CN101583130A - Air interface key producing method and device - Google Patents

Publication number: CN101583130A
Authority: CN (China)
Legal status: Granted
Application number: CNA2009100870973A
Other languages: Chinese (zh)
Other versions: CN101583130B (en)
Inventors: 冯成燕, 曲红云, 滕志猛
Current assignee: Global Innovation Polymerization LLC
Original assignee: ZTE Corp
Application filed by ZTE Corp
Priority to CN200910087097.3A
Publication of CN101583130A
Application granted
Publication of CN101583130B
Current status: Expired - Fee Related

Abstract

The invention discloses a method for generating an air interface key, comprising: in the initial authentication process, using temporary station ID (TSTID) information instead of the station's MAC address information to generate the air interface derived (secondary) key. The invention also discloses an apparatus for generating an air interface key, comprising a first acquiring unit and a first generating unit, wherein the first acquiring unit is used to acquire the station's TSTID information, and the first generating unit is used to generate the air interface derived key in the initial authentication process using the TSTID information instead of the station's MAC address information. The invention guarantees the security of the information communicated between the station and the network side, and guarantees the security of communication under the IEEE 802.16m specification.

Description

Method and apparatus for generating an air interface key
Technical field
The present invention relates to air interface key generation technology, and in particular to a method and apparatus for generating an air interface key in the Institute of Electrical and Electronics Engineers (IEEE) 802.16m standard system.
Background
The IEEE 802.16 standards family is aimed mainly at metropolitan area networks. Its main goal is to develop air interface physical layer (PHY) and medium access control layer (MAC) standards for wireless access systems in the 2 GHz to 66 GHz band, together with conformance testing related to the air interface protocol and coexistence standards between different wireless access systems.
According to whether mobility is supported, the IEEE 802.16 standards are divided into fixed broadband wireless access air interface standards and mobile broadband wireless access air interface standards. 802.16d is a fixed wireless access air interface standard; it was approved by the IEEE 802 committee in June 2004 and published as IEEE 802.16-2004. 802.16e is a mobile broadband wireless access air interface standard; it was approved by the IEEE 802 committee in November 2005 and published as IEEE 802.16-2005. The Worldwide Interoperability for Microwave Access (WiMAX) alliance certification is based on the IEEE 802.16 air interface standards, and WiMAX has become the most influential broadband wireless access technology in the world today.
IEEE is currently developing the 802.16m standard. This standard studies the next evolutionary step of WiMAX; its goal is to become a next-generation mobile communication technology and ultimately to be submitted to the International Telecommunication Union (ITU) as one of the IMT-Advanced standards. This standard is compatible with the existing 802.16e standard.
With the development of wireless communication, security problems attract more and more attention, and users' requirements for secure communication keep rising. Because of the openness and mobility of mobile wireless systems, communication between a mobile station and the network is easily attacked and eavesdropped. Therefore nearly all wireless communication systems have a complete set of security measures, including authentication and encryption. Authentication means that the communication network confirms the identity of the mobile station one-way, or that the mobile station and the communication network confirm each other's identity two-way, to guarantee that the peer is a legitimate device; encryption means encrypting the data sent over the air interface, to guarantee the confidentiality of communication. Generally, to make keys more dynamic and further improve system security, the keys used for encryption are all tied to the authentication process: they are generated and distributed dynamically by the authentication process.
The keys defined in the 802.16e/m system mainly include:
1) Master session key (MSK, Master Session Key). MSK is the root key of all other keys defined by 802.16e/m. It is generated separately by the mobile station and the AAA server during the EAP authentication and authorization process and is used to derive other keys such as PMK.
2) Pairwise master key (PMK, Pairwise Master Key). PMK is derived from MSK and is used to derive AK.
3) Authorization key (AK, Authorization Key). AK is an authorization key derived from PMK. It is used to derive KEK, CMAC_KEY_U/D and TEK (TEK only in 802.16m).
4) Key encryption key (KEK, Key Encryption Key). In 802.16e, KEK is derived directly from AK and is used to encrypt TEK and other keys that the BS sends to the MS by unicast.
5) Uplink integrity protection key HMAC/CMAC_KEY_U and downlink integrity protection key HMAC/CMAC_KEY_D. Both are derived from AK and are used for integrity protection of uplink and downlink management messages respectively.
