WO2011063557A1

WO2011063557A1 - Multicast key management method and system in a wireless metropolitan area network

Info

Publication number: WO2011063557A1
Application number: PCT/CN2009/075102
Authority: WO
Inventors: 庞辽军; 曹军; 铁满霞
Original assignee: China Iwncomm Co Ltd
Current assignee: China Iwncomm Co Ltd
Priority date: 2009-11-24
Filing date: 2009-11-24
Publication date: 2011-06-03
Anticipated expiration: 2012-05-24

Abstract

A multicast key management method and system in a wireless metropolitan area network are provided, the method includes the following steps: 1) multicast private key distribution: 1.1) an applicant entity transmits a multicast private key application packet to a responder entity; 1.2) the responder entity transmits a multicast private key response packet to the applicant entity; and 1.3) the application entity transmits a multicast private key confirmation packet to the responder entity; 2) multicast key encryption key distribution or update: 2.1) the responder entity broadcasts a multicast key encryption key broadcast packet to all applicant entities; 2.2) the applicant entity decrypts the multicast key encryption key from the multicast key encryption key broadcast packet. Therefore, the problems of low security of multicast key management basic keys and low efficiency of multicast key update in the wireless metropolitan area network are solved.

Description

一种无线城域网组播密钥管理方法及系统 Wireless metropolitan area network multicast key management method and system

发明领域 Field of invention

本发明涉及无线通信技术领域，尤其涉及一种无线城域网组播密钥管理方法及系统。 The present invention relates to the field of wireless communication technologies, and in particular, to a wireless metropolitan area network multicast key management method and system.

背景技术 Background technique

无线网络的安全问题远比有线以太网严重。美国电气及电子工程师学会 IEEE在 802.11和 802.16系列标准中提出了安全机制来增强无线局域网和无线城域网的安全性，提供移动终端 MT到基站 BS的安全接入，中国也在 2003年 5 月份颁布了无线局域网国家标准 GB15629.il , 通常称为 WAPI (无线局域网鉴别与保密基础架构）协议。宽带无线多媒体 BWM网络融合了数据通信和广播通信，是一种新的无线网络体系结构，同样需要解决安全接入和保密通信问题。 The security of wireless networks is far more serious than wired Ethernet. The IEEE Institute of Electrical and Electronics Engineers has introduced security mechanisms in the 802.11 and 802.16 series of standards to enhance the security of wireless LANs and wireless metropolitan area networks, and to provide secure access from mobile terminals MT to base station BS. China also in May 2003. The national standard for wireless local area networks, GB15629.il, has been enacted, commonly referred to as the WAPI (Wireless Local Area Network Authentication and Privacy Infrastructure) protocol. Broadband Wireless Multimedia The BWM network combines data communication and broadcast communication. It is a new wireless network architecture that also needs to address security access and secure communication.

不管是无线网络还是有线网络，一般都包含两种通信模式：点对点的通信和组播（或广播）方式。安全组播需要保证组播实体和消息的合法性和保密性，同时，对接收组播的终端也需要一定的权限限制，保证只有获得授权的终端可以正确地读出所组播的消息，这要求必须首先有效解决组播密钥安全分发问题。如何有效管理组播密钥是解决安全组播的关键问题之一。 Whether it is a wireless network or a wired network, there are two modes of communication: point-to-point communication and multicast (or broadcast). Secure multicast needs to ensure the legality and confidentiality of multicast entities and messages. At the same time, it also needs certain restrictions on the terminals that receive multicasts, ensuring that only authorized terminals can correctly read the multicast messages. It is required that the multicast key security distribution problem must be effectively solved first. How to effectively manage multicast keys is one of the key issues to solve secure multicast.

IEEE802.il标准使用了有线等效保密协议 WEP实现 WLAN的安全性，它的密钥管理非常简单，即手工在移动终端和接入点之间设置共享密钥。此时， IEEE802.11还没有涉及组播密钥管理问题。 The IEEE 802.il standard uses the Wired Equivalent Privacy Protocol (WEP) to implement WLAN security. Its key management is very simple, that is, manually setting a shared key between the mobile terminal and the access point. At this time, IEEE802.11 has not yet dealt with multicast key management issues.

因为 WEP加密协议存在严重的安全漏洞。 IEEE提出了 802. lli标准试图解决 WEP的安全问题。中国也提出了无线局域网中国国家标准 GB15629.il，即 WAPI协议，克服了 WEP存在的一些弊病。 802. lli和 WAPI尽管认证机制不同，但在组播密钥管理方面却十分相似：组播会话密钥 GSK的分发是由事先建立的单播会话密钥 USK加密分发的。也就是说，基站会选取一个组播会话密钥，然后，分别用自己与每一个终端共享的单播会话密钥进行加密，并逐个发送给相应的终端。每个终端接收到加密的組播会话密钥消息后，可以用自己与基站共享的单播会话密钥解密得到组播会话密钥。当每个终端都接收到同样的组播会话密钥后，基站就可以进行安全组播。如果要更新组播会话密钥，则需要重复上述过程。 There is a serious security hole in the WEP encryption protocol. The IEEE proposed the 802.lli standard to try to solve the security problem of WEP. China has also proposed the WLAN China National Standard GB15629.il, the WAPI protocol, which overcomes some of the shortcomings of WEP. Although 802.lli and WAPI have different authentication mechanisms, they are very similar in terms of multicast key management: the distribution of the multicast session key GSK is encrypted and distributed by the previously established unicast session key USK. That is to say, the base station selects a multicast session key, and then encrypts it with the unicast session key shared by each terminal and sends it to the phase one by one. The terminal should be. After receiving the encrypted multicast session key message, each terminal can decrypt the multicast session key by using the unicast session key shared by the terminal with the base station. When each terminal receives the same multicast session key, the base station can perform secure multicast. If you want to update the multicast session key, you need to repeat the above process.

该方法的缺点是效率比较低，特别是当进行组播会话密钥更新时，基站需要重复上述组播会话密钥分发过程：基站选取一个组播会话密钥，分别用自己与每一个终端共享的单播会话密钥进行加密，并逐个发送给相应的终端。 The disadvantage of this method is that the efficiency is relatively low, especially when the multicast session key is updated, the base station needs to repeat the above multicast session key distribution process: The base station selects a multicast session key and shares it with each terminal by itself. The unicast session keys are encrypted and sent to the corresponding terminals one by one.

在美国 IEEE提出的无线城域网标准即 802.16标准中，其组播密钥管理借鉴了 802.11i。但在 IEEE提出的 802.16e标准中，关于安全组播密钥管理问题，提出了新的设计理念，引入了组播密钥加密密钥 GKEK, 建立起了组播密钥加密密钥 GKEK和组播会话密钥 GSK两级的管理方法。其思想为：首先，基站利用与每个终端建立的单播会话密钥逐个加密 GKEK并发送给相应终端；终端收到该消息后，利用单播会话密钥解密得到 GKEK; 然后，基站利用 GKEK作为密钥加密 GSK, 并对所有终端进行广播；拥有 GKEK的每一个终端可以得到相同的 GSK。这时，组播会话密钥过程完成。在进行组播会话密钥更新时，采用同样的过程：即基站利用 GKEK作为密钥加密 GSK, 并对所有终端进行广播。 In the wireless metropolitan area network standard proposed by the IEEE in the United States, namely the 802.16 standard, its multicast key management borrows from 802.11i. However, in the 802.16e standard proposed by IEEE, a new design concept is proposed for the security multicast key management problem. The multicast key encryption key GKEK is introduced, and the multicast key encryption key GKEK and group are established. Two-level management method for broadcasting session key GSK. The idea is as follows: First, the base station encrypts the GKEK one by one by using the unicast session key established with each terminal and sends it to the corresponding terminal; after receiving the message, the terminal decrypts the GKEK by using the unicast session key; then, the base station utilizes GKEK The GSK is encrypted as a key and broadcast to all terminals; each terminal with GKEK can get the same GSK. At this point, the multicast session key process is complete. The same procedure is used when performing multicast session key update: The base station uses GKEK as the key to encrypt the GSK and broadcasts to all terminals.

