CN101938743B - Generation method and device of safe keys - Google Patents

Generation method and device of safe keys Download PDF

Info

Publication number
CN101938743B
CN101938743B CN200910151993.1A CN200910151993A CN101938743B CN 101938743 B CN101938743 B CN 101938743B CN 200910151993 A CN200910151993 A CN 200910151993A CN 101938743 B CN101938743 B CN 101938743B
Authority
CN
China
Prior art keywords
key
kdf
algorithm
keys
rrcint
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN200910151993.1A
Other languages
Chinese (zh)
Other versions
CN101938743A (en
Inventor
李静岚
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
ZTE Corp
Original Assignee
ZTE Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by ZTE Corp filed Critical ZTE Corp
Priority to CN200910151993.1A priority Critical patent/CN101938743B/en
Priority to PCT/CN2010/072691 priority patent/WO2011006390A1/en
Publication of CN101938743A publication Critical patent/CN101938743A/en
Application granted granted Critical
Publication of CN101938743B publication Critical patent/CN101938743B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Landscapes

  • Storage Device Security (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention discloses a generation method of safe keys. When the three safe keys of an AS (Access Layer) are generated: if an encryption algorithm is a null algorithm, a signaling integrity protection key is generated by only one calling of a KDF (Key Derivation Function), and a signaling encryption key and a user data encryption key are directly set as 0; if the encryption algorithm is not the null algorithm, parameters for generating any two keys are combined, and in the process of once calling the KDF, the two keys can be obtained, thus, the three keys can be generated by only twice calling the KDF; and meanwhile, the invention discloses a generation device of the safe keys, and the utilization ratio of key generation resources can be improved and the time delay of the whole key generation system can be reduced through the method or the device.