6) Traffic encryption key (TEK; Traffic Encryption Key in 802.16e, Transmission Encryption Key in 802.16m). 802.16e/m use TEK to encrypt user data, to protect the privacy of the data transmitted between the MS and the BS.
In 802.16e, TEK is generated at random by the base station and sent to the mobile station after encryption with KEK. In 802.16m, TEK is generated by the base station and the mobile station separately; one of its input parameters, the random number NONCE, is generated at random by the base station and sent to the mobile station during the three-way handshake.
The 802.16m System Description Document (SDD) defines two types of mobile station identifier, the Temporary Station ID (TSTID) and the formal Station ID (STID); both TSTID and STID are unique within the scope of a base station. TSTID is allocated uniquely by the base station during the ranging phase of the mobile station's initial network entry and identifies the mobile station temporarily; subsequent message exchanges identify the mobile station with TSTID until the base station delivers, during the registration process, the STID it has allocated for the mobile station. The transmission of STID needs a protection mechanism. The base station then releases TSTID, and STID is used to identify the mobile station in subsequent procedures.
In 802.16m, the generation parameters of AK, KEK, CMAC_KEY_U/D and TEK all include the mobile station MAC address (AMS MAC Address). But during initial authentication, because the mobile station and the base station have not yet generated the associated keys, all air interface message exchanges are transmitted in plaintext. At this point the mobile station reports its own AMS MAC Address to the base station, and this address is at risk of being intercepted by an attacker. The 802.16m System Requirements Document (SRD) also stipulates that the privacy of the mobile station must be protected, that is, the AMS MAC Address must be protected from plaintext transmission over the air interface, so that an attacker cannot obtain this address and threaten the mobile station's privacy.
Summary of the invention
In view of this, the main purpose of the present invention is to provide a method and apparatus for generating an air interface key that can improve the security of message transmission between a mobile station and the network.
To achieve the above purpose, the technical solution of the present invention is realized as follows:
A method for generating an air interface key comprises:
in the initial authentication process, using temporary station identity (TSTID) information in place of the mobile station MAC address information to generate the air interface derived key.
Preferably, the method further comprises:
after the mobile station reports its own MAC address information to the base station, or after the base station allocates station identity (STID) information to the mobile station, or after re-authentication, generating the air interface derived key using the mobile station MAC address information or the STID information, and replacing the air interface derived key generated using the TSTID information.
Preferably, the method further comprises: appending a random number after the least significant bit (LSB) or the most significant bit (MSB) of the TSTID or STID, and using the result as an input parameter of the air interface key.
Preferably, the method further comprises: the base station adding the random number at the LSB position or the MSB position of the TSTID or STID before sending the TSTID or STID.
Preferably, the derived key comprises the uplink integrity protection key CMAC_KEY_U, the downlink integrity protection key CMAC_KEY_D and the traffic encryption key TEK;
or, the derived key comprises CMAC_KEY_U, CMAC_KEY_D, TEK and the key encryption key KEK.
Preferably, the input parameters for generating AK comprise one of the following parameters or any combination of them: PMK, TSTID, base station identity ABSID.
Preferably, the input parameters for generating TEK comprise one of the following parameters or any combination of them: AK, TSTID, the random number NONCE generated by the base station, the security association identity SAID, the network re-entry key counter CMAC_KEY_COUNT.
Preferably, the input parameters for generating CMAC_KEY_U and CMAC_KEY_D comprise one of the following parameters or any combination of them: AK, TSTID, base station identity ABSID, CMAC_KEY_COUNT.
A method for generating an air interface key comprises:
in the initial authentication process, the base station generating the air interface derived key using mobile station MAC address information provided by the network side.
Preferably, the mobile station MAC address information provided by the network side comprises:
after the mobile station completes initial authentication, the AAA server of the network side delivering the mobile station MAC address information to the authenticator, and the authenticator delivering the mobile station MAC address information to the base station.
Preferably, the derived key comprises CMAC_KEY_U, CMAC_KEY_D and TEK;
or, the derived key comprises CMAC_KEY_U, CMAC_KEY_D, TEK and KEK.
An apparatus for generating an air interface key comprises:
a first acquiring unit, for acquiring the TSTID information of a mobile station; and