而 802.116e中的组播密钥管理方法的缺点是：采用时间同步方式，状态管理复杂；新密钥的启用、禁用都依赖时间判断，在一个分布式系统中维护同步时钟比较复杂。 The disadvantages of the multicast key management method in 802.116e are: Time synchronization is adopted, and state management is complicated; the activation and deactivation of new keys are time-dependent, and maintaining a synchronous clock in a distributed system is complicated.

针对这种情况，中国在无线城域网和宽带无线多媒体领域，提出了具有类似思想的组播会话密钥管理方法。 In response to this situation, China has proposed a multicast session key management method with similar ideas in the field of wireless metropolitan area network and broadband wireless multimedia.

但这种方法具有以下缺点： But this method has the following disadvantages:

1、尽管采用了 GKEK和 GSK两级的管理方法，但对所有终端来说，它们的 GKEK和 GSK是相同的，不具备密钥分级管理的优势和特点； 1. Although the GKEK and GSK management methods are adopted, their GKEK and GSK are the same for all terminals, and they do not have the advantages and features of key hierarchical management;

2、因为 GKEK对所有终端来说是相同的，这会使得终端更容易将 GKEK 泄漏给其他终端，安全性不高； 2. Because GKEK is the same for all terminals, it will make it easier for the terminal to leak GKEK to other terminals, and the security is not high;

3、没有涉及 GKEK的更新方法。因为 GKEK作为基础密钥对所有终端来说是相同的，安全性不高，因此，需要经常更换 GKEK; 3. There is no update method related to GKEK. Because GKEK is the base key for all terminals It is the same, the security is not high, therefore, it is necessary to change the GKEK frequently;

4、没有提供有效的 GKEK更新方法，只能和組播密钥加密密钥分发方法相同，由基站逐个加密、逐个发送给终端； 4, does not provide a valid GKEK update method, can only be the same as the multicast key encryption key distribution method, the base station encrypts one by one, and sends them to the terminal one by one;

5、在上述情况 4中，这种更新可能需要较长时间，该时间长短由终端数目决定。这可能会导致在密钥更新时，出现组播中断现象。 5. In the above case 4, such an update may take a long time, and the length of time is determined by the number of terminals. This may result in a multicast outage when the key is updated.

发明内容 Summary of the invention

本发明为解决背景技术中无线城域网组播密钥管理基础密钥安全不高和組播密钥更新的效率低下问题，而提供一种无线城域网组播密钥管理方法及系统。 The invention solves the problem that the base key of the wireless metropolitan area network multicast key management is not high and the multicast key update is low in the background art, and provides a wireless metropolitan area network multicast key management method and system.

本发明的技术解决方案是：本发明为一种无线城域网組播密钥管理方法，其特殊之处在于：该方法包括以下步骤： The technical solution of the present invention is: The present invention is a wireless metropolitan area network multicast key management method, which is special in that: the method comprises the following steps:

1 )组播私钥分发： 1) Multicast private key distribution:

1.1 )请求者实体发送组播私钥请求分组给响应者实体； 1.1) The requester entity sends a multicast private key request packet to the responder entity;

1.2 ) 响应者实体发送组播私钥响应分组给请求者实体； 1.2) The responder entity sends a multicast private key response packet to the requester entity;

1.3 )请求者实体发送组播私钥确认分组给响应者实体； 1.3) The requester entity sends a multicast private key confirmation packet to the responder entity;

2 )组播密钥加密密钥分发（或更新）： 2) Multicast key encryption key distribution (or update):

2.1 ) 响应者实体向所有请求者实体广播组播密钥加密密钥广播分组； 2.2 )请求者实体从组播密钥加密密钥广播分組中解密出组播密钥加密密钥。 2.1) The responder entity broadcasts the multicast key encryption key broadcast packet to all requester entities; 2.2) The requester entity decrypts the multicast key encryption key from the multicast key encryption key broadcast packet.

上述步骤 1 )之前还包括由响应者实体建立系统参数的步骤。 The above step 1) also includes the step of establishing system parameters by the responder entity.

上述系统参数包括：设和 ((¾,·)为两个阶均为 p的循环群，为素数，且满足 Diffie-Hellman计算问题为困难问题；令为(^的生成元；令 e为和 (¾上的双线性变换，即^ ^ (^→(¾；令是一个单向 hash函数。 The above system parameters include: Set and ((3⁄4,·) are cyclic groups with two orders of p, which are prime numbers, and satisfy the Diffie-Hellman calculation problem as a difficult problem; let (^ the generator element; let e be the sum (The bilinear transformation on 3⁄4, ie ^ ^ (^→(3⁄4; is a one-way hash function).

上述步骤 1 )之前，请求者实体和响应者实体进行认证及单播密钥协商；建立一个共享的单播会话密钥。 Before the above step 1), the requester entity and the responder entity perform authentication and unicast key negotiation; establish a shared unicast session key.

上述步骤 1.1 ) 中的组播私钥请求分组包括以下内容： The multicast private key request packet in the above step 1.1) includes the following contents:

AE RE N1 MIC 其中： AE RE N1 MIC among them:

AE字段：请求者实体的身份信息； AE field: identity information of the requester entity;

RE字段：响应者实体的身份信息； RE field: identity information of the responder entity;

N1字段：请求者实体产生的随机数； N1 field: a random number generated by the requester entity;

MIC字段：表示对该字段之前的所有字段求 MIC值，这里完整性校验密钥是 USKL MIC field: Indicates that the MIC value is obtained for all fields before the field, where the integrity check key is USKL

上述步骤 1.2 ) 中当响应者实体收到组播私钥请求分组后，重新计算 MIC, 并与接收到的 MIC进行比较，如果不相等，则丟弃该分组；如果相等，则构造组播私钥响应分组发送给请求者实体。 In the above step 1.2), after the responder entity receives the multicast private key request packet, the MIC is recalculated and compared with the received MIC, if not equal, the packet is discarded; if equal, the multicast private is constructed. The key response packet is sent to the requester entity.

上述步骤 1.2 ) 中的组播私钥响应分组包括以下内容：

The multicast private key response packet in step 1.2) above includes the following:

其中： among them:

N2字段：响应者实体产生的随机数； N2 field: a random number generated by the responder entity;

C字段：响应者实体分发给请求者实体的组播私钥 GKx的密文信息，加密密钥为 USKE; C field: ciphertext information of the multicast private key GKx distributed by the responder entity to the requester entity, the encryption key is USKE;

上述 C字段的计算过程如下： The calculation process of the above C field is as follows:

1.2.1 ) 响应者实体在中随机选择 w-l 大于等于 2 ) 个不同的元素 v₀, Vj,…，^^？；以及元素^^^^, 同时，随机构造 W-1次秘密多项式 /(Jt)eZ_fW。接着，计算如下信息： 2 =/(0)/⁾£(7₁和 =/( ) ³( = 0，1，. 1.2.1) The responder entity randomly selects wl greater than or equal to 2) different elements v ₀ , Vj,..., ^^? ; and the element ^^^^, at the same time, randomly construct the W-1 secret polynomial / (Jt) eZ _f W. Next, calculate the following information: 2 =/(0)/ ⁾ £(7 ₁ and =/( ) ³ ( = 0,1,.

