CN1953369A - A method, system and device to initiate and identify secret key update request - Google Patents
A method, system and device to initiate and identify secret key update request Download PDFInfo
- Publication number
- CN1953369A CN1953369A CN 200610159711 CN200610159711A CN1953369A CN 1953369 A CN1953369 A CN 1953369A CN 200610159711 CN200610159711 CN 200610159711 CN 200610159711 A CN200610159711 A CN 200610159711A CN 1953369 A CN1953369 A CN 1953369A
- Authority
- CN
- China
- Prior art keywords
- key
- unit
- authentication
- authentication parameter
- network
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Landscapes
- Mobile Radio Communication Systems (AREA)
Abstract
本发明公开了一种发起更新密钥请求的方法,该方法包括:当网络需要更新密钥时,产生新密钥,根据所产生的新密钥获取鉴权参数,并将所获取的鉴权参数发送给终端。本发明还公开了一种识别是否请求更新密钥的方法,该方法包括:终端接收到网络发送的鉴权参数后,分别根据自身所保存的第一密钥和自身所产生的第一新密钥,判断所接收到的鉴权参数的一致性,并确定网络是否请求更新密钥。本发明还公开了一种实现更新密钥请求的系统、发起更新密钥请求的装置以及识别是否请求更新密钥的装置。根据本发明公开的方法、系统以及装置,网络按照现有的鉴权过程发起更新密钥的请求,终端识别网络是否请求更新密钥。
The invention discloses a method for initiating a key update request. The method includes: when the network needs to update the key, generate a new key, obtain authentication parameters according to the generated new key, and use the obtained authentication key Parameters are sent to the terminal. The present invention also discloses a method for identifying whether to request to update the key. The method includes: after the terminal receives the authentication parameter sent by the network, according to the first key stored by itself and the first new key generated by itself, key, judge the consistency of the received authentication parameters, and determine whether the network requests to update the key. The invention also discloses a system for implementing key update request, a device for initiating a key update request and a device for identifying whether to request a key update. According to the method, system and device disclosed in the present invention, the network initiates a key update request according to the existing authentication process, and the terminal identifies whether the network requests to update the key.
Description
技术领域technical field
本发明涉及鉴权技术,特别是指一种在鉴权过程中发起与识别更新密钥请求的方法、系统和装置。The invention relates to authentication technology, in particular to a method, system and device for initiating and identifying a key update request in the authentication process.
背景技术Background technique
在现有的无线通信系统中,如在WCDMA系统中,在终端中保存国际移动用户标识(IMSI)、鉴权密钥(KI)和序列号(SQN),网络侧的HLR/AUC中,保存有针对该终端的IMSI、KI和SQN,以用于终端和网络相互鉴权。In the existing wireless communication system, such as in the WCDMA system, the International Mobile Subscriber Identity (IMSI), Authentication Key (KI) and Serial Number (SQN) are stored in the terminal, and the HLR/AUC on the network side stores There are IMSI, KI and SQN for the terminal for mutual authentication between the terminal and the network.
下面给出在现有的无线通信系统中,实现鉴权的过程,如图1所示,包括以下步骤:The following provides the process of implementing authentication in the existing wireless communication system, as shown in Figure 1, including the following steps:
步骤101:网络根据自身所保存的密钥产生鉴权参数,并将所产生的鉴权参数发送给终端。Step 101: the network generates authentication parameters according to the key stored by itself, and sends the generated authentication parameters to the terminal.
在此,网络产生的鉴权参数中包括随机数(RAND)、序列号、消息鉴权编码(MAC-A)。其中,网络得到鉴权参数中的MAC-A的步骤为:网络侧首先产生随机数,并根据所产生的随机数、自身所保存的密钥和序列号计算得到MAC-A。Here, the authentication parameters generated by the network include random numbers (RAND), serial numbers, and message authentication codes (MAC-A). Wherein, the steps for the network to obtain the MAC-A in the authentication parameters are as follows: the network side first generates a random number, and calculates the MAC-A according to the generated random number, the key and the serial number stored by itself.
步骤102:终端根据自身所保存的当前密钥对所接收到的鉴权参数进行一致性验证,如果一致,则执行步骤103;否则,执行步骤106。Step 102: The terminal performs consistency verification on the received authentication parameters according to the current key stored by itself, and if they are consistent, execute step 103; otherwise, execute step 106.
在此,终端接收到鉴权参数后,根据自身所保存的密钥和所接收到的鉴权参数中的随机数和序列号,产生鉴权参数,并判断所接收到的鉴权参数和自身所产生的鉴权参数是否一致。Here, after the terminal receives the authentication parameters, it generates the authentication parameters according to the key stored by itself and the random number and serial number in the received authentication parameters, and judges the received authentication parameters and its own Whether the generated authentication parameters are consistent.
步骤103:终端判断所接收到的鉴权参数中的序列号是否属于可接受的范围,如果是,则执行步骤104;否则,执行步骤105。Step 103: The terminal judges whether the serial number in the received authentication parameter is within an acceptable range, and if yes, executes step 104; otherwise, executes step 105.
在此,终端可以判断所接收到的鉴权参数中的序列号和自身所保存的序列号的差值是否在一定的范围内,例如,两者的差值是否大于零,或者是否大于0且小于65536等范围内,如果所述差值在所述范围内,则确定所接收到的鉴权参数中的序列号可接受,否则,确定所接收到的鉴权参数中的序列号不可接受。Here, the terminal can determine whether the difference between the serial number in the received authentication parameter and the serial number stored by itself is within a certain range, for example, whether the difference between the two is greater than zero, or whether it is greater than 0 and less than 65536, etc., if the difference is within the range, it is determined that the serial number in the received authentication parameter is acceptable; otherwise, it is determined that the serial number in the received authentication parameter is not acceptable.
步骤104:终端确定对网络的鉴权成功,并根据所接收到的鉴权参数中的序列号更新自身的序列号,结束本流程。Step 104: The terminal determines that the authentication to the network is successful, and updates its own serial number according to the serial number in the received authentication parameter, and ends this process.
步骤105:终端确定网络的序列号与自身的序列号失去同步,发起同步序列号流程,然后结束本流程。Step 105: The terminal determines that the serial number of the network is out of synchronization with its own serial number, initiates a process of synchronizing the serial number, and then ends the process.
步骤106:终端确定对网络的鉴权失败,结束本流程。Step 106: the terminal determines that the authentication to the network fails, and ends this process.
关于WCDMA的鉴权流程,可以参见3GPP相关协议规范,这里不再赘述。For the authentication process of WCDMA, refer to the relevant protocol specifications of 3GPP, and details will not be repeated here.
现有的鉴权方法中,网络和终端采用固定的根密钥,即在鉴权过程中所使用的密钥始终保持不变。这种采用固定根密钥的方式,虽然实现和管理相对简单,但是,但却存在很大的安全隐患。In the existing authentication method, the network and the terminal use a fixed root key, that is, the key used in the authentication process remains unchanged all the time. Although the method of using a fixed root key is relatively simple to implement and manage, it has great security risks.
根密钥容易泄密。当根密钥是由卡商写入时,在这过程中有可能泄漏根密钥;当根密钥是由运营商运营时写入时,也有可能泄漏根密钥;在进行HLR/AUC的维护过程中,也有可能泄漏根密钥;黑客攻击HLR/AUC获取根密钥;从空中接口截获一定数量的用于鉴权过程中的鉴权参数,以及终端返回的鉴权响应,并通过某种算法推算根密钥。在上述情况下,用户根本就无法发现根密钥泄密,这时,用户的合法利益也得不到保护。因为,这些用户被黑客盗用自身的根密钥来执行非法通信。在现有的方法中,只要根密钥失密,则没有有效的补救措施,只能是同时更换用户卡和HLR/AUC中相关用户的数据。The root key is easily leaked. When the root key is written by the card manufacturer, the root key may be leaked during the process; when the root key is written by the operator, the root key may also be leaked; when performing HLR/AUC During the maintenance process, the root key may also be leaked; hackers attack HLR/AUC to obtain the root key; intercept a certain number of authentication parameters used in the authentication process from the air interface, and the authentication response returned by the terminal, and pass a certain algorithm to calculate the root key. Under the above circumstances, the user simply cannot find out that the root key is leaked, and at this time, the legitimate interests of the user cannot be protected. Because, these users are hacked to use their own root key to perform illegal communication. In the existing method, as long as the root key is lost, there is no effective remedy, only to replace the user card and the relevant user data in the HLR/AUC at the same time.
