[go: up one dir, main page]

CN102281139B - Based on Verification System and the method for IKMP - Google Patents

Based on Verification System and the method for IKMP Download PDF

Info

Publication number
CN102281139B
CN102281139B CN201010200007.XA CN201010200007A CN102281139B CN 102281139 B CN102281139 B CN 102281139B CN 201010200007 A CN201010200007 A CN 201010200007A CN 102281139 B CN102281139 B CN 102281139B
Authority
CN
China
Prior art keywords
module
key
authentication
session key
long term
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CN201010200007.XA
Other languages
Chinese (zh)
Other versions
CN102281139A (en
Inventor
端时立
王鸿彦
韦银星
陈浩然
周晨
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Global Innovation Polymerization LLC
Original Assignee
ZTE Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by ZTE Corp filed Critical ZTE Corp
Priority to CN201010200007.XA priority Critical patent/CN102281139B/en
Priority to PCT/CN2010/079246 priority patent/WO2011153794A1/en
Publication of CN102281139A publication Critical patent/CN102281139A/en
Application granted granted Critical
Publication of CN102281139B publication Critical patent/CN102281139B/en
Expired - Fee Related legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3234Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving additional secure or trusted devices, e.g. TPM, smartcard, USB or software token

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Storage Device Security (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses a kind of Verification System based on IKMP and method, wherein, should comprise based on the Verification System of IKMP: identity module, key management module, authentication module, cipher key storage block, Routing Protocol Module, wherein, above-mentioned authentication module is connected with above-mentioned cipher key storage block, for obtaining authentication information from above-mentioned cipher key storage block, and according to above-mentioned authentication information, certification is carried out to communication entity.The invention solves communicating pair in prior art and cannot carry out the problem of certification to the other side, ensure that the fail safe of communication.