a first generating unit, for generating the air interface derived key in the initial authentication process using the TSTID information in place of the mobile station MAC address information.
Preferably, the apparatus further comprises:
a second acquiring unit, for acquiring the mobile station MAC address information or the station identity (STID) information of the mobile station;
a second generating unit, for generating the air interface derived key using the mobile station MAC address information or the STID information; and
a replacing unit, for replacing the air interface derived key generated by the first generating unit with the air interface derived key generated by the second generating unit.
Preferably, the derived key comprises CMAC_KEY_U, CMAC_KEY_D and TEK;
or, the derived key comprises CMAC_KEY_U, CMAC_KEY_D, TEK and KEK.
Preferably, the input parameters with which the first generating unit generates AK comprise one of the following parameters or any combination of them: PMK, TSTID, ABSID.
Preferably, the input parameters with which the first generating unit generates TEK comprise one of the following parameters or any combination of them: AK, TSTID, NONCE, SAID, CMAC_KEY_COUNT.
Preferably, the input parameters with which the first generating unit generates CMAC_KEY_U and CMAC_KEY_D comprise one of the following parameters or any combination of them: AK, TSTID, ABSID, CMAC_KEY_COUNT.
An apparatus for generating an air interface key comprises:
an acquiring unit, for acquiring mobile station MAC address information from the network side in the initial authentication process; and
a generating unit, for generating the air interface derived key using the mobile station MAC address information acquired by the acquiring unit.
In the present invention, during the initial authentication process in which the mobile station enters the network, once the network side (that is, the base station) has allocated TSTID information to the mobile station, the base station and the mobile station use the TSTID information to generate the air interface derived keys (TEK, CMAC_KEY_U/D). Thus, when messages are transmitted between the mobile station and the network side, they are encrypted with the air interface derived keys generated using the TSTID information. Once the mobile station has reported its own MAC address (AMS MAC Address) information, or the base station has allocated STID information to the mobile station and notified it, or after re-authentication, the air interface derived keys are updated, that is, regenerated using the STID information or the MAC address information. The present invention guarantees the security of the information communicated between the mobile station and the network side, and guarantees the security of communication under the IEEE 802.16m standard.
Brief description of the drawings
Fig. 1 is a flow chart of a first usage method of the air interface derived key of the present invention;
Fig. 2 is a flow chart of a second usage method of the air interface derived key of the present invention;
Fig. 3 is a flow chart of a third usage method of the air interface derived key of the present invention;
Fig. 4 is a schematic structural diagram of one apparatus for generating an air interface key according to the present invention;
Fig. 5 is a schematic structural diagram of another apparatus for generating an air interface key according to the present invention.
Detailed description of the embodiments
The basic idea of the present invention is as follows: during the initial authentication process in which the mobile station enters the network, once the network side (that is, the base station) has allocated TSTID information to the mobile station, the base station and the mobile station use the TSTID information to generate the air interface derived keys (keys such as AK, KEK, TEK and CMAC_KEY_U/D). Thus, when messages are transmitted between the mobile station and the network side, they are protected (encrypted and/or integrity-protected) with the air interface derived keys generated using the TSTID information. Once the mobile station has reported its own MAC address (AMS MAC Address) information, or the base station has allocated STID information to the mobile station and notified it, or after re-authentication, the air interface derived keys are updated, that is, regenerated using the MAC address information or the STID information. The present invention guarantees the security of the information communicated between the mobile station and the network side, and guarantees the security of communication under the IEEE 802.16m standard.
To make the purpose, technical solution and advantages of the present invention clearer, the present invention is described in more detail below by way of embodiments and with reference to the accompanying drawings.