1.2.2)对请求者实体，

= f(AE)(Q_{1 +}Q₂) ; 1.2.2) For the requester entity,

= f(AE)(Q _{1 +} Q ₂ ) ;

1.2.3) C = (Q_K,Q₁,Q₂,v₀,...,v_n_₂,V₀,...,V_n_₂)\\E(USKE;GK_x) ₀ 1.2.3) C = (Q _K , Q ₁ , Q ₂ , v ₀ ,..., v _n _ ₂ , V ₀ ,...,V _n _ ₂ )\\E(USKE;GK _x ) ₀

上述步骤 1.3 ) 中当请求者实体收到组播私钥响应分组后，重新计算 MIC, 并与接收到的 MIC进行比较，如果不相等，则丢弃该分组；如果相等，则判断 N1是否请求者实体选取的随机数；如果不是则丢弃该分组，如果是则利用密钥 USKE解密 (fA¾¾;G Q获得組播私钥 GKx, 最后，构造组播私钥确认分组发送给响应者实体。 In step 1.3) above, when the requester entity receives the multicast private key response packet, the MIC is recalculated. And comparing with the received MIC, if not equal, discarding the packet; if equal, determining whether N1 is a random number selected by the requester entity; if not, discarding the packet, and if so, decrypting with the key USKE (fA3⁄43⁄4 GQ obtains the multicast private key GKx, and finally, constructs a multicast private key confirmation packet to send to the responder entity.

上述步骤 1.3 ) 中的组播私钥确认分组包括以下内容：

The multicast private key confirmation packet in step 1.3) above includes the following contents:

其中： among them:

MIC字段：表示对该字段之前的所有字段以及解密得到的组播私钥 GKx所求 MIC值，这里完整性校验密钥是 USKI; MIC field: indicates the MIC value of all the fields before the field and the decrypted multicast private key GKx, where the integrity check key is USKI;

上述步骤 1.3 ) 中当响应者实体收到组播私钥确认分组后，重新计算 MIC, 并与接收到的 MIC进行比较；如果不相等，则丟弃该分组；如果相等，则判断 N2是否响应者实体选取的随机数；如果不是则丢弃该分组，如果是，组播私钥分发成功。 In step 1.3) above, when the responder entity receives the multicast private key confirmation packet, it recalculates the MIC and compares it with the received MIC; if not, discards the packet; if equal, determines whether N2 responds The random number selected by the entity; if not, the packet is discarded, and if so, the multicast private key is successfully distributed.

上述步骤 2.1 ) 中的组播密钥加密密钥广播分组包括以下内容：

The multicast key encryption key broadcast packet in the above step 2.1) includes the following contents:

其中： among them:

Flag字段：表示广播类别； Flag field: indicates the broadcast category;

Time字段：当前系统时间，用于区分是否为重复信息； Time field: Current system time, used to distinguish whether it is duplicate information;

C1字段：响应者实体广播的组播密钥加密密钥的密文信息； C1 field: ciphertext information of the multicast key encryption key broadcast by the responder entity;

MIC字段：表示对该字段之前的所有字段求 MIC值，这里完整性校验密钥是 GKEKI (由组播密钥加密密钥导出的完整性校验密钥）。上述 C1字段的计算方法如下：假设响应者实体选择了組播密钥加密密钥 GKEKe G₂ , 响应者实体随机选择整数 reZ:, 并如下计算： MIC field: Indicates that the MIC value is obtained for all fields preceding the field, where the integrity check key is GKEKI (the integrity check key derived by the multicast key encryption key). The above C1 field is calculated as follows: Assuming that the responder entity selects the multicast key encryption key GKEKe G ₂ , the responder entity randomly selects the integer reZ: and computes as follows:

Cl =

= (rP,rQ_l,e(Q_K,Q₂yGKEK,rV₀,...,rV_n_₂) 上述步骤 2.2) 中当请求者实体接收到该分组后，按如下方法解密出组播密钥加密密钥： Cl =

= (rP,rQ _l ,e(Q _K ,Q ₂ yGKEK,rV ₀ ,...,rV _n _ ₂ ) In step 2.2) above, when the requester entity receives the packet, it decrypts the multicast as follows: Key encryption key:

2.2.1) 首先，请求者实体利用公开信息和自己的设备识别信息构造集合： 2.2.1) First, the requester entity constructs a collection using public information and its own device identification information:

T = {e₀,e₁,...e_n_₁} = {v₀,...,v_n_₂,AE] T = {e ₀ , e ₁ ,...e _n _ ₁ } = {v ₀ ,...,v _n _ ₂ ,AE]

2.2.2 ) 然后 , 并对每个 e Γ算出 σ^_Γ = Π -； 2.2.2) Then, and for each e Γ calculate σ^ _Γ = Π -;

2.2.3)接着，计算组播密钥加密密钥如下： 2.2.3) Next, calculate the multicast key encryption key as follows:

e(Q ,Q_K)U 。 e(Q ,Q _K )U .

GKE = GKE =

{Q, + Q₂,∑ a_{ei T}V;)e(G_e^ _TGK_x,P') 上述步骤 2.2) 中当请求者实体计算出组播密钥加密密钥后，导出完整性校验密钥和加密密钥来；然后，利用完整性校验密钥重新计算 MIC, 判断分組是否有效；同时，根据 Time字段判断是否系统重复消息。 {Q, + Q ₂ , ∑ a _{ei T} V;)e(G _e ^ _T GK _x , P') In the above step 2.2), after the requester entity calculates the multicast key encryption key, the integrity school is derived. The key is verified and the encryption key is used; then, the MIC is recalculated using the integrity check key to determine whether the packet is valid; and at the same time, it is determined according to the Time field whether the system repeats the message.

上述步骤 2)之后还包括步骤 3)组播会话密钥分发（或更新）： Step 2) above also includes step 3) multicast session key distribution (or update):

3.1 ) 响应者实体向所有请求者实体广播组播会话密钥广播分组； 3.1) The Responder entity broadcasts a multicast session key broadcast packet to all requester entities;

3.2)请求者实体从组播会话密钥广播分組中解密出组播会话密钥。 3.2) The requester entity decrypts the multicast session key from the multicast session key broadcast packet.

上述步骤 3.1 ) 中的组播会话密钥广播分组包括以下内容：

The multicast session key broadcast packet in the above step 3.1) includes the following contents:

其中： among them:

C2字段：响应者实体广播的组播会话密钥的密文信息，加密密钥为 GKEKE; MIC字段：表示对该字段之前的所有字段求 MIC值，这里完整性校验密钥是 GKEKI。 C2 field: ciphertext information of the multicast session key broadcast by the responder entity, the encryption key is GKEKE; MIC field: Indicates that the MIC value is obtained for all fields before the field, where the integrity check key is GKEKI.

上述步骤 3.2 ) 中当请求者实体接收到组播会话密钥广播分组后，利用完整性校验密钥 GKEKI重新计算 MIC, 判断分组是否有效；同时，根据 Time字段判断是否系统重复消息；如果都有效，利用加密密钥 GKEKE解密 C2得到组播会话密钥 GSK。 After receiving the multicast session key broadcast packet in the above step 3.2), the requester entity recalculates the MIC by using the integrity check key GKEKI to determine whether the packet is valid. Meanwhile, according to the Time field, it is determined whether the system repeats the message; Effectively, the encryption session key GKEKE is used to decrypt C2 to obtain the multicast session key GSK.

上述响应者实体和请求者实体可以利用组播会话密钥 GSK可以导出组播会话加密密钥 GSKE和組播会话完整性校验密钥 GSKI,响应者实体进行组播业务。 The above responder entity and the requester entity can use the multicast session key GSK to derive the multicast session encryption key GSKE and the multicast session integrity check key GSKI, and the responder entity performs the multicast service.

