WO2007147354A1 - Method and system for retrieving service key - Google Patents


Publication number
WO2007147354A1
Authority
WO
WIPO (PCT)
Prior art keywords
key
push service
push
naf
service
Prior art date
Application number
PCT/CN2007/070098
Other languages
French (fr)
Chinese (zh)
Inventor
Chengdong He
Yanmei Yang
Original Assignee
Huawei Technologies Co., Ltd.
Priority date
Filing date
Publication date
Application filed by Huawei Technologies Co., Ltd.
Publication of WO2007147354A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network

Definitions

  • The present invention relates to the field of authentication technologies, and in particular to a method and system for acquiring a service key in a service initiated by the network side.
  • Background of the invention
  • The Generic Authentication Architecture (GAA) is a user authentication structure used by various application service entities, and provides keys for secure communication when users access application services.
  • The application service may be a multicast/broadcast service, a user certificate service, an instant information delivery service, or a proxy service.
  • A GAA usually consists of a user terminal (UE) 101, a bootstrapping server function (BSF) 102 that performs the initial check and verification of the user identity, a home subscriber server (HSS) 103, a subscriber locator function (SLF) 104 that locates the HSS, and a network application function (NAF) 105.
  • The BSF 102 performs mutual identity authentication with the UE 101 and generates a key shared by the BSF 102 and the UE 101; the HSS 103 stores a profile describing user information, and the HSS 103 also generates authentication information.
  • the interface between the entities is shown in Figure 1.
  • FIG. 2 is a flow chart of obtaining a NAF-related key for a UE to initiate a service in the GAA. As shown in Figure 2, the specific steps are as follows:
  • Steps 201 to 202 The UE determines that a certain service is to be initiated to a certain NAF, and determines whether it has saved indication information that the NAF requires GAA authentication. If yes, go to step 205; otherwise, go to step 203.
  • Steps 203 to 204 The UE acquires the GAA authentication indication information from the NAF.
  • Step 205 The UE performs a GAA authentication and key agreement process with the BSF. After the authentication is passed, a shared key Ks is generated between the UE and the BSF, and the UE calculates a NAF related key used for communication with the NAF according to the Ks: Ks_NAF .
  • Steps 206 to 207 The UE sends an application request message carrying a temporary identity (B-TID) to the NAF, and then the NAF sends a key request message carrying the B-TID to the BSF.
  • B-TID temporary identity
  • Step 208 After receiving the key request message, the BSF finds the corresponding Ks according to the B-TID, calculates the NAF-related key Ks_NAF according to the Ks, and returns the Ks_NAF to the NAF, so that the NAF thereafter uses the Ks_NAF to communicate with the UE.
  • Step 301 The NAF determines to initiate a push service to the UE, and sends a key request message to the BSF, where the message carries a permanent identity of the UE, such as an IP Multimedia Private Identity (IMPI) or an IP Multimedia User Public Identity (IMPU).
  • IMPI IP Multimedia Private Identity
  • IMPU IP Multimedia User Public Identity
  • Step 302 After receiving the key request message, the BSF determines whether it has negotiated with the UE to obtain an available Ks. If yes, go to step 303; otherwise, go to step 306.
  • Steps 303 to 304 The BSF calculates the NAF-related key according to the Ks, and returns the NAF-related key and the B-TID to the NAF. After that, the NAF carries the B-TID and the NAF_ID in the Push message and sends the message to the UE.
  • the BSF associates the Ks with the B-TID of the UE, and stores the correspondence between the B-TID and the permanent identity of the UE.
  • the Push message may carry data encrypted using the NAF related key.
  • Step 305 After receiving the Push message, the UE finds the Ks according to the B-TID, and calculates the NAF related key, and the process ends. If the Push message carries the encrypted data, the UE may decrypt the encrypted data by using the calculated NAF related key.
  • Steps 306 to 307 The BSF obtains a set of authentication vectors from the HSS, calculates Ks according to the set of authentication vectors, and obtains a NAF-related key. It then returns to the NAF the NAF-related key and the authentication token (AUTN) in the set of authentication vectors, and may also return the authentication random number (RAND) in the set of authentication vectors and/or the lifetime of the NAF-related key and/or the B-TID.
  • Step 308 The NAF carries the AUTN and the NAF_ID in the push message and sends the message to the UE.
  • The Push message may contain encrypted data, and may further carry RAND or B-TID.
  • The Ks used when the NAF initiates the Push service and when the UE actively initiates a service, and the method for calculating the NAF-related key from the Ks, are the same, so the generated NAF-related key is also the same.
  • The problem is: if the UE has initiated a service to the NAF before the NAF initiates the Push service to the UE, the NAF must already have saved the NAF-related key used for communication with the UE. Therefore, when it initiates the push service, the NAF does not need to send a key request to the BSF, but can directly use the NAF-related key of the UE-initiated service to perform the push service.
  • The Push service then passes for a service initiated by the UE.
  • The NAF will use the network resources for free, causing losses to the operator;
  • if the usage fee of the Push service is higher than the usage fee of a service actively initiated by the UE, this will also cause losses to the operator.
  • The embodiments of the present invention provide a method and a system for acquiring a service key, so as to prevent the NAF from using network resources for free and to prevent a service initiated by the NAF from impersonating a UE-initiated service, thereby reducing the operator's loss.
  • A method for obtaining a service key, including:
  • the NAF determines that a push service is to be initiated, and sends a push service key request to the BSF;
  • after receiving the push service key request, the BSF obtains the push service Ks, calculates a push service key according to the push service Ks and the push service key calculation method, and returns the push service key to the NAF;
  • after receiving the push service key, the NAF sends a push message to the UE;
  • after receiving the push message, the UE obtains the push service Ks, and calculates the push service key according to the push service Ks and the push service key calculation method.
  • A system for obtaining a service key, comprising:
  • the NAF, which determines that the Push service is to be initiated and sends a Push service key request to the BSF, and which, after receiving the Push service key, sends the Push message to the UE;
  • the BSF, which receives the Push service key request sent by the NAF, calculates the Push service key according to the Push service Ks and the Push service key calculation method, and returns the Push service key to the NAF;
  • the UE, which receives the Push message sent by the NAF, and calculates the Push service key according to the Push service Ks and the Push service key calculation method.
  • The embodiment of the present invention obtains the push service key calculation formula for services actively initiated by the network side by changing the key calculation formula used when the UE actively initiates a service, or adds a push service authorization flag parameter for the push service key, so that the key of a service actively initiated by the NAF can be distinguished from the key of a service initiated by the UE. This prevents a NAF that has not subscribed to the Push service from using the Push service, and prevents the NAF from passing off a Push service as a service initiated by the UE, so that network resources are used reasonably and the loss of the operator is reduced.
  • Brief description of the drawings
  • FIG. 1 is a schematic view showing the structure of the GAA;
  • FIG. 2 is a flowchart of the existing procedure for acquiring the NAF-related key of a service initiated by a UE under GAA;
  • FIG. 3 is a flowchart of the existing procedure for obtaining a service key for a service initiated by a NAF under GAA;
  • FIG. 4 is a flowchart of obtaining a service key of a service initiated by a NAF in a GAA according to Embodiment 1 of the present invention;
  • FIG. 5 is a flowchart of obtaining a service key of a service initiated by a NAF in a GAA according to Embodiment 2 of the present invention;
  • FIG. 6 is a flowchart of obtaining a service key for a service initiated by a NAF in a GAA according to Embodiment 3 of the present invention;
  • FIG. 7 is a system composition diagram of obtaining a service key of a service initiated by a NAF in a GAA according to an embodiment of the present invention.
  • Mode for carrying out the invention
  • FIG. 4 is a flowchart of obtaining a service key of a push service initiated by a NAF in a GAA according to Embodiment 1 of the present invention. As shown in FIG. 4, the specific steps are as follows:
  • Step 401 The NAF determines that a push service is to be initiated to a certain UE.
  • Step 402 The NAF determines whether it saves the push service key corresponding to the UE. If yes, go to step 407; otherwise, go to step 403.
  • the NAF associates the push service key with the B-TID of the UE, and saves the correspondence between the B-TID and the permanent identity of the UE.
  • the NAF may save the push service key corresponding to the UE.
  • Step 403 The NAF sends a key request message to the BSF, where the message carries the UE permanent identity, NAF-ID, and the like.
  • the user's permanent identity can be the user's IMPI or International Mobile Subscriber Identity (IMSI), or it can be other identifiers such as: Public User Identity (IMPU) or pseudonym. If it is another identifier, the BSF or HSS should be able to know the IMPI or IMSI corresponding to the identifier.
  • IMSI International Mobile Subscriber Identity
  • Step 404 After receiving the key request message, the BSF learns, according to the user permanent identity and/or the push service type identifier carried in the message, that the key request is a push service key request, and then determines, according to the NAF_ID carried in the message, whether the NAF is authorized to perform the push service. If yes, step 405 is performed; otherwise, a rejection message is returned to the NAF, and the process ends.
  • The BSF can determine, according to whether the key request carries the B-TID or the permanent identity of the user, whether the request is for a service initiated by the UE or for a push service initiated by the NAF.
  • Step 405 The BSF determines, according to the permanent identity of the UE carried in the message, whether it has a Ks corresponding to the permanent identity of the UE. If yes, go to step 406; otherwise, go to step 409.
  • Step 406 The BSF calculates the push service key by using a preset push service key algorithm according to the Ks, and the push service key and the B-TID are carried in the key response message and sent to the NAF.
  • the message may also include: a Push service key validity period, and the like.
  • The push service key algorithm can be obtained by changing and/or extending the calculation parameters in the existing formula for calculating the NAF-related key from Ks, and/or by adding calculation parameters to that existing formula.
  • NAF related key .
  • P0 is "gba-me" / "gba-u"
  • P1 is RAND
  • P2 is IMPI encoded according to UTF-8 encoding
  • P3 is NAF_ID
  • FC is the authentication type
  • The push service key calculation formula can be obtained by using one or a combination of the following paths: Path 1: Extend the parameters in the prior-art formula for calculating the NAF-related key.
  • For example, the NAF_ID can be extended.
  • The NAF_ID includes the FQDN and the Ua interface security protocol identifier.
  • The FQDN is the domain name of the NAF.
  • The present invention can further include a GAA push service type identifier in the NAF_ID, or extend the Ua interface security protocol identifier, that is, add to the existing Ua interface security protocol identifier values a value indicating Generic Bootstrapping Architecture (GBA) push.
  • GBA Generic Bootstrapping Architecture
  • Path 2 Change the parameters in the prior-art formula for calculating the NAF-related key. For example, the value of the static string "gba-me" / "gba-u" can be changed, such as changing "gba-me" / "gba-u" to "gba-me-push" / "gba-u-push". The application protocol identifier in the NAF_ID can also be changed, for example from the existing application protocol identifier to an application protocol identifier that identifies the push service. The value of the authentication type can also be changed, such as setting the FC to a value different from 0x01 to indicate the push service authentication type.
  • Path 3 Add new calculation parameters in the calculation formula of the prior art calculation NAF related key.
  • a new calculation parameter px representing the GAA push service type identifier can be added.
  • the formula for the push business key is changed to:
  • Push service key = KDF(Ks, "gba-me" / "gba-u", RAND, IMPI, NAF_ID, px)
  • px may be a preset fixed value, and both the BSF and the UE may hold the fixed value of px or may be a value temporarily generated by the BSF. If the value is temporarily generated by the BSF, but the UE cannot generate the px temporary value, the BSF sends the px temporary value to the UE through the NAF.
  • Step 407 The NAF sends a push message carrying the B-TID and the NAF-ID to the UE, and the push message may further include data encrypted by using the push service key.
  • Step 408 After receiving the push message, the UE finds the corresponding Ks according to the B-TID carried in the message, and obtains the push service key by using the same push service key algorithm as the BSF. This process ends.
  • the UE decrypts the encrypted data using the push service key.
  • Step 409 The BSF obtains, from the HSS, a set of authentication vectors corresponding to the UE permanent identity.
  • Step 410 The BSF calculates Ks according to the group of authentication vectors, calculates a push service key according to the Ks and a preset push service key algorithm, and carries the push service key, the B-TID, and the AUTN in the authentication vector in the key response message sent to the NAF.
  • The key response message may further include: a Push service key validity period, the RAND in the authentication vector, and the like.
  • Step 411 After receiving the service key response, the NAF sends a push message carrying the NAF-ID and the AUTN to the UE, and the push message may further include data encrypted by using the push service key, and/or RAND, and/or B-TID.
  • Step 412 After receiving the push message, the UE authenticates the network according to the AUTN carried in the message, calculates Ks, and obtains the push service key from the Ks by using the same preset push service key algorithm as the BSF. The process ends.
  • The UE decrypts the encrypted data using the push service key.
  • The embodiment shown in FIG. 4 uses the same Ks as when the UE actively initiates a service, and obtains the push service key by changing the parameters other than Ks in the existing formula for calculating the NAF-related key used when the UE actively initiates a service. This implements push service authentication and ensures that the key used for a service initiated by the UE to a certain NAF differs from the key used for a push service initiated by that NAF to the UE.
  • FIG. 5 is a flowchart of obtaining a service key of a PUSH service initiated by a NAF in a GAA according to Embodiment 2 of the present invention. As shown in FIG. 5, the specific steps are as follows:
  • Steps 501-503 are the same as steps 401-403.
  • Step 504 After receiving the key request message, the BSF learns, according to the user permanent identity and/or the push service type identifier carried in the message, that the key request is a push service key request, and then determines, according to the NAF_ID carried in the message, whether the NAF is authorized to perform the push service. If yes, step 505 is performed; otherwise, a rejection message is returned to the NAF, and the process ends.
  • Step 505 The BSF determines, according to the permanent identity of the UE carried in the message, whether there is a Ks dedicated to the push service corresponding to the UE identifier, and if yes, executing step 506; otherwise, performing step 509.
  • the Ks specifically used for the push service mentioned in this step refers to the Ks different from the value of the Ks that the UE actively initiates the service.
  • Step 506 The BSF calculates a Ks derived key according to the Ks, and uses the Ks derived key as a push service key, and carries the push service key and the B-TID in a key response message and sends the key to the NAF.
  • the response message may further include: a Push service key validity period, and the like.
  • The BSF calculates the push service key by using the same algorithm that is used to calculate the NAF-related key when the UE actively initiates a service.
  • Steps 507-508 are the same as steps 407-408.
  • Step 509 The BSF obtains, from the HSS, a set of authentication vectors corresponding to the UE permanent identity.
  • Step 510 The BSF calculates Ks according to the group of authentication vectors, saves the Ks as dedicated to the push service, calculates a Ks derived key according to the Ks as the push service key, and carries the push service key, the B-TID, and the AUTN in the authentication vector in the key response message sent to the NAF. The key response message may further include: a validity period of the Push service key, the RAND in the authentication vector, and the like.
  • the Ks is associated with the B-TID.
  • the Ks dedicated to the push service can be saved in the following manner:
  • Method 1 The Ks dedicated to the push service is associated with the B-TID and the AUTN.
  • Method 2 Set a push service flag for the Ks dedicated to the push service.
  • The Ks dedicated to the push service of all the UEs are stored separately in a file. When a key request message for the push service that carries the permanent identity of the UE is received from the NAF, the file is searched for a Ks corresponding to the UE permanent identity.
  • Steps 511 to 512 are the same as steps 411 to 412.
  • The embodiment shown in FIG. 5 obtains the push service key by using a Ks dedicated to the push service, whose value differs from the value of the parameter Ks in the algorithm for calculating the NAF-related key used when the UE actively initiates a service. This implements push service authentication and ensures that the key used for a service initiated by the UE to a certain NAF differs from the key used for a push service initiated by that NAF to the UE.
  • The present invention may also change the parameters of the NAF-related key used when the UE actively initiates a service, and change the type of algorithm used to calculate that NAF-related key, to obtain the push service key.
  • KDF1 such as: SHA1
  • KDF2 algorithms such as the MD5 algorithm can be used.
  • FIG. 6 is a flowchart of obtaining a service key of a PUSH service initiated by a NAF in a GAA according to Embodiment 3 of the present invention. As shown in FIG. 6, the specific steps are as follows:
  • Steps 601 to 603 are the same as steps 501 to 503.
  • Step 604 After receiving the key request message, the BSF learns, according to the user permanent identity and/or the push service type identifier carried in the message, that the key request is a push service key request, and then determines, according to the NAF_ID carried in the message, whether the NAF is authorized to perform the push service. If yes, step 605 is performed; otherwise, a rejection message is returned to the NAF, and the process ends.
  • Step 605 The BSF determines, according to the permanent identity of the UE carried in the message, whether it has a Ks corresponding to the permanent identity of the UE. If yes, go to step 606; otherwise, go to step 610.
  • Step 606 The BSF calculates the Ks derived key according to the Ks as the push service key, and carries the push service key, the B-TID, and the push service authorization flag parameter in the key response message and sends the message to the NAF.
  • the key response message may further include: a Push service key validity period, and the like.
  • The BSF has a key pair: a private key and a public key. The BSF uses the private key to digitally sign one or a combination of the B-TID, the NAF-ID, the push service key, a variable that it maintains itself specifically for calculating the authorization flag parameter, and the like; the digital signature is the push service authorization flag parameter.
  • The UE may verify, according to the public key, whether the push service authorization flag parameter is correct. Specifically, the UE can obtain the public key in three ways. Method 1: the public key is pre-configured on the UE. Method 2: the BSF sends the public key to the NAF through the key response message, and the NAF then sends the public key to the UE through the push message. Method 3: the BSF sends the public key certificate serial number to the NAF, the NAF then sends the public key certificate serial number to the UE through the push message, and the UE obtains the public key according to the public key certificate serial number.
  • The BSF may also use the Ks or the push service key to apply an encryption algorithm or a digest algorithm to parameters such as the B-TID, the NAF-ID, the push service key, and a variable that is specifically used to calculate the authorization flag parameter, to obtain the push service authorization flag parameter; correspondingly, the UE uses the Ks or the push service key to verify whether the push service authorization flag parameter is correct.
  • Step 607 After receiving the key response message, the NAF sends a push message carrying the B-TID, the NAF-ID, and the authorization flag parameter to the UE, and the push message may further include data encrypted by using the push service key.
  • Step 608 After receiving the push message, the UE finds the corresponding Ks according to the B-TID carried in the push message, and uses the Ks to calculate the push service key.
  • Step 609 The UE determines whether the push service authorization flag parameter carried in the message is correct. If yes, accepting the push message, the process ends; otherwise, the push message is rejected, and the process ends.
  • Alternatively, the UE may first determine whether the push service authorization flag parameter carried in the message is correct. If yes, it finds the Ks according to the B-TID carried in the push message and thereby obtains the push service key; if not, the push message is directly rejected.
  • Step 610 The BSF obtains a set of authentication vectors from the HSS.
  • Step 611 The BSF calculates Ks according to the group of authentication vectors, calculates a Ks derived key as the push service key, and carries the push service key, the B-TID, the AUTN in the authentication vector, and the push service authorization flag parameter in the key response message sent to the NAF.
  • The key response message may further include: a validity period of the Push service key, the RAND in the authentication vector, and the like.
  • Step 612 After receiving the key response message, the NAF sends a push message carrying the NAF-ID, the AUTN, and the push service authorization flag parameter to the UE, where the push message may also include data encrypted with the push service key, and/or RAND, and/or B-TID.
  • Step 613 After receiving the push message, the UE authenticates the network according to the AUTN carried in the push message, calculates the Ks, and calculates a push service key according to the Ks.
  • Step 614 The UE determines whether the push service authorization flag parameter carried in the message is correct, and if yes, accepts the push message; otherwise, rejects the push message.
  • the embodiment shown in FIG. 6 is to digitally sign the push service key, that is, to add an authorization flag parameter to verify whether the push service key is correct, thereby achieving the purpose of push service authentication.
  • FIG. 7 is a structural diagram of a system for acquiring the key of a Push service initiated by a NAF according to an embodiment of the present invention. As shown in FIG. 7, the system mainly includes: NAF 71, BSF 72, UE 73, and HSS 74, where:
  • NAF 71 determines that the Push service is to be initiated, and sends a Push service key request to the BSF 72. After receiving the Push service key returned by the BSF 72, it sends the Push message to the UE 73.
  • The BSF 72 receives the Push service key request sent by the NAF 71. If it detects that it has saved the Push service Ks corresponding to the permanent identity of the UE carried in the request message, it calculates the Push service key according to the Push service Ks and the Push service key calculation method that it has saved. Otherwise, it obtains the authentication vector corresponding to the permanent identity of the UE from the HSS 74, calculates the Push service Ks according to the authentication vector, and calculates the Push service key according to the Push service Ks and the saved Push service key calculation method. It then returns the Push service key to the NAF 71.
  • The UE 73 receives the Push message sent by the NAF 71, calculates the Push service Ks according to the authentication token carried in the message, and calculates the Push service key according to the Push service Ks and the Push service key calculation method.
  • HSS 74 saves the Push service Ks corresponding to the UE permanent identity.
  • The embodiment of the present invention changes the key calculation formula used when the UE actively initiates a service to obtain the push service key calculation formula for services actively initiated by the network side, or adds a push service authorization flag parameter to the push service key, so that the key of a service actively initiated by the NAF can be distinguished from the key of a service initiated by the UE. This prevents a NAF that has not subscribed to the Push service from using the Push service, and prevents the NAF from passing off a Push service as a service initiated by the UE, so that network resources are used reasonably and the loss of the operator is reduced.
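
The key separation of Embodiment 1 (Paths 2 and 3) and the digest form of the push service authorization flag of Embodiment 3, as an added example that is not part of the patent text. It assumes the KDF is HMAC-SHA-256 over S = FC || P0 || L0 || P1 || L1 || ..., the layout of 3GPP TS 33.220 Annex B, which this page does not spell out. FC_PUSH_EXAMPLE, the px value, the flag encoding, and every sample input are constructed for illustration.

```python
import hashlib
import hmac

FC_UE_INITIATED = 0x01   # FC value the page gives for the existing formula
FC_PUSH_EXAMPLE = 0x7F   # hypothetical "value different from 0x01" (Path 2)


def kdf(ks: bytes, fc: int, *params: bytes) -> bytes:
    """HMAC-SHA-256 keyed with Ks over S = FC || P0 || L0 || P1 || L1 || ..."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")  # each Pi is followed by its 2-octet length
    return hmac.new(ks, s, hashlib.sha256).digest()


def make_naf_id(fqdn: str, ua_protocol_id: bytes) -> bytes:
    """NAF_ID = FQDN of the NAF followed by the Ua security protocol identifier."""
    return fqdn.encode("utf-8") + ua_protocol_id


def derive_key(ks, rand, impi, naf_id, *, label=b"gba-me",
               fc=FC_UE_INITIATED, px=None) -> bytes:
    """Existing formula by default; label, fc or px select one of the page's paths."""
    params = [label, rand, impi.encode("utf-8"), naf_id]
    if px is not None:  # Path 3: one additional calculation parameter px
        params.append(px)
    return kdf(ks, fc, *params)


def authorization_flag(ks, b_tid, naf_id, service_key, counter) -> bytes:
    """Embodiment 3, digest variant: MAC over B-TID, NAF_ID, key and a BSF variable."""
    fields = (b_tid.encode("utf-8"), naf_id, service_key, counter.to_bytes(8, "big"))
    # Length-prefix every field so two different tuples never serialise alike.
    msg = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    # Keyed with Ks, which the NAF never receives. The page also allows keying
    # with the push service key, but the NAF holds that key and could then
    # compute the flag itself.
    return hmac.new(ks, b"push-auth-flag" + msg, hashlib.sha256).digest()


def ue_accepts_push(ks, b_tid, naf_id, service_key, counter, flag) -> bool:
    """UE side of steps 609/614: recompute the flag and compare in constant time."""
    expected = authorization_flag(ks, b_tid, naf_id, service_key, counter)
    return hmac.compare_digest(expected, flag)


# Constructed sample values (not from the page).
KS = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
RAND = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
IMPI = "user@example.invalid"
B_TID = "dGVzdA==@bsf.example.invalid"
UA_ID = bytes.fromhex("0100000001")
NAF_ID = make_naf_id("naf.example.invalid", UA_ID)


def derive_all() -> dict:
    """UE-initiated key next to three push variants derived from the same Ks."""
    return {
        "ue_initiated": derive_key(KS, RAND, IMPI, NAF_ID),
        "push_label": derive_key(KS, RAND, IMPI, NAF_ID, label=b"gba-me-push"),
        "push_fc": derive_key(KS, RAND, IMPI, NAF_ID, fc=FC_PUSH_EXAMPLE),
        "push_px": derive_key(KS, RAND, IMPI, NAF_ID, px=b"gaa-push"),
    }


if __name__ == "__main__":
    keys = derive_all()
    for name, key in keys.items():
        print(f"{name:13s} {key.hex()}")
    svc = keys["ue_initiated"]  # Embodiment 3 leaves the derivation unchanged
    flag = authorization_flag(KS, B_TID, NAF_ID, svc, 1)
    print("flag issued by BSF accepted:", ue_accepts_push(KS, B_TID, NAF_ID, svc, 1, flag))
    forged = authorization_flag(svc, B_TID, NAF_ID, svc, 1)  # NAF only knows svc
    print("flag forged without Ks accepted:", ue_accepts_push(KS, B_TID, NAF_ID, svc, 1, forged))
```

A NAF that cached the key of a UE-initiated session holds only the `ue_initiated` value, so it can neither produce any of the push keys nor a flag that verifies under Ks.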

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

A method for retrieving a service key includes: the NAF determines that a service is to be initiated and sends a push service key request to the BSF; the BSF computes the push service key from the retrieved push service Ks using the push service key computing method and returns the push service key to the NAF; the NAF sends the push message to the UE; and the UE computes the push service key. A system for retrieving a service key includes the NAF, the BSF and the UE. The method and the system prevent a NAF that has not subscribed to the Push service from using the Push service, and prevent the NAF from passing off a Push service as a service actively initiated by the UE.

Description

获取业务密钥的方法及*** 技术领域  Method and system for obtaining service key
本发明涉及鉴权技术领域, 具体涉及应用在网络侧发起的业务中的 获取业务密钥的方法及***。 发明背景  The present invention relates to the field of authentication technologies, and in particular, to a method and system for acquiring a service key in a service initiated by a network side. Background of the invention
在第三代无线通信标准中, 通用鉴权框架(GAA )是多种应用业务 实体使用的用户身份验证结构, 并为用户访问应用业务提供安全通信的 密钥。 应用业务可以是多播 /广播业务、 用户证书业务、信息即时提供业 务等, 也可以是代理业务。  In the third generation wireless communication standard, the Common Authentication Framework (GAA) is a user authentication structure used by various application service entities and provides a key for secure communication for users to access application services. The application service may be a multicast/broadcast service, a user certificate service, an information providing service immediately, or a proxy service.
Figure 1 is a schematic diagram of the GAA structure. As shown in Figure 1, the GAA usually consists of a user terminal (UE) 101, a bootstrapping authentication server entity (BSF) 102 that performs the initial check and verification of user identity, a home subscriber server (HSS) 103, a subscriber entity (SLF) 104 that locates the HSS, and a network application entity (NAF) 105. The BSF 102 performs mutual identity authentication with the UE 101 and generates the key shared by the BSF 102 and the UE 101. The HSS 103 stores a profile file that describes user information and also generates authentication information. The interfaces between the entities are shown in Figure 1.
Figure 2 is a flowchart of obtaining, under the GAA, the NAF-related key for a service initiated by the UE. As shown in Figure 2, the specific steps are as follows:
Steps 201 to 202: The UE determines that it is to initiate a service to a certain NAF and checks whether it has stored indication information that the NAF requires GAA authentication. If so, go to step 205; otherwise, go to step 203.
Steps 203 to 204: The UE obtains the GAA authentication indication information from the NAF.
Step 205: The UE and the BSF perform the GAA authentication and key agreement procedure. After authentication succeeds, a shared key Ks is generated between the UE and the BSF, and the UE calculates from Ks the NAF-related key used for communicating with the NAF: Ks_NAF.
Steps 206 to 207: The UE sends the NAF an application request message carrying a temporary identity (B-TID), and the NAF then sends the BSF a key request message carrying the B-TID.
Step 208: After receiving the key request message, the BSF finds the corresponding Ks by the B-TID, calculates the NAF-related key Ks_NAF from Ks, and returns Ks_NAF to the NAF, so that the NAF thereafter uses Ks_NAF to communicate with the UE.
With the wide application of the GAA, a need has arisen for the network side to initiate services to the user, that is, push services. To meet this need, the prior art provides a flow for obtaining, under the GAA, the service key of a service initiated by the network side, that is, of a push service initiated by the network side. As shown in Figure 3, the specific steps are as follows:
Step 301: The NAF determines that it is to initiate a push service to the UE and sends a key request message to the BSF. The message carries a permanent identity of the UE, such as an IP multimedia private identity (IMPI) or an IP multimedia public user identity (IMPU).
Step 302: After receiving the key request message, the BSF checks whether it has already negotiated a usable Ks with the UE. If so, go to step 303; otherwise, go to step 306.
Steps 303 to 304: The BSF calculates the NAF-related key from the Ks and returns the NAF-related key and the B-TID to the NAF. The NAF then sends the B-TID and the NAF_ID to the UE in a Push message.
The BSF stores the Ks in association with the UE's B-TID, and also stores the correspondence between the B-TID and the UE's permanent identity.
The Push message may carry data encrypted with the NAF-related key.
Step 305: After receiving the Push message, the UE finds the Ks by the B-TID and calculates the NAF-related key. The flow ends.
If the Push message carries encrypted data, the UE can decrypt it with the calculated NAF-related key.
Steps 306 to 307: The BSF obtains a set of authentication vectors from the HSS, calculates Ks from the set of authentication vectors, and derives the NAF-related key. It then returns to the NAF the NAF-related key and the authentication token (AUTN) from the set of authentication vectors; it may further return the authentication random number (RAND) from the set of authentication vectors and/or the lifetime of the NAF-related key and/or the B-TID.
Step 308: The NAF sends the AUTN and the NAF_ID to the UE in a push message.
The Push message may contain encrypted data and may further carry RAND or the B-TID.
Step 309: The UE calculates Ks from the AUTN and calculates the NAF-related key.
If the Push message carries encrypted data, the UE can decrypt it with the calculated NAF-related key.
As can be seen from the flows in Figures 2 and 3, the Ks used when the NAF initiates a Push service and when the UE initiates a service, and the method of calculating the NAF-related key from Ks, are the same, so the resulting NAF-related keys are also the same. The problem this creates is the following: if the UE has already initiated a service to the NAF before the NAF initiates a Push service to the UE, the NAF has certainly stored the NAF-related key used for communicating with that UE. When initiating a push service, the NAF therefore need not send a key request to the BSF at all and can run the push service directly with the NAF-related key used for the UE-initiated service. This lets a NAF use the Push service without having subscribed to it, or lets a NAF that has subscribed to the push service pass off a Push service as a UE-initiated service. In the former case, the NAF obviously uses network resources without paying, causing a loss to the operator. In the latter case, the operator also loses when the charge for the Push service is higher than the charge for a UE-initiated service.
SUMMARY OF THE INVENTION
In view of the above, embodiments of the present invention provide a method and a system for obtaining a service key, so as to prevent the NAF from using network resources without paying and from passing off a service it initiated itself as a UE-initiated service, thereby reducing the operator's loss.
To achieve the above object, the technical solution of the present invention is implemented as follows:
A method for obtaining a service key, comprising:
before initiating a service, the NAF sends a push service key request to the BSF;
after receiving the push service key request, the BSF obtains the push service Ks, calculates the push service key from the push service Ks and the push service key calculation method, and returns the push service key to the NAF;
after receiving the push service key, the NAF sends a push message to the UE;
after receiving the push message, the UE obtains the push service Ks and calculates the push service key from the push service Ks and the push service key calculation method.
A system for obtaining a service key, comprising:
a NAF, which determines that a Push service is to be initiated and sends a Push service key request to the BSF, and which sends a Push message to the UE after receiving the Push service key;
a BSF, which receives the Push service key request from the NAF, calculates the Push service key from the Push service Ks and the Push service key calculation method, and returns the Push service key to the NAF;
a UE, which receives the Push message from the NAF and calculates the Push service key from the Push service Ks and the Push service key calculation method.
Compared with the prior art, the embodiments of the present invention either obtain the push service key calculation formula for network-initiated services by modifying the key calculation formula for UE-initiated services, or add a push service authorization flag parameter for the push service key, so that the key for a NAF-initiated service can be distinguished from the key for a UE-initiated service. This prevents a NAF that has not subscribed to the Push service from using it, and prevents a NAF from passing off a Push service as a UE-initiated service, so that network resources are used properly and the operator's loss is reduced.
BRIEF DESCRIPTION OF THE DRAWINGS
Figure 1 is a schematic diagram of the GAA structure;
Figure 2 is a flowchart of the existing procedure for obtaining, under the GAA, the NAF-related key for a service initiated by the UE;
Figure 3 is a flowchart of the existing procedure for obtaining, under the GAA, the service key for a service initiated by the NAF;
Figure 4 is a flowchart, provided by Embodiment 1 of the present invention, of obtaining under the GAA the service key for a service initiated by the NAF;
Figure 5 is a flowchart, provided by Embodiment 2 of the present invention, of obtaining under the GAA the service key for a service initiated by the NAF;
Figure 6 is a flowchart, provided by Embodiment 3 of the present invention, of obtaining under the GAA the service key for a service initiated by the NAF;
Figure 7 is a composition diagram of a system, provided by an embodiment of the present invention, for obtaining under the GAA the service key for a service initiated by the NAF.
Mode for carrying out the invention
The present invention is described in further detail below with reference to the accompanying drawings and specific embodiments.
Figure 4 is a flowchart, provided by Embodiment 1 of the present invention, of obtaining under the GAA the service key of a push service initiated by the NAF. As shown in Figure 4, the specific steps are as follows:
Step 401: The NAF determines that it is to initiate a push service to a certain UE.
Step 402: The NAF checks whether it has stored a push service key corresponding to the UE. If so, go to step 407; otherwise, go to step 403.
If the NAF has stored a push service key, it stores the push service key in association with the UE's B-TID and also stores the correspondence between the B-TID and the UE's permanent identity.
If the NAF has already sent a Push message to the UE, the NAF may have stored the push service key corresponding to that UE.
Step 403: The NAF sends a key request message to the BSF. The message carries the UE's permanent identity, the NAF_ID, and so on.
The user's permanent identity may be the user's IMPI or international mobile subscriber identity (IMSI), or another identifier such as a public user identity (IMPU) or a pseudonym. If it is another identifier, the BSF or HSS must be able to determine the IMPI or IMSI that corresponds to it.
Step 404: After receiving the key request message, the BSF learns from the user permanent identity and/or the push service type identifier carried in the message that the key request is a push service key request, and then determines from the NAF_ID carried in the message whether the NAF is authorized to perform the push service. If so, go to step 405; otherwise, the BSF returns a rejection message to the NAF, and the flow ends.
When the UE initiates a service, the key request message that the NAF sends to the BSF carries a B-TID. The BSF can therefore tell, from whether the key request message carries a B-TID or the user's permanent identity, whether the key request is for a UE-initiated service or for a NAF-initiated push service.
Step 405: From the UE permanent identity carried in the message, the BSF checks whether it already holds a Ks corresponding to that UE permanent identity. If so, go to step 406; otherwise, go to step 409.
Step 406: The BSF calculates the push service key from the Ks using the preset push service key algorithm and sends the push service key and the B-TID to the NAF in a key response message. The key response message may also include the validity period of the Push service key, and so on.
The push service key algorithm can be obtained by changing and/or extending calculation parameters in the existing formula for calculating the NAF-related key from Ks, and/or by adding calculation parameters to that formula.
In the prior art, the formula for calculating the NAF-related key can be expressed as:
NAF-related key = KDF(Ks, "gba-me"/"gba-u", RAND, IMPI, NAF-ID),
where KDF denotes the algorithm type and Ks is one parameter. For the calculation, "gba-me"/"gba-u", RAND, IMPI and NAF-ID are concatenated into a string S = FC || P0 || L0 || P1 || L1 || P2 || L2 || P3 || L3 || ... || Pn || Ln, which is used as one parameter. P0 is "gba-me"/"gba-u", P1 is RAND, P2 is the IMPI encoded in UTF-8, P3 is the NAF_ID, FC denotes the authentication type, and Lm is the length of Pm, m = 0, 1, ..., n.
The push service key calculation formula can be obtained by one or a combination of the following approaches:
Approach 1: extend a parameter in the prior-art formula for calculating the NAF-related key.
For example, the NAF_ID can be extended. In the prior art, the NAF_ID consists of the FQDN and the Ua-interface security protocol identifier, where the FQDN is the domain name of the NAF. In the present invention, the NAF_ID may additionally include a GAA push service type identifier. Alternatively, the Ua-interface security protocol identifier may be extended by adding, to the existing Ua-interface security protocol identifiers, an identifier value that indicates generic bootstrapping authentication architecture (GBA) push.
Approach 2: change a parameter in the prior-art formula for calculating the NAF-related key.
For example, the value of the static string "gba-me"/"gba-u" can be changed, e.g. to "gba-me-push"/"gba-u-push"; the application protocol identifier of the NAF-ID can be changed, e.g. from the existing application protocol identifier to one that identifies the push service; or the value of the authentication type can be changed, e.g. by setting FC to a value different from 0x01 to indicate the push service authentication type.
Approach 3: add a new calculation parameter to the prior-art formula for calculating the NAF-related key.
For example, a new calculation parameter px representing the GAA push service type identifier can be added. The formula for the push service key then becomes:
push service key = KDF(Ks, "gba-me"/"gba-u", RAND, IMPI, NAF-ID, px)
Here, px may be a preset fixed value that both the BSF and the UE store, or a value generated temporarily by the BSF. If it is a value temporarily generated by the BSF that the UE cannot generate itself, the BSF sends the temporary px value to the UE through the NAF.
Step 407: The NAF sends the UE a push message carrying the B-TID and the NAF-ID. The push message may also include data encrypted with the push service key.
Step 408: After receiving the push message, the UE finds the corresponding Ks locally by the B-TID carried in the message and obtains the push service key from the Ks and the preset push service key algorithm, which is the same as the BSF's. The flow ends.
If the push message carries encrypted data, the UE decrypts it with the push service key.
Step 409: The BSF obtains from the HSS a set of authentication vectors corresponding to the UE permanent identity.
Step 410: The BSF calculates Ks from the set of authentication vectors, calculates the push service key from the Ks and the preset push service key algorithm, and sends the PUSH service key, the B-TID and the AUTN from the authentication vectors to the NAF in a key response message. The key response message may also include the validity period of the Push service key, the RAND from the authentication vectors, and so on.
Step 411: After receiving the service key response, the NAF sends the UE a push message carrying the NAF-ID and the AUTN. The push message may also include data encrypted with the push service key, and/or RAND, and/or the B-TID.
Step 412: After receiving the push message, the UE authenticates the network using the AUTN carried in the message, calculates Ks, and obtains the push service key from the Ks and the preset push service key algorithm, which is the same as the BSF's. The flow ends.
If the push message carries encrypted data, the UE decrypts it with the push service key.
As can be seen, the embodiment shown in Figure 4 uses the same Ks as for UE-initiated services but changes parameters other than Ks in the existing formula for calculating the NAF-related key used for UE-initiated services. The push service key obtained in this way implements push service authentication and ensures that the key used for a service that the UE initiates to a NAF differs from the key used for a push service that the NAF initiates to the UE.
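The three approaches of Embodiment 1, worked through in Python as an added example (not code from the patent). It assumes HMAC-SHA-256 for the KDF, a two-octet big-endian encoding for each length Li, and an FC value of 0x02 for push; the text fixes none of these, and every sample value is constructed.

```python
import hashlib
import hmac

FC_GBA = 0x01    # FC value of the existing formula (from the text)
FC_PUSH = 0x02   # assumption: some agreed value other than 0x01


def build_s(fc, params):
    """S = FC || P0 || L0 || ... || Pn || Ln (Li as two octets, an assumption)."""
    out = bytes([fc])
    for p in params:
        if len(p) > 0xFFFF:
            raise ValueError("parameter longer than a two-octet length allows")
        out += p + len(p).to_bytes(2, "big")
    return out


def derive_key(ks, label, rand, impi, naf_id, fc=FC_GBA, px=None):
    """KDF(Ks, S); HMAC-SHA-256 stands in for the KDF, which the text leaves open."""
    params = [label.encode("utf-8"), rand, impi.encode("utf-8"), naf_id]
    if px is not None:
        params.append(px)          # approach 3: one more parameter, with its own Ln
    return hmac.new(ks, build_s(fc, params), hashlib.sha256).digest()


# Constructed sample values, not taken from the patent.
KS = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
RAND = bytes.fromhex("a0a1a2a3a4a5a6a7a8a9aaabacadaeaf")
IMPI = "user@ims.example.com"
FQDN = b"naf.example.com"
UA_ID = bytes.fromhex("0100000001")        # constructed Ua security protocol identifier
UA_ID_PUSH = bytes.fromhex("01000000ff")   # constructed identifier value meaning "GBA push"
PUSH_TYPE = b"push"                        # constructed push service type identifier


def all_keys():
    """Key for a UE-initiated service next to the push key of each approach."""
    naf_id = FQDN + UA_ID
    return {
        "ue_initiated": derive_key(KS, "gba-me", RAND, IMPI, naf_id),
        # Approach 1: extend NAF_ID, or use a push-specific Ua identifier value.
        "extend_naf_id": derive_key(KS, "gba-me", RAND, IMPI, naf_id + PUSH_TYPE),
        "push_ua_id": derive_key(KS, "gba-me", RAND, IMPI, FQDN + UA_ID_PUSH),
        # Approach 2: change the static string, or change FC.
        "push_label": derive_key(KS, "gba-me-push", RAND, IMPI, naf_id),
        "push_fc": derive_key(KS, "gba-me", RAND, IMPI, naf_id, fc=FC_PUSH),
        # Approach 3: add the new parameter px.
        "extra_px": derive_key(KS, "gba-me", RAND, IMPI, naf_id, px=PUSH_TYPE),
    }


def push_key_matches(naf_key, variant="push_label"):
    """The push exchange only works if the NAF's key equals the key the UE derives."""
    return hmac.compare_digest(all_keys()[variant], naf_key)


if __name__ == "__main__":
    keys = all_keys()
    for name, key in keys.items():
        print(f"{name:14s} {key.hex()}")
    # A NAF that only cached the UE-initiated key cannot use it for push.
    print("cached key usable for push:", push_key_matches(keys["ue_initiated"]))
```

Because every Pi carries its own length, extending NAF_ID with the bytes `push` and adding the same bytes as px produce different strings S and therefore different keys, so the BSF and the UE must be configured with exactly the same approach.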
Figure 5 is a flowchart, provided by Embodiment 2 of the present invention, of obtaining under the GAA the service key of a PUSH service initiated by the NAF. As shown in Figure 5, the specific steps are as follows:
Steps 501 to 503 are the same as steps 401 to 403.
Step 504: After receiving the key request message, the BSF learns from the user permanent identity and/or the push service type identifier carried in the message that the key request is a push service key request, and then determines from the NAF_ID carried in the message whether the NAF is authorized to perform the push service. If so, go to step 505; otherwise, the BSF returns a rejection message to the NAF, and the flow ends.
Step 505: From the UE permanent identity carried in the message, the BSF checks whether it already holds a Ks dedicated to the push service that corresponds to that UE identity. If so, go to step 506; otherwise, go to step 509.
The Ks dedicated to the push service mentioned in this step is a Ks whose value differs from that of the Ks for UE-initiated services.
Step 506: The BSF calculates a Ks-derived key from the Ks, uses the Ks-derived key as the push service key, and sends the push service key and the B-TID to the NAF in a key response message. The key response message may also include the validity period of the Push service key, and so on.
Here, the BSF calculates the push service key with the same algorithm that is used to calculate the NAF-related key for UE-initiated services.
Steps 507 to 508 are the same as steps 407 to 408.
Step 509: The BSF obtains from the HSS a set of authentication vectors corresponding to the UE permanent identity.
Step 510: The BSF calculates Ks from the set of authentication vectors, stores this Ks dedicated to the push service, calculates a Ks-derived key from it as the push service key, and sends the push service key, the B-TID and the AUTN from the authentication vectors to the NAF in a key response message. The key response message may also include the validity period of the Push service key, the RAND from the authentication vectors, and so on.
In the prior art, when the BSF stores the Ks for UE-initiated services, it stores the Ks in association with the B-TID. In the present invention, the Ks dedicated to the push service can be stored in the following ways:
Way 1: store the Ks dedicated to the push service in association with the B-TID and the AUTN.
Way 2: set a push service flag bit for the Ks dedicated to the push service.
Way 3: store the push-service Ks of all UEs separately in one file; when a key request message for the push service that carries a UE permanent identity arrives from the NAF, look in that file for a Ks corresponding to the UE permanent identity.
Steps 511 to 512 are the same as steps 411 to 412.
As can be seen, the embodiment shown in Figure 5 obtains the push service key from a Ks dedicated to the push service, whose value differs from the value of the parameter Ks in the existing algorithm for calculating the NAF-related key used for UE-initiated services. This implements push service authentication and ensures that the key used for a service that the UE initiates to a NAF differs from the key used for a push service that the NAF initiates to the UE.
It should be noted that the present invention may also leave the parameters of the NAF-related key for UE-initiated services unchanged and obtain the push service key by changing the type of algorithm used to calculate that NAF-related key. For example, if the algorithm type used to calculate the NAF-related key for UE-initiated services is KDF1, such as SHA1, then a KDF2 algorithm, such as MD5, can be used to calculate the service key of a push service initiated by the NAF.
Figure 6 is a flowchart, provided by Embodiment 3 of the present invention, of obtaining under the GAA the service key of a PUSH service initiated by the NAF. As shown in Figure 6, the specific steps are as follows:
Steps 601 to 603 are the same as steps 501 to 503.
Step 604: After receiving the key request message, the BSF learns from the user permanent identity and/or the push service type identifier carried in the message that the key request is a push service key request, and then determines from the NAF_ID carried in the message whether the NAF is authorized to perform the push service. If so, go to step 605; otherwise, the BSF returns a rejection message to the NAF, and the flow ends.
Step 605: From the UE permanent identity carried in the message, the BSF checks whether it already holds a Ks corresponding to that UE permanent identity. If so, go to step 606; otherwise, go to step 610.
Step 606: The BSF calculates a Ks-derived key from the Ks as the push service key and sends the push service key, the B-TID and the push service authorization flag parameter to the NAF in a key response message. The key response message may also include the validity period of the Push service key, and so on.
Here, the BSF has a key pair: a private key and a public key. With the private key, the BSF adds a digital signature to one or a combination of the B-TID, the NAF-ID, the push service key, a variable that the BSF maintains specifically for calculating the authorization flag parameter, and so on; this digital signature is the push service authorization flag parameter. Correspondingly, the UE can use the public key to verify whether the push service authorization flag parameter is correct. Specifically, the UE can obtain the public key in three ways. Way 1: the public key is preconfigured on the UE. Way 2: the BSF sends the public key to the NAF in the key response message, and the NAF then sends it to the UE in the push message. Way 3: the BSF sends the serial number of the public key certificate to the NAF in the key response message, the NAF then sends the serial number to the UE in the push message, and the UE obtains the public key by that serial number.
Alternatively, the BSF may use Ks or the push service key to run an encryption algorithm or a digest algorithm over parameters such as the B-TID, the NAF-ID, the push service key and a variable that the BSF maintains specifically for calculating the authorization flag parameter, to obtain the push service authorization flag parameter. Correspondingly, the UE uses Ks or the push service key to verify whether the push service authorization flag parameter is correct.
Step 607: After receiving the key response message, the NAF sends the UE a push message carrying the B-TID, the NAF-ID and the authorization flag parameter. The push message may also include data encrypted with the push service key.
Step 608: After receiving the push message, the UE finds the corresponding Ks locally by the B-TID carried in the push message and calculates the push service key from the Ks.
Step 609: The UE checks whether the push service authorization flag parameter carried in the message is correct. If so, it accepts the push message, and the flow ends; otherwise, it rejects the push message, and the flow ends.
If the push service key is not needed when the UE obtains the push service authorization flag parameter, the UE, after receiving the push message, may first check whether the push service authorization flag parameter carried in the message is correct. If it is correct, the UE then finds the Ks by the B-TID carried in the push message and obtains the push service key; if it is not correct, the UE rejects the push message directly.
Step 610: The BSF obtains a set of authentication vectors from the HSS.
Step 611: The BSF computes Ks from this set of authentication vectors and computes a Ks-derived key as the push service key. It sends the push service key, the B-TID, the AUTN from the authentication vector and the push service authorization flag parameter to the NAF in a key response message. The key response message may also include the validity period of the push service key, the RAND from the authentication vector, and so on.
Step 612: After receiving the key response message, the NAF sends the UE a push message carrying the NAF-ID, the AUTN and the push service authorization flag parameter. The push message may also include data encrypted with the push service key, and/or the RAND, and/or the B-TID.
Step 613: After receiving the push message, the UE authenticates the network using the AUTN carried in the push message, computes Ks, and computes the push service key from that Ks.
Step 614: The UE determines whether the push service authorization flag parameter carried in the message is correct. If it is, the UE accepts the push message; otherwise, the UE rejects the push message.
As can be seen, the embodiment shown in FIG. 6 digitally signs the push service key, that is, it adds an authorization flag parameter that is used to verify whether the push service key is correct, thereby achieving push service authentication.
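The check in steps 607 to 609, combined with key separation by a changed string parameter, as an added Python example (not code from the patent). The HMAC-SHA-256 derivation and its input encoding, the `gba-push` label, the flag formula and all sample values are assumptions made for illustration.

```python
import hashlib
import hmac

UE_LABEL = b"gba-me"      # string parameter named on the page for UE-initiated keys
PUSH_LABEL = b"gba-push"  # hypothetical changed value for push keys (assumption)

def _encode(*fields):
    # Length-prefix each field so field boundaries cannot be shifted.
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)

def derive_key(ks, label, rand, impi, naf_id):
    # Simplified Ks-derived key; not the exact 3GPP input encoding.
    return hmac.new(ks, _encode(label, rand, impi, naf_id), hashlib.sha256).digest()

def auth_flag(push_key, b_tid, naf_id):
    # Assumed flag formula: MAC over B-TID and NAF-ID keyed with the push key.
    return hmac.new(push_key, _encode(b_tid, naf_id), hashlib.sha256).digest()

def bsf_key_response(ks, rand, impi, naf_id, b_tid):
    # BSF side: derive the push key and the flag, return both to the NAF.
    push_key = derive_key(ks, PUSH_LABEL, rand, impi, naf_id)
    return {"push_key": push_key, "b_tid": b_tid,
            "flag": auth_flag(push_key, b_tid, naf_id)}

def naf_push_message(response, naf_id):
    # Step 607: the push message carries B-TID, NAF-ID and the flag.
    return {"b_tid": response["b_tid"], "naf_id": naf_id, "flag": response["flag"]}

def ue_handle_push(contexts, impi, msg):
    # Steps 608-609: look up Ks by B-TID, derive the push key, check the flag.
    # Returns the push key when the message is accepted, None when rejected.
    ctx = contexts.get(msg["b_tid"])
    if ctx is None:
        return None
    ks, rand = ctx
    push_key = derive_key(ks, PUSH_LABEL, rand, impi, msg["naf_id"])
    expected = auth_flag(push_key, msg["b_tid"], msg["naf_id"])
    return push_key if hmac.compare_digest(expected, msg["flag"]) else None

def demo():
    # Constructed sample values, not taken from the page.
    ks, rand = bytes(range(32)), bytes(range(16))
    impi, naf_id = b"user@example.org", b"naf.example.org"
    b_tid = b"btid-0001@bsf.example.org"
    contexts = {b_tid: (ks, rand)}

    resp = bsf_key_response(ks, rand, impi, naf_id, b_tid)
    good = naf_push_message(resp, naf_id)

    # Flag keyed with the UE-initiated key instead of the push key: must fail.
    ue_key = derive_key(ks, UE_LABEL, rand, impi, naf_id)
    wrong_key = dict(good, flag=auth_flag(ue_key, b_tid, naf_id))
    # Same flag presented under a different NAF-ID: must fail.
    wrong_naf = dict(good, naf_id=b"other-naf.example.org")

    return {
        "accepted_key_matches": ue_handle_push(contexts, impi, good) == resp["push_key"],
        "keys_differ": ue_key != resp["push_key"],
        "wrong_key_rejected": ue_handle_push(contexts, impi, wrong_key) is None,
        "wrong_naf_rejected": ue_handle_push(contexts, impi, wrong_naf) is None,
        "unknown_btid_rejected": ue_handle_push({}, impi, good) is None,
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(name, ok)
```

Because the flag here is keyed with the push service key, the UE has to derive the key before it can check the flag, which is the ordering of steps 608 and 609.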
FIG. 7 is a structural diagram of a system, provided by an embodiment of the present invention, for obtaining the key of a Push service actively initiated by the NAF. As shown in FIG. 7, it mainly comprises NAF 71, BSF 72, UE 73 and HSS 74, where:
NAF 71: determines that a Push service is to be initiated and sends a Push service key request to BSF 72; after receiving the Push service key returned by BSF 72, sends a Push message to UE 73.
BSF 72: receives the Push service key request sent by NAF 71. If it detects that it has already stored the Push service Ks corresponding to the UE permanent identity carried in the request message, it computes the Push service key from that Push service Ks and the Push service key calculation method it stores. Otherwise, it obtains from HSS 74 the authentication vector corresponding to the UE permanent identity, computes the Push service Ks from that authentication vector, and computes the Push service key from that Push service Ks and the Push service key calculation method it stores. It returns the Push service key to NAF 71.
UE 73: receives the Push message sent by NAF 71, computes the Push service Ks from the authentication token carried in the message, and computes the Push service key from the Push service Ks and the Push service key calculation method.
HSS 74: stores the Push service Ks corresponding to the UE permanent identity.
Compared with the prior art, the embodiments of the present invention either obtain the push service key calculation formula for network-initiated services by modifying the key calculation formula for UE-initiated services, or add a push service authorization flag parameter to the push service key, so that the key for NAF-initiated services can be distinguished from the key for UE-initiated services. This prevents a NAF that has not subscribed to the Push service from using the Push service, and also prevents a NAF from passing off a Push service as a UE-initiated service, so that network resources are used reasonably and the operator's losses are reduced. It also prevents the key for UE-initiated services and the push service key from being leaked at the same time, which eliminates the security risk that a leak of one of the two keys exposes the other service to attack, and improves service reliability and network security.
The above are merely process and method embodiments of the present invention and are not intended to limit it. Any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.

Claims

1. A method for obtaining a service key, characterized in that the method comprises:
a network application entity (NAF) sends a push service key request to a bootstrapping authentication server entity (BSF);
after receiving the push service key request, the BSF obtains a push service Ks, computes a push service key from the push service Ks and a push service key calculation method, and returns the push service key to the NAF;
after receiving the push service key, the NAF sends a push message to a user equipment (UE);
after receiving the push message, the UE obtains the push service Ks and computes the push service key from the push service Ks and the push service key calculation method.
2. The method according to claim 1, characterized in that the value of the push service Ks obtained by the BSF and the UE is the same as the value of the Ks for UE-initiated services,
and the push service key calculation method used by the BSF and the UE is obtained by at least one of the following:
modifying a parameter in the calculation formula of the NAF-related key for UE-initiated services;
extending a parameter in the calculation formula of the NAF-related key for UE-initiated services;
adding a parameter to the calculation formula of the NAF-related key for UE-initiated services.
3. The method according to claim 2, characterized in that modifying a parameter in the calculation formula of the key for UE-initiated services is implemented by at least one of the following:
modifying the string parameter "gba-me" / "gba-u" in the calculation formula of the key for UE-initiated services;
modifying the NAF identifier in the calculation formula of the key for UE-initiated services;
modifying the authentication type value in the calculation formula of the key for UE-initiated services.
4. The method according to claim 2, characterized in that extending a parameter in the calculation formula of the NAF-related key for UE-initiated services is: extending the NAF identifier in the calculation formula of the key for UE-initiated services;
or extending the Ua interface security protocol identifier in the calculation formula of the key for UE-initiated services.
5. The method according to claim 2, characterized in that adding a parameter to the calculation formula of the key for UE-initiated services is: adding, to the calculation formula of the key for UE-initiated services, a parameter that indicates the push service type.
6. The method according to claim 1, characterized in that the value of the push service Ks obtained by the BSF and the UE is different from the value of the Ks for UE-initiated services.
7. The method according to claim 6, characterized in that the push service Ks obtained by the BSF is stored in association with the UE's temporary identity B-TID and the authentication token AUTN.
8. The method according to claim 6, characterized in that a push service type identifier is set on the push service Ks obtained by the BSF.
9. The method according to claim 6, characterized in that the push service Ks obtained by the BSF is stored in a file dedicated to storing the Ks of push services.
10. The method according to any one of claims 1, 2 and 6, characterized in that, when the BSF returns the push service key to the NAF, the method further comprises: the BSF returns a push service authorization flag parameter to the NAF;
the push message sent by the NAF to the UE further carries the push service authorization flag parameter sent by the BSF;
after the UE receives the push message, the method further comprises: the UE determines whether the push service authorization flag parameter sent by the NAF is correct; if it is, the UE accepts the push message; otherwise, the UE rejects the push message.
11. The method according to claim 10, characterized in that, after the BSF computes the push service key and before it returns the push service authorization flag parameter to the NAF, the method further comprises: the BSF obtains the push service authorization flag parameter according to a calculation formula for the push service authorization flag parameter that the BSF stores;
the UE determining whether the push service authorization flag parameter sent by the NAF is correct comprises: the UE verifies whether the push service authorization flag parameter is correct according to a verification formula for the push service authorization flag parameter that the UE stores.
12. The method according to claim 11, characterized in that the calculation formula for the push service authorization flag parameter is implemented by a function that includes at least one of the following parameters:
the UE's temporary identity B-TID;
the NAF identifier;
the push service key;
a variable maintained by the BSF specifically for computing the authorization flag parameter;
the push service Ks.
13. The method according to claim 10, characterized in that, after the BSF computes the push service key and before it returns the push service authorization flag parameter to the NAF, the method further comprises: the BSF obtains the push service authorization flag parameter according to a private key that the BSF stores;
the UE determining whether the push service authorization flag parameter sent by the NAF is correct comprises: the UE verifies whether the push service authorization flag parameter is correct according to an obtained public key corresponding to the private key.
14. The method according to claim 1, characterized in that the push service key calculation method used by the BSF and the UE is obtained by changing the type of algorithm used to compute the NAF-related key for UE-initiated services.
15. A system for obtaining a service key, characterized in that it comprises:
a NAF, which determines that a Push service is to be initiated, sends a Push service key request to a BSF, and, after receiving the Push service key, sends a Push message to a UE;
the BSF, which receives the Push service key request sent by the NAF, computes the Push service key from a Push service Ks and a Push service key calculation method, and returns the Push service key to the NAF;
the UE, which receives the Push message sent by the NAF and computes the Push service key from the Push service Ks and the Push service key calculation method.
16. The system according to claim 15, characterized in that the system further comprises an HSS, configured to store the Push service Ks corresponding to a UE identity,
and the BSF, after receiving the Push service key request and detecting that it has not stored the Push service Ks corresponding to the UE identity carried in the request message, obtains from the HSS the Push service Ks corresponding to that UE identity.
PCT/CN2007/070098 2006-06-13 2007-06-11 Method and system for retrieving service key WO2007147354A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN2006100828455A CN101090513B (en) 2006-06-13 2006-06-13 Method for getting service key
CN200610082845.5 2006-06-13

Publications (1)

Publication Number Publication Date
WO2007147354A1 true WO2007147354A1 (en) 2007-12-27

Family

ID=38833080

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2007/070098 WO2007147354A1 (en) 2006-06-13 2007-06-11 Method and system for retrieving service key

Country Status (2)

Country Link
CN (1) CN101090513B (en)
WO (1) WO2007147354A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
AU2010291951B2 (en) * 2009-09-14 2016-01-28 Mark W. Publicover Rebounding apparatus with tensioned elastic cords

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101583131B (en) * 2009-06-10 2012-05-09 中兴通讯股份有限公司 Service key transmission method and system
CN101990203B (en) * 2009-08-05 2013-06-12 中兴通讯股份有限公司 Key agreement method, device and system based on universal self-initializing architecture
CN102497273B (en) * 2011-12-27 2018-09-28 西安西电捷通无线网络通信股份有限公司 A kind of method for authenticating entities and apparatus and system
CN105337935B (en) * 2014-07-09 2018-12-21 阿里巴巴集团控股有限公司 A kind of method and apparatus for establishing client and the long connection of server-side
CN106487501B (en) 2015-08-27 2020-12-08 华为技术有限公司 Key distribution and reception method, key management center, first network element and second network element
CN107733639B (en) * 2017-08-24 2020-08-04 深圳壹账通智能科技有限公司 Key management method, device and readable storage medium

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2004040410A2 (en) * 2002-10-25 2004-05-13 Grand Virtual Inc Password encryption key
CN1614903A (en) * 2003-11-07 2005-05-11 华为技术有限公司 Method for authenticating users

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070086590A1 (en) * 2005-10-13 2007-04-19 Rolf Blom Method and apparatus for establishing a security association

Also Published As

Publication number Publication date
CN101090513A (en) 2007-12-19
CN101090513B (en) 2012-05-23

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 07721719

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 07721719

Country of ref document: EP

Kind code of ref document: A1