为了解决上述问题,在现有的鉴权过程中,需要提供一种密钥更新的机制。这时,密钥更新的请求通常是由网络发起,网络通常是在现有的鉴权参数中增加请求更新密钥的信息,终端只能根据该信息识别网络是否请求更新密钥。这种向终端表达请求更新密钥信息的方式有如下缺点:In order to solve the above problems, in the existing authentication process, it is necessary to provide a key update mechanism. At this time, the request for key update is usually initiated by the network, and the network usually adds information requesting key update to the existing authentication parameters, and the terminal can only identify whether the network requests key update based on the information. This method of expressing a request to update key information to the terminal has the following disadvantages:
1、会增加鉴权参数携带的内容,影响正常鉴权流程的效率;1. It will increase the content carried by the authentication parameters and affect the efficiency of the normal authentication process;
2、在鉴权参数无法扩展的情况下,也无法完成通过鉴权参数携带所述请求更新密钥信息;2. In the case that the authentication parameter cannot be expanded, it is also impossible to complete the request to update the key information through the authentication parameter;
3、如果使用明文在鉴权参数中携带请求更新密钥信息,则请求更新密钥的信息容易被截获,导致更新密钥的操作意图被泄漏,从而降低安全性。3. If the key update request information is carried in the authentication parameter in plain text, the key update request information is easily intercepted, resulting in the leakage of the key update operation intention, thereby reducing security.
发明内容Contents of the invention
有鉴于此,本发明的第一个主要目的在于提供一种发起更新密钥请求的方法,网络能够按照现有的鉴权过程发起更新密钥的请求。In view of this, the first main purpose of the present invention is to provide a method for initiating a key update request, so that the network can initiate a key update request according to the existing authentication process.
本发明的第二个主要目的在于提供一种识别是否请求更新密钥的方法,当网络按照现有的鉴权过程发起更新密钥的请求时,终端能够识别网络是否请求更新密钥。The second main purpose of the present invention is to provide a method for identifying whether to request a key update. When the network initiates a key update request according to the existing authentication process, the terminal can identify whether the network requests a key update.
本发明的第三个目的在于提供一种实现更新密钥请求的系统,当网络按照现有的鉴权过程发起更新密钥的请求时,终端识别网络是否请求更新密钥。The third object of the present invention is to provide a system for implementing key update request. When the network initiates a key update request according to the existing authentication process, the terminal identifies whether the network requests key update.
本发明的第四个目的在于提供一种发起更新密钥请求的装置,网络能够按照现有的鉴权过程发起更新密钥的请求。The fourth object of the present invention is to provide a device for initiating a key update request, so that the network can initiate a key update request according to the existing authentication process.
本发明的第五个主要目的在于提供一种识别是否请求更新密钥的装置,当网络按照现有的鉴权过程发起更新密钥的请求时,可以识别网络是否请求更新密钥。The fifth main purpose of the present invention is to provide a device for identifying whether to request a key update. When the network initiates a key update request according to the existing authentication process, it can identify whether the network requests a key update.
为了达到上述第一个目的,本发明提供一种发起更新密钥请求的方法,该方法包括:In order to achieve the first purpose above, the present invention provides a method for initiating a key update request, the method comprising:
网络判断是否需要更新密钥,如果确定需要更新密钥,则产生新密钥,然后根据所产生的新密钥获取鉴权参数,并将所获取的鉴权参数发送给终端。The network judges whether the key needs to be updated, and if it is determined that the key needs to be updated, a new key is generated, and then the authentication parameter is obtained according to the generated new key, and the obtained authentication parameter is sent to the terminal.
所述网络中保存有密钥;A key is stored in the network;
所述网络产生新密钥为:网络产生随机数RAND,并根据所产生的RAND和自身所保存的密钥产生新密钥。The network generates a new key as follows: the network generates a random number RAND, and generates a new key according to the generated RAND and the key stored by itself.
所述网络获取鉴权参数为:网络产生RAND,并根据所产生的RAND和新密钥产生鉴权参数;或者,网络产生RAND,设置序列号SQN,并根据所产生的RAND、所设置的SQN以及新密钥产生鉴权参数。The network acquisition authentication parameters are: the network generates RAND, and generates authentication parameters according to the generated RAND and a new key; or, the network generates RAND, sets the serial number SQN, and generates And the new key generates authentication parameters.
所述网络判断是否需要更新密钥,如果确定不需要更新密钥,则根据自身所保存的密钥获取鉴权参数,并将所获取的鉴权参数发送给终端。The network judges whether it is necessary to update the key, and if it is determined that the key does not need to be updated, then obtains the authentication parameter according to the stored key, and sends the obtained authentication parameter to the terminal.
所述网络根据RAND和新密钥所产生的鉴权参数为:消息鉴权编码MAC-A;所述网络获取的鉴权参数包括:所述RAND和MAC-A。The authentication parameter generated by the network according to the RAND and the new key is: message authentication code MAC-A; the authentication parameter obtained by the network includes: the RAND and the MAC-A.
所述网络获取鉴权参数为:网络产生RAND,设置序列号SQN,并根据所产生的RAND、所设置的SQN以及新密钥产生鉴权参数。The acquisition of authentication parameters by the network is as follows: the network generates RAND, sets a serial number SQN, and generates authentication parameters according to the generated RAND, the set SQN and the new key.
所述网络根据RAND、SQN以及新密钥所产生的鉴权参数为:MAC-A;所述网络获取的鉴权参数包括:所述RAND、所述SQN和所述MAC-A。The authentication parameter generated by the network according to the RAND, the SQN and the new key is: MAC-A; the authentication parameter obtained by the network includes: the RAND, the SQN and the MAC-A.
为了达到上述第二个目的,本发明提供一种识别更新密钥请求的方法,该方法包括:In order to achieve the second purpose above, the present invention provides a method for identifying a rekey request, the method comprising:
终端接收到网络发送的鉴权参数后,根据自身所保存的第一密钥判断所接收到的鉴权参数的一致性,如果一致性通过,则确定网络没有请求更新密钥;如果一致性不通过,则产生第一新密钥,并根据自身所产生的第一新密钥判断所接收到的鉴权参数的一致性,如果一致性通过,则确定网络请求更新密钥。After receiving the authentication parameters sent by the network, the terminal judges the consistency of the received authentication parameters according to the first key stored by itself. If the consistency passes, it is determined that the network does not request to update the key; if the consistency is not If it passes, the first new key is generated, and the consistency of the received authentication parameters is judged according to the first new key generated by itself. If the consistency passes, it is determined that the network requests to update the key.
所述终端接收到网络发送的鉴权参数为:网络获取鉴权参数,并向终端发送鉴权参数。When the terminal receives the authentication parameter sent by the network, the network acquires the authentication parameter and sends the authentication parameter to the terminal.
所述网络获取的鉴权参数包括:RAND;所述终端中保存有第一密钥;所述终端产生第一新密钥为:终端根据所接收到的鉴权参数中的RAND和自身所保存的第一密钥产生第一新密钥。The authentication parameters acquired by the network include: RAND; the first key is stored in the terminal; the terminal generates the first new key as follows: the terminal according to the RAND in the received authentication parameters and the stored key The first key generates the first new key.
所述终端根据第一密钥判断所接收到的鉴权参数的一致性为:终端根据第一密钥获取期望消息鉴权编码XMAC-A,并判断所述XMAC-A和所接收到的鉴权参数是否一致;The terminal judges the consistency of the received authentication parameters according to the first key as follows: the terminal obtains the expected message authentication code XMAC-A according to the first key, and judges that the XMAC-A and the received authentication Whether the weight parameters are consistent;
所述终端根据第一新密钥判断所接收到的鉴权参数的一致性为:终端根据第一新密钥获取XMAC-A,并判断所述XMAC-A和所接收到的鉴权参数是否一致。The terminal judges the consistency of the received authentication parameters according to the first new key as follows: the terminal obtains XMAC-A according to the first new key, and judges whether the XMAC-A and the received authentication parameters are unanimous.
所述网络获取的鉴权参数进一步包括:MAC-A;The authentication parameters acquired by the network further include: MAC-A;
所述终端根据第一新密钥获取XMAC-A为:终端根据第一新密钥和所接收到的RAND,产生所述XMAC-A;The terminal obtains the XMAC-A according to the first new key as follows: the terminal generates the XMAC-A according to the first new key and the received RAND;
所述终端根据第一密钥获取XMAC-A为:终端根据第一密钥和所接收到的RAND,产生所述XMAC-A。The obtaining of the XMAC-A by the terminal according to the first key is as follows: the terminal generates the XMAC-A according to the first key and the received RAND.
所述网络获取的鉴权参数进一步包括:SQN和MAC-A;The authentication parameters acquired by the network further include: SQN and MAC-A;
所述终端根据第一新密钥获取XMAC-A为:终端根据第一新密钥和所接收到的RAND和SQN,产生所述XMAC-A;The terminal obtains the XMAC-A according to the first new key as follows: the terminal generates the XMAC-A according to the first new key and the received RAND and SQN;
所述终端根据第一密钥获取XMAC-A为:终端根据第一密钥和所接收到的RAND和SQN,产生所述XMAC-A。The acquisition of the XMAC-A by the terminal according to the first key is as follows: the terminal generates the XMAC-A according to the first key and the received RAND and SQN.
所述判断XMAC-A和所接收到的鉴权参数是否一致为:终端判断所接收的MAC-A和自身所产生的XMAC-A是否一致。The judging whether the XMAC-A is consistent with the received authentication parameter is: the terminal judges whether the received MAC-A is consistent with the XMAC-A generated by itself.