Description

A kind of generation method and apparatus of safe key
Technical field
The present invention relates to mobile communication security fields, relate in particular to a kind of generation method and apparatus of safe key.
Background technology
At Long Term Evolution (LTE; Long Term Evolution) in system; the Radio Resource of network is controlled (RRC; Radio Resource Control) function is placed on the Node B (eNB of evolution; Evolved NodeB) on, so the corresponding safety protecting mechanism of RRC also is placed among eNB thereupon.One's name is legion due to the eNB deployment, distribution area is wide, between Access Layer, each network entity is all still high degree of dispersion from the geographical position in logic, operator can't carry out in safe collection it at all and control, each eNB is in non-security zone, so each eNB needs self to generate and each subscriber equipment (UE, User Equipment) between be used for the key of Access Layer (AS, Access Stratum) security mechanism.
Description according to 3GPP TS33.401 agreement, Mobility Management Entity (MME in core net, the initial context of Mobility Management Entity) initiating is set up in process, eNB need to set up AS root key K entrained in request message according to this initial context after the initial context of receiving MME is set up request message eNB, use key-function (KDF, Key Derivation Function) to generate three keys that are used for AS integrity protection and encryption: signaling integrity protection key K RrcInt, signaling encryption key K RrcEnc, the ciphering user data key K UpEnc, the length of these three keys is the regular length of 128 bits.
When the RRC of network switches or re-establishes, the fresh down hop that need to provide according to the MME of core net (NH, Next Hop) value or current K eNB, generate new AS root key K * eNBWhen there is no fresh NH value, need to generate K according to target physical residential quarter ID (PCI, Target Physical Cell ID), target physical cell downlink carrier frequency (EARFCN-DL, Target Physical Cell Downlink Frequency) * eNBGenerate K * eNBAfter, then according to K * eNBUse KDF to produce three keys that are used for AS integrity protection and encryption.
What KDF adopted is HMAC-SHA-256 (Keyed-Hash Message Authentication Code-Secure Hash Algorithm-256) algorithm, it has two input parameters, one is character string (S), one is AS root key (Key), these two parameters are all variable lengths, in the LTE system, Key is for fixing 256 bits; The output of KDF is fixed as 256 bits.
In prior art, use KDF to generate three key K RrcInt, K RrcEnc, K UpEncProcess, as shown in Figure 1:
Step 101: be configured to respectively generate K RrcInt, K RrcEnc, K UpEncCharacter string input parameter S1, S2, the S3 of KDF;
Be configured to respectively generate K RrcInt, K RrcEnc, K UpEncCharacter string input parameter S1, S2, the S3 of KDF, wherein,
S1=FC‖P0 RrcInt‖L0 RrcInt‖P1 RrcInt‖L1 RrcInt
S2=FC‖P0 RrcEnc‖L0 RrcEnc‖P1 RrcEnc‖L1 RrcEnc
S3=FC‖P0 UpEnc‖L0 UpEnc‖P1 UpEnc‖L1 UpEnc
Wherein: " ‖ " represents series connection; FC is the KDF instance identification, is used for sign different K DF example, and when using KDF to generate three safe keys that are used for AS, its value is 0x15; P0 iBe algorithm types sign (algorithm type distinguisher), concrete value sees Table 1; L0 iP0 iByte length; RrcInt, RrcEnc and UpEnc in above-mentioned i expression; Herein, RrcInt, RrcEnc and UpEnc as lower target parameter respectively to being applied to generate K RrcInt, K RrcEnc, K UpEncParameter; Wherein, P0 RrcIntRRC-int-alg in corresponding table 1; P0 RrcEncRRC-enc-alg in corresponding table 1; P0 UpEncUP-enc-alg in corresponding table 1; P1 iBe the encryption adopted or the sign (algorithm identity) of protection algorithm integrallty, concrete value sees Table 2, such as: when the cryptographic algorithm of selecting is empty algorithm, i.e. Null ciphering algorithm in table 2, P1 iValue is 0x00, but according to the description of 3GPP TS33.401 agreement, to K RrcIntAlgorithm can not be empty algorithm; L1 iP1 iByte length;
algorithm type distinguisher Value
RRC-enc-alg 0x03
RRC-int-alg 0x04
UP-enc-alg 0x05
Table 1
algorithm identity Value
128-EIA1 SNOW 3G 0x01
128-EIA2 AES 0x02
Null ciphering algorithm 0x00
128-EEA1 SNOW 3G based algorithm 0x01
128-EEA2 AES based algorithm 0x02
Table 2
Step 102: call KDF, when the RRC of network initial safe activated, the input parameter of KDF was S1 and K eNBWhen the RRC of network switched or re-establishes, the input parameter of KDF was S1 and K * eNB, obtain the KDF output string of 256 bits;
Step 103: low 128 bits of intercepting KDF output string are as K RrcInt
Step 104: call KDF, when the RRC of network initial safe activated, the input parameter of KDF was S2 and K eNBWhen the RRC of network switched or re-establishes, the input parameter of KDF was S2 and K * eNBObtain the KDF output string of 256 bits;
Step 105: low 128 bits of intercepting KDF output string are as K RrcEnc
Step 106: call KDF, when the RRC of network initial safe activated, the input parameter of KDF was S3 and K eNBWhen the RRC of network switched or re-establishes, the input parameter of KDF was S3 and K * eNBObtain the KDF output string of 256 bits;
Step 107: low 128 bits of intercepting KDF output string are as K UpEnc
Can find out in order to generate three keys for AS from top process, need to call KDF three times, call at every turn and obtain a key; And the output of each KDF is 256 bits, but the length of each key is only required 128 bits, so each invoked procedure has only utilized the part of KDF output.Obviously, such key generation method has not only reduced resource utilization, and has increased the time delay of whole key generation system.
Summary of the invention
In view of this, main purpose of the present invention is to provide a kind of generation method and apparatus of safe key, improves key and generates resource utilization, and reduce the time delay of whole key generation system.
For achieving the above object, technical scheme of the present invention is achieved in that
The present invention realizes a kind of generation method of safe key, and when generating the safe key of Access Layer AS, the method comprises:
If the cryptographic algorithm of selecting is empty algorithm:
Signaling encryption key and ciphering user data key directly are set to 0; Be configured to generate the character string input parameter of the key-function KDF of signaling integrity protection key, call KDF, generate signaling integrity protection key by the KDF output string that obtains;
If the cryptographic algorithm of selecting is not empty algorithm:
To form a character string for the parameter splicing of wherein two keys that generate signaling integrity protection key, signaling encryption key and ciphering user data key, character string input parameter as KDF, call KDF, generate described two keys by the KDF output string that obtains;
Be configured to generate the character string input parameter of the KDF of a key remaining in signaling integrity protection key, signaling encryption key and ciphering user data key, call KDF, generate described key by the KDF output string that obtains.