一种无线城域网组播密钥管理系统，包括请求者实体和响应者实体，其中 , 所述请求者实体，用于向响应者实体发送组播私钥请求分组，并在接收到响应者实体返回的组播私钥响应分组后，向响应者实体发送组播私钥确认分组；并在接收到响应者实体广播的组播密钥加密密钥广播分组后，从组播密钥加密密钥广播分组中解密出组播密钥加密密钥；所述响应者实体，用于在接收到请求者实体发送的组播私钥请求分組后，向请求者实体返回组播私钥响应分组；并在接收到请求者实体发送的组播私钥确认分组后，向所有请求者实体广播组播密钥加密密钥广播分组。 A wireless metropolitan area network multicast key management system includes a requester entity and a responder entity, wherein the requester entity is configured to send a multicast private key request packet to a responder entity, and receive the responder After the multicast private key returned by the entity responds to the packet, the multicast private key acknowledgement packet is sent to the responder entity; and after receiving the multicast key encryption key broadcast packet broadcast by the responder entity, the multicast key is encrypted. Decrypting the multicast key encryption key in the key broadcast packet; the responder entity, configured to: after receiving the multicast private key request packet sent by the requester entity, return a multicast private key response packet to the requester entity; And after receiving the multicast private key confirmation packet sent by the requester entity, the multicast key encryption key broadcast packet is broadcast to all requester entities.

上述响应者实体还用于建立系统参数。 The above responder entity is also used to establish system parameters.

上述请求者实体和响应者实体还用于进行二者之间的认证及单播密钥协商，以建立一个共享的单播会话密钥。 The requester entity and the responder entity are also used to perform authentication and unicast key negotiation between the two to establish a shared unicast session key.

上述响应者实体还用于向所有请求者实体广播组播会话密钥广播分组；上述请求者实体还用于从组播会话密钥广播分组中解密出组播会话密钥。 The above responder entity is further configured to broadcast a multicast session key broadcast packet to all requester entities; the requester entity is further configured to decrypt the multicast session key from the multicast session key broadcast packet.

本发明具有以下优点： The invention has the following advantages:

1、釆用两级或三级的组播密钥管理方法，基础密钥对不同终端来说是不相同的，系统安全性更高。 1. The two-level or three-level multicast key management method is adopted. The basic key is different for different terminals, and the system security is higher.

2、算法的安全性依赖于椭圓曲线离散对数问题，安全性更强。 2. The security of the algorithm depends on the elliptic curve discrete logarithm problem, and the security is stronger.

3、組播密钥加密密钥和组播会话密钥的分发或更新只需要一次組播即可。 4、充分地利用了组播信道，提高了系统通信效率。 3. The multicast key encryption key and multicast session key distribution or update only need one multicast. 4. Fully utilize the multicast channel to improve system communication efficiency.

附图说明 DRAWINGS

图 1为本发明的组播私钥分发示意图； 1 is a schematic diagram of multicast private key distribution according to the present invention;

图 2为本发明的组播密钥加密密钥分发示意图； 2 is a schematic diagram of multicast key encryption key distribution according to the present invention;

图 3为本发明的组播会话密钥分发示意图。 FIG. 3 is a schematic diagram of multicast session key distribution according to the present invention.

具体实施方式 detailed description

名词解释： Glossary:

RE: 响应者实体，如基站，接入点，路由器； RE: Responder entity, such as base station, access point, router;

AE: 请求者实体，如终端； AE: requester entity, such as a terminal;

Nonce: 一次 4生随机数； Nonce: once 4 random numbers;

GKx: 请求者实体 X的组播私钥，即基础密钥； GKx: the multicast private key of the requester entity X, that is, the base key;

GKE : 组播密钥加密密钥； GKE: multicast key encryption key;

GKEKI 和 GKEKE: 由 GKEK导出的完整性校验密钥和加密密钥； GKEKI and GKEKE: integrity check keys and encryption keys derived by GKEK;

GSK: 组播会话密钥； GSK: multicast session key;

GSKI 和 GSKE: 由 GSK导出的完整性校验密钥和加密密钥。 GSKI and GSKE: The integrity check key and encryption key derived by GSK.

参见图 1、 2、 3 , 本发明一种无线城域网组播密钥管理方法的具体步驟如下： Referring to Figures 1, 2, and 3, the specific steps of a wireless metropolitan area network multicast key management method of the present invention are as follows:

1 ) 由响应者实体建立系统参数，系统参数包括：设 ( +)和 (<¾，·）为两个阶均为 p的循环群， p为素敫, 且满足 t Diffie-Hellman计算问题为困难问题；令为(^的生成元；令 e为 (^和(¾上的双线性变换，即 ^ (7 (^→(¾；令是一个单向 hash函数。 1) The system parameters are established by the responder entity. The system parameters include: Let (+) and (<3⁄4,·) be a cyclic group with two orders of p, p is prime, and satisfy the t Diffie-Hellman calculation problem. Difficult problem; let (the generator of ^; let e be (^ and (3⁄4 on the bilinear transformation, ie ^ (7 (^→(3⁄4;) is a one-way hash function.

该步骤只是在首次应用时来建立系统参数，建立好后，在以后的重复应用中则无须该步骤； This step is only to establish the system parameters when the first application is applied. After the establishment, the step is not needed in the subsequent repeated application;

2 )请求者实体和响应者实体进行认证及单播密钥协商；建立一个共享的单播会话密钥 USK, 由该密钥 USK可以导出单播会话加密密钥 USKE和单播会话完整性校验密钥 USKI , 所采用的认证及单播密钥协商方法，可以是 W API 或者 802.1 li等任何方法 , 也可以通过手工设置预共享密钥方法实现；系统中的响应者实体与每一个请求者实体行未进行安全认证和单播会话密钥 USK协商时需要该步骤，若系统中的响应者实体与每一个请求者实体已经进行了安全认证和单播会话密钥 USK的协商则无需该步骤； 2) The requester entity and the responder entity perform authentication and unicast key negotiation; establish a shared unicast session key USK, from which the unicast session encryption key USKE and the unicast session integrity school can be derived The authentication key and the unicast key negotiation method may be any method such as W API or 802.1 li, or may be implemented by manually setting a pre-shared key method; This step is required when the responder entity in the system does not perform security authentication and unicast session key USK negotiation with each requester entity row. If the responder entity and each requester entity in the system have already performed security authentication and single The negotiation of the broadcast session key USK does not require this step;

3 )組播私钥分发： 3) Multicast private key distribution:

3.1 )请求者实体发送组播私钥请求分組给响应者实体； 3.1) The requester entity sends a multicast private key request packet to the responder entity;

该组播私钥请求分組包括以下内容：

The multicast private key request packet includes the following:

其中： among them:

当响应者实体收到組播私钥请求分组后，重新计算 MIC, 并与接收到的 MIC进行比较，如果不相等，则丢弃该分组；如果相等，则构造组播私钥响应分组发送给请求者实体。 After receiving the multicast private key request packet, the responder entity recalculates the MIC and compares it with the received MIC. If not, discards the packet; if equal, constructs a multicast private key response packet and sends the request to the request. Entity.

3.2 ) 响应者实体发送组播私钥响应分组给请求者实体； 3.2) The responder entity sends a multicast private key response packet to the requester entity;

该组播私钥响应分組包括以下内容：

The multicast private key response packet includes the following:

其中： among them:

MIC字段：表示对该字段之前的所有字段求 MIC值，这里完整性校验密钥是 USKI。 MIC field: Indicates the MIC value for all fields before the field, here the integrity check key It is USKI.