During the initial authentication process between the mobile station and the network side (base station), the mobile station has not yet reported its own MAC address information to the base station, so according to the IEEE 802.16m standard no air interface derived key can be generated at this time; the information transmitted between the mobile station and the base station is therefore in plaintext, and its security cannot be guaranteed. The present invention addresses exactly this situation: during the initial authentication process between the mobile station and the base station, as long as the base station has allocated TSTID information to the mobile station and notified it of this TSTID information, the base station and the mobile station use the TSTID information to generate the air interface derived keys, so that the information transmitted between the base station and the mobile station can be encrypted. The detailed process of generating the air interface derived keys using TSTID information is described below.
AK is generated according to the following formula:
AK <= Dot16KDF(PMK, TSTID|ABSID|"AK", 160)
Here Dot16KDF is the cryptographic algorithm function defined in IEEE 802.16, and "|" denotes concatenation as defined in IEEE 802.16. TSTID is the temporary station identity information that the base station allocates to the mobile station; the TSTID here may also be a TSTID supplemented with a random number, the purpose of the random number being to strengthen the security of the key. ABSID is the identity information of the base station. The base station notifies the mobile station of the TSTID. Content in double quotes is a character string, so "AK" denotes the character string corresponding to the letter combination AK. The "160" denotes the length of AK, in bits. With reference to the description in the background section, PMK is derived from MSK, and MSK is the root key in the IEEE 802.16 standards, generated separately by the mobile station and the base station at the two ends during the initial authentication process. In the present invention, identical symbols have identical meanings.
In the present invention, after the mobile station and the base station have each generated AK, the mobile station and the base station carry out a three-way handshake to verify AK. After AK is confirmed to be correct, TEK is generated.
CMAC_KEY_U and CMAC_KEY_D are generated by the following formulas:
First, CMAC_PREKEY_U and CMAC_PREKEY_D are determined; they are intermediate parameters for deriving CMAC_KEY_U and CMAC_KEY_D. CMAC_PREKEY_U and CMAC_PREKEY_D are generated as:
CMAC_PREKEY_U|CMAC_PREKEY_D <= Dot16KDF(AK, TSTID|ABSID|"CMAC_KEYS", 256)
In the formula, "CMAC_KEYS" is the character string corresponding to the letter combination CMAC_KEYS, and the 256 denotes the length of the derived result. The value generated by the formula is the concatenation of CMAC_PREKEY_U and CMAC_PREKEY_D: the first 128 bits are taken as CMAC_PREKEY_U and the last 128 bits as CMAC_PREKEY_D.
CMAC_PREKEY_U and CMAC_PREKEY_D may also be generated by the following formula:
CMAC_PREKEY_U|CMAC_PREKEY_D|KEK <= Dot16KDF(AK, TSTID|ABSID|"CMAC_KEYS+KEK", 384)
The difference from the preceding formula is that this formula generates the key KEK at the same time; the generated result is taken in three 128-bit portions, corresponding to CMAC_PREKEY_U, CMAC_PREKEY_D and KEK respectively.
CMAC_KEY_U and CMAC_KEY_D are generated as:
CMAC_KEY_U <= AES_CMAC_PREKEY_U(CMAC_KEY_COUNT)
CMAC_KEY_D <= AES_CMAC_PREKEY_D(CMAC_KEY_COUNT)
Here AES is the Advanced Encryption Standard algorithm, and AES_K(x) denotes AES encryption of x under the key K (the subscript being the respective CMAC_PREKEY). CMAC_KEY_U and CMAC_KEY_D are determined by the above two formulas.
TEK is generated according to the following formula:
TEK <= Dot16KDF(AK, TSTID|NONCE|SAID|CMAC_KEY_COUNT|"TEK", 128)
Here AK is the authorization key generated as described above; NONCE is a random number generated on the base station side and notified to the mobile station after generation. SAID is the security association identity, allocated to the mobile station by the base station; its generation follows the relevant provisions of IEEE 802.16m and is not repeated here. CMAC_KEY_COUNT, as defined in 802.16e, is the key counter used for network re-entry. When the mobile station successfully completes initial authentication or re-authentication and a new PMK is established, the mobile station sets the CMAC_KEY_COUNT value to 0. When the mobile station performs network re-entry, secure location update or handover without needing to update the PMK again, CMAC_KEY_COUNT is incremented before the mobile station sends the ranging request (RNG-REQ) management message. "TEK" denotes the character string corresponding to the letter combination TEK. The 128 denotes that the length of TEK is 128 bits.
TEK may also be generated by the following formula:
TEK <= Dot16KDF(AK, NONCE|SAID|CMAC_KEY_COUNT|"TEK", 128)
The meaning of each parameter in this formula is the same as in the preceding TEK generation method and is not repeated here.
After the air interface derived keys (TEK, CMAC_KEY_U/D) have been generated, communication between the mobile station and the base station is simply encrypted with the generated derived keys.
When the mobile station reports its own MAC address information to the base station, or after the base station allocates STID information to the mobile station, the mobile station and the base station use the mobile station's MAC address information or the station identity (STID) information to generate the air interface derived keys, replacing the air interface derived keys generated using the TSTID information.