The described character string input parameter that is configured to generate the KDF of signaling integrity protection key; be specially: choose for the parameter that generates signaling integrity protection key: the byte length of the byte length of KDF instance identification, algorithm types sign, algorithm types sign, protection algorithm integrallty sign, protection algorithm integrallty sign; described each parameter is connected, be configured to the character string input parameter of KDF.
When described cryptographic algorithm selecting is empty algorithm, generate signaling integrity protection key by the KDF output string of receiving, be specially: 128 bits of intercepting KDF output string are as described signaling integrity protection key.
Described will the splicing for the parameter that generates two keys forms a character string; be specially: choose the parameter for two keys that generate signaling integrity protection key, signaling encryption key and ciphering user data key; comprise: the byte length of byte length, encryption or the protection algorithm integrallty sign of KDF instance identification, algorithm types sign, algorithm types sign, encryption or protection algorithm integrallty sign, described each parameter is connected to be spliced into forms a character string.
The generation method of described a kind of safe key, if the cryptographic algorithm of selecting is not empty algorithm,
Described two keys of described generation are specially: intercept 128 bits of described KDF output string as a key in described two keys, then 128 bits that intercept described KDF output string are as another key in described two keys;
The described key of described generation is specially: intercept 128 bits of described KDF output string as a described remaining key.
The described KDF that calls is specially: KDF obtains described KDF output string with the character string input parameter of AS root key and described KDF as input parameter.
The present invention realizes a kind of generating apparatus of safe key, and this device comprises:
The first string argument constructing module, be used for when the cryptographic algorithm of selecting is not empty algorithm, to form a character string for the parameter splicing of wherein two keys that generate signaling integrity protection key, signaling encryption key and ciphering user data key, as the first character string input parameter of KDF;
The second string argument constructing module, be used for when the cryptographic algorithm of selecting is not empty algorithm, be configured to generate the second character string input parameter of the KDF of a key remaining in signaling integrity protection key, signaling encryption key and ciphering user data key, be sent to the KDF processing module; When the cryptographic algorithm of selecting is empty algorithm, be configured to generate the second character string input parameter of the KDF of signaling integrity protection key, be sent to the KDF processing module;
The KDF processing module is used for obtaining the KDF output string, and the described KDF output string that will be obtained by the first character string input parameter of described KDF sends to respectively the first key production module and the second key production module; The described KDF output string that will be obtained by the second character string input parameter of described KDF sends to the 3rd key production module;
The first key production module is used for when the cryptographic algorithm of selecting is not empty algorithm, by a key in described two keys of described KDF output string generation of receiving; When the cryptographic algorithm of selecting is empty algorithm, with 0 as signaling encryption key or ciphering user data key;
The second key production module is used for when the cryptographic algorithm of selecting is not empty algorithm, by another key in described two keys of described KDF output string generation of receiving; When the cryptographic algorithm of selecting is empty algorithm, this module with 0 as ciphering user data key or signaling encryption key;
The 3rd key production module is used for when the cryptographic algorithm of selecting is not empty algorithm, generates a described remaining key by the described KDF output string of receiving; When the cryptographic algorithm of selecting is empty algorithm, generate signaling integrity protection key by the KDF output string of receiving.
This device also comprises:
AS root key module is used for providing the AS root key to the KDF processing module.
A kind of safe key provided by the invention generates method and apparatus, when generating three keys of AS: if when cryptographic algorithm is empty algorithm, K RrcEnc, K UpEncDirectly be set to 0, only need to call a KDF generates K RrcIntWhen if cryptographic algorithm is not empty algorithm, to splice be used to the parameter that generates the key of any two, call again the process of a KDF, just can obtain this two keys, like this, the generation of three keys only need to be called twice KDF and be got final product, thereby omitted once the generative process of complicated key (can omit the generative process of two secondary keys when cryptographic algorithm is sky), obviously can reduce the amount of calculation of key generation and the time delay of key generation system, when accessing a plurality of UE especially at the same time, this advantage is more remarkable.
Description of drawings
Fig. 1 is used for the generative process schematic diagram of three keys of AS in prior art;
Fig. 2 is the generation method flow schematic diagram of realizing safe key in the present invention;
Fig. 3 is the generation method flow schematic diagram of the cryptographic algorithm selected in the present invention safe key when being empty algorithm;
Fig. 4 is with K in the present invention RrcEncAnd K UpEncThe method flow schematic diagram of the safe key that generates in once calling the KDF process;
Fig. 5 is with K in the present invention RrcIntAnd K RrcEncThe method flow schematic diagram of the safe key that generates in once calling the KDF process;
Fig. 6 is with K in the present invention RrcIntAnd K UpEncThe method flow schematic diagram of the safe key that generates in a KDF process;
Fig. 7 is the structural representation of device of realizing the generation of safe key in the present invention.
Embodiment
Basic thought of the present invention is: when generating the safe key that is used for AS, if the cryptographic algorithm of selecting is empty algorithm, equal not to be encrypted process, can not generate K so RrcEncAnd K UpEnc, directly with K RrcEncAnd K UpEncTwo keys are set to 0, call KDF and only generate K RrcIntOtherwise, be configured to generate the wherein character string input parameter of the KDF of any two keys, call KDF, generate this two keys by the KDF output string that obtains; At last, be configured to generate the KDF output string of a remaining key, call KDF, generate this key by the KDF output string that obtains.