其中 c字段的计算过程如下： The calculation process of the c field is as follows:

3.2.1 ) 响应者实体在 Z_? '中随机选择 w-l 大于等于 2 ) 个不同的元素 v₀, j,…，！^^^以及元素^^^^, 同时，随机构造次秘密多项式 /( (；) _ez。[ C]。接着，计算如下信息：

= /(v_i)_JP( = 0，l，...，w-2); 这一步响应者实体对所有请求者实体只做一次，对下一个请求者实体来说，就不需要重复处理； 3.2.1) The responder entity randomly selects wl greater than or equal to 2 in the Z _? ') different elements v ₀ , j,...,! ^^^ and the element ^^^^, at the same time, randomly construct the sub-secret polynomial / ( (;) _e z. [ C]. Next, calculate the following information:

= /(v _i ) _J P( = 0,l,...,w-2); In this step the responder entity does only once for all requester entities, and does not need to repeat for the next requester entity. deal with;

3.2.2)对请求者实体 AE, 计算 <¾Γ = /(Α£)(β_{1 +}β₂); 3.2.2) For the requester entity AE, calculate <3⁄4Γ = /(Α£)(β _{1 +} β ₂ );

3.2.3 ) C = (Q_K,Q₁,Q₂,v₀,...,v_n_₂,V₀,...,V_n_₂)\\E(USKE;GK_x) ₀ 3.2.3) C = (Q _K , Q ₁ , Q ₂ , v ₀ ,..., v _n _ ₂ , V ₀ ,...,V _n _ ₂ )\\E(USKE;GK _x ) ₀

当请求者实体收到组播私钥响应分组后，重新计算 MIC, 并与接收到的 When the requester entity receives the multicast private key response packet, it recalculates the MIC and receives the received

MIC进行比较，如果不相等，则丟弃该分组；相等，判断 N1是否自己选取的随机数；如果不是则丟弃该分组，如果是则利用密钥 USKE解密 Z?(f/ ;GQ获得組播私钥 GKx , 最后，构造组播私钥确认分组发送给响应者实体。 The MIC compares, if not equal, discards the packet; equal, determines whether N1 randomly selects the random number; if not, discards the packet, and if so, decrypts Z with the key USKE (f/; GQ obtains the group The private key GKx is broadcast, and finally, the multicast private key confirmation packet is constructed and sent to the responder entity.

3.3 )请求者实体发送组播私钥确认分组给响应者实体； 3.3) The requester entity sends a multicast private key confirmation packet to the responder entity;

该组播私钥确认分組包括以下内容：

The multicast private key confirmation packet includes the following:

其中： among them:

当响应者实体收到組播私钥确认分组后，重新计算 MIC, 并与接收到的 MIC进行比较；如果不相等，则丟弃该分组；相等，判断 N2是否自己选取的随机数；如果不是则丢弃该分組，如果是，组播私钥分发成功。 After receiving the multicast private key confirmation packet, the responder entity recalculates the MIC and compares it with the received MIC; if not, discards the packet; equal, determines whether N2 selects the random number by itself; if not The packet is discarded, and if so, the multicast private key is successfully distributed.

上述步骤 1 ) 、 2) 、 3)请参见图 1。 The above steps 1), 2), 3), please refer to Figure 1.

4)组播密钥加密密钥分发（或更新）过程（图 2) 4.1 ) 响应者实体向所有请求者实体广播組播密钥加密密钥广播分组；当响应者实体需要分发（或更新）组播密钥加密密钥 GKEK时，向所有请求者实体广播组播密钥加密密钥广播分组，该组播密钥加密密钥广播分组包括以下内容：

4) Multicast key encryption key distribution (or update) process (Figure 2) 4.1) The Responder entity broadcasts the multicast key encryption key broadcast packet to all requester entities; when the Responder entity needs to distribute (or update) the multicast key encryption key GKEK, it broadcasts the multicast secret to all requester entities. The key encryption key broadcast packet, the multicast key encryption key broadcast packet includes the following:

其中： among them:

MIC字段：表示对该字段之前的所有字段求 MIC值，这里完整性校验密钥是 GKEKI (由组播密钥加密密钥导出的完整性校验密钥）。其中 C1字段的计算方法如下：假设响应者实体选择了组播密钥加密密钥 GKEK eG₂, 响应者实体随机选择整数 reZ^ 并如下计算： Cl =

= (rP,rQ_l,e(Q_K,Q₂yGKEK,_rV₀,...,rV_n_₂) MIC field: Indicates that the MIC value is obtained for all fields preceding the field, where the integrity check key is GKEKI (the integrity check key derived by the multicast key encryption key). The calculation method of the C1 field is as follows: Assume that the responder entity selects the multicast key encryption key GKEK eG ₂ , and the responder entity randomly selects the integer reZ^ and calculates as follows: Cl =

= (rP,rQ _l ,e(Q _K ,Q ₂ yGKEK, _r V ₀ ,...,rV _n _ ₂ )

4.2)请求者实体从组播密钥加密密钥广播分組中解密出组播密钥加密密钥。 4.2) The requester entity decrypts the multicast key encryption key from the multicast key encryption key broadcast packet.

当任意请求者实体 AE接收到该分组后，如下方法解密出 GKEK: When any requester entity AE receives the packet, the following method decrypts GKEK:

4.2.1) 首先，请求者实体利用公开信息和自己的设备识别信息构造集合： r = {e₀,i'₁,...i'_B_₁} = {v₀,...,v_B_₂,AE} 4.2.1) First, the requester entity constructs a set using the public information and its own device identification information: r = {e ₀ , i' ₁ ,...i' _B _ ₁ } = {v ₀ ,...,v _B _ ₂ , AE}

2.2.2) 然后，并对每个2.2.2) Then, and for each

2.2.3)接着，计算组播密钥加密密钥如下： GKEK = iQ Q.W 。2.2.3) Next, calculate the multicast key encryption key as follows: GKEK = iQ QW.

β】 + Q₂,∑ σ_{Βί Τ}ν;)β(σ_{Βη ί ΐ}ΟΚ_χ,Ρ') 当请求者实体计算出组播密钥加密密钥 GKEK后，导出完整性校验密钥 GKEKI和加密密钥 GKEKE来；然后，利用完整性校验密钥 GKEKI重新计算 MIC, 判断分組是否有效；同时，根据 Time字段判断是否系统重复消息。 β] + Q ₂ , ∑ σ _{Βί Τ} ν;)β(σ _{Βη ί ΐ} ΟΚ _χ ,Ρ') After the requester entity calculates the multicast key encryption key GKEK, it derives the integrity check key GKEKI and The encryption key GKEKE is used; then, the MIC is recalculated by using the integrity check key GKEKI to determine whether the packet is valid; meanwhile, it is determined according to the Time field whether the system repeats the message.

5 )组播会话密钥分发 (或更新）过程（图 3 ) 5) Multicast session key distribution (or update) process (Figure 3)

5.1 ) 响应者实体向所有请求者实体广播组播会话密钥广播分组；当响应者实体需要分发（或更新 )组播会话密钥 GSK时，向所有请求者实体广播组播会话密钥广播分組，该组播会话密钥广播分組包括以下内容：

5.1) The Responder entity broadcasts a multicast session key broadcast packet to all requester entities; broadcasts a multicast session key broadcast packet to all requester entities when the responder entity needs to distribute (or update) the multicast session key GSK The multicast session key broadcast packet includes the following:

其中： among them:

C2字段：响应者实体广播的组播会话密钥的密文信息，加密密钥为 GKEKE; C2 field: ciphertext information of the multicast session key broadcast by the responder entity, the encryption key is GKEKE;

MIC字段：表示对该字段之前的所有字段求 MIC值，这里完整性校验密钥是 GKEKI。 MIC field: Indicates that the MIC value is obtained for all fields before the field, where the integrity check key is GKEKI.

5.2)请求者实体从组播会话密钥广播分組中解密出组播会话密钥。 5.2) The requester entity decrypts the multicast session key from the multicast session key broadcast packet.