所述终端根据自身所产生的第一新密钥确定所接收到的鉴权参数的一致性通过,则进一步包括:终端确定对网络鉴权成功;The terminal determines that the consistency of the received authentication parameters passes according to the first new key generated by itself, and further includes: the terminal determines that the network authentication is successful;
所述终端根据自身所产生的第一新密钥确定所接收到的鉴权参数的一致性不通过,则进一步包括:终端确定对网络鉴权失败。The terminal determines that the consistency of the received authentication parameters fails according to the first new key generated by itself, and the method further includes: the terminal determines that the network authentication fails.
所述终端进一步设置第一SQN;The terminal further sets a first SQN;
所述终端在确定网络请求更新密钥之前进一步包括:终端根据第一SQN判断所接收到的SQN是否可接受,如果是,则确定网络请求更新密钥。Before the terminal determines that the network requests to update the key, the terminal further includes: the terminal judges whether the received SQN is acceptable according to the first SQN, and if so, determines that the network requests to update the key.
所述终端确定所接收到的SQN可接受时,则进一步包括:终端确定对网络鉴权成功。When the terminal determines that the received SQN is acceptable, the method further includes: the terminal determines that the network authentication is successful.
为了达到上述第三个目的,本发明提供一种实现更新密钥请求的系统,该系统包括:密钥更新发起装置和密钥更新请求识别装置;In order to achieve the third purpose above, the present invention provides a system for implementing a key update request, the system comprising: a key update initiating device and a key update request identifying device;
所述密钥更新发起装置用于获取鉴权参数,并将所获取的鉴权参数发送给所述密钥更新请求识别装置;The key update initiating device is used to obtain authentication parameters, and send the obtained authentication parameters to the key update request identifying device;
所述密钥更新请求识别装置用于根据所接收到的鉴权参数,确定是否请求更新密钥。The key update request identification device is used for determining whether to request key update according to the received authentication parameters.
为了达到上述第四个目的,本发明提供一种发起更新密钥请求的装置,该装置包括:发起请求决定单元,第二密钥保存单元,第二新密钥产生单元,随机数产生单元,鉴权参数获取单元,鉴权参数发送单元;In order to achieve the above fourth object, the present invention provides a device for initiating a key update request, the device comprising: an initiation request determination unit, a second key storage unit, a second new key generation unit, a random number generation unit, An authentication parameter acquisition unit, an authentication parameter sending unit;
所述发起请求决定单元用于决定是否发起更新密钥请求,并将决定结果发送给所述鉴权参数获取单元;The initiation request decision unit is used to decide whether to initiate a key update request, and send the decision result to the authentication parameter acquisition unit;
所述第二密钥保存单元用于保存第二密钥;The second key storage unit is used to store the second key;
所述第二新密钥产生单元用于产生第二新密钥;The second new key generation unit is used to generate a second new key;
所述随机数产生单元用于产生随机数;The random number generating unit is used to generate random numbers;
所述鉴权参数获取单元用于根据从所述发起请求决定单元所得到的决定结果,从所述第二密钥保存单元获取第二密钥或从所述第二新密钥产生单元获取第二新密钥,从所述随机数产生单元获取随机数,并根据所获取的密钥和随机数产生鉴权参数,发送给所述鉴权参数发送单元;The authentication parameter obtaining unit is used to obtain the second key from the second key storage unit or obtain the second key from the second new key generation unit according to the determination result obtained from the initiation request determination unit. A new key, obtaining a random number from the random number generating unit, and generating an authentication parameter according to the obtained key and the random number, and sending it to the authentication parameter sending unit;
所述鉴权参数发送单元用于将所接收到的鉴权参数发送给所述密钥更新请求识别装置。The authentication parameter sending unit is used for sending the received authentication parameter to the key update request identification device.
该装置进一步包括:网络序列号设置单元,用于设置序列号;所述鉴权参数获取单元进一步用于从所述网络序列号设置单元获取序列号,并根据所获取的序列号和所述随机数以及所述密钥产生鉴权参数。The device further includes: a network serial number setting unit, configured to set a serial number; the authentication parameter acquisition unit is further configured to acquire a serial number from the network serial number setting unit, and according to the acquired serial number and the random number along with the key to generate authentication parameters.
为了达到上述第五个目的,本发明提供一种识别是否请求更新密钥的装置,该装置包括:鉴权参数接收单元,一致性验证单元,第一密钥保存单元,第一新密钥产生单元,识别单元;In order to achieve the above-mentioned fifth purpose, the present invention provides a device for identifying whether to request a key update, the device includes: an authentication parameter receiving unit, a consistency verification unit, a first key storage unit, and a first new key generation unit, identify unit;
其中,所述鉴权参数接收单元用于接收网络发送的鉴权参数;Wherein, the authentication parameter receiving unit is used to receive the authentication parameter sent by the network;
所述第一密钥保存单元用于保存第一密钥;The first key storage unit is used to store the first key;
所述一致性验证单元用于获取第一密钥保存单元所保存的第一密钥,或者获取所述第一新密钥产生单元所产生的第一新密钥,并根据所获取的密钥验证所述鉴权参数接收单元所接收到的鉴权参数的一致性,并将验证结果发送给所述识别单元和所述第一新密钥产生单元;The consistency verification unit is used to obtain the first key stored by the first key storage unit, or obtain the first new key generated by the first new key generation unit, and according to the obtained key Verifying the consistency of the authentication parameters received by the authentication parameter receiving unit, and sending the verification result to the identification unit and the first new key generation unit;
所述识别单元用于根据所接收到的验证结果,确定网络是否请求更新密钥;The identification unit is used to determine whether the network requests to update the key according to the received verification result;
所述第一新密钥产生单元用于根据所接收到的验证结果,产生第一新密钥。The first new key generation unit is used for generating a first new key according to the received verification result.
所述一致性验证单元包括:鉴权参数再生单元和鉴权参数比较单元;The consistency verification unit includes: an authentication parameter regeneration unit and an authentication parameter comparison unit;
所述鉴权参数再生单元用于根据从所述鉴权参数比较单元所接收的比较结果,从所述第一密钥保存单元获取第一密钥,或者从所述第一新密钥产生单元获取第一新密钥,并根据所获取的密钥获取鉴权参数,并将所获取的鉴权参数发送给所述鉴权参数比较单元;The authentication parameter regeneration unit is used to obtain the first key from the first key storage unit, or obtain the first key from the first new key generation unit according to the comparison result received from the authentication parameter comparison unit. Obtain a first new key, and obtain an authentication parameter according to the obtained key, and send the obtained authentication parameter to the authentication parameter comparison unit;
所述鉴权参数比较单元用于比较从所述鉴权参数再生单元所接收到的鉴权参数和所述鉴权参数接收单元所接收到的鉴权参数,并将比较结果发送给识别单元、所述第一新密钥产生单元和所述鉴权参数再生单元。The authentication parameter comparison unit is used to compare the authentication parameter received from the authentication parameter regeneration unit with the authentication parameter received by the authentication parameter receiving unit, and send the comparison result to the identification unit, The first new key generation unit and the authentication parameter regeneration unit.
该装置进一步包括:获取单元;The device further includes: an acquisition unit;
所述获取单元用于从所述鉴权参数接收单元所接收到的鉴权参数中获取随机数和序列号,并将所获取的随机数和序列号发送给所述鉴权参数再生单元;The obtaining unit is used to obtain a random number and a serial number from the authentication parameter received by the authentication parameter receiving unit, and send the obtained random number and serial number to the authentication parameter regeneration unit;
所述鉴权参数再生单元用于根据从所述第一密钥保存单元或所述第一新密钥产生单元所获取的密钥和从所述获取单元所接收到的随机数和序列号,获取鉴权参数。The authentication parameter regeneration unit is configured to use the key obtained from the first key storage unit or the first new key generation unit and the random number and sequence number received from the acquisition unit, Get authentication parameters.
该装置进一步包括:鉴权单元;The device further includes: an authentication unit;
所述鉴权单元用于从所述一致性验证单元获取一致性验证结果,并根据所获取的一致性验证结果,确定对网络的鉴权是否成功。The authentication unit is used to obtain a consistency verification result from the consistency verification unit, and determine whether the authentication to the network is successful according to the obtained consistency verification result.