Description

Based on Verification System and the method for IKMP
Technical field
The present invention relates to technical field of communication safety and comprising, in particular to one based on the Verification System of IKMP (KeyManagementProtocol, be called for short KMP) and method.
Background technology
The safety of Routing Protocol is a crucial technology, has a lot of working group to study and standardization it in ietf, and wherein authentication techniques in route technology and key management required in certification are mainly studied by KARP working group.In KARP working group, propose the concept of a KMP, wherein, KMP operates between two communication entities performing Routing Protocol, for these two communication entities provide certification, and generation session key and more new session key.Why important KMP is is because artificial key managing project depends on the work of keeper more, once network size becomes large, keeper feels simply helpless to the key management of complexity.
As shown in Figure 1, it comprises the current system based on KMP: identification module (Identifier) 102, key management module 104, authentication module (IdentityProof) 106, cipher key storage block (Keystore) 108 and Routing Protocol Module 110.
In working order, identification module 102 provides the ID value of opposite end needing communication to key management module 104, key management module 104 obtains root key and is used for session key generation deliver the Routing Protocol Module 110 of required key from cipher key storage block 108.Cipher key storage block 108 storage root key, session key.
But, in above-mentioned system architecture, owing to the root key and session cipher key separation that are used for certification and generation session key not being opened, thus cause when accessing each key of KMP agreement, all need to carry out alternately with the cipher key storage block 108 in Fig. 1, this may cause larger pressure to cipher key storage block.Meanwhile, owing to using same database to come storage root key and session key, thus all may obtain when module accesses database or destroy root key, like this, leaving the chance that can attack to hacker.
In addition, said method also may cause another one problem: because authentication module 106 is not mutual with cipher key storage block 108, thus the root key that cipher key storage block 108 preserves cannot be obtained, like this, authentication module cannot producing authentication information, thus make communicating pair cannot carry out certification to the other side, reduce the fail safe of communication.
Summary of the invention
Main purpose of the present invention is to provide a kind of Verification System based on IKMP and method, cannot carry out certification, thus reduce the safety issue of communication at least to solve communicating pair in prior art to the other side.
According to an aspect of the present invention, provide a kind of Verification System based on IKMP, it comprises: identity module, key management module, authentication module, cipher key storage block, Routing Protocol Module, wherein, above-mentioned authentication module is connected with above-mentioned cipher key storage block, for obtaining authentication information from above-mentioned cipher key storage block, and according to above-mentioned authentication information, certification is carried out to communication entity.
Further, above-mentioned cipher key storage block is for preserving the long term keys relevant to user identity, and the above-mentioned long term keys corresponding to the identification information of user generates the above-mentioned authentication information being used for certification.
Further, above-mentioned key management module be used for by produce according to above-mentioned authentication information or send to above-mentioned cipher key storage block from the session key that above-mentioned authentication module receives, above-mentioned session key is sent to above-mentioned Routing Protocol Module by above-mentioned cipher key storage block, wherein, above-mentioned authentication module produces above-mentioned session key according to above-mentioned authentication information.
Further, above-mentioned key management module be used for by produce according to above-mentioned authentication information or send to above-mentioned Routing Protocol Module from the session key that above-mentioned authentication module receives, wherein, above-mentioned authentication module produces above-mentioned session key according to above-mentioned authentication information.
Further, above-mentioned cipher key storage block also for storing long term keys material and ephemeral keys material, wherein, above-mentioned long term keys material comprise following one of at least: the root key of user, certificate; Above-mentioned ephemeral keys material is generated by long term keys.
According to a further aspect in the invention, provide a kind of Verification System based on IKMP, it comprises: key management module, authentication module, Routing Protocol Module, identity module, long term keys memory module and ephemeral keys memory module, wherein, above-mentioned authentication module is for receiving the identification information of the communication entity of above-mentioned key management module transmission, the authentication message carrying above-mentioned identification information is sent to above-mentioned long term keys memory module, receive the authentication information corresponding with above-mentioned identification information from above-mentioned long term keys memory module, and use above-mentioned authentication information to carry out certification.
Further, above-mentioned session key also for generation of the session key for communicating, and is sent to above-mentioned key management module by above-mentioned authentication module, and wherein, above-mentioned key management module is used for above-mentioned session key to send to Routing Protocol Module; Or, above-mentioned authentication module is also for notifying that above-mentioned key management module produces above-mentioned session key, wherein, above-mentioned session key is sent to above-mentioned Routing Protocol Module by above-mentioned key management module, and above-mentioned ephemeral keys memory module is for receiving and preserving the above-mentioned session key from above-mentioned authentication module or above-mentioned key management module.
According to another aspect of the invention, provide a kind of authentication method based on IKMP, it comprises: above-mentioned authentication module obtains authentication information from cipher key storage block, and carries out certification according to above-mentioned authentication information to communication entity.