Embodiment one: the generative process of safe key as shown in Figure 2, before generating safe key, the communicating pair of network consults the interception way to the KDF output string that generates three keys, and each interception way had better not be identical, three keys that namely generate are different, can strengthen fail safe, the method comprises following step:
Step 201: if selected cryptographic algorithm is empty algorithm, equal not to be encrypted process, can not generate K so RrcEncAnd K UpEnc, with K RrcEncAnd K UpEncTwo keys directly are set to 0, turn step 205, if selected cryptographic algorithm is not empty algorithm, turn step 202;
Step 202: when the cryptographic algorithm of selecting is not empty algorithm, choose K RrcInt, K RrcEncAnd K UpEncIn two be respectively the first key K AS1With the second key K AS2, choose for generating K AS1And K AS2Parameters, and be spliced into for generating K AS1And K AS2The character string input parameter (S1) of KDF;
Choose for generating K AS1Parameter: P0 Key1, L0 Key1, P1 Key1And L1 Key1, and be used for generating K AS2Parameter: P0 Key2, L0 Key2, P1 Key2And L1 Key2FC=0x15; Will be for generating K AS1And K AS2Parameter be spliced into the character string input parameter S1 of KDF, that is:
S1=FC‖P0 Key1‖L0 Key1‖P1 Key1‖L1 Key1‖P0 Key2‖L0 Key2‖P1 Key2‖L1 Key2
Wherein, " ‖ " represents series connection, P0 iChoose P1 according to table 1 iChoose L0 according to table 3 iBe P0 iByte length, L1 iBe P1 iByte length, according to table 1 and table 3, L0 i, L1 iValue be all 0x0001, i.e. byte length, the i here represents Key1, Key2, Key1, Key2 are respectively K AS1And K AS2In corresponding RrcInt, RrcEnc and UpEnc two;
algorithm identity Value
128-EIA1 SNOW 3G 0x01
128-EIA2 AES 0x02
128-EEA1 SNOW 3G based algorithm 0x01
128-EEA2 AES based algorithm 0x02
Table 3
Step 203: call KDF, when the RRC of network initial safe activated, its input parameter was S1 and K eNBWhen the RRC of network switched or re-establishes, its input parameter was S1 and K * eNBObtain the KDF output string of 256 bits;
Step 204: the interception way according to the communicating pair of network consults intercepts respectively the 128 different bits of KDF output string as K AS1And K AS2
Step 205: when the cryptographic algorithm of selecting is empty algorithm, with K RrcIntAs the 3rd key K AS3When the cryptographic algorithm of selecting is not empty algorithm, choose K RrcInt, K RrcEncAnd K UpEncIn remaining one be K AS3Be configured to generate K AS3The character string input parameter (S2) of KDF;
When the cryptographic algorithm of selecting is empty algorithm, K AS3Be K RrcInt, choose for generating K RrcIntThe parameter P0 of S2 RrcInt, L0 RrcInt, P1 RrcInt, L1 RrcInt, FC=0x15, the structure S2 be:
S2=FC‖P0 RrcInt‖L0 RrcInt‖P1 RrcInt‖L1 RrcInt
Wherein, P0 RrcIntChoose according to table 1; P1 RrcIntBe chosen for 0x04 according to table 3; L0 RrcIntBe P0 RrcIntByte length, L1 RrcIntBe P1 RrcIntByte length, according to table 1 and table 3, L0 RrcInt, L1 RrcIntValue be all 0x0001, i.e. byte length;
When the cryptographic algorithm of selecting is not empty algorithm, choose K RrcInt, K RrcEncAnd K UpEncIn remaining one be K AS3, choose for generating K AS3The parameter P0 of S2 Key3, L0 Key3, P1 Key3, L1 Key3, FC=0x15, the structure S2 be:
S2=FC‖P0 Key3‖L0 Key3‖P1 Key3‖L1 Key3
Wherein, P0 Key3Choose P1 according to table 1 Key3Choose L0 according to table 3 Key3Be P0 Key3Byte length, L1 Key3Be P1 Key3Byte length, according to table 1 and table 3, L0 Key3, L1 Key3Value be all 0x0001, i.e. byte length, Key3 is K AS3In corresponding RrcInt, RrcEnc and UpEnc one;
Step 206: call KDF, when the RRC of network initial safe activated, its input parameter was S2 and K eNBWhen the RRC of network switched or re-establishes, its input parameter was S2 and K * eNBObtain the KDF output string of 256 bits;
Step 207: according to the interception way that the communicating pair of network consults, 128 bits of intercepting KDF output string are as K AS3, current safety key generative process finishes.
By said method, can obtain K AS1, K AS2And K AS3Corresponding K separately RrcInt, K RrcEncAnd K UpEnc
Embodiment two: when the cryptographic algorithm of selecting is empty algorithm, what the intercepting of KDF output string was adopted is to high or low 128 bits of KDF output string intercepting, the present invention realizes the embodiment of the generation method of safe key, as shown in Figure 3, comprises the following steps:
Step 301: directly signaling encryption key and data encryption key are set to 0, i.e. K RrcEnc=0, K UpEnc=0;
Step 302: be configured to generate K RrcIntThe character string input parameter (S) of KDF;
Choose for generating K RrcIntParameter: P0 RrcInt, L0 RrcInt, P1 RrcInt, L1 RrcInt, FC=0x15, structure K RrcIntThe character string input parameter of KDF be:
S=FC‖P0 RrcInt‖L0 RrcInt‖P1 RrcInt‖L1 RrcInt
Wherein, P0 RrcIntChoose according to table 1, i.e. P0 RrcIntBe 0x04, P1 RrcIntChoose L0 according to table 3 RrcIntBe P0 RrcIntByte length, L1 RrcIntBe P1 RrcIntByte length, according to table 1 and table 3, L0 RrcInt, L1 RrcIntValue be all 0x0001, i.e. byte length, for example:
According to table 3, work as P1 RrcIntDuring for 128-EIA1SNOW 3G:
S=0x15‖0x04‖0x0001‖0x01‖0x0001,
And for example, work as P1 RrcIntDuring for 128-EIA2AES, S=0x15 ‖ 0x04 ‖ 0x0001 ‖ 0x02 ‖ 0x0001;
Step 303: call KDF, when the RRC of network initial safe activated, its input parameter was S and K eNBWhen the RRC of network switched or re-establishes, its input parameter was S and K * eNBObtain the KDF output string of 256 bits;
Step 304: high or low 128 bits of intercepting KDF output string are as K RrcInt
Embodiment three: when the cryptographic algorithm of selecting is not empty algorithm, with K RrcEncAnd K UpEncGenerate in the process of once calling KDF, what the intercepting of KDF output string was adopted is to KDF output string high 128 bits of intercepting or low 128 bits, the present invention realizes a kind of embodiment of generation method of safe key, as shown in Figure 4, comprises the following steps:
Step 401: choose for generating K RrcEncAnd K UpEncParameters, and be spliced into the character string input parameter (S1) of KDF;
Concrete, choose for generating K RrcEncParameter: P0 RrcEnc, L0 RrcEnc, P1 RrcEnc, L1 RrcEnc, and be used for generating K UpEncParameter: P0 UpEnc, L0 UpEnc, P1 UpEnc, L1 UpEncWherein, P0 iChoose P1 according to table 1 iChoose L0 according to table 3 iBe P0 iByte length, L1 iBe P1 iByte length, according to table 1 and table 3, L0 i, L1 iValue be all 0x0001, i.e. byte length, the i here represents RrcEnc, UpEnc, namely according to table 1, P0 RrcEncBe 0x03, P0 UpEncBe 0x05; Be spliced into for generating K RrcEncAnd K UpEncThe character string input parameter of KDF be:
S1=FC ‖ P0 RrcEnc‖ L0 RrcEnc‖ P1 RrcEnc‖ L1 RrcEnc‖ P0 UpEnc‖ L0 UpEnc‖ P1 UpEnc‖ L1 UpEnc, for example:
According to table 3, work as P1 RrcEncAnd P1 UpEncBe 128-EIA1SNOW 3G, the time:
S1=0x15‖0x03‖0x0001‖0x01‖0x0001‖0x05‖0x0001‖0x01‖0x0001,
Perhaps, work as P1 RrcEncAnd P1 UpEncDuring for 128-EEA2AES based algorithm:
S1=0x15‖0x03‖0x0001‖0x02‖0x0001‖0x05‖0x0001‖0x02‖0x0001;
Step 402: call KDF, when the RRC of network initial safe activated, its input parameter was S1 and K eNBWhen the RRC of network switched or re-establishes, its input parameter was S1 and K * eNBObtain the KDF output string of 256 bits;