该装置进一步包括:终端序列号设置单元,序列号可接受判断单元;The device further includes: a terminal serial number setting unit, and a serial number acceptable judging unit;
所述终端序列号设置单元用于设置终端的序列号,并发送给所述序列号可接受判断单元;The terminal serial number setting unit is used to set the serial number of the terminal, and send it to the acceptable judgment unit of the serial number;
所述获取单元用于从所述鉴权参数接收单元所接收到的鉴权参数中获取序列号,并将所获取的序列号发送给所述序列号可接受判断单元;The acquiring unit is configured to acquire a serial number from the authentication parameter received by the authentication parameter receiving unit, and send the acquired serial number to the serial number acceptable judging unit;
所述序列号可接受判断单元用于根据从所述终端序列号设置单元所接收的序列号判断从所述获取单元所接收的序列号是否可接受,并将判断结果发送给所述识别单元和所述鉴权单元;The serial number acceptance judgment unit is used to judge whether the serial number received from the acquisition unit is acceptable according to the serial number received from the terminal serial number setting unit, and send the judgment result to the identification unit and the authentication unit;
所述识别单元进一步用于根据从序列号可接受判断单元所得到的判断结果,确定网络是否请求更新密钥;The identifying unit is further used to determine whether the network requests to renew the key according to the judgment result obtained from the serial number acceptable judging unit;
所述鉴权单元进一步用于根据从序列号可接受判断单元所得到的判断结果,确定对网络的鉴权是否成功。The authenticating unit is further configured to determine whether the authentication to the network is successful according to the judgment result obtained from the serial number acceptable judging unit.
根据本发明提供的网络发起更新密钥请求的方法,网络当需要发起更新密钥请求时,产生新密钥并根据自身所产生的新密钥产生鉴权参数,而当网络不需要发起更新密钥请求时,根据自身所保存的密钥产生鉴权参数。因此,网络在发起更新密钥请求时,在现有的鉴权参数中并没有增加其它内容,以现有的鉴权过程发起更新密钥请求,从而,不影响正常的鉴权流程的效率。根据本发明,第三者即使获得了网络传送给终端的鉴权参数,也无法识别出网络是否传送了更新密钥请求信息,从而,在不占用鉴权参数信息资源的同时,使得网络在向终端传递更新密钥请求信息时不会泄漏。According to the method for the network to initiate a key update request provided by the present invention, when the network needs to initiate a key update request, it generates a new key and generates authentication parameters according to the new key generated by itself; When the key is requested, the authentication parameter is generated according to the key saved by itself. Therefore, when the network initiates a key update request, no other content is added to the existing authentication parameters, and the key update request is initiated through the existing authentication process, thereby not affecting the efficiency of the normal authentication process. According to the present invention, even if a third party obtains the authentication parameter sent by the network to the terminal, it cannot identify whether the network has sent the update key request information, thus, while not occupying the authentication parameter information resource, the network can send The terminal will not leak the rekey request information when passing it.
根据本发明提供的识别是否请求更新密钥的方法,终端接收到网络发送的鉴权参数后,先后根据自身所保存的密钥和所产生的新密钥,识别网络是否请求更新密钥。因此,当网络按照现有的鉴权过程发起更新密钥的请求时,终端不仅可以能够识别出网络是否请求更新密钥,同时还可以对网络进行鉴权。According to the method for identifying whether to request to update the key provided by the present invention, after receiving the authentication parameters sent by the network, the terminal identifies whether the network requests to update the key according to the stored key and the generated new key. Therefore, when the network initiates a key update request according to the existing authentication process, the terminal can not only identify whether the network requests to update the key, but also authenticate the network.
根据本发明提供的实现更新密钥请求的系统,现有的鉴权参数并没有增加其它内容,终端在完成对网络鉴权的同时识别出网络的请求更新密钥意图,在不增加正常鉴权流程负担的同时,隐藏了请求更新密钥意图,提高了系统的抗攻击能力。According to the system for implementing key update request provided by the present invention, no other content is added to the existing authentication parameters, and the terminal recognizes the network’s request to update the key while completing network authentication, without adding normal authentication While burdening the process, it hides the intention of requesting to update the key and improves the system's ability to resist attacks.
根据本发明提供的发起更新密钥请求的装置,网络可以按照现有的鉴权过程发起更新密钥的请求,同时能够有效的隐藏请求更新密钥意图,提高了系统的抗攻击能力。根据本发明提供的识别是否请求更新密钥的装置,当网络按照现有的鉴权过程发起更新密钥的请求时,可以识别网络是否请求更新密钥,进一步还可以判断对网络的鉴权是否成功。According to the device for initiating a key update request provided by the present invention, the network can initiate a key update request according to the existing authentication process, and at the same time, the intention of requesting key update can be effectively hidden, and the anti-attack capability of the system is improved. According to the device for identifying whether to request to update the key provided by the present invention, when the network initiates a request to update the key according to the existing authentication process, it can identify whether the network requests to update the key, and can further determine whether the authentication to the network is success.
附图说明Description of drawings
图1所示为现有技术中实现鉴权的流程图;Fig. 1 shows the flow chart of realizing authentication in the prior art;
图2所示为本发明实施方式中终端识别网络是否请求更新密钥的流程图;Fig. 2 is a flow chart showing whether the terminal identifies whether the network requests to update the key in the embodiment of the present invention;
图3所示为本发明实施例一中终端识别网络是否请求更新密钥的流程图;FIG. 3 is a flow chart showing whether the terminal identifies whether the network requests to update the key in Embodiment 1 of the present invention;
图4所示为本发明实施例二中终端识别网络是否请求更新密钥的流程图;FIG. 4 is a flow chart showing whether the terminal identifies whether the network requests to update the key in Embodiment 2 of the present invention;
图5所示为本发明中实现请求更新密钥的系统结构图;Fig. 5 shows that among the present invention, realizes the system structural diagram of requesting to update the key;
图6所示为本发明中密钥更新请求识别装置结构图。Fig. 6 is a structural diagram of a key update request identification device in the present invention.
具体实施方式Detailed ways
为使本发明的目的、技术方案和优点更加清楚明白,下面举具体实施例,对本发明作进一步详细的说明。In order to make the object, technical solution and advantages of the present invention clearer, specific examples are given below to further describe the present invention in detail.
本发明提供一种请求更新密钥的方法,其主要思想是:网络可以按照现有的鉴权过程发起更新密钥的请求;而终端接收到鉴权参数后,先后根据自身所保存的密钥和自身所产生的新密钥,识别网络是否请求更新密钥。在此,网络可通过采用自身所产生的新密钥产生鉴权参数的方式,向终端传递更新密钥请求信息。The present invention provides a method for requesting a key update, the main idea of which is: the network can initiate a key update request according to the existing authentication process; and after receiving the authentication parameters, the terminal successively And the new key generated by itself, identifying whether the network requests to update the key. Here, the network may transmit the key update request information to the terminal by using a new key generated by itself to generate an authentication parameter.
下面给出网络向终端发起更新密钥请求的方法,具体为:网络判断是否需要更新密钥,如果确定需要更新密钥,则产生新密钥,然后根据所产生的新密钥获取鉴权参数,并将所获取的鉴权参数发送给终端;否则,根据自身所保存的密钥获取鉴权参数,并将所获取的鉴权参数发送给终端。The method for the network to initiate a key update request to the terminal is given below, specifically: the network judges whether the key needs to be updated, if it is determined that the key needs to be updated, then generates a new key, and then obtains authentication parameters based on the generated new key , and send the obtained authentication parameters to the terminal; otherwise, obtain the authentication parameters according to the key saved by itself, and send the obtained authentication parameters to the terminal.
通常,网络保存有密钥,网络产生新密钥的方法为:网络产生RAND,并根据所产生的RAND和自身所保存的密钥产生新密钥。Usually, the network stores a key, and the method for the network to generate a new key is as follows: the network generates RAND, and generates a new key based on the generated RAND and the key stored by itself.
网络所获取的鉴权参数可以包括RAND和MAC-A,获取该鉴权参数的方法为:网络产生RAND,并根据所产生的RAND和密钥产生MAC-A。网络所获取的鉴权参数还可以包括RAND、SQN和MAC-A,获取该鉴权参数的方法为:网络产生RAND,设置SQN,并根据所产生的RAND、所设置的SQN以及密钥产生MAC-A。其中,当网络向终端发起更新密钥请求时,获取鉴权参数过程中所使用的密钥为网络所产生的新密钥;当网络不向终端发起更新密钥请求时,获取鉴权参数过程中所使用的密钥为网络所保存的密钥。The authentication parameters obtained by the network may include RAND and MAC-A. The method for obtaining the authentication parameters is as follows: the network generates RAND, and generates MAC-A according to the generated RAND and the key. The authentication parameters obtained by the network may also include RAND, SQN, and MAC-A. The method for obtaining the authentication parameters is as follows: the network generates RAND, sets SQN, and generates MAC according to the generated RAND, the set SQN, and the key. -A. Among them, when the network initiates a key update request to the terminal, the key used in the process of obtaining authentication parameters is a new key generated by the network; when the network does not initiate a key update request to the terminal, the process of obtaining authentication parameters The key used in is the key saved by the network.
下面,为了方便区分终端侧和网络侧的参数,对于终端侧,用第一密钥、第一新密钥、第一SQN描述;对于网络侧,用第二密钥、第二新密钥、第二SQN描述。Below, in order to facilitate the distinction between the parameters of the terminal side and the network side, for the terminal side, use the first key, the first new key, and the first SQN description; for the network side, use the second key, the second new key, Second SQN description.