Alternatively, when the mobile station reports its own MAC address information to the base station, or after the base station allocates STID information to the mobile station, the mobile station and the base station do not generate the air interface derived keys immediately, but only after re-authentication use the mobile station's MAC address information or the station identity (STID) information to generate the air interface derived keys again, replacing the air interface derived keys generated using the TSTID information.
The way the air interface derived keys are generated using the STID information or the mobile station's MAC address information is the same as the way described above using the TSTID information: the TSTID information in the above formulas is simply replaced with the MAC address information or the STID information, and the generation details are not repeated here. The TSTID here may also be a TSTID supplemented with a random number, the purpose of the random number being to strengthen the security of the key.
Fig. 1 is a flow chart of a first usage method of the air interface derived key of the present invention. As shown in Fig. 1, it comprises the following steps:
Step 101: during initial network entry of the mobile station, ranging, pre-capability negotiation and similar procedures are carried out. In the ranging procedure, the network side allocates TSTID information to the mobile station and notifies the mobile station;
The TSTID here may also be a TSTID supplemented with a random number, that is, before sending the TSTID the base station adds a random number of a certain number of bits at the most significant bit (MSB) or the least significant bit (LSB) of the TSTID, for example a 36-bit random number.
Step 102: the mobile station and the network side carry out the initial authentication/authorization process;
Step 103: the mobile station and the base station each use the TSTID information to generate the AK and CMAC_KEY_U/D keys; the generation method is as described above.
The TSTID used here may also be a TSTID supplemented with a random number.
Step 104: the mobile station and the base station carry out the three-way handshake to verify AK. At the same time, the base station sends the random parameter NONCE used to derive TEK to the mobile station.
Step 105: the mobile station and the base station each generate TEK; the TSTID used here may also be a TSTID supplemented with a random number.
Step 106: the mobile station and the base station carry out the registration process and negotiate the other capabilities not covered by pre-capability negotiation. In this process the mobile station reports its own AMS MAC Address to the base station, and the base station delivers the STID it has allocated for the mobile station. The STID here may also be an STID supplemented with a random number, that is, before sending the STID the base station adds a random number of a certain number of bits at the MSB or the LSB of the STID, for example a 36-bit random number.
In step 106 and the steps after it, the information transmitted between the mobile station and the base station is protected with the TEK generated in step 105, until step 107.
Step 107: when the re-authentication condition is satisfied, the mobile station and the base station carry out re-authentication.
Step 108: the mobile station and the base station use the AMS MAC Address or the STID information to derive new air interface keys AK, CMAC_KEY_U/D and TEK, that is, they generate the AK, CMAC_KEY_U/D and TEK keys using the mobile station's MAC address information or the station identity (STID) information, and replace the AK, CMAC_KEY_U/D and TEK keys generated using the TSTID information, to protect the transmission of data over the air interface. The STID used here may also be an STID supplemented with a random number.
Fig. 2 is a flow chart of a second usage method of the air interface derived key of the present invention. As shown in Fig. 2, it comprises the following steps:
Steps 201 to 206 are the same as steps 101 to 106 in Fig. 1.
Step 207: using the AMS MAC Address or the STID information as an input parameter, the mobile station and the base station each calculate and generate a new AK and CMAC_KEY_U/D.
The STID here may also be an STID supplemented with a random number.
Step 208: the mobile station and the base station carry out the three-way handshake again, to verify the updated AK. In this process the base station may update NONCE and deliver it to the mobile station.
Step 209: the mobile station and the base station use the AMS MAC Address (or the STID information) and/or the updated random number NONCE to recalculate and generate a new TEK. From then on the new TEK is used to protect the data transmitted over the air interface. The STID here may also be an STID supplemented with a random number.
Fig. 3 is a flow chart of a third usage method of the air interface derived key of the present invention. As shown in Fig. 3, it comprises the following steps:
Step 301: during initial network entry of the mobile station, ranging, pre-capability negotiation and similar procedures are carried out;
Step 302: the mobile station and the network side carry out the initial authentication/authorization process;