Further, above-mentioned certification mould certainly comprises from cipher key storage block acquisition authentication information: above-mentioned cipher key storage block obtains the long term keys corresponding with the identification information of above-mentioned communication entity; Above-mentioned cipher key storage block generates above-mentioned authentication information according to above-mentioned long term keys; Above-mentioned authentication information is sent to above-mentioned authentication module by above-mentioned cipher key storage block.
Further, in certification by afterwards, also comprise: above-mentioned authentication module produces the session key for communicating, and above-mentioned session key is sent to above-mentioned key management module, and above-mentioned session key is sent to Routing Protocol Module by above-mentioned key management module; Or above-mentioned authentication module notifies that above-mentioned key management module produces above-mentioned session key, and above-mentioned session key is sent to above-mentioned Routing Protocol Module by above-mentioned key management module.
Further, after certification is passed through, also comprise: above-mentioned authentication module produces session key, and above-mentioned session key is sent to above-mentioned key management module, above-mentioned session key is sent to above-mentioned cipher key storage block and preserves by above-mentioned key management module, and above-mentioned session key is sent to above-mentioned Routing Protocol Module by above-mentioned cipher key storage block; Or above-mentioned authentication module notifies that above-mentioned key management module produces session key, above-mentioned session key is sent to above-mentioned cipher key storage block and preserves by above-mentioned key management module, and above-mentioned session key is sent to above-mentioned Routing Protocol Module by above-mentioned cipher key storage block.
Further, after above-mentioned Routing Protocol Module obtains the session key for communicating, also comprise: above-mentioned Routing Protocol Module uses above-mentioned session key to protect protocol massages.
According to another aspect of the invention, provide a kind of authentication method based on IKMP, it comprises: authentication module receives the identification information of the communication entity that key management module sends; Above-mentioned authentication module sends authentication request message to long term keys memory module, and wherein, above-mentioned authentication request message carries above-mentioned identification information; Above-mentioned authentication module receives the authentication information corresponding with above-mentioned identification information from above-mentioned long term keys memory module; Above-mentioned authentication module uses above-mentioned authentication information to carry out certification.
Further, above-mentioned authentication module also comprises before receiving the authentication information corresponding with above-mentioned identification information from above-mentioned long term keys memory module: above-mentioned long term keys memory module obtains the long term keys corresponding with above-mentioned identification information; Above-mentioned long term keys memory module generates above-mentioned authentication information according to above-mentioned long term keys; Above-mentioned authentication information is sent to above-mentioned authentication module by above-mentioned long term keys memory module.
Further, above-mentioned long term keys is root key.
Further, in certification by afterwards, also comprise: above-mentioned authentication module produces the session key for communicating, and above-mentioned session key is sent to above-mentioned key management module, and above-mentioned session key is sent to Routing Protocol Module by above-mentioned key management module; Or above-mentioned authentication module notifies that above-mentioned key management module produces above-mentioned session key, and above-mentioned session key is sent to above-mentioned Routing Protocol Module by above-mentioned key management module.
Further, after certification is passed through, also comprise: above-mentioned authentication module produces session key, and above-mentioned session key is sent to above-mentioned key management module, above-mentioned session key is sent to ephemeral keys memory module and preserves by above-mentioned key management module, and above-mentioned session key is sent to Routing Protocol Module by above-mentioned ephemeral keys memory module; Or above-mentioned authentication module notifies that above-mentioned key management module produces session key, above-mentioned session key is sent to ephemeral keys storage mould and certainly preserves by above-mentioned key management module, and above-mentioned session key is sent to above-mentioned Routing Protocol Module by above-mentioned ephemeral keys memory module.
Further, after above-mentioned Routing Protocol Module obtains the session key for communicating, also comprise: above-mentioned Routing Protocol Module uses above-mentioned session key to protect protocol massages.
The present invention has following beneficial effect:
1) because authentication module can obtain certified Information in cipher key storage block, thus make communicating pair can carry out mutual certification according to the authentication information of the other side, and when certification is passed through just session key generation, thus ensure that the fail safe of communication.
2) due to by long term keys (such as, root key) database with deposit ephemeral keys (such as, session key) database separately, thus can only in the case of necessary (such as, session key generation) just access the database of long term keys, and when transfer of data, only need access deposit the database of ephemeral keys and can session key be obtained.Like this, specific module (e.g., authentication module etc.) is only had long term keys could to be accessed (such as, root key) database, obtain the root key that level of security is higher, other module then cannot access the database of long term keys, thus can improve security performance.
Accompanying drawing explanation
Accompanying drawing described herein is used to provide a further understanding of the present invention, and form a application's part, schematic description and description of the present invention, for explaining the present invention, does not form inappropriate limitation of the present invention.In the accompanying drawings:
Fig. 1 is the schematic diagram of the KMP framework according to correlation technique;
Fig. 2 is the flow chart of the authentication method based on IKMP according to the embodiment of the present invention;
Fig. 3 is a kind of preferred flow charts of the authentication method based on IKMP according to the embodiment of the present invention;
Fig. 4 is the another kind of preferred flow charts of the authentication method based on IKMP according to the embodiment of the present invention;
Fig. 5 is another preferred flow charts of the authentication method based on IKMP according to the embodiment of the present invention;