图2所示为终端识别网络是否请求更新密钥的实施方式流程,包括以下步骤:Figure 2 shows the implementation process of the terminal identifying whether the network requests to update the key, including the following steps:
步骤201:网络获取鉴权参数,并向终端发送鉴权参数。Step 201: the network acquires authentication parameters, and sends the authentication parameters to the terminal.
步骤202:终端接收到网络发送的鉴权参数后,根据自身所保存的第一密钥判断所接收到的鉴权参数的一致性,如果一致性通过,则执行步骤203,如果一致性不通过,则执行步骤204。Step 202: After receiving the authentication parameters sent by the network, the terminal judges the consistency of the received authentication parameters according to the first key stored by itself, if the consistency passes, then execute
步骤203:终端确定网络没有请求更新密钥,结束本流程。Step 203: the terminal determines that the network does not request to update the key, and ends this process.
在本步骤203中,终端同时还可以确定对网络鉴权成功。In this
步骤204~205:终端产生第一新密钥,并根据自身所产生的第一新密钥判断所接收到的鉴权参数的一致性,如果一致性验证通过,则确定网络请求更新密钥。Steps 204-205: The terminal generates a first new key, and judges the consistency of the received authentication parameters according to the first new key generated by itself. If the consistency verification passes, it determines that the network requests to update the key.
在此,当一致性验证通过时,终端确定网络请求更新密钥的同时,还可以确定对网络鉴权成功。终端根据第一新密钥判断鉴权参数的一致性时,如果一致性验证不通过,则终端可以确定对网络鉴权失败。Here, when the consistency verification is passed, the terminal may also determine that the authentication to the network is successful while determining that the network requests to update the key. When the terminal judges the consistency of the authentication parameters according to the first new key, if the consistency verification fails, the terminal may determine that the network authentication fails.
从以上流程中可以看出,终端在识别网络是否请求更新密钥时,是通过第一密钥和第一新密钥对网络所传送的鉴权参数进行一致性验证来实现的,这种方式使得第三者即使获得了网络传送给终端的鉴权参数,也无法识别出网络是否传送了更新密钥请求信息,从而,在不占用鉴权参数信息资源的同时,使得网络在向终端传递更新密钥请求信息时不会泄漏。It can be seen from the above process that when the terminal identifies whether the network requests to update the key, it uses the first key and the first new key to verify the consistency of the authentication parameters transmitted by the network. Even if the third party obtains the authentication parameter sent by the network to the terminal, it cannot identify whether the network has sent the update key request information, so that while not occupying the information resources of the authentication parameter, the network can transmit the update key to the terminal. Information is not leaked when the key is requested.
上述实施例中,终端产生第一新密钥为:终端根据所接收到的鉴权参数中的RAND和自身所保存的第一密钥产生第一新密钥。In the above embodiment, generating the first new key by the terminal is as follows: the terminal generates the first new key according to the RAND in the received authentication parameter and the first key stored by itself.
上述实施方式中,所述终端根据第一密钥判断所接收到的鉴权参数的一致性为:终端根据第一密钥获取期望消息鉴权编码(XMAC-A),并判断所述XMAC-A和所接收到的鉴权参数是否一致;所述终端根据第一新密钥判断所接收到的鉴权参数的一致性为:终端根据第一新密钥获取XMAC-A,并判断所述XMAC-A和所接收到的鉴权参数是否一致。In the above embodiment, the terminal judges the consistency of the received authentication parameters according to the first key as follows: the terminal obtains the expected message authentication code (XMAC-A) according to the first key, and judges that the XMAC-A Whether A is consistent with the received authentication parameter; the terminal judges the consistency of the received authentication parameter according to the first new key as follows: the terminal obtains XMAC-A according to the first new key, and judges that the Whether XMAC-A is consistent with the received authentication parameters.
上述实施方式中,当网络向终端请求更新密钥时,所述网络获取鉴权参数为:产生RAND,并根据所产生的RAND和自身所保存的第二密钥产生第二新密钥,并根据所产生的第二新密钥产生MAC-A,此时,所述网络获取的鉴权参数包括所述RAND和MAC-A;当网络不向终端请求更新密钥时,所述网络获取鉴权参数为:产生RAND,并根据所产生的RAND和自身所保存的第二密钥产生MAC-A,此时,所述网络获取的鉴权参数包括所述RAND和MAC-A。所述终端判断XMAC-A和所接收到的鉴权参数是否一致为:终端判断接收的MAC-A和自身所产生的XMAC-A是否一致。In the above embodiment, when the network requests the terminal to update the key, the network obtains the authentication parameter as follows: generate RAND, and generate a second new key according to the generated RAND and the second key stored by itself, and Generate MAC-A according to the generated second new key. At this time, the authentication parameters obtained by the network include the RAND and MAC-A; when the network does not request the terminal to update the key, the network obtains the authentication parameter The authorization parameter is: generate RAND, and generate MAC-A according to the generated RAND and the second key stored by itself. At this time, the authentication parameters acquired by the network include the RAND and MAC-A. The terminal judging whether the XMAC-A is consistent with the received authentication parameter is as follows: the terminal judges whether the received MAC-A is consistent with the XMAC-A generated by itself.
上述实施方式中,所述网络可以进一步设置第二SQN,所述网络产生MAC-A时可以进一步根据所设置的第二SQN进行,所述网络获取的鉴权参数包括所述RAND、第二SQN和所述MAC-A。即,当网络向终端请求更新密钥时,网络根据自身所产生的RAND、第二新密钥和第二SQN产生MAC-A;当网络不向终端请求更新密钥时,网络根据自身所产生的RAND、第二密钥和第二SQN产生MAC-A。对应地,所述终端根据第一新密钥获取XMAC-A为:终端根据第一新密钥和所接收到的RAND和第二SQN,产生所述XMAC-A;所述终端根据第一密钥获取XMAC-A为:终端根据第一密钥和所接收到的RAND和第二SQN,产生所述XMAC-A。In the above embodiment, the network may further set a second SQN, and when the network generates MAC-A, it may further proceed according to the set second SQN, and the authentication parameters acquired by the network include the RAND, the second SQN and the MAC-A. That is, when the network requests the terminal to update the key, the network generates MAC-A according to the RAND, the second new key, and the second SQN generated by itself; when the network does not request the terminal to update the key, the network generates MAC-A according to the The RAND of , the second key and the second SQN generate MAC-A. Correspondingly, the terminal obtains the XMAC-A according to the first new key as follows: the terminal generates the XMAC-A according to the first new key and the received RAND and the second SQN; the terminal generates the XMAC-A according to the first key The key acquisition XMAC-A is: the terminal generates the XMAC-A according to the first key, the received RAND and the second SQN.
上述实施方式中,所述终端根据自身所产生的第一新密钥确定所接收到的鉴权参数的一致性通过,则进一步包括:终端确定对网络鉴权成功;所述终端根据自身所产生的第一新密钥确定所接收到的鉴权参数的一致性不通过,则进一步包括:终端确定对网络鉴权失败。In the above embodiment, the terminal determines that the consistency of the received authentication parameters passes according to the first new key generated by itself, and further includes: the terminal determines that the authentication to the network is successful; If the first new key determines that the consistency of the received authentication parameters fails, the method further includes: the terminal determines that the network authentication fails.
上述实施例中,所述终端中可以进一步设置第一SQN,所述终端确定对网络鉴权成功之前进一步包括:根据第一SQN判断所接收到的第二SQN是否可接受,如果是,则确定对网络鉴权成功,否则,确定第二SQN与第一SQN失去同步。In the above embodiment, the first SQN may be further set in the terminal, and before the terminal determines that the network authentication is successful, it further includes: judging whether the received second SQN is acceptable according to the first SQN, and if so, determining The network authentication is successful; otherwise, it is determined that the second SQN loses synchronization with the first SQN.
下面通过具体实施例,详细说明本发明中请求更新密钥的方法。The method for requesting key update in the present invention will be described in detail below through specific embodiments.
在下面的实施例中,在所述网络设置第二密钥和第二SQN,在所述终端对应地设置第一密钥和第一SQN。In the following embodiments, the second key and the second SQN are set on the network, and the first key and the first SQN are correspondingly set on the terminal.
图3所示为本发明第一实施例流程图,包括以下步骤:Fig. 3 shows the flowchart of the first embodiment of the present invention, including the following steps:
步骤301:网络获取鉴权参数,并向终端发送所获取的鉴权参数。Step 301: the network acquires authentication parameters, and sends the acquired authentication parameters to the terminal.
在此,网络获取的鉴权参数包括:自身所产生的RAND、自身所设置的第二SQN、以及自身所产生的MAC-A。获取鉴权参数的具体步骤可以为:网络首先产生RAND,如果网络需要更新密钥,则根据所产生的RAND和第二密钥生成第二新密钥,并根据RAND和所生成的第二新密钥产生所述MAC-A;如果网络不需要更新密钥,则根据RAND、第二SQN和设置的第二密钥产生所述MAC-A。Here, the authentication parameters obtained by the network include: the RAND generated by itself, the second SQN set by itself, and the MAC-A generated by itself. The specific steps for obtaining the authentication parameters may be as follows: the network first generates RAND, and if the network needs to update the key, then generate a second new key according to the generated RAND and the second key, and generate a second new key according to the RAND and the generated second new key. The key generates the MAC-A; if the network does not need to update the key, the MAC-A is generated according to the RAND, the second SQN and the set second key.