当任意请求者实体接收到组播会话密钥广播分组后，利用完整性校验密钥 GKEKI重新计算 MIC, 判断分组是否有效；同时，根据 Time字段判断是否系统重复消息；如果都有效，利用加密密钥 GKEKE解密 C2得到组播会话密钥 GSK。 After receiving the multicast session key broadcast packet, the arbitrary requester entity recalculates the MIC by using the integrity check key GKEKI to determine whether the packet is valid. Meanwhile, it is determined according to the Time field whether the system repeats the message; if all are valid, the encryption is used. The key GKEKE decrypts C2 to get the multicast session key GSK.

响应者实体和每一个请求者实体可以利用组播会话密钥 GSK可以导出组播会话加密密钥 GSKE和组播会话完整性校验密钥 GSKI, 接着，响应者实体就可以开始组播业务。 The responder entity and each requester entity can use the multicast session key GSK to derive the multicast session encryption key GSKE and the multicast session integrity check key GSKI, and then the responder entity can start the multicast service.

值得说明的是：上述步骤 5) 是可选的。这样就包括两种方法：（a) 当步骤 5 )被选取时，密钥管理为 GKx - GKE - GSK三级密钥管理，主要为了兼容现有的 WMAN和 BWM组播密钥管理机制。但该方法在更新 GKEK时更为有效，只需要一次广播即可； ( b )当步骤 5 )不被选取时，密钥管理为 GKx - GKEK, 这时我们可以把 GKEK当成是 GSK, 直接用于组播会话业务，这样的好处是提高了组播密钥分发效率，但是不能兼容现有的 WMAN和 BWM组播密钥管理机制。 It is worth noting that: Step 5) above is optional. This includes two methods: (a) When step 5) is selected, the key management is GKx-GKE-GSK level 3 key management, mainly for Existing WMAN and BWM multicast key management mechanisms. However, this method is more effective when updating GKEK, only one broadcast is required; (b) When step 5) is not selected, the key management is GKx - GKEK, then we can treat GKEK as GSK, directly For multicast session services, this has the advantage of improving multicast key distribution efficiency, but it is not compatible with existing WMAN and BWM multicast key management mechanisms.

下面将本发明应用到无线城域网中为例，响应者实体即为基站 BS, 请求者实体即为终端 MTx, 对本发明做进一步的详细描述： The present invention is applied to a wireless metropolitan area network as an example. The responder entity is the base station BS, and the requester entity is the terminal MTx. The present invention is further described in detail:

1 )组播私钥分发过程 1) Multicast private key distribution process

1.1 )组播私钥请求分组：由 MTx发送给 BS。 1.1) Multicast private key request packet: sent by the MTx to the BS.

该组播私钥请求分組包括以下内容：

The multicast private key request packet includes the following:

其中： among them:

MTx字段：终端的身份信息； MTx field: identity information of the terminal;

BS字段：基站的身份信息； BS field: identity information of the base station;

N1字段：终端产生的随机数； N1 field: a random number generated by the terminal;

当 BS收到組播私钥请求分组后，重新计算 MIC, 并与接收到的 MIC进行比较。如果不相等，则丟弃该分组；否则，构造组播私钥响应分组发送给 MTx。 When the BS receives the multicast private key request packet, it recalculates the MIC and compares it with the received MIC. If not equal, the packet is discarded; otherwise, the multicast private key response packet is constructed and sent to MTx.

1.2 )组播私钥响应分组：由 BS发送给 MTx。 1.2) Multicast private key response packet: sent by the BS to MTx.

该组播私钥响应分组包括以下内容：

The multicast private key response packet includes the following:

其中： among them:

N1字段：终端产生的随机数; N1 field: a random number generated by the terminal;

N2字段：基站产生的随机数; C字段：基站分发给终端的组播私钥 GKx的密文信息，加密密钥为 USKE;N2 field: a random number generated by the base station; C field: ciphertext information of the multicast private key GKx distributed by the base station to the terminal, and the encryption key is USKE;

C字段的计算过程如下： The calculation process of the C field is as follows:

1.2.1 ) 基站在中随机选择 /2-1 大于等于 2) 个不同的元素 v₀, vj, ..., 2€2;以及元素¾,2₂ (7₁, 同时，随机构造《-1次秘密多项式 /WeZ^W。接着，计算如下信息：

= /(V_;)P( = 0， .,M- 2)。这一步基站对所有终端只做一次，对下一个终端来说，就不需要重复处理。 1.2.1) The base station randomly selects /2-1 greater than or equal to 2) different elements v ₀ , vj, ..., 2 € 2; and elements 3⁄4, 2 ₂ (7 ₁ , at the same time, random construction "- 1 secret polynomial / WeZ^W. Next, calculate the following information:

= /(V _; )P( = 0, ., M- 2). In this step, the base station does only once for all terminals, and for the next terminal, there is no need to repeat processing.

1.2.2 )对终端 MTx,

= /(Mrx)(¾ +β₂)。 1.2.2) For the terminal MTx,

= /(Mrx)(3⁄4 +β ₂ ).

1.2.3) C = (Q_K,Q₁,Q₂,v₀,...,v_n_₂,V₀,...,V_n_₂)\\E(USKE;GK ₀ 1.2.3) C = (Q _K , Q ₁ , Q ₂ , v ₀ ,..., v _n _ ₂ , V ₀ ,...,V _n _ ₂ )\\E(USKE;GK ₀

当 MTx收到组播私钥响应分组后，重新计算 MIC, 并与接收到的 MIC进行比较。如果不相等，则丟弃该分组；否则，判断 N1是否自己选取的随机数。如果不是则丢弃该分组，如果是，则利用密钥 USKE解密 (tA½¾G7Q获得组播私钥 GKx。最后，构造组播私钥确认分组发送给 BS。 When the MTx receives the multicast private key response packet, it recalculates the MIC and compares it with the received MIC. If they are not equal, the packet is discarded; otherwise, it is determined whether N1 is a random number selected by itself. If not, the packet is discarded, and if so, the key USKE is used to decrypt (tA1⁄23⁄4G7Q obtains the multicast private key GKx. Finally, the multicast private key is constructed to acknowledge the packet is sent to the BS.

1.3 )组播私钥确认分组：由 MTx发送给 BS。 1.3) Multicast private key acknowledgement packet: sent by the MTx to the BS.

该组播私钥确认分组包括以下内容：

The multicast private key confirmation packet includes the following:

其中： among them:

N2字段： BS产生的随机数； N2 field: a random number generated by the BS;

MIC字段：表示对该字段之前的所有字段以及解密得到的组播私钥 GKx所求 MIC值，这里完整性校验密钥是 USKL MIC field: Indicates the MIC value of all the fields before the field and the decrypted multicast private key GKx, where the integrity check key is USKL

当 BS收到组播私钥确认分组后，重新计算 MIC, 并与接收到的 MIC进行比较。如果不相等，则丢弃该分组；否则，判断 N2是否自己选取的随机数。如果不是则丢弃该分组，如果是，说明组播私钥分发成功。 When the BS receives the multicast private key acknowledgment packet, it recalculates the MIC and compares it with the received MIC. If they are not equal, the packet is discarded; otherwise, it is determined whether N2 is a random number selected by itself. If not, the packet is discarded. If yes, the multicast private key is successfully distributed.

2)组播密钥加密密钥分发（或更新）过程 2.1 ) 当 BS需要分发（或更新）組播密钥加密密钥 GKEK时，向所有终端广播组播密钥加密密钥广播分组，该组播密钥加密密钥广播分组包括以下内容.'2) Multicast key encryption key distribution (or update) process 2.1) When the BS needs to distribute (or update) the multicast key encryption key GKEK, the multicast key encryption key broadcast packet is broadcast to all terminals, and the multicast key encryption key broadcast packet includes the following contents.