Fig. 6 is another preferred flow charts of the authentication method based on IKMP according to the embodiment of the present invention;
Fig. 7 is another preferred flow charts of the authentication method based on IKMP according to the embodiment of the present invention;
Fig. 8 is another preferred flow charts of the authentication method based on IKMP according to the embodiment of the present invention;
Fig. 9 is according to the another kind of the embodiment of the present invention flow chart based on the authentication method of IKMP;
Figure 10 is the schematic diagram of the Verification System based on IKMP according to the embodiment of the present invention;
Figure 11 is the preferred schematic diagram of a kind of Verification System based on IKMP according to the embodiment of the present invention;
Figure 12 is according to the another kind of the embodiment of the present invention preferred schematic diagram based on the Verification System of IKMP.
Embodiment
Hereinafter also describe the present invention in detail with reference to accompanying drawing in conjunction with the embodiments.It should be noted that, when not conflicting, the embodiment in the application and the feature in embodiment can combine mutually.
Fig. 2 is the flow chart of the authentication method based on IKMP according to the embodiment of the present invention, and it comprises the steps:
S202, authentication module receives the identification information of the communication entity that key management module sends;
S204, above-mentioned authentication module sends authentication request message to long term keys memory module, and wherein, above-mentioned authentication request message carries above-mentioned identification information;
S206, above-mentioned authentication module receives the authentication information corresponding with above-mentioned identification information from above-mentioned long term keys memory module;
S208, above-mentioned authentication module uses above-mentioned authentication information to carry out certification.
In the prior art, authentication module is not mutual with cipher key storage block, thus cannot obtain the root key that cipher key storage block preserves, and like this, communicating pair cannot carry out certification to the other side, thus reduces the fail safe of communication.Review the embodiment of the present invention, because authentication module can obtain certified Information from long term keys memory module, thus make communicating pair can carry out mutual certification according to the authentication information of the other side, and when certification is passed through just session key generation, thus ensure that the fail safe of communication.
Preferably, described authentication module also comprises before receiving the authentication information corresponding with described identification information from described long term keys memory module: described long term keys memory module obtains the long term keys corresponding with described identification information; Described long term keys memory module generates described authentication information according to described long term keys; Described long term keys stores mould and certainly described authentication information is sent to described authentication module.
Preferably, described long term keys is root key.
Preferably, in certification by afterwards, also comprise: described authentication module produces the session key for communicating, and described session key is sent to described key management module, and described session key is sent to Routing Protocol Module by described key management module; Or described authentication module notifies that described key management module produces described session key, and described session key is sent to described Routing Protocol Module by described key management module.
Preferably, after certification is passed through, also comprise: described authentication module produces session key, and described session key is sent to described key management module, described session key is sent to ephemeral keys memory module and preserves by described key management module, and described session key is sent to Routing Protocol Module by described ephemeral keys memory module; Or described authentication module notifies that described key management module produces session key, described session key is sent to ephemeral keys memory module and preserves by described key management module, and described session key is sent to described Routing Protocol Module by described ephemeral keys memory module.
According to above-mentioned preferred embodiment, use different databases to deposit long term keys (such as, root key) and ephemeral keys (such as, session key) respectively.Because the safe class of long term keys is different from ephemeral keys, therefore, under the design that this database is separated, only just can access the database of long term keys in the case of necessary, thus can security performance be improve.
In above-mentioned two kinds of preferred embodiments, after described Routing Protocol Module obtains the session key for communicating, described Routing Protocol Module uses described session key to protect protocol massages.
The authentication method process under the scene shown in Fig. 2 is described in detail in below in conjunction with accompanying drawing.
Embodiment 1
Fig. 3 is a kind of preferred flow charts of the authentication method based on IKMP according to the embodiment of the present invention, and it comprises the steps:
Step S302: key management module receives identity information (id information).
Step S304: key management module sends authentication request to authentication module.
Step S306: authentication module and long term keys memory module alternately, obtain authentication information.
Step S308: authentication module sends authentication response to key management module.
Step S310: key management module produces session key.
Step S312: key management module sends session key to ephemeral keys memory module.
Step S314: ephemeral keys memory module sends session key to Routing Protocol Module.
Step S316: Routing Protocol Module session key is protected routing protocol packet.
Embodiment 2
Fig. 4 is the another kind of preferred flow charts of the authentication method based on IKMP according to the embodiment of the present invention, and it comprises the steps:
Step S402: Routing Protocol Module sends request session key message to ephemeral keys memory module.
Step S404: ephemeral keys memory module sends request session key message to key management module.
Step S406: key management module and identity module alternately, obtain identity information.
Step S408: key management module and long term keys memory module alternately, obtain authentication information.
Step S410: key management module carries out identifying procedure.
Step S412: key management module produces session key.
Step S414: key management module sends session key to ephemeral keys memory module.