网络获取鉴权参数后,可以进一步更新第二SQN的值。更新SQN的值可以是将第二SQN增加一个随机增量。比如增加一个1到256之间的随机数来得到新的第二SQN值。After the network acquires the authentication parameter, the value of the second SQN may be further updated. Updating the value of the SQN may be to increase the second SQN by a random increment. For example, adding a random number between 1 and 256 to obtain a new second SQN value.
步骤302:终端接收到网络发送的鉴权参数后,根据自身所保存的第一密钥、接收到的RAND和第二SQN产生XMAC-A,并判断所接收到的MAC-A和产生的XMAC-A是否一致,例如判断MAC-A和XMAC-A是否相同,如果一致,则执行步骤303;如果不一致,则执行步骤306。Step 302: After receiving the authentication parameters sent by the network, the terminal generates XMAC-A according to the first key stored by itself, the received RAND and the second SQN, and judges the received MAC-A and the generated XMAC - Whether A is consistent, for example, judge whether MAC-A and XMAC-A are the same, if they are consistent, execute
步骤303:终端确定网络没有请求更新密钥,并进一步验证第二SQN是否可以接受,如果可以接受,则执行步骤304;否则,执行步骤305。Step 303: The terminal determines that the network does not request to update the key, and further verifies whether the second SQN is acceptable, and if acceptable, executes
终端验证第二SQN是否可以接受,可以是判断第一SQN和第二SQN的差值是否在一定的范围内,例如,判断(第一SQN-第二SQN)是否大于0,或者(第一SQN-第二SQN)是否大于0且小于65536,等等。如果差值在所述范围内,则确定第二SQN可以接受,否则,确定第二SQN不可以接受。The terminal verifies whether the second SQN is acceptable, which may be to determine whether the difference between the first SQN and the second SQN is within a certain range, for example, to determine whether (first SQN-second SQN) is greater than 0, or (first SQN - whether the second SQN) is greater than 0 and less than 65536, etc. If the difference is within the range, it is determined that the second SQN is acceptable, otherwise, it is determined that the second SQN is not acceptable.
终端对第二SQN的可接受性验证通过后,可以进一步根据第二SQN更新第一SQN,例如,将第一SQN的值设置为与第二SQN相等的值。After passing the acceptability verification of the second SQN, the terminal may further update the first SQN according to the second SQN, for example, set the value of the first SQN to be equal to the value of the second SQN.
步骤304:终端确定对网络鉴权成功,结束本流程。Step 304: The terminal determines that the authentication to the network is successful, and ends this procedure.
步骤305:终端确定第二SQN与第一SQN失去同步,结束本流程。Step 305: The terminal determines that the second SQN loses synchronization with the first SQN, and ends this process.
步骤306:终端产生第一新密钥,根据所产生的第一新密钥和接收到的RAND产生XMAC-A,并判断所接收到的MAC-A和所产生的XMAC-A是否一致,例如判断MAC-A和XMAC-A是否相同,如果一致,则执行步骤307;如果不一致,则执行步骤308。Step 306: The terminal generates the first new key, generates XMAC-A according to the generated first new key and the received RAND, and judges whether the received MAC-A is consistent with the generated XMAC-A, for example It is judged whether MAC-A and XMAC-A are the same, if they are consistent, execute
在此,终端产生第一新密钥为:终端根据所接收到的鉴权参数中的RAND和自身所保存的第一密钥产生第一新密钥。Here, the terminal generating the first new key is: the terminal generates the first new key according to the received RAND in the authentication parameter and the first key stored by itself.
步骤307:终端确定网络请求更新密钥,结束本流程。Step 307: The terminal determines that the network requests to update the key, and ends this process.
在本步骤307中,终端确定网络请求更新密钥的同时,进一步还可以确定对网络鉴权成功。In this
步骤308:终端确定对网络鉴权失败,结束本流程。Step 308: The terminal determines that the network authentication fails, and ends this process.
从以上流程中可以看出,终端在对网络鉴权的同时,还能够识别出网络是否请求更新密钥,使得网络在向终端传递更新密钥请求信息时不会泄漏。It can be seen from the above process that while authenticating the network, the terminal can also identify whether the network requests to update the key, so that the network will not leak the key update request information to the terminal.
上述步骤301中,在网络需要更新密钥时,产生所述MAC-A时,也可以进一步根据第二SQN进行;对应地,在步骤306中,产生所述XMAC-A时,进一步根据第二SQN进行。相应的,所述终端确定网络请求更新密钥之前进一步包括:根据第一SQN判断所接收到的第二SQN是否可接受,如果是,则确定网络请求更新密钥,否则,确定第二SQN与第一SQN失去同步。针对这种情况,在下述的第二实施例中详细介绍具体步骤。In the
下面给出第二实施例,即当网络需要更新密钥时,产生MAC-A时,在第一实施例中所述的根据RAND和第二新密钥的基础上,进一步根据第二SQN产生。针对这种情况,对应图4所示的流程图,包括以下步骤:The second embodiment is given below, that is, when the network needs to update the key, when generating MAC-A, based on the RAND and the second new key described in the first embodiment, it is further generated according to the second SQN . For this situation, corresponding to the flow chart shown in Figure 4, the following steps are included:
步骤401:网络获取鉴权参数,并向终端发送所获取的鉴权参数。Step 401: the network acquires authentication parameters, and sends the acquired authentication parameters to the terminal.
在此,网络获取的鉴权参数包括:产生的随机数RAND,设置的第二SQN,和产生的消息鉴权编码MAC-A。其中,网络首先产生随机数RAND,如果网络需要更新密钥,则根据随机数和第二密钥生成第二新密钥,并根据RAND、第二SQN和生成的第二新密钥产生所述MAC-A;如果网络不需要更新密钥,则根据RAND、第二SQN和设置的第二密钥产生所述MAC-A。Here, the authentication parameters acquired by the network include: the generated random number RAND, the set second SQN, and the generated message authentication code MAC-A. Wherein, the network first generates a random number RAND, and if the network needs to update the key, a second new key is generated according to the random number and the second key, and the second new key is generated according to the RAND, the second SQN and the generated second new key MAC-A; if the network does not need to update the key, then generate the MAC-A according to the RAND, the second SQN and the set second key.
网络获取鉴权参数后,可以进一步更新第二SQN的值。更新SQN的值可以是将第二SQN增加一个随机增量。比如增加一个1到256之间的随机数来得到第二SQN新值。After the network acquires the authentication parameter, the value of the second SQN may be further updated. Updating the value of the SQN may be to increase the second SQN by a random increment. For example, add a random number between 1 and 256 to obtain the new value of the second SQN.
步骤402:终端接收到网络发送的鉴权参数后,根据所保存的第一密钥、接收到的RAND和第二SQN产生XMAC-A,判断所接收到的MAC-A和产生的XMAC-A是否一致,例如判断MAC-A和XMAC-A是否相同,如果一致,则执行步骤403;如果不一致,则执行步骤405。Step 402: After receiving the authentication parameters sent by the network, the terminal generates XMAC-A according to the saved first key, received RAND and second SQN, and judges the received MAC-A and the generated XMAC-A Whether they are consistent, for example, judge whether MAC-A and XMAC-A are the same, if they are consistent, perform
步骤403:终端确定网络没有请求更新密钥,并进一步验证第二SQN是否可以接受,如果可以接受,则执行步骤404;否则,执行步骤408。Step 403: The terminal determines that the network does not request to update the key, and further verifies whether the second SQN is acceptable, and if acceptable, executes step 404; otherwise, executes
步骤404:终端确定对网络鉴权成功,结束本流程。Step 404: The terminal determines that the authentication to the network is successful, and ends this procedure.
步骤405:终端产生第一新密钥,根据产生的第一新密钥、接收到的RAND和第二SQN产生XMAC-A,判断所接收到的MAC-A和产生的是否一致,例如判断MAC-A和XMAC-A是否相同,如果一致,则执行步骤406;如果不一致,则执行步骤409。Step 405: The terminal generates the first new key, generates XMAC-A according to the generated first new key, the received RAND and the second SQN, and judges whether the received MAC-A is consistent with the generated one, for example, judging the MAC - Whether A and XMAC-A are the same, if they are consistent, go to step 406; if not, go to step 409.
在此,终端产生第一新密钥为:终端根据所接收到的鉴权参数中的RAND和自身所保存的第一密钥产生第一新密钥。Here, the terminal generating the first new key is: the terminal generates the first new key according to the received RAND in the authentication parameter and the first key stored by itself.