其中： among them:

C1字段：基站广播的 GKEK的密文信息； C1 field: ciphertext information of the GKEK broadcast by the base station;

MIC字段：表示对该字段之前的所有字段求 MIC值，这里完整性校验密钥是 GKEKI (由 GKEK导出的完整性校验密钥）。其中 C1字段的计算方法：假设基站选择了 GKEK_e G₂。基站随机选择整数 W_p, 并如下计算：

MIC field: Indicates the MIC value for all fields preceding this field, where the integrity check key is GKEKI (the integrity check key derived by GKEK). The calculation method of the C1 field: Assume that the base station selects GKEK _e G ₂ . The base station randomly selects the integer W _p and calculates as follows:

2.2) 当任意终端 MTx接收到该分组后，按如下方法解密出 GKEK: 2.2) When any terminal MTx receives the packet, decrypt the GKEK as follows:

2.2.1) 首先，终端 MTx利用公开信息和自己的设备识别信息构造集合： 2.2.1) First, the terminal MTx constructs a collection using public information and its own device identification information:

Γ = {ί-₀,ί>₁,...έ'_ΐί_₁} = {ν₀,...,ν_Β_₂,ΜΤχ} Γ = {ί- ₀ , ί> ₁ ,...έ' _ΐί _ ₁ } = {ν ₀ ,...,ν _Β _ ₂ ,ΜΤχ}

2.2.2) 然后，并对每个 ^算出 Π ^- 2.2.2) Then, calculate Π ^- for each ^

GKEK = (Q Q_K u 。当 i十算出 GKEK后，导出 GKEKI和 GKEKE来。然后，利用 GKEKI重新 i十算 MIC, 判断分组是否有效。同时，根据 Time字段判断是否系统重复消息。 GKEK = (QQ _K u. After calculating GKEK, I will export GKEKI and GKEKE. Then, use GKEKI to recalculate the MIC and judge whether the packet is valid. At the same time, judge whether the system repeats the message according to the Time field.

3)组播会话密钥分发（或更新）过程 3.1 ) 当 BS需要分发（或更新）組播会话密钥 GSK时，向所有终端广播组播会话密钥广播分组，该組播会话密钥广播分组包括以下内容：3) Multicast session key distribution (or update) process 3.1) When the BS needs to distribute (or update) the multicast session key GSK, the multicast session key broadcast packet is broadcast to all terminals, and the multicast session key broadcast packet includes the following contents:

其中： among them:

C2字段：基站广播的 GSK的密文信息，加密密钥为 GKEKE; C2 field: ciphertext information of the GSK broadcast by the base station, and the encryption key is GKEKE;

3.2 ) 当任意终端 MTx接收到该分组后，利用 GKEKI重新计算 MIC, 判断分组是否有效。同时，根据 Time字段判断是否系统重复消息。如果都有效，利用密钥 GKEKE解密 C2得到组播会话密钥 GSK。 3.2) When any terminal MTx receives the packet, it uses GKEKI to recalculate the MIC to determine whether the packet is valid. At the same time, it is determined according to the Time field whether the system repeats the message. If both are valid, use the key GKEKE to decrypt C2 to get the multicast session key GSK.

基站和每一个终端可以利用 GSK可以导出组播会话加密密钥 GSKE和组播会话完整性校验密钥 GSKI, 接着，基站就可以开始组播业务。 The base station and each terminal can use the GSK to derive the multicast session encryption key GSKE and the multicast session integrity check key GSKI, and then the base station can start the multicast service.

与上述方法相对应，本发明还提供一种无线城域网组播密钥管理系统，该系统包括请求者实体和响应者实体，其中： Corresponding to the above method, the present invention further provides a wireless metropolitan area network multicast key management system, the system comprising a requester entity and a responder entity, wherein:

请求者实体用于向响应者实体发送组播私钥请求分組，并在接收到响应者实体返回的组播私钥响应分组后，向响应者实体发送组播私钥确认分组；并在接收到响应者实体广播的組播密钥加密密钥广播分组后，从组播密钥加密密钥广播分组中解密出组播密钥加密密钥； The requester entity is configured to send a multicast private key request packet to the responder entity, and after receiving the multicast private key response packet returned by the responder entity, send the multicast private key confirmation packet to the responder entity; and receive After the multicast key encryption key broadcast packet broadcast by the responder entity, the multicast key encryption key is decrypted from the multicast key encryption key broadcast packet;

响应者实体用于在接收到请求者实体发送的组播私钥请求分组后，向请求者实体返回组播私钥响应分组；并在接收到请求者实体发送的组播私钥确认分組后，向所有请求者实体广播组播密钥加密密钥广播分組。 The responder entity is configured to: after receiving the multicast private key request packet sent by the requester entity, return a multicast private key response packet to the requester entity; and after receiving the multicast private key confirmation packet sent by the requester entity, The multicast key encryption key broadcast packet is broadcast to all requester entities.

优选地，响应者实体还用于建立系统参数；并且，请求者实体和响应者实体还用于进行二者之间的认证及单播密钥协商，以建立一个共享的单播会话密钥。并且，响应者实体还用于向所有请求者实体广播組播会话密钥广播分组；请求者实体还用于从組播会话密钥广播分组中解密出組播会话密钥。 Preferably, the responder entity is further configured to establish system parameters; and, the requester entity and the responder entity are further configured to perform authentication and unicast key negotiation between the two to establish a shared unicast session key. And, the responder entity is further configured to broadcast the multicast session key broadcast packet to all requester entities; The requester entity is also used to decrypt the multicast session key from the multicast session key broadcast packet.

对于本发明提供的无线城域网组播密钥管理系统的具体实现细节，可参见上面的方法具体实施例，此处不再赘述。 For details of the specific implementation of the wireless metropolitan area network multicast key management system provided by the present invention, refer to the specific method in the foregoing method, and details are not described herein again.

可见，在本发明中，通过采用两级或三级的组播密钥管理方式，基础密钥对不同终端来说是不相同的，系统安全性更高；并且，算法的安全性依赖于椭圆曲线离散对数问题，安全性更强；组播密钥加密密钥和组播会话密钥的分发或更新只需要一次组播即可；充分地利用了组播信道，提高了系统通信效率。 It can be seen that, in the present invention, by adopting a two-level or three-level multicast key management manner, the basic key is different for different terminals, and the system security is higher; and the security of the algorithm depends on the ellipse. The curve discrete logarithm problem is more secure; the multicast key encryption key and the multicast session key can only be distributed once or only once; the full use of the multicast channel improves the communication efficiency of the system.

Claims

Rights request

1. A wireless metropolitan area network multicast key management method, characterized in that: the method includes the following steps:

1) Multicast private key distribution:

1.1) The requester entity sends a multicast private key request packet to the responder entity;

1.2) The responder entity sends a multicast private key response packet to the requester entity;

1.3) The requester entity sends a multicast private key confirmation packet to the responder entity;

2) Multicast key encryption key distribution or update:

2.1) The responder entity broadcasts the multicast key encryption key broadcast group to all requester entities; 2.2) The requester entity decrypts the multicast key encryption key from the multicast key encryption key broadcast group.

2. The wireless metropolitan area network multicast key management method according to claim 1, characterized in that: the step 1) further includes the step of establishing system parameters by the responder entity.

3. The wireless metropolitan area network multicast key management method according to claim 2, characterized in that: the system parameters include: assuming ((^,+) and (G ₂ ,.) are two orders of The cyclic group of p, p is a prime number, and satisfies

The Diffie-Hellman calculation problem in G is a difficult problem; let f be the generator of ; let e be the bilinear transformation on (^ and (¾, that is, ^ (?^ (¾→(^ ₂ ; let /ζ( ·) is a one-way hash function.

4. The wireless metropolitan area network multicast key management method according to claim 1 or 2 or 3, characterized in that: before step 1), the requester entity and the responder entity perform authentication and unicast encryption. Key negotiation to establish a shared unicast session key.