Step 403: high 128 bits of intercepting KDF output string are as K RrcEnc, low 128 bits of intercepting KDF output are as K UpEncPerhaps, high 128 bits of intercepting KDF output string are as K UpEnc, low 128 bits of intercepting KDF output are as K RrcEnc
Step 404: be configured to generate K RrcIntThe character string input parameter (S2) of KDF:
Choose for generating K RrcIntParameter: P0 RrcInt, L0 RrcInt, P1 RrcInt, L1 RrcInt, FC=0x15 is used for generating K RrcIntThe character string input parameter of KDF be:
S2=FC‖P0 RrcInt‖L0 RrcInt‖P1 RrcInt‖L1 RrcInt
Wherein, P0 RrcIntChoose P0 according to table 1 RrcIntBe 0x04; P1 RrcIntChoose according to table 3; L0 RrcIntBe P0 RrcIntByte length, L1 RrcIntBe P1 RrcIntByte length, according to table 1 and table 3, L0 RrcInt, L1 RrcIntValue be all 0x0001, i.e. byte length, for example:
According to table 3, work as P1 RrcIntDuring for 128-EIA1SNOW 3G:
S2=0x15‖0x04‖0x0001‖0x01‖0x0001,
Perhaps work as P1 RrcIntDuring for 128-EIA2AES:
S2=0x15‖0x04‖0x0001‖0x02‖0x0001;
Step 405: call KDF, when the RRC of network initial safe activated, its input parameter was S2 and K eNBWhen the RRC of network switched or re-establishes, its input parameter was S2 and K * eNBObtain the KDF output string of 256 bits;
Step 406: high or low 128 bits of intercepting KDF output string are as K RrcInt
Embodiment four: when the cryptographic algorithm of selecting is not empty algorithm, with K RrcIntAnd K RrcEncGenerate in the process of once calling KDF, what the intercepting of KDF output string was adopted is to KDF output string high 128 bits of intercepting or low 128 bits, the present invention realizes a kind of embodiment of generation method of safe key, as shown in Figure 5, comprises the following steps:
Step 501: choose for generating K RrcIntAnd K RrcEncParameters, and be spliced into the character string input parameter (S1) of KDF;
Concrete, choose for generating K RrcIntParameter: P0 RrcInt, L0 RrcInt, P1 RrcInt, L1 RrcInt, be used for generating K RrcEncParameter: P0 RrcEnc, L0 RrcEnc, P1 RrcEnc, L1 RrcEncFC=0x15; Be spliced into for generating K RrcIntAnd K RrcEncThe character string input parameter of KDF be:
S1=FC‖P0 RrcInt‖L0 RrcInt‖P1 RrcInt‖L1 RrcInt‖P0 RrcEnc‖L0 RrcEnc‖P1 RrcEnc‖L1 RrcEnc
Wherein, P0 iChoose P1 according to table 1 iChoose L0 according to table 3 iBe P0 iByte length, L1 iBe P1 iByte length, according to table 1 and table 3, L0 i, L1 iValue be all 0x0001, i.e. byte length, the i here represents RrcInt, RrcEnc, namely according to table 1, P0 RrcIntBe 0x04, P0 RrcEncBe 0x03; For example:
According to table 3, work as P1 RrcIntBe 128-EIA1SNOW 3G and P1 RrcEncDuring for 128-EEA1SNOW3G based algorithm:
S1=0x15‖0x04‖0x0001‖0x01‖0x0001‖0x03‖0x0001‖0x01‖0x0001;
And for example, work as P1 RrcIntBe 128-EIA2AES and P1 RrcEncDuring for 128-EEA2AES basedalgorithm:
S1=0x1‖0x04‖0x0001‖0x02‖0x00015‖0x03‖0x0001‖0x02‖0x0001;
And for example, work as P1 RrcIntBe 128-EIA1SNOW 3G and P1 RrcEncDuring for 128-EEA2AES based algorithm:
S1=0x15‖0x04‖0x0001‖0x01‖0x0001‖0x03‖0x0001‖0x02‖0x0001;
For another example, work as P1 RrcIntBe 128-EIA2AES and P1 RrcEncDuring for 128-EEA1 SNOW 3G based algorithm:
S1=0x15‖0x04‖0x0001‖0x02‖0x0001‖0x03‖0x0001‖0x01‖0x0001;
Step 502: call KDF, when the RRC of network initial safe activated, its input parameter was S1 and K eNBWhen the RRC of network switched or re-establishes, its input parameter was S1 and K * eNBObtain the KDF output string of 256 bits;
Step 503: high 128 bits of intercepting KDF output string are as K RrcInt, low 128 bits of intercepting KDF output string are as K RrcEncPerhaps intercept high 128 bits of KDF output string as K RrcEnc, low 128 bits of intercepting KDF output string are as K RrcInt
Step 504: be configured to generate K UpEncThe character string input parameter (S2) of KDF;
Choose for generating K UpEncParameter: P0 UpEnc, L0 UpEnc, P1 UpEnc, L1 UpEnc, FC is configured to generate K UpEncThe character string input parameter of KDF be:
S2=FC‖P0 UpEnc‖L0 UpEnc‖P1 UpEnc‖L1 UpEnc
Wherein, " ‖ " represents series connection, P0 UpEncChoose according to table 1, i.e. P0 UpEncBe 0x05, P1 UpEncChoose L0 according to table 3 UpEncBe P0 UpEncByte length, L1 UpEncBe P1 UpEncByte length, according to table 1 and table 3, L0 UpEnc, L1 UpEncValue be all 0x0001, i.e. byte length, FC=0x15; For example:
According to table 3, work as P1 UpEncDuring for 128-EIA1SNOW 3G:
S2=0x15‖0x05‖0x0001‖0x01‖0x0001;
And for example, work as P1 UpEncDuring for 128-EIA2AES:
S2=0x15‖0x05‖0x0001‖0x02‖0x0001;
Step 505: call KDF, when the RRC of network initial safe activated, its input parameter was S2 and K eNBWhen the RRC of network switched or re-establishes, its input parameter was S2 and K * eNBObtain the KDF output string of 256 bits;
Step 506: high or low 128 bits of intercepting KDF output string are as K UpEnc
Embodiment five: when the cryptographic algorithm of selecting is not empty algorithm, with K RrcIntAnd K UpEncGenerate in once calling the KDF process, what the intercepting of KDF output string was adopted is that the present invention realizes a kind of embodiment of generation method of safe key, as shown in Figure 6, comprises the following steps to high or low 128 bits of KDF output string intercepting:
Step 601: choose for generating K RrcIntAnd K UpEncParameters, and be spliced into for generating K RrcIntAnd K UpEncThe character string input parameter (S1) of KDF;
Concrete, choose for generating K RrcIntParameter: P0 RrcInt, L0 RrcInt, P1 RrcInt, L1 RrcInt, be used for generating K UpEncParameter: P0 UpEnc, L0 UpEnc, P1 UpEnc, L1 UpEncFC=0x15; Be spliced into for generating K RrcIntAnd K UpEncThe character string input parameter of KDF be:
S1=FC‖P0 RrcInt‖L0 RrcInt‖P1 RrcInt‖L1 RrcInt‖P0 UpEnc‖L0 UpEnc‖P1 UpEnc‖L1 UpEnc
Wherein, " ‖ " represents series connection, P0 iChoose P1 according to table 1 iChoose L0 according to table 3 iBe P0 iByte length, L1 iBe P1 iByte length, according to table 1 and table 3, L0 i, L1 iValue be all 0x0001, i.e. byte length, the i here represents RrcInt, UpEnc, namely according to table 1, P0 RrcIntBe 0x04, P0 UpEncBe 0x05;
For example:
According to table 3, work as P1 RrcIntBe 128-EIA1SNOW 3G, P1 UpEncDuring for 128-EEA1SNOW 3Gbased algorithm:
S1=0x15‖0x04‖0x0001‖0x01‖0x0001‖0x05‖0x0001‖0x01‖0x0001;
And for example, work as P1 RrcIntBe 128-EIA2 AES, P1 UpEncDuring for 128-EEA2 AES based algorithm:
S1=0x15‖0x04‖0x0001‖0x02‖0x0001‖0x05‖0x0001‖0x02‖0x0001;
And for example, work as P1 RrcIntBe 128-EIA1SNOW 3G, P1 UpEncDuring for 128-EEA2AES basedalgorithm:
S1=0x15‖0x04‖0x0001‖0x01‖0x0001‖0x05‖0x0001‖0x02‖0x0001;
For another example, work as P1 RrcIntBe 128-EIA2AES, P1 UpEncDuring for 128-EEA1SNOW 3G based algorithm:
S1=0x15‖0x04‖0x0001‖0x02‖0x0001‖0x05‖0x0001‖0x01‖0x0001;
Step 602: call KDF, when the RRC of network initial safe activated, its input parameter was S1 and K eNBWhen the RRC of network switched or re-establishes, its input parameter was S1 and K * eNBObtain the KDF output string of 256 bits;