步骤406:终端验证第二SQN是否可以接受,如果可以接受,则执行步骤407;否则,执行步骤408。Step 406: The terminal verifies whether the second SQN is acceptable, and if acceptable, executes
在此,终端验证第二SQN是否可以接受,可以是判断第一SQN和第二SQN的差值是否在一定的范围内,例如,是否(第一SQN-第二SQN)大于0,或者是否(第一SQN-第二SQN)大于0且小于65536,等等。如果差值在所述范围内,则判断出第二SQN可以接受,否则,判断第二SQN不可以接受。Here, the terminal verifies whether the second SQN is acceptable, which may be to determine whether the difference between the first SQN and the second SQN is within a certain range, for example, whether (first SQN-second SQN) is greater than 0, or whether ( First SQN-Second SQN) is greater than 0 and less than 65536, and so on. If the difference is within the range, it is judged that the second SQN is acceptable; otherwise, it is judged that the second SQN is not acceptable.
在此,终端对第二SQN的可接受性验证通过后,可以进一步根据第二SQN更新第一SQN,例如,将第一SQN的值设置为与第二SQN相等的值。Here, after passing the acceptability verification of the second SQN, the terminal may further update the first SQN according to the second SQN, for example, set the value of the first SQN to be equal to the value of the second SQN.
步骤407:终端确定网络请求更新密钥,结束本流程。Step 407: The terminal determines that the network requests to update the key, and ends this process.
在本步骤407中,终端确定网络请求更新密钥的同时,还可以进一步确定对网络鉴权成功。In this
步骤408:终端确定第二SQN与第一SQN失去同步,结束本流程。Step 408: The terminal determines that the second SQN is out of synchronization with the first SQN, and ends this process.
步骤409:终端确定对网络鉴权失败,结束本流程。Step 409: The terminal determines that the network authentication fails, and ends this process.
本实施例中,步骤406也可以是:终端不执行所述验证第二SQN是否可以接受的操作,终端直接确认网络请求更新密钥并结束本流程,而不再执行步骤407和408。In this embodiment, step 406 may also be: the terminal does not perform the operation of verifying whether the second SQN is acceptable, and the terminal directly confirms that the network requests to update the key and ends this process without performing
上述生成第二新密钥、第一新密钥,以及产生MAC-A和XMAC-A值的计算可以是一些摘要计算或加密计算,例如可以是使用业界公知的一些算法来进行。The aforementioned calculations for generating the second new key, the first new key, and generating MAC-A and XMAC-A values may be some digest calculations or encryption calculations, for example, may be performed using some well-known algorithms in the industry.
上述第一密钥与第二密钥可以是一对对称密钥,实际当中,二者可以完全相同。The above-mentioned first key and the second key may be a pair of symmetric keys, and in practice, they may be completely the same.
下面给出实现请求更新密钥的系统,如图5所示,该系统包括:密钥更新发起装置和密钥更新请求识别装置。其中,所述密钥更新发起装置获取鉴权参数,并将所获取的鉴权参数发送给所述密钥更新请求识别装置;所述密钥更新请求识别装置根据所接收到的鉴权参数,确定是否请求更新密钥。A system for implementing a key update request is given below. As shown in FIG. 5 , the system includes: a key update initiating device and a key update request identifying device. Wherein, the key update initiating means acquires authentication parameters, and sends the acquired authentication parameters to the key update request identification means; the key update request identification means, according to the received authentication parameters, Determines whether to request a rekey.
下面详细介绍密钥更新发起装置和密钥更新请求识别装置的内部结构。The internal structures of the key update initiating device and the key update request identifying device are introduced in detail below.
密钥更新发起装置的内部结构见图5,如图5所示,密钥更新发起装置包括:发起请求决定单元500,第二密钥保存单元501,第二新密钥产生单元502,网络序列号设置单元503,随机数产生单元504,鉴权参数获取单元505,鉴权参数发送单元506。The internal structure of the key update initiation device is shown in Figure 5, as shown in Figure 5, the key update initiation device includes: an initiation request determination unit 500, a second key storage unit 501, a second new key generation unit 502, a network sequence A number setting unit 503, a random number generating unit 504, an authentication parameter acquiring unit 505, and an authentication parameter sending unit 506.
其中,所述发起请求决定单元500决定是否发起更新密钥请求,并将决定结果发送给所述鉴权参数获取单元;所述第二密钥保存单元501保存第二密钥;所述第二新密钥产生单元502产生第二新密钥;所述随机数产生单元504产生随机数;所述鉴权参数获取单元505根据从所述发起请求决定单元500所得到的决定结果,从所述第二密钥保存单元501获取第二密钥或从所述第二新密钥产生单元502获取第二新密钥,从所述随机数产生单元504获取随机数,并根据所获取的密钥和随机数产生鉴权参数,发送给所述鉴权参数发送单元506;所述鉴权参数发送单元506将所接收到的鉴权参数发送给所述密钥更新请求识别装置。所述网络序列号设置单元503设置序列号,此时,密钥更新发起装置从所述网络序列号设置单元503获取序列号,并在产生鉴权参数时,根据所获取的序列号,以及所述密钥和随机数产生。Wherein, the initiation request determination unit 500 determines whether to initiate a key update request, and sends the decision result to the authentication parameter acquisition unit; the second key storage unit 501 stores the second key; the second The new key generation unit 502 generates a second new key; the random number generation unit 504 generates a random number; The second key storage unit 501 obtains the second key or obtains the second new key from the second new key generation unit 502, obtains a random number from the random number generation unit 504, and according to the obtained key and the random number to generate an authentication parameter, and send it to the authentication parameter sending unit 506; the authentication parameter sending unit 506 sends the received authentication parameter to the key update request identification device. The network serial number setting unit 503 sets the serial number. At this time, the key update initiator obtains the serial number from the network serial number setting unit 503, and when generating authentication parameters, according to the acquired serial number and the obtained The above key and random number generation.
在该密钥更新发起装置中,所述第二新密钥产生单元502产生第二新密钥时,从所述随机数产生单元504获取随机数,从所述第二密钥保存单元501中获取第二密钥,并根据所获取的随机数和第二密钥产生所述第二新密钥。In the key update initiating device, when the second new key generation unit 502 generates a second new key, it obtains a random number from the random number generation unit 504, and obtains a random number from the second key storage unit 501 Obtain a second key, and generate the second new key according to the obtained random number and the second key.
在该密钥更新发起装置中,当所述发起请求决定单元500决定发起密钥更新时,所述鉴权参数获取单元505从所述第二新密钥产生单元502获取第二新密钥;当所述发起请求决定单元500决定不发起密钥更新时,所述鉴权参数获取单元505从所述第二密钥保存单元501获取第二密钥。In the key update initiating device, when the initiation request determining unit 500 decides to initiate a key update, the authentication parameter acquisition unit 505 acquires a second new key from the second new key generation unit 502; When the initiation request determining unit 500 decides not to initiate a key update, the authentication parameter obtaining unit 505 obtains a second key from the second key storage unit 501 .