Step S416: ephemeral keys memory module sends close session key to Routing Protocol Module.
Step S418: Routing Protocol Module session key is protected routing protocol packet.
Embodiment 3
Fig. 5 is another preferred flow charts of the authentication method based on IKMP according to the embodiment of the present invention, and it comprises the steps:
Step S502: Routing Protocol Module sends request session key message to key management module.
Step S504: key management module and identity module alternately, obtain identity information.
Step S506: key management module and long term keys memory module alternately, obtain authentication information.
Step S508: key management module carries out identifying procedure.
Step S510: key management module produces session key.
Step S512: key management module sends session key to ephemeral keys management mould certainly.
Step S514: ephemeral keys administration module sends close session key to Routing Protocol Module.
Step S516: Routing Protocol Module session key is protected routing protocol packet.
Present invention also offers the another kind of authentication method based on IKMP, as shown in Figure 9, it comprises the steps:
S902, above-mentioned authentication module obtains authentication information from cipher key storage block;
S904, above-mentioned authentication module carries out certification according to above-mentioned authentication information to communication entity.
In the above-described embodiment, because authentication module can obtain certified Information from cipher key storage block, thus make communicating pair can carry out mutual certification according to the authentication information of the other side, and when certification is passed through just session key generation, thus ensure that the fail safe of communication.
Preferably, described authentication module comprises from cipher key storage block acquisition authentication information: described cipher key storage block obtains the long term keys corresponding with described identification information; Described cipher key storage block generates described authentication information according to described long term keys; Described authentication information is sent to described authentication module by described cipher key storage block.
Preferably, in certification by afterwards, also comprise: described authentication module produces the session key for communicating, and described session key is sent to described key management module, and described session key is sent to Routing Protocol Module by described key management module; Or described authentication module notifies that described key management module produces described session key, and described session key is sent to described Routing Protocol Module by described key management module.
Preferably, in certification by afterwards, also comprise: described authentication module produces session key, and described session key is sent to described key management module, described session key is sent to described cipher key storage block and preserves by described key management module, and described session key is sent to described Routing Protocol Module by described cipher key storage block; Or described authentication module notifies that described key management module produces session key, described session key is sent to described cipher key storage block and preserves by described key management module, and described session key is sent to described Routing Protocol Module by described cipher key storage block.
Preferably, after described Routing Protocol Module obtains the session key for communicating, also comprise: described Routing Protocol Module uses described session key to protect protocol massages.
The authentication method process under the scene shown in Fig. 9 is described in detail in below in conjunction with accompanying drawing.
Embodiment 4
Fig. 6 is another preferred flow charts of the authentication method based on IKMP according to the embodiment of the present invention, and it comprises the steps:
Step S602: key management module receives identity information (id information).
Step S604: key management module sends authentication request to authentication module.
Step S606: authentication module and cipher key storage block alternately, obtain authentication information.
Step S608: authentication module sends authentication response.
Step S610: key management module produces session key.
Step S612: key management module sends session key to cipher key storage block.
Step S614: cipher key storage block sends session key to Routing Protocol Module.
Step S616: Routing Protocol Module session key is protected routing protocol packet.
Embodiment 5
Fig. 7 is another preferred flow charts of the authentication method based on IKMP according to the embodiment of the present invention, and it comprises the steps:
Step S702: Routing Protocol Module sends request session key message to cipher key storage block.
Step S704: cipher key storage block sends request session key message to key management module.
Step S706: key management module and identity module alternately, obtain identity information.
Step S708: key management mould is certainly mutual with cipher key storage block, obtains authentication information.
Step S710: key management module carries out identifying procedure.
Step S712: key management module produces session key.
Step S714: key management module sends session key to cipher key storage block.
Step S716: cipher key storage block sends close session key to Routing Protocol Module.
Step S718: Routing Protocol Module session key is protected routing protocol packet.
Embodiment 6
Fig. 8 is another preferred flow charts of the authentication method based on IKMP according to the embodiment of the present invention, and it comprises the steps:
Step S802: Routing Protocol Module sends request session key message to key management module.
Step S804: key management module and identity module alternately, obtain identity information.
Step S806: key management module and cipher key storage block alternately, obtain authentication information.
Step S808: key management module carries out identifying procedure.
Step S810: key management module produces session key.
Step S812: key management module sends session key to cipher key storage block.
Step S814: cipher key storage block sends close session key to Routing Protocol Module.
Step S816: Routing Protocol Module session key is protected routing protocol packet.
Present invention also offers a kind of Verification System based on KMP, it can be suitable for above-mentioned authentication method.
Figure 10 shows above-mentioned Verification System, and it comprises: the first identity module 1002, first key management module 1006, first authentication module 1010, first cipher key storage block 1014, first routing module 1018, second identity module 1004, second key management module 1008, second authentication module 1012, second cipher key storage block 1016, secondary route module 1020.
