WO2018137202A1 - Method, apparatus and system for transmitting data - Google Patents

Info

Publication number: WO2018137202A1
Authority: WO, WIPO (PCT)
Prior art keywords: key; terminal device; data type; parameter value; target data
Legal status: Ceased
Application number: PCT/CN2017/072674
Other languages: English (en), Chinese (zh)
Inventors: 诸华林, 李�赫, 靳维生
Current Assignee: Huawei Technologies Co Ltd
Original Assignee: Huawei Technologies Co Ltd


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W 12/041 Key generation or derivation
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W 12/043 Key management, e.g. using generic bootstrapping architecture [GBA], using a trusted network node as an anchor
    • H04W 12/0433 Key management protocols

Definitions

  • the present application relates to the field of wireless communication technologies, and in particular, to a method, an apparatus, and a system for transmitting data.
  • a network device that establishes a mobile network often includes a security management device (such as an authentication, authorization and accounting server (AAA server) or a Home Subscriber Server (HSS)) and a network control device (such as the neutral host mobility management entity (NH MME) of a MulteFire network).
  • AAA server authentication, authorization and accounting server
  • HSS Home Subscriber Server
  • NH MME Neutral Host Mobility Management Entity of the MulteFire network
  • a security termination device, such as a Packet Data Network Gateway (PDN GW), a Service Capability Exposure Function (SCEF) network device, or an Evolved Packet Data Gateway (ePDG).
  • PDN GW Packet Data Network Gateway
  • SCEF Service Capability Exposure Function
  • ePDG Evolved Packet Data Gateway
  • the terminal device can transmit data to the server through the mobile network.
  • Internet of Things data, for example temperature or humidity readings.
  • the Internet of Things data transmission method between the terminal device and the server: the terminal device can send uplink Internet of Things data to the server, that is, the terminal device transmits the Internet of Things data to the network control device (such as the NH MME); after receiving the IoT data, the network control device transmits it to the security termination device, and the security termination device sends the received IoT data to the server.
  • the server may also send downlink IoT data to the terminal device, that is, the server transmits the IoT data to the security termination device; after receiving the IoT data, the security termination device transmits it to the network control device (such as the NH MME), and the network control device then sends the received Internet of Things data to the terminal device.
  • some enterprises or units may independently deploy network control devices of the mobile network.
  • when the terminal device transmits data through network control devices and servers deployed by enterprises or units with poor reliability, the network control device may steal the data transmitted between the terminal device and the server, resulting in poor security of data transmission.
  • the embodiments of the present application provide a method, an apparatus, and a system for transmitting data.
  • the technical solution is as follows:
  • a first aspect provides a method for transmitting data, where the method includes: the security management device determines a transmission data type of the terminal device; when the transmission data type of the terminal device includes a preset target data type, the security management device obtains a key derivation parameter value, obtains a first key according to the key derivation parameter value, and sends the first key to the security termination device.
  • in the authentication process, the security management device can determine the transmission data type of the terminal device, and when it determines that the transmission data type includes the preset target data type, the security management device can obtain the key derivation parameter value and derive the first key based on it. Once the first key is determined, it can be sent to the security termination device. In this way, the security termination device can encrypt the data of the target data type transmitted by the server to the terminal device, so that the network control device cannot steal the data, and the security of data transmission can be guaranteed.
  • the security management device determines the transmission data type of the terminal device by: determining it according to indication information, sent by the terminal device, that indicates the transmission data type of the terminal device; or determining it according to a pre-stored correspondence between device identifiers and transmission data types and the device identifier sent by the terminal device.
  • the target data type may be an Internet of Things data type
  • the indication information may be IoT optimization architecture support indication information
  • the method further includes: the security management device sends a key derivation parameter value to the terminal device, where the key derivation parameter value is used by the terminal device to acquire the first key.
  • the security management device acquiring the key derivation parameter value includes: when the transmission data type of the terminal device includes the target data type, the security management device obtains the key derivation parameter value sent by the terminal device.
  • the terminal device and the security termination device can obtain the first key, so as to encrypt or decrypt the data of the target data type transmitted by the terminal device and the server, thereby ensuring the security of data transmission.
  • the sending of the first key to the security termination device includes: encrypting the first key based on a predefined public key to obtain the encrypted first key; and sending the encrypted first key to the security termination device.
  • the security management device may encrypt the first key based on the predefined public key to obtain the encrypted first key, and then send the encrypted first key to the security termination device. In this way, the security of the first key transmission can be enhanced.
  • the sending of the encrypted first key to the security termination device includes: sending the encrypted first key to the security termination device by way of the network control device, so that the network control device sends the encrypted first key to the security termination device.
  • the security management device may send the encrypted first key to the network control device; the network control device receives the encrypted first key and may send it to the security termination device.
  • the sending of the encrypted first key to the security termination device by way of the network control device includes: sending the encrypted first key to the network control device so that the network control device sends the encrypted first key when sending the connection establishment request to the security termination device.
  • the network control device may send the encrypted first key to the security termination device when sending the connection establishment request to it, that is, the connection establishment request may carry the encrypted first key. In this way, the network control device does not need one additional data transmission with the security termination device to deliver the encrypted first key.
  • the key derivation parameter value may be a random value or a device identifier of the terminal device.
  • a second aspect provides a method for transmitting data, where the method includes: the terminal device determines the transmission data type of the terminal device; when the transmission data type of the terminal device includes a target data type, the terminal device obtains a key derivation parameter value; and obtains a first key according to the key derivation parameter value, where the first key is used by the terminal device to encrypt data of the target data type to be transmitted, or to decrypt received encrypted data of the target data type.
  • when the transmission data type of the terminal device includes the target data type, the terminal device may obtain the same key derivation parameter value as the security management device, and then derive the first key based on the obtained key derivation parameter value and the key material.
  • when data of the target data type is transmitted to the server, the data may be encrypted, and when encrypted data of the target data type is received, the received data is decrypted.
  • the method further includes: the terminal device may send, to the security management device, the device identifier of the terminal device and/or the indication information used to indicate the type of the transmission data of the terminal device.
  • the target data type may be an Internet of Things data type
  • the indication information may be IoT optimization architecture support indication information
  • the terminal device acquiring the key derivation parameter value when the transmission data type of the terminal device includes the target data type includes: when the transmission data type of the terminal device includes the target data type, the terminal device acquires the key derivation parameter value sent by the security management device.
  • the method further includes: the terminal device sends the generated key derivation parameter value to the security management device, where the key derivation parameter value is used by the security management device to acquire the first key.
  • the key derivation parameter value may be a random value or a device identifier of the terminal device.
  • the first key being used by the terminal device to encrypt data of the target data type to be transmitted, or to decrypt received data of the target data type, includes: the first key is used directly for encrypting data of the target data type to be transmitted by the terminal device, or for decrypting received data of the target data type; or the first key is used by the terminal device to obtain a second key based on the first key, and the second key is used to encrypt data of the target data type to be transmitted by the terminal device, or to decrypt received data of the target data type.
  • a third aspect provides a method for transmitting data, the method comprising: a security termination device receives a first key sent by a security management device, where the first key is used by the security termination device to decrypt, based on the first key, the encrypted data of the target data type sent by the terminal device, or to encrypt the data of the target data type sent by the server to the terminal device.
  • the security termination device can receive the first key.
  • when receiving encrypted data of the target data type sent by the terminal device, the security termination device may decrypt it based on the first key, and when receiving data of the target data type sent by the server to the terminal device, it encrypts the data based on the first key.
  • the security termination device receiving the first key sent by the security management device includes: the security termination device receives the encrypted first key sent by the security management device; and the method further includes: decrypting the encrypted first key with the pre-stored private key to obtain the first key.
  • the first key being used by the security termination device to decrypt, based on the first key, the encrypted data of the target data type sent by the terminal device, or to encrypt the data of the target data type sent by the server to the terminal device, includes: the first key is used directly by the security termination device to decrypt the encrypted data of the target data type sent by the terminal device, or to encrypt the data of the target data type sent by the server to the terminal device; or the first key is used by the security termination device to obtain a second key based on the first key, and the second key is used by the security termination device to decrypt the encrypted data of the target data type sent by the terminal device, or to encrypt the data of the target data type sent by the server to the terminal device.
  • a fourth aspect provides a security management device comprising a processor and a communication interface, the processor being configured to execute instructions stored in the memory; by executing the instructions, the processor implements the method for transmitting data provided by the first aspect.
  • a fifth aspect provides a terminal device comprising a processor, a transmitter and a receiver, the processor being configured to execute instructions stored in the memory; by executing the instructions, the processor implements the method for transmitting data provided by the second aspect.
  • a sixth aspect provides a security termination device comprising a processor and a communication interface, the processor being configured to execute instructions stored in the memory; by executing the instructions, the processor implements the method for transmitting data provided by the third aspect.
  • a seventh aspect provides a security management device comprising at least one module, the at least one module being configured to implement the method for transmitting data provided by the first aspect.
  • an eighth aspect provides a terminal device comprising at least one module, the at least one module being configured to implement the method for transmitting data provided by the second aspect.
  • a ninth aspect provides a security termination device comprising at least one module, the at least one module being configured to implement the method for transmitting data provided by the third aspect.
  • the technical effects obtained by the fourth and seventh aspects of the embodiments of the present application are similar to those obtained by the corresponding technical means in the first aspect, and are not described herein again.
  • the technical effects obtained by the fifth and eighth aspects of the embodiments of the present application are similar to those obtained by the corresponding technical means in the second aspect, and are not described herein again.
  • the technical effects obtained by the sixth and ninth aspects of the embodiments of the present application are similar to those obtained by the corresponding technical means in the third aspect, and are not described herein again.
  • a tenth aspect provides a system for transmitting data, the system comprising a security management device, a terminal device, and a security termination device, wherein: the security management device is configured to determine the transmission data type of the terminal device; when the transmission data type of the terminal device includes the target data type, the security management device obtains a key derivation parameter value and obtains a first key according to the key derivation parameter value, where the first key is used by the security termination device to decrypt, based on the first key, the encrypted data of the target data type sent by the terminal device, or to encrypt the data of the target data type sent by the server to the terminal device; the security management device sends the first key to the security termination device; and the terminal device is configured to determine the transmission data type of the terminal device, to acquire the key derivation parameter value when the transmission data type of the terminal device includes the target data type, and to acquire the first key according to the key derivation parameter value, where the first key is used by the terminal device to encrypt, based on the first key, the data of the target data type to be transmitted, or to decrypt the received encrypted data of the target data type.
  • the security management device may obtain the key derivation parameter value when determining that the transmission data type of the terminal device includes the preset target data type. Further, the first key can be obtained based on the obtained key derivation parameter value and sent to the security termination device. After receiving the first key, the security termination device may decrypt the encrypted target data type data sent by the terminal device based on the first key, or encrypt the data of the target data type sent by the server to the terminal device.
  • the terminal device may also obtain the same key derivation parameter value as the security management device and thus acquire the first key as well; the terminal device may then encrypt the data of the target data type to be transmitted based on the first key, or decrypt the received encrypted data of the target data type.
  • the terminal device and the security termination device in the transmission path may encrypt the data based on the first key learned in advance; because the first key is not stored in the network control device, the network control device cannot decrypt the encrypted data transmitted between the terminal device and the server, that is, it cannot steal the data transmitted between the terminal device and the server, which enhances the security of data transmission.
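To make the tenth-aspect exchange concrete, the following is an added Python model (not code from the patent or from Huawei) in which the security management device derives the first key from a random key derivation parameter value and the terminal's key material, the terminal repeats the same derivation, and the network control device relays the parameter value and the ciphertext without being able to decrypt. HKDF as the key derivation function, the HMAC-based stand-in cipher, and handing the first key to the termination device without the public-key wrapping are assumptions of this example.

```python
import hashlib
import hmac
import secrets

# Preset target data type and the indication information named on the page.
TARGET_DATA_TYPE = "IoT"
INDICATION_IOT = "CP CIOT EPS optimization supported"


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) extract-then-expand; the patent names no KDF, so this is an assumption."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_first_key(key_material: bytes, kdp: bytes) -> bytes:
    """First key = KDF(key material shared after authentication, key derivation parameter value)."""
    return hkdf_sha256(key_material, salt=kdp, info=b"first-key|" + TARGET_DATA_TYPE.encode())


def derive_second_key(first_key: bytes, direction: bytes) -> bytes:
    """Optional second key obtained from the first key (the page's 'second key' variant)."""
    return hkdf_sha256(first_key, salt=b"", info=b"second-key|" + direction)


def protect(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in authenticated encryption (HMAC keystream XOR plus HMAC tag), constructed here
    because the patent does not specify a cipher. Output layout: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    stream = hkdf_sha256(key, salt=nonce, info=b"stream", length=len(plaintext))
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unprotect(key: bytes, blob: bytes):
    """Inverse of protect(); returns None when the tag fails (wrong key or tampered data)."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    stream = hkdf_sha256(key, salt=nonce, info=b"stream", length=len(ct))
    return bytes(c ^ s for c, s in zip(ct, stream))


class SecurityManagementDevice:
    """AAA server / HSS role: holds per-terminal key material and the stored data-type mapping."""

    def __init__(self):
        self.key_material = {}   # device identifier -> key material (e.g. from EAP-AKA)
        self.data_types = {}     # pre-stored device identifier -> transmission data type

    def register(self, device_id: str, key_material: bytes, data_type: str = None):
        self.key_material[device_id] = key_material
        if data_type:
            self.data_types[device_id] = data_type

    def determine_data_type(self, device_id: str, indication: str = None):
        # Decided by the indication information sent by the terminal, else by the stored mapping.
        if indication == INDICATION_IOT:
            return TARGET_DATA_TYPE
        return self.data_types.get(device_id)

    def handle_attach(self, device_id: str, indication: str = None):
        """Returns (kdp for the terminal, first key for the termination device), or (None, None)
        when the terminal's transmission data type does not include the target data type."""
        if self.determine_data_type(device_id, indication) != TARGET_DATA_TYPE:
            return None, None
        kdp = secrets.token_bytes(16)   # random key derivation parameter value
        return kdp, derive_first_key(self.key_material[device_id], kdp)


def run_scenario(plaintext: bytes = b"temp=21.5C;humidity=40%") -> dict:
    """Attach, key derivation at both ends, and one uplink message relayed by the NH MME."""
    key_material = secrets.token_bytes(32)          # constructed; shared after authentication
    hss = SecurityManagementDevice()
    hss.register("ue-0001", key_material)
    hss.register("ue-0002", secrets.token_bytes(32), data_type="voice")
    kdp, pgw_first_key = hss.handle_attach("ue-0001", indication=INDICATION_IOT)
    nh_mme_sees = [kdp]                             # the kdp crosses the NH MME in the clear
    ue_first_key = derive_first_key(key_material, kdp)   # terminal repeats the derivation
    blob = protect(ue_first_key, plaintext)         # uplink data of the target data type
    nh_mme_sees.append(blob)                        # relayed, never decrypted, by the NH MME
    return {
        "keys_match": ue_first_key == pgw_first_key,
        "pgw_plaintext": unprotect(pgw_first_key, blob),
        "nh_mme_plaintext": unprotect(nh_mme_sees[0], blob),  # has the kdp, not the key material
        "second_keys_match": derive_second_key(ue_first_key, b"uplink")
        == derive_second_key(pgw_first_key, b"uplink"),
        "non_target_attach": hss.handle_attach("ue-0002"),
    }
```

The "non_target_attach" entry shows the first-aspect condition: a terminal whose transmission data type does not include the target data type gets no key derivation parameter value and no first key.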
  • FIG. 1(a) is a schematic diagram of a system framework provided by an embodiment of the present application.
  • FIG. 1(b) is a schematic diagram of a system framework provided by an embodiment of the present application.
  • FIG. 2 is a schematic structural diagram of a security management device according to an embodiment of the present application.
  • FIG. 3 is a schematic structural diagram of a terminal device according to an embodiment of the present application.
  • FIG. 4 is a schematic structural diagram of a security termination device according to an embodiment of the present application.
  • FIG. 5 is a flowchart of a method for transmitting data according to an embodiment of the present application.
  • FIG. 6 is a flowchart of a method for acquiring a first key according to an embodiment of the present application.
  • FIG. 7 is a flowchart of a method for acquiring a first key according to an embodiment of the present application.
  • FIG. 8 is a schematic structural diagram of a security management device according to an embodiment of the present application.
  • FIG. 9 is a schematic structural diagram of a security management device according to an embodiment of the present application.
  • FIG. 10 is a schematic structural diagram of a terminal device according to an embodiment of the present disclosure.
  • FIG. 11 is a schematic structural diagram of a terminal device according to an embodiment of the present application.
  • FIG. 12 is a schematic structural diagram of a security termination device according to an embodiment of the present disclosure.
  • FIG. 13 is a schematic structural diagram of a security termination device according to an embodiment of the present application.
  • the terminal device may include a User Equipment (UE), a Mobile Station ("MS" for short), a Mobile Terminal, and the like.
  • the terminal device may also be a mobile phone (or "cellular" phone), a computer with a mobile terminal, or the like.
  • the terminal device can also be a portable, pocket, handheld, computer built-in or vehicle-mounted mobile device, or a sensor; such devices exchange voice and/or data with the radio access network to communicate with one or more core networks via a Radio Access Network (RAN).
  • RAN Radio Access Network
  • the security management device may be an authentication authorization accounting server, a home subscription server, or a functional unit that is jointly performed by the authentication authorization accounting server and the home subscription server.
  • the network control device can be a neutral host mobility management entity of the MulteFire network.
  • the security termination device may be a packet data gateway, a capability open function network device, or an evolved packet data gateway.
  • the server can be a network server that serves the terminal device.
  • the security management device may obtain the key derivation parameter value when it determines that the transmission data type of the terminal device includes the preset target data type, then derive the first key based on the obtained key derivation parameter value and send it to the security termination device; the security termination device can receive the first key sent by the security management device.
  • the terminal device can also obtain the same key derivation parameter value as the security management device, and derive the first key based on the obtained key derivation parameter value.
  • the terminal device can send data of a target data type (which may be referred to as uplink data) to the server through the network control device and the security termination device.
  • the server may send data of a target data type (which may be referred to as downlink data) to the terminal device through the security termination device and the network control device, as shown in FIG. 1(a).
  • the network architecture of the mobile network to which the embodiment of the present application is applicable may be as shown in FIG. 1(b), where the MF AP is an access network device responsible for direct communication with the UE; the oval frame is the Neutral Host Core Network, the core network part of the MulteFire network, which may be a network provided by a non-service provider; and the NH MME is responsible for establishing the network connection and for mobility management, and acts as the intermediate network element through which the Neutral Host Core Network interacts with the service provider (SP) network device.
  • MF AP access network device responsible for direct communication with the UE
  • Neutral Host Core Network the core network part of the MulteFire network, which may be provided by a non-service provider
  • SP Service provider network device
  • the Local AAA Proxy is an intermediate network device that the Neutral Host Core Network interacts with a Service Provider Network Equipment (SP AAA);
  • the NH GW is a gateway device;
  • the ePDG belongs to the network devices deployed by a service provider and is used in the non-trusted access architecture; its role is to establish an IPSec tunnel between the UE and the ePDG.
  • the content transmitted in the tunnel is encrypted and is invisible to the network devices in the Neutral Host Core Network.
  • the SP AAA is a network device used by a service provider to authenticate an authenticated UE and provide a secure encryption key.
  • PDN GateWay is the gateway device of the service provider, and data will eventually enter and exit from this gateway device.
  • the security management device may include a processor 210 and a communication interface 220.
  • the processor 210 may be connected to the communication interface 220 and the receiver 230, as shown in FIG. 2.
  • the processor 210 may be a control center of the security management device that performs various functions and processing data of the security management device by running or executing software programs and/or modules stored in the memory, and recalling data stored in the memory.
  • the processor 210 may be configured to acquire related processing of the first key.
  • the processor 210 may include one or more processing units; the processor 210 may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP), etc., or may be a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field programmable gate array (FPGA), or another programmable logic device.
  • DSP digital signal processor
  • ASIC application specific integrated circuit
  • FPGA field programmable gate array
  • the memory can be used to store programs; the program can include program code, the program code including computer operating instructions.
  • the memory may contain RAM and may also include non-volatile memory, such as at least one disk storage.
  • the processor 210 executes program code stored in the memory to implement various functions.
  • the terminal device may include a processor 310, a transmitter 320, and a receiver 330.
  • the processor 310 may be respectively connected to the transmitter 320 and the receiver 330. As shown in FIG. 3, the transmitter 320 and the receiver 330 may be collectively referred to as a transceiver.
  • the transmitter 320 can be used to transmit messages or data.
  • the transmitter 320 can include, but is not limited to, at least one amplifier, a tuner, one or more oscillators, a coupler, an LNA (Low Noise Amplifier), a duplexer, etc.
  • the processor 310 can be a control center of the terminal device that performs various functions and processing data of the terminal device by running or executing software programs and/or modules stored in the memory, and recalling data stored in the memory.
  • processor 310 can be used in related processing to encrypt or decrypt data.
  • the processor 310 may include one or more processing units; the processor 310 may be a general purpose processor, including a central processing unit, a network processor, etc., or may be a digital signal processor, an application specific integrated circuit, a field programmable gate array, or another programmable logic device.
  • the memory can be used to store programs; the program can include program code, the program code including computer operating instructions.
  • the memory may contain RAM and may also include non-volatile memory, such as at least one disk storage.
  • the processor 310 executes program code stored in the memory to implement various functions.
  • the security termination device can include a processor 410 and a communication interface 420; the processor 410 can be coupled to the communication interface 420, as shown in FIG. 4.
  • the processor 410 can be a control center for the secure termination device that performs various functions and processing data of the secure termination device by running or executing software programs and/or modules stored in the memory, as well as invoking data stored in the memory.
  • the processor 410 may be used for related processing of encrypting or decrypting data
  • the processor 410 may include one or more processing units;
  • the processor 410 may be a general purpose processor including a central processing unit, a network processor, etc.; it can also be a digital signal processor, an application specific integrated circuit, a field programmable gate array or another programmable logic device.
  • the memory can be used to store programs; the program can include program code, the program code including computer operating instructions.
  • the memory may contain RAM and may also include non-volatile memory, such as at least one disk storage.
  • the processor 410 executes program code stored in the memory to implement various functions.
  • the technical solution of the embodiment of the present application may be used to establish an end-to-end secure network architecture using a non-tunnel mode, such as a MulteFire network, a Long Term Evolution (LTE) network, a home base station network, or a non-3rd Generation Partnership Project (3GPP) network, for example a mobile network with Wireless Fidelity (WiFi) access.
  • GSM Global System for Mobile communication
  • WCDMA Wideband Code Division Multiple Access
  • Step 501: the terminal device determines the transmission data type of the terminal device; when the transmission data type of the terminal device includes the target data type, the terminal device acquires a key derivation parameter value.
  • the terminal device may send an attach request to the network control device when the terminal device is powered on.
  • the network control device may send a request for the device identifier of the terminal device to the terminal device; after receiving the request, the terminal device can send its device identifier to the network control device, and the network control device can send it to the security management device.
  • the terminal device may subsequently perform an authentication process with the security management device, where the authentication method between the terminal device and the security management device may be Extensible Authentication Protocol - Authentication and Key Agreement (EAP-AKA).
  • EAP-AKA Extensible Authentication Protocol - Authentication and Key Agreement
  • EAP-TLS Extensible Authentication Protocol - Transport Layer Security
  • EAP-TTLS Extensible Authentication Protocol - Tunneled Transport Layer Security
  • the terminal device and the security termination device may obtain a first key for transmitting data of the target data type as follows:
  • the terminal device determines its transmission data type. If it includes the target data type, the terminal device obtains a key derivation parameter value, which it uses to derive the first key.
  • the key derivation parameter value may be a random value or the device identifier of the terminal device.
  • the terminal device may further send the security management device indication information indicating its transmission data type. For example, the attach request may carry this indication information, and the network control device, after receiving it, forwards it to the security management device.
  • the indication information may be the "CP CIoT EPS optimization supported" indication.
  • depending on the source of the key derivation parameter value, step 501 can be performed in several ways; several feasible processing methods are given below:
  • In the first manner, the terminal device acquires a key derivation parameter value sent by the security management device.
  • the security management device can generate the key derivation parameter value and send it to the terminal device, as described in detail later. The terminal device receives it and may optionally store it.
  • In the second manner, the terminal device generates the key derivation parameter value and sends it to the security management device.
  • for example, during EAP-TLS authentication the terminal device may generate the key derivation parameter value and send it to the authentication, authorization and accounting (AAA) server together with the Client-Hello message.
  • Step 502: The terminal device acquires a first key according to the key derivation parameter value, where the first key is used by the terminal device to encrypt data of the target data type to be transmitted, or to decrypt received encrypted data of the target data type.
  • the terminal device derives the first key from the obtained key derivation parameter value and may store it. It can then encrypt data to be transmitted, or decrypt received data, with the first key.
  • the terminal device may further derive a second key from the first key. In that case, either the first key itself is used to encrypt data of the target data type to be transmitted by the terminal device or to decrypt received data of the target data type, or the first key is used only to derive the second key, and the second key is used to encrypt data of the target data type to be transmitted by the terminal device or to decrypt received data of the target data type.
  • Step 503: The security management device determines the transmission data type of the terminal device.
  • there is no fixed order between step 502 and step 503: they may run in parallel, or either may precede the other.
  • step 503 may be performed as follows: the transmission data type of the terminal device is determined either from indication information sent by the terminal device to indicate its transmission data type, or from a pre-acquired correspondence between device identifiers and transmission data types.
  • the security management device may receive the device identifier of the terminal device and/or indication information indicating its transmission data type. If the indication information is received, the security management device determines the transmission data type from it. If no indication information is received, the security management device looks up the transmission data type corresponding to the device identifier of the terminal device in the pre-stored correspondence between device identifiers and transmission data types.
  • Step 504: When the transmission data type of the terminal device includes the preset target data type, the security management device acquires the key derivation parameter value and obtains the first key according to it.
  • the security management device determines whether the transmission data type of the terminal device includes the preset target data type. If it does, the security management device obtains a key derivation parameter value that is the same as the one acquired by the terminal device, derives the first key from it, and may optionally store the first key.
  • the key derivation parameter value may be a random value or the device identifier of the terminal device.
  • depending on the source of the key derivation parameter value, step 504 can be performed in several ways; several feasible processing methods are given below:
  • In the first manner, when the transmission data type of the terminal device includes the preset target data type, the security management device generates the key derivation parameter value, sends it to the terminal device, and obtains the first key according to it.
  • the security management device can generate the key derivation parameter value, specifically after receiving the indication information sent by the terminal device.
  • for example, in EAP-TLS the AAA server may generate the key derivation parameter value and send it to the terminal device together with the Server-Hello message, so that the terminal device can derive the first key from it.
  • the key derivation parameter value can be generated in several ways; several feasible processing methods are given below.
  • Mode 1: the terminal device and the security management device still perform the existing authentication process; the embodiment of the present application does not change that process. The AAA server proceeds according to the existing authentication flow, that is, it sends an AKA authentication vector request to the home subscriber server (HSS).
  • when the HSS receives the AKA authentication vector request, in addition to the existing processing (such as generating the authentication vector) it may also generate a key derivation parameter value (such as a random value) and send it to the AAA server, either together with the authentication vector or at another point in time.
  • the AAA server obtains the generated key derivation parameter value, sends it to the terminal device, and derives the first key from the key derivation parameter value and other key material.
  • Mode 2: alternatively, the HSS itself derives the first key from the key derivation parameter value and sends the first key to the AAA server; the key derivation parameter value is transmitted to the terminal device in the same manner as in mode 1.
  • Mode 3: the AAA server generates the key derivation parameter value and sends it to the terminal device. After generating it, the AAA server derives the first key from it.
  • the AKA authentication vector request sent by the AAA server to the HSS may further carry the indication information indicating the transmission data type of the terminal device; after receiving it, the HSS performs the subsequent processing of generating the key derivation parameter value.
  • when deriving the first key, other key material (for example CK'/IK') may be used in addition to the key derivation parameter value.
  • In the second manner, the security management device obtains the key derivation parameter value sent by the terminal device, may store it, and derives the first key from it.
  • Step 505: The security management device sends the first key to the security termination device.
  • the security termination device may be a trusted network device deployed by a service provider (such as an operator), located on the transmission path between the terminal device and the server for data of the target data type.
  • the security termination device may be a PDN gateway (PDN GW), a Service Capability Exposure Function (SCEF), an evolved Packet Data Gateway (ePDG), or a stand-alone security gateway deployed in front of the PDN GW.
  • after obtaining the first key, the security management device sends it to the security termination device. It may encrypt the first key first.
  • step 505 may then proceed as follows: the first key is encrypted with a predefined public key, and the encrypted first key is sent to the security termination device.
  • the public key may be pre-stored in the security management device, which encrypts the first key with it to obtain the encrypted first key and sends the encrypted first key to the security termination device.
  • the security management device may send the encrypted first key to the security termination device through the network control device, that is, the security management device sends the encrypted first key to the network control device, which forwards it to the security termination device.
  • the encrypted first key may be sent to the network control device during the authentication process, for example together with the primary session key that is already sent to the network control device in the existing flow.
  • the network control device may send the encrypted first key to the security termination device when it detects a key transmission trigger event, for example when it sends a connection establishment request to the security termination device.
  • the network control device may send a connection establishment request to the security termination device to establish a data transmission path for the target data type; for example, it may initiate a packet data network (PDN) connection establishment process after the attach process is completed.
  • PDN: packet data network
  • the network control device may receive a connection establishment request from the terminal device and then send a connection establishment request to the security termination device, carrying an indication of the transmission data type of the terminal device; the encrypted first key may be sent along with this connection establishment request.
  • Step 506: The security termination device receives the first key sent by the security management device, where the first key is used by the security termination device to decrypt encrypted data of the target data type sent by the terminal device, or to encrypt data of the target data type sent by the server to the terminal device.
  • when the security termination device receives the encrypted first key from the security management device, it decrypts it with the pre-acquired private key to obtain the first key.
  • the security termination device may further derive a second key from the first key. Step 506 may then be as follows: either the first key is used by the security termination device to decrypt encrypted data of the target data type sent by the terminal device or to encrypt data of the target data type sent by the server to the terminal device; or the first key is used by the security termination device to derive the second key, and the second key is used by the security termination device to decrypt encrypted data of the target data type sent by the terminal device or to encrypt data of the target data type sent by the server to the terminal device.
  • FIG. 6 is a flowchart in which the security management device and the terminal device obtain the first key during EAP-AKA authentication. In it:
  • the SP AAA (the authentication, authorization and accounting server provided by the service provider) may store the public key in advance; it is used to encrypt the first key in step 21.
  • the UE performs IoT (Internet of Things) network selection.
  • an air interface connection, that is, an RRC (Radio Resource Control) connection, is established between the UE and the MF AP.
  • the UE initiates an attach request carrying the "CP CIoT EPS optimization supported" indication, which indicates that the IoT data transmission function is to be used; this indication is the IoT optimization architecture support indication information.
  • the NH-MME sends an EAP-RQ/Identity (EAP-Request/Identity) to the UE in a NAS (Non-Access Stratum) message, requesting the device identifier of the UE.
  • the UE returns its device identifier to the NH-MME.
  • the NH-MME sends the device identifier and the "CP CIoT EPS optimization supported" indication to the SP AAA.
  • the SP AAA sends an AKA authentication vector request to the HSS; the authentication vector is used to generate the encryption keys and to verify the UE.
  • the HSS generates an authentication vector and an IoT-RAND random value (IoT-RAND is the key derivation parameter value described above); the random value is used to derive the MSK-IoT key in step 21 and step 24c (MSK-IoT is the first key).
  • the HSS returns the IoT-RAND random value to the SP AAA.
  • the SP AAA generates the primary session key MSK from the authentication vector obtained from the HSS.
  • the UE generates the primary session key MSK and the response RES from the received authentication vector.
  • the SP AAA verifies that the received RES matches the RES it generated itself in step 10; if they are the same, the UE is considered a legitimate terminal.
  • the SP AAA obtains the subscription data from the HSS.
  • step 21: the SP AAA derives the key MSK-IoT from the IoT-RAND random value obtained in step 9c and other key material (for example CK'/IK').
  • the SP AAA sends the primary session key MSK and the generated MSK-IoT to the NH-MME. MSK-IoT is encrypted with the public key of step 1 before transmission, so the NH-MME obtains MSK-IoT only as encrypted information and never sees the real MSK-IoT.
  • the NH-MME sends the EAP authentication success information to the UE.
  • the UE and the NH-MME derive the key Kasme from the obtained authentication vector for NAS message encryption.
  • step 24c: the UE, in the same way as the SP AAA in step 21, derives MSK-IoT.
  • the UE and the NH-MME negotiate an encryption algorithm through an SMC (Security Mode Command).
  • the above is the execution of the authentication process. At its end, the UE holds the key MSK-IoT, while the NH-MME holds only the encrypted MSK-IoT.
  • the authentication process shown in FIG. 6 is prior art; the related processing that generates the first key (MSK-IoT) within the authentication process is the solution of the present application.
  • the information exchanged by each execution subject may be a message name and/or information carried in the message.
  • in a variant, the HSS derives MSK-IoT from the IoT-RAND random value and other key material and then sends MSK-IoT to the SP AAA; the other steps are the same as in FIG. 6. The HSS may encrypt MSK-IoT with a pre-stored public key and send the encrypted MSK-IoT to the SP AAA.
  • the SP AAA may also generate IoT-RAND itself, that is, IoT-RAND may be generated in step 10 of FIG. 6 instead of by the HSS; the other steps are the same as in FIG. 6.
  • the SP AAA may also send the "CP CIoT EPS optimization supported" indication to the HSS.
  • the NH-MME can send a connection establishment request to the security termination device as in the prior art, and the connection establishment request may carry the encrypted first key.
  • after the attach process is complete, or when the terminal device initiates a PDN connection establishment process, the NH-MME may send a connection establishment request to the security termination device, and the encrypted first key may also be carried in that request.
  • FIG. 7 is a flowchart in which the security management device and the terminal device obtain the first key during EAP-TLS authentication. In it:
  • step 0: the SP AAA can pre-store the public key.
  • the UE initiates an initial connection message (that is, an attach request) carrying the "CP CIoT EPS optimization supported" indication, which indicates that the IoT network will be used.
  • the NH-MME requests the device identifier of the UE, and the UE sends it.
  • the NH-MME forwards the device identifier to the SP AAA Server together with the "CP CIoT EPS optimization supported" indication.
  • the SP AAA Server looks up the authentication database by the user identifier and learns that the TLS authentication mechanism is to be used. It initiates TLS authentication by sending a Start message to the supplicant and waits for TLS authentication.
  • the UE sends an EAP-TLS Client-Hello message to the SP AAA Server. This message contains the list of cipher suites the UE supports, the Client Random value, and other required information.
  • after receiving the Client-Hello, the SP AAA Server determines that TLS authentication is to be set up and sends the Server-Hello, its own digital certificate (Server-Certificate), a request for the UE's digital certificate (Client Certificate-Request) and a Server Key-Exchange message, which are used for the key exchange procedure. The Server-Hello fixes the algorithms and the Server Random value for this session.
  • the SP AAA Server also generates a random value Server-IoT-Random (that is, the key derivation parameter value) and sends it to the UE (steps 9 and 10).
  • the UE verifies the digital certificate Server-Certificate of the SP AAA Server. If it is valid, the UE sends Client-Cert, Client Key-Exchange, Change Cipher-spec and Finished messages to the SP AAA Server.
  • Client-Cert is the digital certificate of the UE; Client Key-Exchange carries a fixed-length random string encrypted with the public key of the SP AAA Server, also called the pre-master secret; Change Cipher-spec indicates the encryption parameters the UE will use from now on.
  • the SP AAA Server verifies the UE's certificate Client-Certificate. If it is valid, it replies to the UE with Change Cipher-spec and Finished messages, where Change Cipher-spec carries the encryption parameters specified by the SP AAA Server.
  • the UE returns a response message.
  • the UE and the SP AAA Server derive the primary session key MSK.
  • the UE and the SP AAA Server derive the key MSK-IoT used for IoT data from the Server-IoT-Random obtained in steps 9 and 10.
  • the SP AAA Server sends the authentication success information and the primary session key MSK to the NH-MME, and encrypts MSK-IoT with the public key stored in step 0 before sending it to the NH-MME.
  • the NH-MME sends the authentication success message EAP-Success to the UE.
  • the UE and the NH-MME each derive the key Kasme for NAS encryption from the MSK.
  • the UE and the NH-MME negotiate an encryption algorithm through an SMC (Security Mode Command).
  • the above is the execution of the authentication process. At its end, the UE holds the key MSK-IoT, while the NH-MME holds only the encrypted MSK-IoT.
  • the authentication process shown in FIG. 7 is prior art; the related processing that generates the first key (MSK-IoT) within the authentication process is the solution of the present application.
  • the information exchanged by each execution subject may be a message name and/or information carried in the message.
  • in the scheme shown in FIG. 7, the SP AAA Server generates the key derivation parameter value. The key derivation parameter value may instead be generated by the terminal device and sent to the SP AAA Server in steps 7 and 8 of FIG. 7; both the terminal device and the SP AAA Server then derive the first key from the key derivation parameter value generated by the terminal device, and the other processing is the same as in FIG. 7.
  • in summary, when the security management device determines that the transmission data type of the terminal device includes the preset target data type, it obtains the key derivation parameter value, obtains the first key from it, and sends the first key to the security termination device. After receiving the first key, the security termination device can decrypt encrypted data of the target data type sent by the terminal device, or encrypt data of the target data type sent by the server to the terminal device, with it.
  • the terminal device obtains the same key derivation parameter value as the security management device and therefore the same first key, with which it encrypts data of the target data type to be transmitted or decrypts received encrypted data of the target data type.
  • the terminal device and the security termination device on the transmission path thus encrypt the data with a first key agreed in advance. Because the first key is not stored in the network control device, the network control device cannot decrypt the encrypted data exchanged between the terminal device and the server, so that data cannot be read there, which enhances the security of data transmission.
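The following Go program is an added example, not code from the patent or from Huawei, that plays through steps 501 to 506 and the key derivation of FIG. 6 and FIG. 7 in a single process: the HSS draws IoT-RAND, the UE and the SP AAA each derive MSK-IoT from shared key material and IoT-RAND, the SP AAA encrypts MSK-IoT under the security termination device's public key so that the NH-MME relays only ciphertext, and the UE's IoT data can then be decrypted by the security termination device but not by the NH-MME, which holds only MSK. The patent specifies neither the KDF, the public-key scheme nor the data cipher; HMAC-SHA256, RSA-OAEP and AES-256-GCM are assumptions made here, as are all function names (deriveMSKIoT, runAttachFlow and so on), the in-process RSA key pair standing in for the termination device's pre-provisioned key, and the constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// deriveMSKIoT derives the first key (MSK-IoT) from key material both sides share after
// authentication (CK'/IK' in FIG. 6, the EAP-TLS MSK in FIG. 7) and the key derivation parameter
// value (IoT-RAND or Server-IoT-Random). The patent names no KDF; HMAC-SHA256 is assumed here.
func deriveMSKIoT(keyMaterial, kdfParam []byte) []byte {
	mac := hmac.New(sha256.New, keyMaterial)
	mac.Write([]byte("MSK-IoT"))
	mac.Write(kdfParam)
	return mac.Sum(nil) // 32 bytes, used directly as an AES-256 key below
}

// randBytes draws n bytes from the CSPRNG; a failure here is unrecoverable.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// gcmFor wraps a key in AES-GCM; AES-256-GCM is assumed, the patent names no data cipher.
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealIoTData encrypts target-data-type data on the terminal device; the nonce is prefixed.
func sealIoTData(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := randBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openIoTData decrypts at the security termination device; any other key fails GCM authentication.
func openIoTData(key, sealed []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext shorter than nonce")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// runAttachFlow plays the parties of FIG. 5 in one process: the HSS picks IoT-RAND, UE and SP AAA
// derive MSK-IoT, SP AAA wraps it for the termination device via the NH-MME, and the UE's IoT data
// is then readable at the termination device but not at the NH-MME (reported by the bool).
func runAttachFlow(iotData string) (string, bool, error) {
	ckik := randBytes(32)    // CK'||IK', shared by UE and SP AAA after EAP-AKA (constructed)
	msk := randBytes(32)     // primary session key, which the NH-MME does hold (constructed)
	iotRand := randBytes(16) // key derivation parameter value generated by the HSS
	termPriv, err := rsa.GenerateKey(rand.Reader, 2048) // stands in for the pre-provisioned key pair
	if err != nil {
		return "", false, err
	}
	mskIoT := deriveMSKIoT(ckik, iotRand) // computed identically on the UE and the SP AAA
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &termPriv.PublicKey, mskIoT, nil) // step 505
	if err != nil {
		return "", false, err
	}
	// The NH-MME relays wrapped, opaque to it, in the connection establishment request.
	termKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, termPriv, wrapped, nil) // step 506
	if err != nil {
		return "", false, err
	}
	sealed, err := sealIoTData(mskIoT, []byte(iotData)) // UE sends encrypted IoT data
	if err != nil {
		return "", false, err
	}
	plain, err := openIoTData(termKey, sealed) // termination device decrypts
	if err != nil {
		return "", false, err
	}
	_, mmeErr := openIoTData(msk, sealed) // NH-MME has MSK but not MSK-IoT: must fail
	return string(plain), mmeErr != nil, nil
}

func main() { fmt.Println(runAttachFlow("temp=21.5")) }
```

Feeding deriveMSKIoT the EAP-TLS MSK and Server-IoT-Random instead of CK'/IK' and IoT-RAND gives the FIG. 7 variant; the wrapping and data steps are unchanged. The decisive property of the design is visible in the last two calls of runAttachFlow: the NH-MME, holding MSK but not MSK-IoT, cannot authenticate the ciphertext, while the termination device that unwrapped MSK-IoT with its private key can.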
  • FIG. 8 is a block diagram of a security management device provided by an embodiment of the present application.
  • the security management device provided by the embodiment of the present application may implement the steps performed by the security management device in the process described in FIG. 5 of the embodiment of the present application, where the security management device includes:
  • the determining module 810 is configured to determine the transmission data type of the terminal device, specifically implementing the determining function in step 503 above and other implicit steps.
  • the obtaining module 820 is configured to obtain the key derivation parameter value when the transmission data type of the terminal device includes the target data type, specifically implementing the obtaining function in step 504 above and other implicit steps.
  • the obtaining module 820 is further configured to obtain the first key according to the key derivation parameter value, specifically implementing the derivation function in step 504 above and other implicit steps.
  • the sending module 830 is configured to send the first key to the security termination device, specifically implementing the sending function in step 505 above and other implicit steps.
  • the determining module 810 is configured to determine the transmission data type of the terminal device according to a predefined correspondence between device identifiers and transmission data types and the device identifier sent by the terminal device.
  • the target data type is an Internet of Things data type, and the indication information is the Internet of Things optimization architecture support indication information.
  • the sending module 830 is further configured to:
  • the obtaining module 820 is configured to obtain the key derivation parameter value sent by the terminal device when the transmission data type of the terminal device includes the target data type.
  • the security management device further includes:
  • the encryption module 840 is configured to encrypt the first key based on a predefined public key to obtain an encrypted first key.
  • the sending module 830 is configured to send the encrypted first key to the security termination device.
  • the sending module 830 is configured to:
  • the key derivation parameter value is a random value or a device identifier of the terminal device.
  • the determining module 810, the obtaining module 820 and the encryption module 840 may be implemented by a processor, by a processor together with a memory, or by a processor executing program instructions stored in the memory, and the sending module 830 may be implemented by a transmitter.
  • FIG. 10 is a block diagram of a terminal device according to an embodiment of the present application.
  • the terminal device provided by the embodiment of the present application may implement the steps performed by the terminal device in the process described in FIG. 5, where the terminal device includes:
  • the determining module 1010 is configured to determine the transmission data type of the terminal device, specifically implementing the determining function in step 501 above and other implicit steps.
  • the obtaining module 1020 is configured to obtain the key derivation parameter value when the transmission data type of the terminal device includes the target data type, specifically implementing the obtaining function in step 501 above and other implicit steps.
  • the obtaining module 1020 is further configured to acquire the first key according to the key derivation parameter value, where the first key is used by the terminal device to encrypt data of the target data type to be transmitted or to decrypt received encrypted data of the target data type, specifically implementing the obtaining function in step 502 above and other implicit steps.
  • the terminal device further includes:
  • the sending module 1030 is configured to send, to the security management device, a device identifier of the terminal device and/or indication information used to indicate a type of transmission data of the terminal device.
  • the target data type is an Internet of Things data type
  • the indication information is an Internet of Things optimization architecture support indication information
  • the obtaining module 1020 is configured to obtain the key derivation parameter value sent by the security management device.
  • the terminal device further includes:
  • the sending module 1030 is configured to send the generated key derivation parameter value to the security management device.
  • the key derivation parameter value is a random value or a device identifier of the terminal device.
  • the first key being used by the terminal device to encrypt data of the target data type to be transmitted or to decrypt received encrypted data of the target data type includes either of the following:
  • the first key is used directly to encrypt data of the target data type to be transmitted by the terminal device, or to decrypt received encrypted data of the target data type; or
  • the first key is used by the terminal device to derive a second key, and the second key is used to encrypt data of the target data type to be transmitted by the terminal device, or to decrypt received encrypted data of the target data type.
  • the determining module 1010 and the obtaining module 1020 may be implemented by a processor, by a processor together with a memory, or by a processor executing program instructions stored in the memory, and the sending module 1030 may be implemented by a transmitter.
  • FIG. 12 is a block diagram of a security termination device provided by an embodiment of the present application.
  • the security termination device provided by the embodiment of the present application may implement the steps performed by the security termination device in the process described in FIG. 5 of the embodiment of the present application, where the security termination device includes:
  • the receiving module 1210 is configured to receive the first key sent by the security management device, where the first key is used by the security termination device to decrypt encrypted data of the target data type sent by the terminal device, or to encrypt data of the target data type sent by the server to the terminal device, specifically implementing the receiving function in step 506 above and other implicit steps.
  • the receiving module 1210 is configured to:
  • receive the encrypted first key sent by the security management device; and
  • the security termination device further includes:
  • the decryption module 1220, configured to decrypt the encrypted first key based on a pre-stored private key to obtain the first key.
  • the first key being used by the security termination device to decrypt, based on the first key, encrypted data of the target data type sent by the terminal device, or to encrypt data of the target data type sent by the server to the terminal device, includes one of the following:
  • the first key itself is used by the security termination device to decrypt encrypted data of the target data type sent by the terminal device, or to encrypt data of the target data type sent by the server to the terminal device; or
  • the first key is used by the security termination device to acquire a second key, and the second key is used by the security termination device to decrypt encrypted data of the target data type sent by the terminal device, or to encrypt data of the target data type sent by the server to the terminal device.
  • the decryption module 1220 may be implemented by a processor, or by a processor executing program instructions stored in a memory; the receiving module 1210 may be implemented by a receiver.
  • the security management device may obtain the key derivation parameter value when it determines that the transmission data type of the terminal device includes the preset target data type. Further, the first key can be obtained based on the obtained key derivation parameter value and sent to the security termination device. After receiving the first key, the security termination device may decrypt, based on the first key, encrypted data of the target data type sent by the terminal device, or encrypt data of the target data type sent by the server to the terminal device.
  • the terminal device may also obtain the same key derivation parameter value as the one obtained by the security management device, and may thus also acquire the first key; further, the terminal device may, based on the first key, encrypt data of the target data type to be transmitted or decrypt received encrypted data of the target data type.
  • the terminal device and the security termination device in the transmission path may encrypt data based on the first key obtained in advance, and the first key is not stored in the network control device. Therefore, the network control device cannot decrypt the encrypted data transmitted between the terminal device and the server, that is, the data transmitted between the terminal device and the server cannot be stolen, thereby enhancing the security of data transmission.
  • the related hardware may be instructed by a program, and the program may be stored in a computer readable storage medium.
  • the storage medium mentioned above may be a read only memory, a magnetic disk or an optical disk.
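To make the key handling concrete, the following is an added example (not code from the patent or from Huawei) that models the exchange summarised above: the terminal device and the security management device each derive the first key from the same key derivation parameter value, the security termination device derives the second key from the first key, and a node on the path that holds neither key cannot open the ciphertext. It assumes a root key pre-shared by the terminal and the security management device, HKDF-style HMAC-SHA256 derivation, and an HMAC-based encrypt-then-MAC cipher standing in for a real AEAD; delivery of the first key to the security termination device is treated as already done.

```python
import hashlib
import hmac
import os
# Constructed sample values (assumptions, not from the patent): a root key pre-shared by the
# terminal device and the security management device, and the protected target data type.
ROOT_KEY = hashlib.sha256(b"constructed demo root key").digest()
TARGET_DATA_TYPE = b"telemetry"

def kdf(key: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF-Expand (RFC 5869) with HMAC-SHA256; fine for outputs under 255 blocks."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(key, block + info + bytes([counter]), hashlib.sha256).digest()
        out, counter = out + block, counter + 1
    return out[:length]

def derive_first_key(root_key: bytes, kdp_value: bytes) -> bytes:
    """First key: the terminal and the security management device each compute it from the
    same key derivation parameter value (a random value or the device identifier)."""
    return kdf(root_key, b"first-key|" + kdp_value)

def derive_second_key(first_key: bytes, data_type: bytes) -> bytes:
    """Optional second key, derived from the first key and bound to the target data type."""
    return kdf(first_key, b"second-key|" + data_type)

def seal(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with an HMAC-SHA256 counter-mode keystream: a stdlib-only stand-in
    for a real AEAD such as AES-GCM, not the patent's cipher. Nonce must be 16 bytes."""
    enc_key, mac_key = kdf(key, b"enc"), kdf(key, b"mac")
    ct = bytes(p ^ s for p, s in zip(plaintext, kdf(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def open_sealed(key: bytes, sealed: bytes):
    """Returns the plaintext, or None when the key is wrong or the ciphertext was altered."""
    nonce, ct, tag = sealed[:16], sealed[16:-32], sealed[-32:]
    enc_key, mac_key = kdf(key, b"enc"), kdf(key, b"mac")
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(c ^ s for c, s in zip(ct, kdf(enc_key, nonce, len(ct))))

def run_exchange(kdp_value: bytes, plaintext: bytes, nonce: bytes = None):
    """One target-type message from the terminal to the security termination device; returns
    (plaintext recovered by the termination device, what an in-path node without k1 gets)."""
    nonce = nonce or os.urandom(16)
    k1_smd = derive_first_key(ROOT_KEY, kdp_value)       # security management device side
    k1_terminal = derive_first_key(ROOT_KEY, kdp_value)  # terminal side, same parameter value
    sealed = seal(derive_second_key(k1_terminal, TARGET_DATA_TYPE), nonce, plaintext)
    recovered = open_sealed(derive_second_key(k1_smd, TARGET_DATA_TYPE), sealed)  # k1 came from SMD
    in_path = open_sealed(derive_second_key(os.urandom(32), TARGET_DATA_TYPE), sealed)  # no k1: fails
    return recovered, in_path
```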

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Telephonic Communication Services (AREA)

Abstract

Embodiments of the present invention relate to the technical field of wireless communications. The invention provides a method, an apparatus and a system for transmitting data. The method includes the following steps: a security management device may acquire a key derivation parameter value, so as to acquire a first key based on the acquired key derivation parameter value, and send the first key to a security termination device. The security termination device may decrypt, based on the first key, encrypted data of a target data type sent by a terminal device, or encrypt data of the target data type sent from a server to the terminal device. The terminal device may also acquire the key derivation parameter value so as to acquire the first key, such that the terminal device may encrypt, based on the first key, data of the target data type to be transmitted, or decrypt received encrypted data of the target data type. The present invention makes it possible to improve the security of data transmission.
PCT/CN2017/072674 2017-01-25 2017-01-25 Method, apparatus and system for transmitting data Ceased WO2018137202A1 (fr)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/CN2017/072674 WO2018137202A1 (fr) 2017-01-25 2017-01-25 Method, apparatus and system for transmitting data

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2017/072674 WO2018137202A1 (fr) 2017-01-25 2017-01-25 Method, apparatus and system for transmitting data

Publications (1)

Publication Number Publication Date
WO2018137202A1 true WO2018137202A1 (fr) 2018-08-02

Family

ID=62978907

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2017/072674 Ceased WO2018137202A1 (fr) 2017-01-25 2017-01-25 Method, apparatus and system for transmitting data

Country Status (1)

Country Link
WO (1) WO2018137202A1 (fr)

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2002271313A (ja) * 2001-03-14 2002-09-20 Sony Disc Technology Inc Encrypted communication system, encrypted communication method therefor, and encryption key generation method therefor
CN103297224A (zh) * 2012-02-23 2013-09-11 中国移动通信集团公司 Key information distribution method and related device
CN103532975A (zh) * 2013-10-28 2014-01-22 国家电网公司 Dynamically and smoothly scalable data acquisition system and method
CN105281904A (zh) * 2014-06-06 2016-01-27 佛山市顺德区美的电热电器制造有限公司 Message data encryption method and system, Internet of Things server and Internet of Things terminal
TW201631918A (zh) * 2015-01-27 2016-09-01 高通公司 Group acknowledgement/negative acknowledgement and triggering group acknowledgement/negative acknowledgement/channel state information
CN105141637A (zh) * 2015-09-25 2015-12-09 中铁工程装备集团有限公司 Flow-granular transmission encryption method

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
INTEL ET AL.: "pCR to TR 33.899: Authentication and Key Agreement for non-3GPP access", S3-161719 ; 3GPPTSG SA WG3 (SECURITY) MEETING #85, 11 November 2016 (2016-11-11), XP051186077 *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111832259A (zh) * 2019-04-12 2020-10-27 中国联合网络通信集团有限公司 JSON data generation method and device
CN111832259B (zh) * 2019-04-12 2023-09-12 中国联合网络通信集团有限公司 JSON data generation method and device

Similar Documents

Publication Publication Date Title
US10849191B2 (en) Unified authentication for heterogeneous networks
US11212676B2 (en) User identity privacy protection in public wireless local access network, WLAN, access
CN108781366B (zh) Authentication mechanism for 5G technology
CA2800941C (fr) Method and apparatus for binding subscriber authentication and device authentication in communication systems
US9240881B2 (en) Secure communications for computing devices utilizing proximity services
EP3216249B1 (fr) Apparatuses and methods for wireless communication
KR100704675B1 (ko) Authentication method in a wireless portable internet system and related key generation method
US11316670B2 (en) Secure communications using network access identity
CN104754575B (zh) Terminal authentication method, apparatus and system
JP2011139457A (ja) Method and system for securely transacting data between a wireless communication device and a server
US20170223531A1 (en) Authentication in a wireless communications network
WO2013166908A1 (fr) Method, system, terminal equipment and access network apparatus for generating key information
JP6123035B1 (ja) Protection of WLCP message exchange between TWAG and UE
US9307406B2 (en) Apparatus and method for authenticating access of a mobile station in a wireless communication system
WO2018137202A1 (fr) Method, apparatus and system for transmitting data

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 17894312

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 17894312

Country of ref document: EP

Kind code of ref document: A1