下面给出所述密钥更新请求识别装置的内部结构图,如图6所示,该装置包括:鉴权参数接收单元601,一致性验证单元602,第一密钥保存单元603,第一新密钥产生单元604,识别单元605。该装置还可以进一步包括:获取单元606、鉴权单元607、终端序列号设置单元608、序列号可接受判断单元609。下面分别描述各单元完成的功能。The internal structure diagram of the key update request identification device is given below, as shown in Figure 6, the device includes: authentication
所述鉴权参数接收单元601接收所述鉴权参数发送单元506发送的鉴权参数;所述第一密钥保存单元603保存第一密钥;所述一致性验证单元602从所述第一密钥保存单元603获取第一密钥,或者从所述第一新密钥产生单元604获取第一新密钥,并根据所获取的密钥验证所述鉴权参数接收单元601所接收到的鉴权参数的一致性,并将验证结果发送给所述识别单元605和所述第一新密钥产生单元604;所述识别单元605根据所接收到的验证结果,确定网络是否请求更新密钥;所述第一新密钥产生单元604根据所接收到的验证结果,产生第一新密钥,当所接收到的验证结果为一致性验证不通过时,则产生第一新密钥。The authentication
所述一致性验证单元602包括:鉴权参数再生单元602-1和鉴权参数比较单元602-2。所述鉴权参数再生单元602-1根据从所述鉴权参数比较单元602-2所接收的比较结果,从所述第一密钥保存单元603获取第一密钥,或者从所述第一新密钥产生单元604获取第一新密钥,并根据所获取的密钥获取鉴权参数,并将所获取的鉴权参数发送给所述鉴权参数比较单元602-2;所述鉴权参数比较单元602-2比较从所述鉴权参数再生单元602-1所接收到的鉴权参数和所述鉴权参数接收单元601所接收到的鉴权参数,并将比较结果发送给识别单元605、第一新密钥产生单元604和所述鉴权参数再生单元602-1。这时,第一新密钥产生单元604根据所接收到的比较结果,产生第一新密钥,当所接收到的比较结果为不一致的结果时,则产生第一新密钥。The
在此,所述鉴权参数比较单元602-2将比较结果反馈给所述鉴权参数再生单元602-1;鉴权参数再生单元602-1根据反馈得到的比较结果,决定是否从第一新密钥产生单元604获取第一新密钥。鉴权参数再生单元602-1第一次从所述第一密钥保存单元603获取第一密钥,然后当从所述鉴权参数比较单元602-2接收到比较结果为不一致的结果时,从所述第一新密钥产生单元604获取第一新密钥。Here, the authentication parameter comparison unit 602-2 feeds back the comparison result to the authentication parameter regeneration unit 602-1; the authentication parameter regeneration unit 602-1 decides whether to start from the first new The
所述密钥更新请求识别装置中的所述获取单元606从所述鉴权参数接收单元601所接收到的鉴权参数中获取随机数和序列号,并将所获取的随机数和序列号发送给所述鉴权参数再生单元602-1;所述鉴权参数再生单元602-1用于根据从所述第一密钥保存单元603或所述第一新密钥产生单元604所获取的密钥和从所述获取单元606所接收到的随机数和序列号,获取鉴权参数。The
所述第一新密钥产生单元604产生第一新密钥时,从所述获取单元中606获取鉴权参数中的随机数,从所述第一密钥保存单元603中获取第一密钥,并根据所获取的随机数和第一密钥产生所述第一新密钥。When the first new
在此,获取单元606所实现的功能,可以通过鉴权参数接收单元601实现,即鉴权参数接收单元601从所接收到的鉴权参数中获取随机数和序列号,并分别发送给需要的单元,例如,所述鉴权参数再生单元602-1、所述第一新密钥产生单元604、鉴权参数比较单元602-2。Here, the functions realized by the obtaining
所述密钥更新请求识别装置进一步包括鉴权单元607,鉴权单元607从所述一致性验证单元602获取一致性验证结果,并根据所获取的一致性验证结果,确定对网络的鉴权是否成功。如果一致性验证结果为一致性验证通过,则确定对网络的鉴权成功,否则,确定对网络的鉴权失败。The device for identifying a key update request further includes an
所述密钥更新请求识别装置进一步包括:终端序列号设置单元608,序列号可接受判断单元609。所述终端序列号设置单元608设置终端的序列号,并发送给所述序列号可接受判断单元609;所述获取单元606从所述鉴权参数接收单元所接收到的鉴权参数中获取序列号,并将所获取的序列号发送给所述序列号可接受判断单元609;所述序列号可接受判断单元609根据从所述终端序列号设置单元608所接收的序列号判断从所述获取单元606所接收的序列号是否可接受,并将判断结果发送给所述识别单元605和所述鉴权单元607;所述识别单元605进一步根据从序列号可接受判断单元609所得到的判断结果,确定网络是否请求更新密钥;所述鉴权单元607进一步根据从序列号可接受判断单元609所得到的判断结果,确定对网络的鉴权是否成功。The device for identifying the key update request further includes: a terminal serial
以上所述的密钥更新发起装置可以设置在网络侧,以上所述的密钥更新请求识别装置可以设置在终端内部。所述密钥更新发起装置可以按照发起鉴权过程的方式发起密钥更新;而通过所述密钥更新请求识别装置,不仅能够识别网络是否请求更新密钥,同时还能够对网络进行鉴权。The above-mentioned key update initiating device may be set on the network side, and the above-mentioned key update request identifying device may be set inside the terminal. The key update initiating means can initiate key update in the manner of initiating an authentication process; and through the key update request identifying means, not only can identify whether the network requests key update, but also can authenticate the network.
以上所述仅为本发明的较佳实施例而已,并不用以限制本发明,凡在本发明的精神和原则之内,所作的任何修改、等同替换、改进等,均应包含在本发明的保护范围之内。The above descriptions are only preferred embodiments of the present invention, and are not intended to limit the present invention. Any modifications, equivalent replacements, improvements, etc. made within the spirit and principles of the present invention shall be included in the scope of the present invention. within the scope of protection.
Claims (31)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN 200610159711 CN1953369A (en) | 2006-09-30 | 2006-09-30 | A method, system and device to initiate and identify secret key update request |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN 200610159711 CN1953369A (en) | 2006-09-30 | 2006-09-30 | A method, system and device to initiate and identify secret key update request |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN1953369A true CN1953369A (en) | 2007-04-25 |
Family
ID=38059517
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN 200610159711 Pending CN1953369A (en) | 2006-09-30 | 2006-09-30 | A method, system and device to initiate and identify secret key update request |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN1953369A (en) |
Cited By (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101400059B (en) * | 2007-09-28 | 2010-12-08 | 华为技术有限公司 | A key update method and device in an active state |
| CN101640886B (en) * | 2008-07-29 | 2012-04-25 | 上海华为技术有限公司 | Authentication method, re-authentication method and communication device |
| CN101741497B (en) * | 2008-11-17 | 2012-05-09 | 财团法人资讯工业策进会 | Key updating device and method and wireless network system comprising device |
| WO2012065422A1 (en) * | 2010-11-19 | 2012-05-24 | 中兴通讯股份有限公司 | Method for updating key of mobile terminal, and mobile terminal |
| CN105722077A (en) * | 2016-01-29 | 2016-06-29 | 宇龙计算机通信科技(深圳)有限公司 | Network residing method, network residing system and terminal |
-
2006
- 2006-09-30 CN CN 200610159711 patent/CN1953369A/en active Pending
Cited By (11)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101400059B (en) * | 2007-09-28 | 2010-12-08 | 华为技术有限公司 | A key update method and device in an active state |
| US8023658B2 (en) | 2007-09-28 | 2011-09-20 | Huawei Technologies Co., Ltd. | Method and apparatus for updating a key in an active state |
| US8144877B2 (en) | 2007-09-28 | 2012-03-27 | Huawei Technologies Co., Ltd. | Method and apparatus for updating a key in an active state |
| US8300827B2 (en) | 2007-09-28 | 2012-10-30 | Huawei Technologies Co., Ltd. | Method and apparatus for updating key in an active state |
| US9031240B2 (en) | 2007-09-28 | 2015-05-12 | Huawei Technologies Co., Ltd. | Method and apparatus for updating a key in an active state |
| US10057769B2 (en) | 2007-09-28 | 2018-08-21 | Huawei Technologies Co., Ltd. | Method and apparatus for updating a key in an active state |
| US10999065B2 (en) | 2007-09-28 | 2021-05-04 | Huawei Technologies Co., Ltd. | Method and apparatus for updating a key in an active state |
| CN101640886B (en) * | 2008-07-29 | 2012-04-25 | 上海华为技术有限公司 | Authentication method, re-authentication method and communication device |
| CN101741497B (en) * | 2008-11-17 | 2012-05-09 | 财团法人资讯工业策进会 | Key updating device and method and wireless network system comprising device |
| WO2012065422A1 (en) * | 2010-11-19 | 2012-05-24 | 中兴通讯股份有限公司 | Method for updating key of mobile terminal, and mobile terminal |
| CN105722077A (en) * | 2016-01-29 | 2016-06-29 | 宇龙计算机通信科技(深圳)有限公司 | Network residing method, network residing system and terminal |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN105188055B (en) | wireless network access method, wireless access point and server | |
| CN100488280C (en) | Authentifying method and relative information transfer method | |
| CN101511084B (en) | Authentication and cipher key negotiation method of mobile communication system | |
| CN102036242B (en) | Access authentication method and system in mobile communication network | |
| CN108141355B (en) | Method and system for generating session keys using Diffie-Hellman procedure | |
| CN101194529B (en) | Method for agreeing on a security key between at least one first and one second communications station for securing a communications link | |
| CN109729523B (en) | Terminal networking authentication method and device | |
| CN107196920B (en) | A kind of key generation distribution method towards wireless communication system | |
| CN107820239B (en) | Information processing method and device | |
| JP2000078124A (en) | Method for establishing key while using aerial communication and password, and password protocol | |
| CN101867929A (en) | Authentication method, system, authentication server and terminal device | |
| CN106888092B (en) | Information processing method and device | |
| CN112312393A (en) | 5G application access authentication method and 5G application access authentication network architecture | |
| CN105871777A (en) | Wireless router access processing method, wireless router access method and device | |
| CN105323754A (en) | Distributed authentication method based on pre-shared key | |
| US8433918B2 (en) | Methods and systems for improving the security of password-based authentication protocols for IEEE 802.11 networks | |
| CN1973569A (en) | Method for securing an authentication and key agreement protocol | |
| CN101399603A (en) | Resynchronization method, authentication method and device | |
| CN112235799B (en) | Network access authentication method and system for terminal equipment | |
| CN1953369A (en) | A method, system and device to initiate and identify secret key update request | |
| CN100479569C (en) | Controlled key updating method | |
| CN115761954B (en) | A Bluetooth key connection method and device for a vehicle | |
| CN100461938C (en) | A Controlled Key Renewal Method | |
| CN102026184B (en) | Authentication method, authentication system and relevant device | |
| CN101160985B (en) | Authentication method and corresponding information transmission method |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C12 | Rejection of a patent application after its publication | ||
| RJ01 | Rejection of invention patent application after publication |
Open date: 20070425 |