Step 303: the authenticator obtains the mobile station MAC address, or information containing the mobile station MAC address (such as network access identifier (NAI) information), by receiving the Access-Accept message from the AAA server;
Step 304: the authenticator and the mobile station side each generate AK and its context;
Step 305: the authenticator sends the generated AK and its context to the base station, including the mobile station MAC address or information containing the mobile station MAC address (such as NAI information);
Step 306: the base station obtains the mobile station MAC address;
Step 307: the base station and the mobile station side each generate CMAC_KEY_U/D and their context;
Step 308: the mobile station and the base station carry out the three-way handshake to verify AK. At the same time the base station sends the TEK generation parameter NONCE to the mobile station.
Step 309: the mobile station and the base station each generate TEK; from then on the newly generated keys are used to protect the transmission of data over the air interface;
Step 310: the mobile station and the base station carry out the registration process and negotiate the other capabilities not covered by pre-capability negotiation.
Fig. 4 is a schematic diagram of one composition of the air interface key generating apparatus of the present invention. As shown in Fig. 4, the apparatus comprises a first acquiring unit 40 and a first generation unit 41. The first acquiring unit 40 is used to obtain the TSTID information of the mobile station: on the mobile station side it is obtained from the notification message received from the base station, and on the base station side the base station simply reads the TSTID it assigned. The first generation unit 41 is used, during the initial authentication process, to generate the air interface derivative keys using the TSTID information in place of the mobile station MAC address information. The derivative keys comprise CMAC_KEY_U, CMAC_KEY_D and TEK, or additionally KEK. The generation method is the same as described above and is not repeated here.
As shown in Fig. 4, the air interface key generating apparatus of the present invention also comprises a second acquiring unit 42, a second generation unit 43 and a replacing unit 44. The second acquiring unit 42 is used to obtain the MAC address information of the mobile station or the station identifier (STID) information of the mobile station; the manner of obtaining it differs between the mobile station and the base station. The second generation unit 43 is used to generate the air interface derivative keys using the mobile station MAC address information or the STID information, again in the manner described above. The replacing unit 44 is used to replace the air interface derivative keys generated by the first generation unit 41 with the air interface derivative keys generated by the second generation unit 43. The second generation unit 43 is triggered after the base station obtains the AMS MAC address or the mobile station obtains the STID, or after re-authentication.
Those skilled in the art will appreciate that the second acquiring unit 42, the second generation unit 43 and the replacing unit 44 are not essential features for implementing the air interface key generating apparatus of the present invention.
Those skilled in the art should understand that the functions implemented by the processing units of the air interface key generating apparatus shown in Fig. 4 can be understood with reference to the description of the methods shown in Fig. 1 and Fig. 2 above; the function of each unit can be implemented by a program running on a processor or by corresponding logic circuits.
Fig. 5 is a schematic diagram of another composition of the air interface key generating apparatus of the present invention. As shown in Fig. 5, the apparatus comprises an acquiring unit 50 and a generation unit 51. The acquiring unit 50 is used to obtain the mobile station MAC address information from the network side during the initial authentication process, and the generation unit 51 is used to generate the air interface derivative keys using the mobile station MAC address information obtained by the acquiring unit. The acquiring unit 50 is located on the base station side: after the mobile station and the network side complete EAP authentication, the AAA server delivers the mobile station MAC address, or information containing it (such as the NAI), to the authenticator in the Access-Accept message, and the authenticator in turn delivers this information to the acquiring unit 50. On the mobile station side, the mobile station extracts its own MAC address directly and can then generate the keys. In this case all air interface key derivations can continue to use the AMS MAC address as an input parameter.
Those skilled in the art should understand that the functions implemented by the processing units of the air interface key generating apparatus shown in Fig. 5 can be understood with reference to the description of the method shown in Fig. 3 above; the function of each unit can be implemented by a program running on a processor or by corresponding logic circuits.
The above are only preferred embodiments of the present invention and are not intended to limit its scope of protection.