First identity module 1002, first key management module 1006, first authentication module 1010, first cipher key storage block 1014, first routing module 1018 communication process each other with reference to accompanying drawing 6-8, can not repeat them here.Equally, the second identity module 1004, second key management module 1008, second authentication module 1012, second cipher key storage block 1016, secondary route module 1020 communication process each other with reference to accompanying drawing 6-8, can not repeat them here yet.
According to the embodiment of the present invention, because authentication module can obtain certified Information in calm key memory module, thus make communicating pair can carry out mutual certification according to the authentication information of the other side, the ability session key generation when certification is passed through, thus ensure that the fail safe of communication.
Figure 11 is the schematic diagram of a kind of Verification System based on IKMP according to the embodiment of the present invention, it comprises: identity module 1102, key management module 1104, authentication module 1106, cipher key storage block 1110, Routing Protocol Module 1112, wherein, described authentication module 1106 is connected with described cipher key storage block 1110, for obtaining authentication information from described cipher key storage block 1110, and according to described authentication information, certification is carried out to communication entity.
Preferably, in the embodiment shown in fig. 11, as shown in figure 11, communication process each other can with reference to accompanying drawing 6-8 for identity module 1102, key management module 1104, authentication module 1106, cipher key storage block 1110, Routing Protocol Module 1112 annexation each other.
Preferably, described cipher key storage block 1110 is for preserving the long term keys relevant to user identity, and the described long term keys corresponding to the identification information of user generates the described authentication information being used for certification.
Preferably, described key management module 1104 for by produce according to described authentication information or send to described cipher key storage block 1110 from the session key that described authentication module 1106 receives, described session key is sent to described Routing Protocol Module 1112 by described cipher key storage block 1110, wherein, described authentication module 1106 produces described session key according to described authentication information.
Preferably, described key management module 1104 for by produce according to described authentication information or send to described Routing Protocol Module 1112 from the session key that described authentication module 1106 receives, wherein, described authentication module 1106 produces described session key according to described authentication information.
Preferably, described cipher key storage block 1110 also for storing long term keys material and ephemeral keys material, wherein, described long term keys material comprise following one of at least: the root key of user, certificate; Described ephemeral keys material is generated by long term keys.
Figure 12 is the schematic diagram of a kind of Verification System based on IKMP according to the embodiment of the present invention, and it comprises: identity module 1202, key management module 1204, authentication module (certificate server) 1206, long term keys memory module 1208, ephemeral keys memory module 1210, Routing Protocol Module 1212.Wherein, described authentication module 1206 is for receiving the identification information of the communication entity of described key management module 1204 transmission, the authentication message carrying described identification information is sent to described long term keys memory module 1208, receive the authentication information corresponding with described identification information from described long term keys memory module 1208, and use described authentication information to carry out certification.
Preferably, described session key also for generation of the session key for communicating, and is sent to described key management module 1204 by described authentication module 1206, and described session key is sent to Routing Protocol Module 1212 by described key management module 1204; Or described authentication module 1206 is also for notifying that described key management module 1204 produces described session key, and described session key is sent to described Routing Protocol Module 1212 by described key management module 1204; Described ephemeral keys memory module 1210 is for receiving and preserving the described session key from described authentication module 1206 or described key management module 1204.
The database depositing long-term master key is separated with the database depositing short-term session key by the embodiment of the present invention, following several benefit can be produced like this: the 1) division of safe class, the safe class of long term keys is far away higher than the session key of short-term, the session key of short-term is destroyed the safety just affecting this time session, and the result that long term keys is affected to be following safety certification all can be forged.So being separately necessary by these two cipher key storage block, is also meet the principle that safety classification ensures; 2) because two databases are separated, interface API can separately design, also can ensure the ID authenticator that is only necessary like this when access keys and need the KMP module of key material can touch the database depositing long-term master key, Routing Protocol Module then can touch the database depositing short-term session key, thus further increases the fail safe of communication.
Obviously, those skilled in the art should be understood that, above-mentioned of the present invention each module or each step can realize with general calculation element, they can concentrate on single calculation element, or be distributed on network that multiple calculation element forms, alternatively, they can realize with the executable program code of calculation element, thus, they can be stored and be performed by calculation element in the storage device, and in some cases, step shown or described by can performing with the order be different from herein, or they are made into each integrated circuit modules respectively, or the multiple module in them or step are made into single integrated circuit module to realize.Like this, the present invention is not restricted to any specific hardware and software combination.
The foregoing is only the preferred embodiments of the present invention, be not limited to the present invention, for a person skilled in the art, the present invention can have various modifications and variations.Within the spirit and principles in the present invention all, any amendment done, equivalent replacement, improvement etc., all should be included within protection scope of the present invention.

