MSK together with the information relating to multicast media and security to the UE when the IMS AS responds to the service request. After receiving the MSK from the IMS AS, the UE may issue an acknowledgement to the IMS AS through, e.g., a SIP message 200 OK. As mentioned above, if the delivery of the MSK is combined with the response to the UE's service request transmitted by the IMS AS, the acknowledgement is not needed. The UE may use the received algorithm and the MSK to generate an MBMS traffic key (MTK), which may be used to decrypt multicast data relating to the requested multicast service. The multicast service may be provided by the same IMS AS or by a different server.
Functions of the user equipment described above may be implemented by code means, as software, and loaded into memory of a computer, for example into a mobile phone.
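The exchange of the second preferred embodiment and of Fig. 7 (parameter in the 200 OK, ACK, basic key in the Info message, key derived locally), sketched as an added Python example that is not part of the patent. The page's own masking and elimination formulas are not reproduced on this page, so the XOR mask with SHA-256(GRUU), the HMAC-SHA256 derivation, the `ALGORITHM` label and every class and function name below are assumptions.

```python
import hashlib
import hmac
import secrets

# Hypothetical label for the "security key calculation algorithm" carried in the 200 OK.
ALGORITHM = "unmask-xor-sha256/hmac-sha256"


def gruu_mask(gruu: str) -> bytes:
    """Per-user element built from the shared information (assumption: SHA-256 of the GRUU)."""
    return hashlib.sha256(gruu.encode()).digest()


def xor(a: bytes, b: bytes) -> bytes:
    # XOR is chosen because it is invertible; it stands in for the page's
    # AND-based formula, whose elimination step is not available here.
    return bytes(x ^ y for x, y in zip(a, b))


def derive_multicast_key(algorithm: str, service_id: str, basic_key: bytes, gruu: str) -> bytes:
    """UE side (step 506): remove the per-user element, then derive the common key (MTK)."""
    if algorithm != ALGORITHM:
        raise ValueError("unsupported key calculation algorithm")
    x = xor(basic_key, gruu_mask(gruu))  # eliminate the user's own element
    return hmac.new(x, service_id.encode(), hashlib.sha256).digest()


class ApplicationServer:
    def __init__(self):
        self._x = {}        # service id -> random value X, one per service
        self._dialogs = {}  # GRUU -> (state, service id)

    def on_invite(self, service_id: str, gruu: str) -> dict:
        """Steps 501/502: answer with the key generating parameter only."""
        self._x.setdefault(service_id, secrets.token_bytes(32))
        self._dialogs[gruu] = ("AWAIT_ACK", service_id)
        return {"sip": "200 OK", "algorithm": ALGORITHM, "service_id": service_id}

    def on_ack(self, gruu: str) -> None:
        """Step 503: the UE confirms that the first transmission arrived."""
        state, service_id = self._dialogs.get(gruu, (None, None))
        if state != "AWAIT_ACK":
            raise RuntimeError("unexpected ACK")
        self._dialogs[gruu] = ("PARAMS_CONFIRMED", service_id)

    def send_info(self, gruu: str) -> dict:
        """Step 504: release the basic key (MSK) only after the ACK was seen."""
        state, service_id = self._dialogs.get(gruu, (None, None))
        if state != "PARAMS_CONFIRMED":
            raise RuntimeError("basic security key withheld: parameters not acknowledged")
        self._dialogs[gruu] = ("KEY_SENT", service_id)
        return {"sip": "INFO", "basic_key": xor(self._x[service_id], gruu_mask(gruu))}

    def multicast_key(self, service_id: str) -> bytes:
        """Key the service uses to encrypt the multicast data."""
        x = self._x[service_id]
        return hmac.new(x, service_id.encode(), hashlib.sha256).digest()


def run_allocation(server: ApplicationServer, service_id: str, gruu: str):
    """Drive one UE through the exchange; returns (basic key on the wire, derived key)."""
    ok = server.on_invite(service_id, gruu)
    server.on_ack(gruu)
    info = server.send_info(gruu)
    key = derive_multicast_key(ok["algorithm"], ok["service_id"], info["basic_key"], gruu)
    return info["basic_key"], key


if __name__ == "__main__":
    # Constructed identifiers, for illustration only.
    srv = ApplicationServer()
    sid = "sip:mbms-news@example.invalid"
    for gruu in ("sip:alice@example.invalid;gr=urn:uuid:aaaa",
                 "sip:bob@example.invalid;gr=urn:uuid:bbbb"):
        wire, key = run_allocation(srv, sid, gruu)
        print(gruu, "wire:", wire.hex()[:16], "derived:", key.hex()[:16])
```

Each UE sees a different basic key on the wire, yet both derive the key the server uses for the service, and a UE that skips the ACK never receives the basic key.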

Claims

1. A method for generating a security key for a multicast service, said method comprising: transmitting a request for a multicast service to a server, receiving from the server an algorithm and a service key for calculating the security key, generating the security key based on the received algorithm and service key, receiving data relating to the requested multicast service, applying the security key for decrypting the received data relating to the multicast service.
2. The method according to claim 1, wherein transmitting the request for the multicast service to the server comprises transmitting a session initiation protocol message containing at least identification information of a user equipment to the server.
3. The method according to claim 1 or 2, wherein receiving from the server the algorithm and the service key comprises receiving a session initiation protocol message containing said algorithm and service key.
4. The method according to any of the preceding claims, wherein the multicast service comprises a multimedia broadcast/multicast service.
5. The method according to any of the preceding claims, wherein the security key comprises a multimedia broadcast/multicast service traffic key.
6. The method according to any of the preceding claims, wherein the service key comprises a multimedia broadcast/multicast service key.
7. The method according to any of the preceding claims, wherein the server comprises an internet protocol multimedia subsystem application server.
8. A user equipment comprising: a transmitting unit configured to transmit a request for a multicast service to a server, a receiving unit configured to receive from the server an algorithm and a service key for generating the security key, a calculating unit configured to generate the security key based on the received algorithm and service key, a multicast receiving unit configured to receive data relating to the requested multicast service, and a control unit configured to apply the security key for decrypting the received data relating to the multicast service.
9. The user equipment according to claim 8, wherein the transmitting the request for the multicast service to the server comprises transmitting a session initiation protocol message containing at least identification information of a user equipment to the server.
10. The user equipment according to claim 8 or 9, wherein the receiving from the server the algorithm and the service key comprises receiving a session initiation protocol message containing said algorithm and service key.
11. The user equipment according to any of claims 8-10, wherein the multicast service comprises a multimedia broadcast/multicast service.
12. The user equipment according to any of claims 8-10, wherein the security key comprises a multimedia broadcast/multicast service traffic key.
13. The user equipment according to any of claims 8-10, wherein the service key comprises a multimedia broadcast/multicast service key.
14. The user equipment according to any of claims 8-10, wherein the server comprises an internet protocol multimedia subsystem application server.
15. A system for arranging a security key for a multicast service, said system comprising a user equipment, a server and a multicast server, wherein
the user equipment is configured to transmit a request for a multicast service to the server, receive from the server an algorithm and a service key for generating the security key, generate the security key based on the received algorithm and service key, receive data relating to the requested multicast service, and apply the security key for decrypting the received data relating to the multicast service;
the server is configured to allocate for the user equipment an algorithm and a service key for generating the security key upon receipt of the request, and transmit the algorithm and the service key to the user equipment;
the multicast server is configured to transmit data relating to the multicast service to the user equipment.
16. The system according to claim 15, wherein the data relating to the multicast service comprises data encrypted by using the service key.
17. The system according to claim 15 or 16, wherein the multicast service comprises a multimedia broadcast/multicast service.
18. The system according to any of claims 15-17, wherein the security key comprises a multimedia broadcast/multicast service traffic key.
19. The system according to any of claims 15-18, wherein the service key comprises a multimedia broadcast/multicast service key.
20. A computer program product comprising code means adapted to produce the steps of any one of claims 1-7 when loaded into the memory of a computer.
PCT/EP2008/056393 2007-05-29 2008-05-26 Method and system for allocating security key for multicast transmission Ceased WO2008145621A2 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN200710106442.4 2007-05-29
CN 200710106442 CN101316437A (en) 2007-05-29 2007-05-29 Method and system for distributing multicast transmission cryptographic key

Publications (2)

Publication Number Publication Date
WO2008145621A2 true WO2008145621A2 (en) 2008-12-04
WO2008145621A3 WO2008145621A3 (en) 2009-04-09

Family

ID=40075577

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2008/056393 Ceased WO2008145621A2 (en) 2007-05-29 2008-05-26 Method and system for allocating security key for multicast transmission

Country Status (2)

Country Link
CN (1) CN101316437A (en)
WO (1) WO2008145621A2 (en)


Also Published As

Publication number Publication date
CN101316437A (en) 2008-12-03
WO2008145621A3 (en) 2009-04-09


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 08759992

Country of ref document: EP

Kind code of ref document: A2

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 08759992

Country of ref document: EP

Kind code of ref document: A2