Claims (18)

1. A method for generating an air interface key, characterized by comprising:
during the initial authentication process, generating the air interface derivative keys using temporary station identifier (TSTID) information in place of the mobile station MAC address information.
2. The method according to claim 1, characterized in that the method further comprises:
after the mobile station reports its MAC address information to the base station, or after the base station assigns station identifier (STID) information to the mobile station, or after re-authentication, generating the air interface derivative keys using the mobile station MAC address information or the STID information, and replacing with them the air interface derivative keys generated using the TSTID information.
3. The method according to claim 1 or 2, characterized in that the method further comprises: appending a random number after the least significant bit (LSB) or the most significant bit (MSB) of the TSTID or STID and using the result as an input parameter of the air interface key.
4. The method according to claim 3, characterized in that the method further comprises: the base station adding the random number at the LSB position or the MSB position of the TSTID or STID before sending the TSTID or STID.
5. The method according to claim 1, characterized in that the derivative keys comprise the uplink integrity protection key CMAC_KEY_U, the downlink integrity protection key CMAC_KEY_D and the traffic encryption key TEK;
or, the derivative keys comprise CMAC_KEY_U, CMAC_KEY_D, TEK and the key encryption key KEK.
6. The method according to claim 5, characterized in that the input parameters for generating the AK comprise one or any combination of the following: PMK, TSTID, base station identifier ABSID.
7. The method according to claim 6, characterized in that the input parameters for generating the TEK comprise one or any combination of the following: AK, TSTID, the random number NONCE generated by the base station, the security association identifier SAID, the network re-entry key counter CMAC_KEY_COUNT.
8. The method according to claim 6, characterized in that the input parameters for generating CMAC_KEY_U and CMAC_KEY_D comprise one or any combination of the following: AK, TSTID, base station identifier ABSID, CMAC_KEY_COUNT.
9. A method for generating an air interface key, characterized by comprising:
during the initial authentication process, the base station generating the air interface derivative keys using the mobile station MAC address information provided by the network side.
10. The method according to claim 9, characterized in that the network side providing the mobile station MAC address information comprises:
after the mobile station completes initial authentication, the AAA server on the network side delivering the mobile station MAC address information to the authenticator, and the authenticator delivering the mobile station MAC address information to the base station.
11. The method according to claim 9 or 10, characterized in that the derivative keys comprise CMAC_KEY_U, CMAC_KEY_D and TEK;
or, the derivative keys comprise CMAC_KEY_U, CMAC_KEY_D, TEK and KEK.
12. An apparatus for generating an air interface key, characterized by comprising:
a first acquiring unit, used to obtain the mobile station TSTID information; and
a first generation unit, used, during the initial authentication process, to generate the air interface derivative keys using the TSTID information in place of the mobile station MAC address information.
13. The apparatus according to claim 12, characterized in that the apparatus further comprises:
a second acquiring unit, used to obtain the mobile station MAC address information or the station identifier (STID) information of the mobile station;
a second generation unit, used to generate the air interface derivative keys using the mobile station MAC address information or the STID information; and
a replacing unit, used to replace the air interface derivative keys generated by the first generation unit with the air interface derivative keys generated by the second generation unit.
14. The apparatus according to claim 12 or 13, characterized in that the derivative keys comprise CMAC_KEY_U, CMAC_KEY_D and TEK;
or, the derivative keys comprise CMAC_KEY_U, CMAC_KEY_D, TEK and KEK.
15. The apparatus according to claim 14, characterized in that the input parameters with which the first generation unit generates the AK comprise one or any combination of the following: PMK, TSTID, ABSID.
16. The apparatus according to claim 15, characterized in that the input parameters with which the first generation unit generates the TEK comprise one or any combination of the following: AK, TSTID, NONCE, SAID, CMAC_KEY_COUNT.
17. The apparatus according to claim 15, characterized in that the input parameters with which the first generation unit generates CMAC_KEY_U and CMAC_KEY_D comprise one or any combination of the following: AK, TSTID, ABSID, CMAC_KEY_COUNT.
18. An apparatus for generating an air interface key, characterized by comprising:
an acquiring unit, used to obtain the mobile station MAC address information from the network side during the initial authentication process; and
a generation unit, used to generate the air interface derivative keys using the mobile station MAC address information obtained by the acquiring unit.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN200910087097.3A CN101583130B (en) 2009-06-18 2009-06-18 The generation method and apparatus of air interface key