Claims (9)

1. based on a Verification System for IKMP, comprising: identity module, key management module, authentication module, cipher key storage block, Routing Protocol Module, is characterized in that,
Described authentication module is connected with described cipher key storage block, for obtaining authentication information from described cipher key storage block, and carries out certification according to described authentication information to communication entity;
Wherein, described cipher key storage block is for preserving the long term keys relevant to user identity, and the described long term keys corresponding to the identification information of user generates the described authentication information being used for certification;
Wherein, described key management module be used for by produce according to described authentication information or send to described Routing Protocol Module from the session key that described authentication module receives, wherein, described authentication module produces described session key according to described authentication information, or, described key management module is used for described session key to send to described cipher key storage block, described session key is sent to described Routing Protocol Module by described cipher key storage block, wherein, described authentication module produces described session key according to described authentication information.
2. system according to claim 1, is characterized in that, described cipher key storage block also for storing long term keys material and ephemeral keys material, wherein, described long term keys material comprise following one of at least: the root key of user, certificate; Described ephemeral keys material is generated by long term keys.
3. based on a Verification System for IKMP, comprising: key management module, authentication module, Routing Protocol Module, identity module, is characterized in that, also comprises: long term keys memory module, ephemeral keys memory module, wherein,
Described authentication module is for receiving the identification information of the communication entity of described key management module transmission, the authentication message carrying described identification information is sent to described long term keys memory module, receive the authentication information corresponding with described identification information from described long term keys memory module, and use described authentication information to carry out certification;
Wherein, described session key also for generation of the session key for communicating, and is sent to described key management module by described authentication module, and wherein, described key management module is used for described session key to send to Routing Protocol Module; Or, described authentication module is also for notifying that described key management module produces described session key, wherein, described key management module is used for described session key to send to described Routing Protocol Module, and described ephemeral keys memory module is for receiving and preserving the described session key from described authentication module or described key management module.
4. based on an authentication method for IKMP, it is characterized in that, comprising:
Authentication module obtains authentication information from cipher key storage block, and carries out certification according to described authentication information to communication entity;
Wherein, described authentication module comprises from cipher key storage block acquisition authentication information: described cipher key storage block obtains the long term keys corresponding with the identification information of described communication entity; Described cipher key storage block generates described authentication information according to described long term keys; Described authentication information is sent to described authentication module by described cipher key storage block;
Wherein, in certification by afterwards, also comprise: described authentication module produces the session key for communicating, and described session key is sent to key management module, and described session key is sent to Routing Protocol Module by described key management module; Or described authentication module notifies that described key management module produces described session key, and described session key is sent to described Routing Protocol Module by described key management module, or, described session key is sent to described cipher key storage block by described key management module, described session key is sent to described Routing Protocol Module by described cipher key storage block, wherein, described authentication module produces described session key according to described authentication information.
5. method according to claim 4, is characterized in that, after described Routing Protocol Module obtains the session key for communicating, also comprises:
Described Routing Protocol Module uses described session key to protect protocol massages.
6. based on an authentication method for IKMP, it is characterized in that, comprising:
Authentication module receives the identification information of the communication entity that key management module sends;
Described authentication module sends authentication request message to long term keys memory module, and wherein, described authentication request message carries described identification information;
Described authentication module receives the authentication information corresponding with described identification information from described long term keys memory module;
Described authentication module uses described authentication information to carry out certification;
Wherein, in certification by afterwards, also comprise: described authentication module produces the session key for communicating, and described session key is sent to described key management module, and described session key is sent to Routing Protocol Module by described key management module; Or described authentication module notifies that described key management module produces described session key, and described session key is sent to described Routing Protocol Module by described key management module, or, described session key is sent to described cipher key storage block by described key management module, described session key is sent to ephemeral keys memory module and preserves by described cipher key storage block, described session key is sent to Routing Protocol Module by described ephemeral keys memory module, wherein, described authentication module produces described session key according to described authentication information.
7. method according to claim 6, is characterized in that, described authentication module also comprises before receiving the authentication information corresponding with described identification information from described long term keys memory module:
Described long term keys memory module obtains the long term keys corresponding with described identification information;
Described long term keys memory module generates described authentication information according to described long term keys;
Described authentication information is sent to described authentication module by described long term keys memory module.
8. method according to claim 7, is characterized in that, described long term keys is root key.
9. method according to claim 6, is characterized in that, after described Routing Protocol Module obtains the session key for communicating, also comprises:
Described Routing Protocol Module uses described session key to protect protocol massages.
CN201010200007.XA 2010-06-10 2010-06-10 Based on Verification System and the method for IKMP Expired - Fee Related CN102281139B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201010200007.XA CN102281139B (en) 2010-06-10 2010-06-10 Based on Verification System and the method for IKMP
PCT/CN2010/079246 WO2011153794A1 (en) 2010-06-10 2010-11-29 Authentication system and method based on key management protocol