Step 603: high 128 bits of intercepting KDF output string are as K RrcInt, low 128 bits of intercepting KDF output string are as K UpEncPerhaps, high 128 bits of intercepting KDF output string are as K UpEnc, low 128 bits of intercepting KDF output string are as K RrcInt
Step 604: be configured to generate K RrcEncThe character string input parameter (S2) of KDF:
Choose for generating K RrcEncParameter: P0 RrcEnc, L0 RrcEnc, P1 RrcEnc, L1 RrcEnc, FC=0x15 is configured to generate K RrcEncThe character string input parameter of KDF be:
S2=FC‖P0 RrcEnc‖L0 RrcEnc‖P1 RrcEnc‖L1 RrcEnc
Wherein, " ‖ " represents series connection, P0 RrcEncChoose according to table 1, i.e. P0 RrcEncBe 0x03, P1 RrcEncChoose L0 according to table 3 RrcEncBe P0 RrcEncByte length, L1 RrcEncBe P1 RrcEncByte length, according to table 1 and table 3, L0 RrcEnc, L1 RrcEncValue be all 0x0001, i.e. byte length;
For example:
According to table 3, work as P1 RrcEncDuring for 128-EIA1 SNOW 3G:
S2=0x15‖0x03‖0x0001‖0x01‖0x0001;
And for example, work as P1 RrcEncDuring for 128-EIA2AES:
S2=0x15‖0x03‖0x0001‖0x02‖0x0001;
Step 605: call KDF, when the RRC of network initial safe activated, its input parameter was S2 and K eNBWhen the RRC of network switched or re-establishes, its input parameter was S2 and K * eNBObtain the KDF output string of 256 bits;
Step 606: high or low 128 bits of intercepting KDF output string are as K RrcEnc
Based on above-mentioned method, realize the device that safe key generates in the present invention, before generating safe key, the communicating pair of network consults the interception way to the KDF output string that generates three keys, and each interception way had better not be identical, three keys that namely generate are different, and as shown in Figure 7, this device comprises:
The first string argument constructing module 71, the second string argument constructing module 72, KDF processing module 74, the first key production module 75, the second key production module 76, the 3rd key production module 77; Wherein,
The first string argument constructing module 71, be used for when the cryptographic algorithm of selecting is not empty algorithm, be configured to generate the first character string input parameter of KDF of wherein two keys of signaling integrity protection key, signaling encryption key and ciphering user data key, the first character string input parameter is sent to KDF processing module 74; Be configured to generate the character string input parameter of the KDF of two keys, specifically: will form a character string be used to the parameter splicing that generates described two keys, as the character string input parameter of KDF, the parameter of choosing is; The byte length of byte length, encryption or the protection algorithm integrallty sign of the KDF instance identification relevant with each key, algorithm types sign, algorithm types sign, encryption or protection algorithm integrallty sign; when the cryptographic algorithm of selecting was empty algorithm, this module was not worked.
The second string argument constructing module 72, be used for when the cryptographic algorithm of selecting is not empty algorithm, be configured to generate the second character string input parameter of the KDF of a key remaining in signaling integrity protection key, signaling encryption key and ciphering user data key, be sent to KDF processing module 74; When the cryptographic algorithm of selecting is empty algorithm, be configured to generate the second character string input parameter of the KDF of signaling integrity protection key, be sent to KDF processing module 74;
KDF processing module 74, be used for when the cryptographic algorithm of selecting is not empty algorithm, obtain the KDF output string, the KDF output string that will be obtained by the first character string input parameter that the first string argument constructing module 71 transmits sends to respectively the first key production module 75 and the second key production module 76; The KDF output string that will be obtained by the second character string input parameter that the second string argument constructing module 72 transmits sends to the 3rd key production module 77; When the cryptographic algorithm of selecting was empty algorithm, the KDF output string that only will be obtained by the second character string input parameter that the second string argument constructing module 72 transmits sent to the 3rd key production module 77;
The first key production module 75 is used for when the cryptographic algorithm of selecting be not empty algorithm, and the interception way that consults according to the communicating pair of network is by a key in described two keys of KDF output string generation of receiving; When the cryptographic algorithm of selecting is empty algorithm, with 0 as signaling encryption key or ciphering user data key;
The second key production module 76 is used for when the cryptographic algorithm of selecting be not empty algorithm, and the interception way that consults according to the communicating pair of network is by another key in described two keys of KDF output string generation of receiving; When the cryptographic algorithm of selecting is empty algorithm, this module with 0 as ciphering user data key or signaling encryption key;
The 3rd key production module 77 is used for when the cryptographic algorithm of selecting be not empty algorithm, and the interception way according to the communicating pair of network consults generates by the KDF output string of receiving a key that is left; When the cryptographic algorithm of selecting is empty algorithm, generate signaling integrity protection key by the KDF output string of receiving;
KDF processing module 74 arranges can arrange the first string argument constructing module 71 and the first key production module 75 in correspondence, the second key production module 76 is corresponding, is about to send to respectively the first key production module 75, the second key production module 76 by the KDF output string that the first character string input parameter that the first string argument constructing module 71 transmits obtains; Correspondingly, the second string argument constructing module 72 is set corresponding with the 3rd key production module 77, is about to send to the 3rd key production module 77 by the KDF output string that the second character string input parameter that the second string argument constructing module 72 transmits obtains.
The above KDF output string can be 256 bits, and any 128 bits of each key production module intercepting KDF output string are as the gained key.
Further, this device also comprises: AS root key module 73;
AS root key module 73 is used for providing the AS root key to KDF processing module 74, particularly, when the RRC of network initial safe activates, provides another input parameter of KDF: K eNBWhen the RRC of network switches or re-establishes, provide another input parameter of KDF: K * eNB
The above is only preferred embodiment of the present invention, is not for limiting protection scope of the present invention, all any modifications of doing within the spirit and principles in the present invention, is equal to and replaces and improvement etc., within all should being included in protection scope of the present invention.