5. The wireless metropolitan area network multicast key management method according to claim 1, characterized in that: the multicast private key request group in step 1.1) includes the following content:

in:

AE field: Identity information of the requester entity;

RE field: Identity information of the responder entity;

N1 field: Random number generated by the requester entity; MIC field: means to calculate the MIC value for all fields before this field, where the integrity check key is USKL

6. The wireless metropolitan area network multicast key management method according to claim 5, characterized in that: in step 1.2), when the responder entity receives the multicast private key request group, it recalculates the MIC and compares it with the The received MICs are compared, and if they are not equal, the packet is discarded; if they are equal, a multicast private key response packet is constructed and sent to the requester entity.

7. The wireless metropolitan area network multicast key management method according to claim 5 or 6, characterized in that: the multicast private key response packet in step 1.2) includes the following content:

in:

RE field: Identity information of the responder entity;

AE field: Identity information of the requester entity;

N1 field: Random number generated by the requester entity;

N2 field: Random number generated by the responder entity;

C field: The ciphertext information of the multicast private key GKx distributed by the responder entity to the requester entity, and the encryption key is USKE;

MIC field: means to find the MIC value for all fields before this field, where the integrity check key is USKL

8. The wireless metropolitan area network multicast key management method according to claim 7, characterized in that: the calculation process of the C field is as follows:

1.2.1) The responder entity randomly selects <-1 greater than or equal to 2) different elements v ₀ in Z _g ',

Vj,…,^^^ and elements^^^^, at the same time, randomly construct "-1 degree secret polynomial/WeZ W; then, calculate the following information: β

= /(v _; )P( = 0,l,...,"- 2);

1.2.2) For the requester entity, i- -GK _x = f(AE)(Q _{1 +} Q ₂ );

1.2.3 ) C = (Q _K ,Q ₁ ,Q ₂ ,v ₀ ,...,v _n _ ₂ ,V ₀ ,...,V _n _ ₂ )\\E(USKE;GK _x ) ₀

9. The wireless metropolitan area network multicast key management method according to claim 8, characterized in that: in step 1.3), when the requester entity receives the multicast private key response packet, it recalculates the MIC and compares it with the multicast private key response packet. Compare the received MICs, and if they are not equal, discard the packet; if equal, determine whether N1 is a random number selected by the requester entity; if not, discard the packet, and if so, use the key USKE to decrypt E(JUSKE GK Obtain the multicast private key GKx. Finally, construct the multicast private key confirmation packet and send it to the responder entity.

10. The wireless metropolitan area network multicast key management method according to claim 9, characterized in that: the multicast private key confirmation group in step 1.3) includes the following content:

in:

AE field: Identity information of the requester entity;

RE field: Identity information of the responder entity;

N2 field: Random number generated by the responder entity;

MIC field: Indicates the MIC value obtained by all fields before this field and the decrypted multicast private key GKx, where the integrity check key is USKI.

11. The wireless metropolitan area network multicast key management method according to claim 10, characterized in that: in step 1.3), when the responder entity receives the multicast private key confirmation group, it recalculates the MIC and compares it with the Compare the received MICs; if not equal, discard the packet; if equal, determine whether N2 is a random number selected by the responder entity; if not, discard the packet, and if so, the multicast private key is distributed successfully.

12. The wireless metropolitan area network multicast key management method according to claim 11, characterized in that: the multicast key encryption key broadcast group in step 2.1) includes the following content:

in:

RE field: Identity information of the responder entity;

Flag field: indicates the broadcast category;

Time field: Current system time, used to distinguish whether it is duplicate information;

C1 field: Ciphertext information of the multicast key encryption key broadcast by the responder entity;

MIC field: means to calculate the MIC value of all fields before this field, here the integrity check key Is GKEKI (integrity check key derived from multicast key encryption key).

13. The wireless metropolitan area network multicast key management method according to claim 12, characterized in that: the calculation method of the C1 field is as follows:

Assuming that the responder entity selects the multicast key encryption key GKEK eG ₂ , the responder entity randomly selects the integer reZ^ and performs the following calculation:

CI = CP*, β, K,…' K*— ₂ ) = (^, , , 2 ₂ :, rV.,…, „— ₂ ).

14. The wireless metropolitan area network multicast key management method according to claim 13, characterized in that: in step 2.2), when the requester entity receives the group, it decrypts the encrypted multicast key as follows: Key: 2.2.1) First, the requestor entity constructs a set using public information and its own device identification information: r = {e ₀ ,e ₁ ,... _en _ ₁ } = {v ₀ ,..., v _n _ ₂ ,A^}

2.2.2) Then, calculate ,^ Π for each ^

≠ _i e _j -e _i

2.2.3) Next, calculate the multicast key encryption key as follows:

GKEK = _n — "' ^QU .

e(Q, + Q ₂ ,∑ a^ _r V;)e(a _e ^ _r GK _x ,P') 15. The wireless metropolitan area network multicast key management method according to claim 14, characterized in that : In step 2.2), after the requester entity calculates the multicast key encryption key, it derives the integrity check key and encryption key; then, uses the integrity check key to recalculate the MIC and determine the grouping Whether it is valid; At the same time, it is judged whether the system is repeating the message based on the Time field.

16. The wireless metropolitan area network multicast key management method according to claim 1, characterized in that: after step 2), it also includes: step 3) multicast session key distribution or update; step 3) includes:

3.1) The responder entity broadcasts the multicast session key broadcast packet to all requester entities;

3.2) The requestor entity decrypts the multicast session key from the multicast session key broadcast packet.

17. The wireless metropolitan area network multicast key management method according to claim 1, characterized in that: The multicast session key broadcast packet in step 3.1) includes the following content:

in:

RE field: Identity information of the responder entity;

Flag field: indicates the broadcast category;

C2 field: The ciphertext information of the multicast session key broadcast by the responder entity, the encryption key is GKEKE;

MIC field: means to find the MIC value for all fields before this field, where the integrity check key is GKEKI.

18. The wireless metropolitan area network multicast key management method according to claim 16 or 17, characterized in that: in step 3.2), after the requester entity receives the multicast session key broadcast packet, the integrity is used The verification key GKEKI recalculates the MIC to determine whether the group is valid; at the same time, it determines whether the system is repeating messages based on the Time field; if both are valid, use the encryption key GKEKE to decrypt C2 to obtain the multicast session key GSK.

19. The wireless metropolitan area network multicast key management method according to claim 18, characterized in that: the responder entity and the requester entity use the multicast session key GSK to derive the multicast session encryption key GSKE and the group Broadcast session integrity check key GSKI, the responder entity performs multicast services.

20. A wireless metropolitan area network multicast key management system, including a requester entity and a responder entity, characterized by:

The requester entity is configured to send a multicast private key request packet to the responder entity, and after receiving the multicast private key response packet returned by the responder entity, send a multicast private key confirmation packet to the responder entity; and After receiving the multicast key encryption key broadcast group broadcast by the responder entity, decrypt the multicast key encryption key from the multicast key encryption key broadcast group;

The responder entity is configured to return a multicast private key response packet to the requester entity after receiving the multicast private key request packet sent by the requester entity; and after receiving the multicast private key confirmation sent by the requester entity After grouping, the multicast key encryption key broadcast group is broadcast to all requester entities.

21. The system according to claim 20, characterized in that the responder entity is also used to establish system parameters.

22. The system according to claim 20 or 21, characterized in that, the requester entity and the responder entity are also used to perform authentication and unicast key negotiation between them to establish a shared unicast session. key.

23. The system according to claim 20 or 21, characterized in that,

The responder entity is further configured to broadcast the multicast session key broadcast packet to all requester entities; the requester entity is further configured to decrypt the multicast session key from the multicast session key broadcast packet.