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201010200007.XA CN102281139B (en) 2010-06-10 2010-06-10 Based on Verification System and the method for IKMP

Publications (2)

Publication Number Publication Date
CN102281139A CN102281139A (en) 2011-12-14
CN102281139B true CN102281139B (en) 2016-02-10

Family

ID=45097488

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201010200007.XA Expired - Fee Related CN102281139B (en) 2010-06-10 2010-06-10 Based on Verification System and the method for IKMP

Country Status (2)

Country Link
CN (1) CN102281139B (en)
WO (1) WO2011153794A1 (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107733639B (en) * 2017-08-24 2020-08-04 深圳壹账通智能科技有限公司 Key management method, device and readable storage medium
CN112150312A (en) * 2020-10-06 2020-12-29 广州云莫凡信息科技有限公司 Quality monitoring data maintenance method and system for building construction engineering

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1305159A (en) * 1999-11-01 2001-07-25 城市集团发展中心有限公司 Method and system of safety communication used on self-help financial transaction terminal
CN1599338A (en) * 2003-09-19 2005-03-23 皇家飞利浦电子股份有限公司 Method of improving safety, for radio local network
CN1921379A (en) * 2005-08-25 2007-02-28 华为技术有限公司 Method for object discriminator/key supplier to get key

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050015608A1 (en) * 2003-07-16 2005-01-20 Pkware, Inc. Method for strongly encrypting .ZIP files

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1305159A (en) * 1999-11-01 2001-07-25 城市集团发展中心有限公司 Method and system of safety communication used on self-help financial transaction terminal
CN1599338A (en) * 2003-09-19 2005-03-23 皇家飞利浦电子股份有限公司 Method of improving safety, for radio local network
CN1921379A (en) * 2005-08-25 2007-02-28 华为技术有限公司 Method for object discriminator/key supplier to get key

Also Published As

Publication number Publication date
WO2011153794A1 (en) 2011-12-15
CN102281139A (en) 2011-12-14

Similar Documents

Publication Publication Date Title
US20230231711A1 (en) Blockchain-implemented method and system
CN113783836B (en) IoT data access control method and system based on block chain and IBE algorithm
CN111639361B (en) A block chain key management method, multi-person co-signature method and electronic device
CN112953727B (en) Internet of things-oriented equipment anonymous identity authentication method and system
Karim et al. BSDCE-IoV: Blockchain-based secure data collection and exchange scheme for IoV in 5G environment
CN109194702B (en) Medical data recording method, system, computer device and storage medium
US20180144341A1 (en) Encryption system, encryption key wallet and method
CN101867530A (en) Internet of things gateway system and data interaction method based on virtual machine
CN106961336A (en) A kind of key components trustship method and system based on SM2 algorithms
CN112199726A (en) A blockchain-based alliance trust distributed identity authentication method and system
CN106254324A (en) A kind of encryption method storing file and device
Meshram et al. A robust smart card and remote user password-based authentication protocol using extended chaotic maps under smart cities environment
CN102780698A (en) User terminal safety communication method in platform of Internet of Things
KR102483369B1 (en) The user data storage and sharing system based on DID
Li et al. A Lightweight Fine‐Grained Searchable Encryption Scheme in Fog‐Based Healthcare IoT Networks
Picazo-Sanchez et al. Two RFID Standard-based Security protocols for healthcare environments
Sarvabhatla et al. A secure biometric-based user authentication scheme for heterogeneous WSN
Meng et al. A lightweight group authentication protocol for blockchain-based vehicular edge computing networks
Duan et al. Design of anonymous authentication scheme for vehicle fog services using blockchain
CN101783732B (en) Offline mutual authentication method and system based on pre-shared key
Songshen et al. Hash-based signature for flexibility authentication of IoT devices
CN102281139B (en) Based on Verification System and the method for IKMP
Priya et al. Disseminated and decentred blockchain secured balloting: apropos to India
Wu et al. EF-CRT: Group key update and batch verification based on euler function and chinese remainder theorem for edge-fog computing networks
CN112839329B (en) Verification method, device, equipment and computer readable storage medium

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
TR01 Transfer of patent right
TR01 Transfer of patent right

Effective date of registration: 20180425

Address after: California, USA

Patentee after: Global innovation polymerization LLC

Address before: No. 55, Nanshan District science and technology road, Nanshan District, Shenzhen, Guangdong

Patentee before: ZTE Corp.

CF01 Termination of patent right due to non-payment of annual fee
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20160210