Claims (8)

1. the generation method of a safe key, is characterized in that, when generating the safe key of Access Layer AS, the method comprises:
If the cryptographic algorithm of selecting is empty algorithm:
Signaling encryption key and ciphering user data key directly are set to 0; Be configured to generate the character string input parameter of the key-function KDF of signaling integrity protection key, call KDF, generate signaling integrity protection key by the KDF output string that obtains;
If the cryptographic algorithm of selecting is not empty algorithm:
To form a character string for the parameter splicing of wherein two keys that generate signaling integrity protection key, signaling encryption key and ciphering user data key, character string input parameter as KDF, call KDF, generate described two keys by the KDF output string that obtains;
Be configured to generate the character string input parameter of the KDF of a key remaining in signaling integrity protection key, signaling encryption key and ciphering user data key, call KDF, generate described key by the KDF output string that obtains.
2. the generation method of a kind of safe key according to claim 1; it is characterized in that; the described character string input parameter that is configured to generate the KDF of signaling integrity protection key; be specially: choose for the parameter that generates signaling integrity protection key: the byte length of the byte length of KDF instance identification, algorithm types sign, algorithm types sign, protection algorithm integrallty sign, protection algorithm integrallty sign; described each parameter is connected, be configured to the character string input parameter of KDF.
3. the generation method of a kind of safe key according to claim 1 and 2; it is characterized in that; when described cryptographic algorithm selecting is empty algorithm; generate signaling integrity protection key by the KDF output string of receiving, be specially: 128 bits of intercepting KDF output string are as described signaling integrity protection key.
4. the generation method of a kind of safe key according to claim 1, it is characterized in that, described will the splicing for the parameter that generates two keys forms a character string, be specially: choose for generating signaling integrity protection key, the parameter of two keys in signaling encryption key and ciphering user data key, comprise: the KDF instance identification, the algorithm types sign, the byte length of algorithm types sign, encrypt or the protection algorithm integrallty sign, the byte length of encryption or protection algorithm integrallty sign, described each parameter is connected to be spliced into form a character string.
5. the generation method of according to claim 1 or 4 described a kind of safe keys, is characterized in that, if the cryptographic algorithm of selecting is not empty algorithm,
Described two keys of described generation are specially: intercept 128 bits of described KDF output string as a key in described two keys, then 128 bits that intercept described KDF output string are as another key in described two keys;
The described key of described generation is specially: intercept 128 bits of described KDF output string as a described remaining key.
6. the generation method of a kind of safe key according to claim 1, is characterized in that, the described KDF that calls is specially: KDF obtains described KDF output string with the character string input parameter of AS root key and described KDF as input parameter.
7. the generating apparatus of a safe key, is characterized in that, this device comprises:
The first string argument constructing module, be used for when the cryptographic algorithm of selecting is not empty algorithm, to form a character string for the parameter splicing of wherein two keys that generate signaling integrity protection key, signaling encryption key and ciphering user data key, as the first character string input parameter of KDF;
The second string argument constructing module, be used for when the cryptographic algorithm of selecting is not empty algorithm, be configured to generate the second character string input parameter of the KDF of a key remaining in signaling integrity protection key, signaling encryption key and ciphering user data key, be sent to the KDF processing module; When the cryptographic algorithm of selecting is empty algorithm, be configured to generate the second character string input parameter of the KDF of signaling integrity protection key, be sent to the KDF processing module;
The KDF processing module is used for obtaining the KDF output string, and the described KDF output string that will be obtained by the first character string input parameter of described KDF sends to respectively the first key production module and the second key production module; The described KDF output string that will be obtained by the second character string input parameter of described KDF sends to the 3rd key production module;
The first key production module is used for when the cryptographic algorithm of selecting is not empty algorithm, by a key in described two keys of described KDF output string generation of receiving; When the cryptographic algorithm of selecting is empty algorithm, with 0 as signaling encryption key or ciphering user data key;
The second key production module is used for when the cryptographic algorithm of selecting is not empty algorithm, by another key in described two keys of described KDF output string generation of receiving; When the cryptographic algorithm of selecting is empty algorithm, this module with 0 as ciphering user data key or signaling encryption key;
The 3rd key production module is used for when the cryptographic algorithm of selecting is not empty algorithm, generates a described remaining key by the described KDF output string of receiving; When the cryptographic algorithm of selecting is empty algorithm, generate signaling integrity protection key by the KDF output string of receiving.
8. the generating apparatus of a kind of safe key according to claim 7, is characterized in that, this device also comprises:
AS root key module is used for providing the AS root key to the KDF processing module.
CN200910151993.1A 2009-06-30 2009-07-15 Generation method and device of safe keys Active CN101938743B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN200910151993.1A CN101938743B (en) 2009-06-30 2009-07-15 Generation method and device of safe keys
PCT/CN2010/072691 WO2011006390A1 (en) 2009-07-15 2010-05-12 Method and device for generating security keys