Publications (2)

Publication Number Publication Date
CN101583130A true CN101583130A (en) 2009-11-18
CN101583130B CN101583130B (en) 2015-09-16

Family

ID=41365032

Country Status (1)

Country Link
CN (1) CN101583130B (en)

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1351789A (en) * 1999-05-21 2002-05-29 国际商业机器公司 Method and apparatus for initializing secure communications among and for exclusively pairing wireless devices
CN1968494A (en) * 2005-11-15 2007-05-23 华为技术有限公司 Playback attack prevention method
US20070157024A1 (en) * 2005-12-30 2007-07-05 Greg Miller Automatic configuration of devices upon introduction into a networked environment
CN101047945A (en) * 2006-03-28 2007-10-03 华为技术有限公司 Mobile communication system and customer temporary identity distribution method
CN101047505A (en) * 2006-03-27 2007-10-03 华为技术有限公司 Method and system for setting safety connection in network application PUSH service
US20080108303A1 (en) * 2006-11-07 2008-05-08 Fujitsu Limited Radio base station, relay station and radio communication method
CN101299888A (en) * 2008-06-16 2008-11-05 中兴通讯股份有限公司 Cryptographic key generation method, switching method, mobile management entity and customer equipment
CN101400059A (en) * 2007-09-28 2009-04-01 华为技术有限公司 Cipher key updating method and device under active state
CN101411115A (en) * 2006-03-31 2009-04-15 三星电子株式会社 System and method for optimizing authentication procedure during inter access system handovers

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102196427A (en) * 2010-03-05 2011-09-21 中兴通讯股份有限公司 Air interface key updating method and system
WO2011153852A1 (en) * 2010-06-07 2011-12-15 中兴通讯股份有限公司 Method for updating air interface key, core network node, and wireless access system thereof
US8938071B2 (en) 2010-06-07 2015-01-20 Zte Corporation Method for updating air interface key, core network node and radio access system

Also Published As

Publication number Publication date
CN101583130B (en) 2015-09-16

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
TR01 Transfer of patent right
    Effective date of registration: 20180716
    Address after: California, USA
    Patentee after: Global Innovation Polymerization LLC
    Address before: 518057 Nanshan District high-tech Industrial Park, Shenzhen, Guangdong, Ministry of justice, Zhongxing Road, South China road.
    Patentee before: ZTE Corp.
CF01 Termination of patent right due to non-payment of annual fee
    Granted publication date: 20150916