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
CN200910158444.7 2009-06-30
CN200910158444 2009-06-30
CN200910151993.1A CN101938743B (en) 2009-06-30 2009-07-15 Generation method and device of safe keys

Publications (2)

Publication Number Publication Date
CN101938743A CN101938743A (en) 2011-01-05
CN101938743B true CN101938743B (en) 2013-05-08

Family

ID=43391826

Family Applications (1)

Application Number Title Priority Date Filing Date
CN200910151993.1A Active CN101938743B (en) 2009-06-30 2009-07-15 Generation method and device of safe keys

Country Status (1)

Country Link
CN (1) CN101938743B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8953789B2 (en) * 2011-06-01 2015-02-10 International Business Machines Corporation Combining key control information in common cryptographic architecture services
WO2018227480A1 (en) * 2017-06-15 2018-12-20 Qualcomm Incorporated Refreshing security keys in 5g wireless systems
CN110191084A (en) * 2019-03-27 2019-08-30 青岛海信电子设备股份有限公司 The encapsulation of IPsec data, method of reseptance and device
WO2021196047A1 (en) * 2020-03-31 2021-10-07 华为技术有限公司 Key processing method and apparatus

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1601957A (en) * 2003-09-22 2005-03-30 华为技术有限公司 Method of distributing group secret keys
CN101039180A (en) * 2007-05-09 2007-09-19 中兴通讯股份有限公司 Method and system for generating and transmitting key
CN101257723A (en) * 2008-04-08 2008-09-03 中兴通讯股份有限公司 Method, apparatus and system for generating cipher key

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1601957A (en) * 2003-09-22 2005-03-30 华为技术有限公司 Method of distributing group secret keys
CN101039180A (en) * 2007-05-09 2007-09-19 中兴通讯股份有限公司 Method and system for generating and transmitting key
CN101257723A (en) * 2008-04-08 2008-09-03 中兴通讯股份有限公司 Method, apparatus and system for generating cipher key

Also Published As

Publication number Publication date
CN101938743A (en) 2011-01-05

Similar Documents

Publication Publication Date Title
US10187202B2 (en) Key agreement for wireless communication
US11856402B2 (en) Identity-based message integrity protection and verification for wireless communication
CN102257842B (en) Enhanced security for direct link communications
Choudhury et al. Enhancing user identity privacy in LTE
CN101511084B (en) Authentication and cipher key negotiation method of mobile communication system
US9088408B2 (en) Key agreement using a key derivation key
CN102057617A (en) Cryptographic key generation
EP3503496B1 (en) Secure establishment method, system and decive of a wireless local area network
US11082843B2 (en) Communication method and communications apparatus
CN108810890A (en) Anchor key generation method, equipment and system
US10320917B2 (en) Key negotiation processing method and apparatus
EP2648437B1 (en) Method, apparatus and system for key generation
CN104661217A (en) Authentication and key derivation method and system based on TD-LTE (time division-long term evolution) network
CN101938743B (en) Generation method and device of safe keys
CN105764052A (en) TD-LTE authentication and protective encryption method
CN104735626A (en) Achieving method and device for trunking group communication public security
Deng et al. A novel 3GPP SAE authentication and key agreement protocol
WO2022237561A1 (en) Communication method and apparatus
Farhat et al. An extended authentication and key agreement protocol of UMTS
CN110536289A (en) Key providing method and device thereof, mobile terminal, communication equipment and storage medium
RU2781250C2 (en) Method for key formation, user equipment, device, computer-readable data carrier and communication system
CN108809635B (en) Anchor key generation method, device and system
Huang et al. A secure wireless communication system by integrating RSA and Diffie-Hellman PKDS in 4G environments and an intelligent protection-key chain with a data connection core
Peng et al. A novel key derivation method for eavesdropper in LTE system
CN111212424A (en) Method and system for authenticating UE during interoperation from EPS to 5GS

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant