CN101583130B - The generation method and apparatus of air interface key - Google Patents
- Publication number: CN101583130B (application CN200910087097.3A)
- Authority: CN (China)
- Prior art keywords: key, mobile station, CMAC, information, TSTID
- Legal status: Expired - Fee Related (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
- Classification: Mobile Radio Communication Systems (AREA)
Abstract
The invention discloses a method for generating air interface keys, comprising: during the initial authentication procedure, using Temporary Station ID (TSTID) information in place of the mobile station MAC address information to generate the air interface derived keys. The invention also discloses an apparatus for generating air interface keys, comprising: a first acquiring unit for obtaining the TSTID information of the mobile station; and a first generation unit which, during the initial authentication procedure, uses the TSTID information in place of the mobile station MAC address information to generate the air interface derived keys. The invention protects the security of the information exchanged between the mobile station and the network side, and thereby the security of communication under the IEEE 802.16m specification.
Description
Technical field
The present invention relates to techniques for generating air interface keys, and in particular to a method and apparatus for generating air interface keys in the Institute of Electrical and Electronics Engineers (IEEE) 802.16m standards system.
Background technology
The IEEE 802.16 family of standards is aimed mainly at metropolitan area networks. Its main goal is to develop the physical layer (PHY) and medium access control layer (MAC) specifications for the air interface of wireless access systems in the 2 GHz to 66 GHz bands, together with the conformance tests associated with the air interface protocol and the specifications for coexistence between different wireless access systems.
According to whether mobility is supported, the IEEE 802.16 standards are divided into fixed broadband wireless access air interface standards and mobile broadband wireless access air interface standards. 802.16d is a fixed wireless access air interface standard; it was approved by the IEEE 802 committee in June 2004 and published under the title IEEE 802.16-2004. 802.16e is a mobile broadband wireless access air interface standard; it was approved by the IEEE 802 committee in November 2005 and published under the title IEEE 802.16-2005. Worldwide Interoperability for Microwave Access (WiMAX) is the specification based on the IEEE 802.16 air interface and has become the most influential broadband wireless access technology in the world today.
IEEE is currently developing the 802.16m standard. This standard studies the next evolution step of WiMAX, aims to become a next-generation mobile communication technology, and will eventually be submitted to the International Telecommunication Union (ITU) as one of the technology proposals for the ITU IMT-Advanced standard. The standard is to be backward compatible with the existing 802.16e specification.
With the development of wireless communication technology, security attracts more and more attention, and users' requirements for secure communication keep growing. Because of the openness and mobility of mobile wireless systems, the communication between a mobile station and the network is easy to attack and to eavesdrop on. Nearly all wireless communication systems therefore include a complete set of security measures, comprising authentication and encryption. Authentication means that the communication network confirms the identity of the mobile station (one-way), or that the mobile station and the communication network confirm each other's identity (two-way), to ensure that the peer is a legitimate device; encryption means encrypting the data sent over the air interface, to ensure the confidentiality of the communication. To make the keys dynamic and further improve the security of the system, the keys used for encryption are generally tied to the authentication procedure: they are generated and distributed dynamically by the authentication procedure.
The keys defined in the 802.16e/m system mainly comprise:
1) Master Session Key (MSK). The MSK is the root key of all other keys defined in 802.16e/m. It is produced separately by the mobile station and the AAA server during the EAP authentication and authorization procedure, and is used to derive other keys such as the PMK.
2) Pairwise Master Key (PMK). The PMK is derived from the MSK and is used to derive the AK.
3) Authorization Key (AK). The AK is derived from the PMK. It is used to derive the KEK, CMAC_KEY_U/D and (in 802.16m only) the TEK.
4) Key Encryption Key (KEK). In 802.16e the KEK is derived directly from the AK and is used to encrypt keys such as the TEK that the BS unicasts to the MS.
5) Uplink integrity protection key HMAC/CMAC_KEY_U and downlink integrity protection key HMAC/CMAC_KEY_D. Both are derived from the AK and are used for the integrity protection of uplink and downlink management messages respectively.
6) Traffic Encryption Key (TEK; Traffic Encryption Key in 802.16e, Transmission Encryption Key in 802.16m). 802.16e/m uses the TEK to encrypt user data, protecting the privacy of the data transmitted between MS and BS.
In 802.16e the TEK is generated randomly by the base station, encrypted with the KEK and sent to the mobile station. In 802.16m the TEK is generated separately by the base station and the mobile station; one of its input parameters is a random number (NONCE) generated by the base station and sent to the mobile station during the three-way handshake.
The 802.16m System Description Document (SDD) defines two types of mobile station identifier: the Temporary Station ID (TSTID) and the formal Station ID (STID). Both are unique within the coverage of one base station. The TSTID is assigned to the mobile station by the base station during the ranging procedure of initial network entry and identifies the mobile station temporarily; subsequent message exchanges identify the mobile station by the TSTID until, during the registration procedure, the base station assigns an STID to the mobile station. The transmission of the STID requires a protection mechanism. The base station then releases the TSTID and uses the STID to identify the mobile station in subsequent procedures.
In 802.16m the generation parameters of AK, KEK, CMAC_KEY_U/D and TEK all include the mobile station MAC address (AMS MAC Address). During initial authentication, however, the mobile station and the base station have not yet generated the associated keys, so all air interface messages are transmitted in plaintext. The mobile station reports its AMS MAC Address to the base station at this point, and the address is at risk of being intercepted by an attacker. The 802.16m System Requirements Document (SRD) also requires that the privacy of the mobile station be protected, i.e. the AMS MAC Address must be protected when it is transmitted in plaintext over the air interface, so that an attacker cannot obtain the address and threaten the privacy of the mobile station.
Summary of the invention
In view of this, the main purpose of the present invention is to provide a method and apparatus for generating air interface keys that improve the security of information transmission between the mobile station and the network.
To achieve the above purpose, the technical scheme of the present invention is realized as follows.
A method for generating air interface keys, comprising:
during the initial authentication procedure, using Temporary Station ID (TSTID) information in place of the mobile station MAC address information to generate the air interface derived keys.
Preferably, the method further comprises:
after the mobile station has reported its MAC address information to the base station, or after the base station has assigned Station ID (STID) information to the mobile station, or after re-authentication, using the mobile station MAC address information or the STID information to generate the air interface derived keys, and replacing the air interface derived keys generated from the TSTID information with them.
Preferably, the method further comprises: supplementing the least significant bits (LSB) or most significant bits (MSB) of the TSTID or STID with a random number before using it as an input parameter of the air interface keys.
Preferably, the method further comprises: the base station adding the random number at the LSB or MSB position of the TSTID or STID before sending the TSTID or STID.
Preferably, the derived keys comprise the uplink integrity protection key CMAC_KEY_U, the downlink integrity protection key CMAC_KEY_D and the traffic encryption key TEK;
or the derived keys comprise CMAC_KEY_U, CMAC_KEY_D, TEK and the key encryption key KEK.
Preferably, the input parameters for generating the AK comprise one of the following parameters or any combination of them: PMK, TSTID, base station identifier ABSID.
Preferably, the input parameters for generating the TEK comprise one of the following parameters or any combination of them: AK, TSTID, the random number NONCE generated by the base station, the security association identifier SAID, the network re-entry key counter CMAC_KEY_COUNT.
Preferably, the input parameters for generating CMAC_KEY_U and CMAC_KEY_D comprise one of the following parameters or any combination of them: AK, TSTID, base station identifier ABSID, CMAC_KEY_COUNT.
A method for generating air interface keys, comprising:
during the initial authentication procedure, the base station using the mobile station MAC address information provided by the network side to generate the air interface derived keys.
Preferably, the provision of the mobile station MAC address information by the network side comprises:
after the mobile station completes initial authentication, the AAA server on the network side delivering the mobile station MAC address information to the authenticator, and the authenticator delivering the mobile station MAC address information to the base station.
Preferably, the derived keys comprise CMAC_KEY_U, CMAC_KEY_D and TEK;
or the derived keys comprise CMAC_KEY_U, CMAC_KEY_D, TEK and KEK.
An apparatus for generating air interface keys, comprising:
a first acquiring unit for obtaining the TSTID information of the mobile station; and
a first generation unit which, during the initial authentication procedure, uses the TSTID information in place of the mobile station MAC address information to generate the air interface derived keys.
Preferably, the apparatus further comprises:
a second acquiring unit for obtaining the mobile station MAC address information or the Station ID (STID) information of the mobile station;
a second generation unit for generating the air interface derived keys from the mobile station MAC address information or the STID information; and
a replacement unit for replacing the air interface derived keys generated by the first generation unit with the air interface derived keys generated by the second generation unit.
Preferably, the derived keys comprise CMAC_KEY_U, CMAC_KEY_D and TEK;
or the derived keys comprise CMAC_KEY_U, CMAC_KEY_D, TEK and KEK.
Preferably, the input parameters with which the first generation unit generates the AK comprise one of the following parameters or any combination of them: PMK, TSTID, ABSID.
Preferably, the input parameters with which the first generation unit generates the TEK comprise one of the following parameters or any combination of them: AK, TSTID, NONCE, SAID, CMAC_KEY_COUNT.
Preferably, the input parameters with which the first generation unit generates CMAC_KEY_U and CMAC_KEY_D comprise one of the following parameters or any combination of them: AK, TSTID, ABSID, CMAC_KEY_COUNT.
An apparatus for generating air interface keys, comprising:
an acquiring unit for obtaining the mobile station MAC address information from the network side during the initial authentication procedure; and
a generation unit for generating the air interface derived keys using the mobile station MAC address information obtained by the acquiring unit.
In the present invention, during the initial authentication procedure in which the mobile station enters the network, once the network side (i.e. the base station) has assigned TSTID information to the mobile station, the base station and the mobile station use the TSTID information to generate the air interface derived keys (TEK, CMAC_KEY_U/D), so that the information transmitted between the mobile station and the network side is encrypted with the air interface derived keys generated from the TSTID information. Once the mobile station has reported its own MAC address (AMS MAC Address) information, or the base station has assigned STID information to the mobile station and notified it, or after re-authentication, the air interface derived keys are updated, i.e. regenerated from the STID information or the MAC address information. The invention protects the security of the information exchanged between the mobile station and the network side, and thereby the security of communication under the IEEE 802.16m specification.
Brief description of the drawings
Fig. 1 is a flow chart of a first method of using the air interface derived keys of the present invention;
Fig. 2 is a flow chart of a second method of using the air interface derived keys of the present invention;
Fig. 3 is a flow chart of a third method of using the air interface derived keys of the present invention;
Fig. 4 is a schematic diagram of one composition of the apparatus for generating air interface keys of the present invention;
Fig. 5 is a schematic diagram of another composition of the apparatus for generating air interface keys of the present invention.
Embodiment
The basic idea of the present invention is the following. During the initial authentication procedure in which the mobile station enters the network, once the network side (i.e. the base station) has assigned TSTID information to the mobile station, the base station and the mobile station use the TSTID information to generate the air interface derived keys (keys such as AK, KEK, TEK and CMAC_KEY_U/D), so that the information transmitted between the mobile station and the network side is protected (encrypted and/or integrity protected) with the air interface derived keys generated from the TSTID information. Once the mobile station has reported its own MAC address (AMS MAC Address) information, or the base station has assigned STID information to the mobile station and notified it, or after re-authentication, the air interface derived keys are updated, i.e. regenerated from the MAC address information or the STID information. The invention protects the security of the information exchanged between the mobile station and the network side, and thereby the security of communication under the IEEE 802.16m specification.
To make the purpose, technical solutions and advantages of the present invention clearer, the present invention is described in more detail below through embodiments and with reference to the accompanying drawings.
During the initial authentication procedure between the mobile station and the network side (base station), the mobile station has not yet reported its MAC address information to the base station, so according to the IEEE 802.16m specification no air interface derived key can be generated at this point; the information transmitted between mobile station and base station is in plaintext and its security cannot be guaranteed. The present invention addresses exactly this situation: during the initial authentication procedure between mobile station and base station, as soon as the base station has assigned TSTID information to the mobile station and notified the mobile station of it, the base station and the mobile station use the TSTID information to generate the air interface derived keys and encrypt the information transmitted between them. The detailed procedure for generating the air interface derived keys from the TSTID information is described below.
The AK is generated according to the following formula:
AK <= Dot16KDF(PMK, TSTID|ABSID|"AK", 160)
Here Dot16KDF is the key derivation function defined in IEEE 802.16, and "|" denotes concatenation as defined in IEEE 802.16. TSTID is the Temporary Station ID information assigned to the mobile station by the base station; the TSTID used here may also be a TSTID supplemented with a random number, the purpose of the supplement being to strengthen the key. ABSID is the identifier of the base station. The base station informs the mobile station of the TSTID. Double quotes denote a character string, so "AK" is the string formed by the letters A and K. 160 is the length of the AK in bits. As described in the background, the PMK is derived from the MSK, and the MSK is the root key of the IEEE 802.16 specification, generated separately by the mobile station and the AAA server during the initial authentication procedure. The same symbols have the same meaning throughout the present invention.
In the present invention, after the mobile station and the base station have each generated the AK, they carry out the three-way handshake to verify the AK. Only after the AK has been confirmed correct is the TEK generated.
CMAC_KEY_U and CMAC_KEY_D are generated by the following formulas.
First CMAC_PREKEY_U and CMAC_PREKEY_D are determined; they are intermediate parameters for deriving CMAC_KEY_U and CMAC_KEY_D, and are generated as follows:
CMAC_PREKEY_U|CMAC_PREKEY_D <= Dot16KDF(AK, TSTID|ABSID|"CMAC_KEYS", 256)
In the formula, "CMAC_KEYS" is the character string CMAC_KEYS. 256 is the length of the derivation result in bits. The result is the concatenation of CMAC_PREKEY_U and CMAC_PREKEY_D: the first 128 bits are taken as CMAC_PREKEY_U and the last 128 bits as CMAC_PREKEY_D.
CMAC_PREKEY_U and CMAC_PREKEY_D can also be generated by the following formula:
CMAC_PREKEY_U|CMAC_PREKEY_D|KEK <= Dot16KDF(AK, TSTID|ABSID|"CMAC_KEYS+KEK", 384)
Unlike the preceding formula, this one generates the key KEK at the same time: the 384-bit result is split into three 128-bit parts, which are CMAC_PREKEY_U, CMAC_PREKEY_D and KEK respectively.
CMAC_KEY_U and CMAC_KEY_D are then generated as:
CMAC_KEY_U <= AES_CMAC_PREKEY_U(CMAC_KEY_COUNT)
CMAC_KEY_D <= AES_CMAC_PREKEY_D(CMAC_KEY_COUNT)
Here AES is the Advanced Encryption Standard algorithm: each pre-key is used as an AES key to encrypt CMAC_KEY_COUNT, and the two formulas above yield CMAC_KEY_U and CMAC_KEY_D.
The TEK is generated according to the following formula:
TEK <= Dot16KDF(AK, TSTID|NONCE|SAID|CMAC_KEY_COUNT|"TEK", 128)
Here AK is the authorization key generated as described above. NONCE is a random number generated on the base station side and sent to the mobile station after generation. SAID is the security association identifier, assigned to the mobile station by the base station; its generation follows the relevant provisions of IEEE 802.16m and is not repeated here. CMAC_KEY_COUNT, as defined in 802.16e, is the key counter for network re-entry: when the mobile station successfully completes initial authentication or re-authentication and a new PMK is established, the mobile station sets CMAC_KEY_COUNT to 0; when the mobile station performs network re-entry, secure location update or handover without needing to update the PMK, CMAC_KEY_COUNT is incremented before the mobile station sends the ranging request (RNG-REQ) management message. "TEK" is the character string TEK. 128 is the length of the TEK in bits.
The TEK can also be generated by the following formula:
TEK <= Dot16KDF(AK, NONCE|SAID|CMAC_KEY_COUNT|"TEK", 128)
The parameters have the same meaning as in the preceding TEK formula and are not repeated here.
After the air interface derived keys (TEK, CMAC_KEY_U/D) have been generated, the communication between mobile station and base station is protected with the generated derived keys.
After the mobile station has reported its MAC address information to the base station, or the base station has assigned STID information to the mobile station, the mobile station and the base station generate the air interface derived keys from the MAC address information of the mobile station or the Station ID (STID) information, and replace the air interface derived keys generated from the TSTID information with them.
Alternatively, after the mobile station has reported its MAC address information to the base station, or the base station has assigned STID information to the mobile station, the mobile station and the base station do not generate the air interface derived keys immediately, but wait until after re-authentication to generate them from the MAC address information of the mobile station or the STID information, and then replace the air interface derived keys generated from the TSTID information.
The air interface derived keys are generated from the STID information or the mobile station MAC address information in the same way as from the TSTID information described above, simply by replacing the TSTID information in the above formulas with the MAC address information or the STID information; the details are not repeated here. The TSTID or STID used here may also be one supplemented with a random number, the purpose of the supplement being to strengthen the key.
Fig. 1 is a flow chart of the first method of using the air interface derived keys of the present invention. As shown in Fig. 1, it comprises the following steps:
Step 101: during initial network entry of the mobile station, procedures such as ranging and pre-capability negotiation are carried out. During the ranging procedure the network side assigns TSTID information to the mobile station and informs the mobile station of it;
The TSTID here may also be a TSTID supplemented with a random number: before sending the TSTID, the base station adds a random number of a certain number of bits at the most significant bit (MSB) or least significant bit (LSB) side of the TSTID, for example 36 random bits.
Step 102: the mobile station and the network side carry out the initial authentication/authorization procedure;
Step 103: the mobile station and the base station each use the TSTID information to generate the AK and the CMAC_KEY_U/D keys, in the manner shown above.
The TSTID used here may also be a TSTID supplemented with a random number.
Step 104: the mobile station and the base station carry out the three-way handshake to verify the AK. At the same time the base station sends the random number NONCE, an input parameter for deriving the TEK, to the mobile station.
Step 105: the mobile station and the base station each generate the TEK. The TSTID used here may also be a TSTID supplemented with a random number.
Step 106: the mobile station and the base station carry out the registration procedure and negotiate the capabilities not covered by the pre-capability negotiation. In this procedure the mobile station reports its AMS MAC Address to the base station, and the base station delivers the STID assigned to the mobile station. The STID here may also be an STID supplemented with a random number: before sending the STID, the base station adds a random number of a certain number of bits at the MSB or LSB side of the STID, for example 36 random bits.
From step 106 onwards, the information transmitted between mobile station and base station is protected with the TEK generated in step 105, until step 107.
Step 107: when the re-authentication condition is met, the mobile station and the base station carry out re-authentication.
Step 108: the mobile station and the base station use the AMS MAC Address or the STID information to derive new air interface keys AK, CMAC_KEY_U/D and TEK, i.e. they generate AK, CMAC_KEY_U/D and TEK from the mobile station MAC address information or the Station ID (STID) information, and replace the AK, CMAC_KEY_U/D and TEK generated from the TSTID information, so as to protect the air interface data transmission. The STID used here may also be an STID supplemented with a random number.
Fig. 2 is a flow chart of the second method of using the air interface derived keys of the present invention. As shown in Fig. 2, it comprises the following steps:
Steps 201 to 206 are the same as steps 101 to 106 in Fig. 1.
Step 207: using the AMS MAC Address or the STID information as an input parameter, the mobile station and the base station each calculate and generate a new AK and new CMAC_KEY_U/D.
The STID here may also be an STID supplemented with a random number.
Step 208: the mobile station and the base station carry out the three-way handshake again to verify the updated AK. In this procedure the base station may update the NONCE and deliver it to the mobile station.
Step 209: the mobile station and the base station recalculate and generate a new TEK from the AMS MAC Address (or the STID information) and/or the updated random number NONCE. From then on the procedures use the new TEK to protect the air interface data transmission. The STID here may also be an STID supplemented with a random number.
Fig. 3 is a flow chart of the third method of using the air interface derived keys of the present invention. As shown in Fig. 3, it comprises the following steps:
Step 301: during initial network entry of the mobile station, procedures such as ranging and pre-capability negotiation are carried out;
Step 302: the mobile station and the network side carry out the initial authentication/authorization procedure;
Step 303: the authenticator obtains the mobile station MAC address, or information containing the mobile station MAC address (such as Network Access Identifier (NAI) information), by receiving the Access-Accept message from the AAA server;
Step 304: the authenticator and the mobile station side each generate the AK and its context;
Step 305: the authenticator transfers the generated AK and its context to the base station, including the mobile station MAC address or the information containing it (such as NAI information);
Step 306: the base station obtains the mobile station MAC address;
Step 307: the base station and the mobile station side each generate CMAC_KEY_U/D and their context;
Step 308: the mobile station and the base station carry out the three-way handshake to verify the AK. At the same time the base station sends the TEK generation parameter NONCE to the mobile station.
Step 309: the mobile station and the base station each generate the TEK; from then on the procedures use the newly generated keys to protect the air interface data transmission;
Step 310: the mobile station and the base station carry out the registration procedure and negotiate the capabilities not covered by the pre-capability negotiation.
Fig. 4 is a schematic diagram of one structure of the air interface key generating apparatus of the present invention. As shown in Fig. 4, the apparatus comprises a first acquiring unit 40 and a first generation unit 41. The first acquiring unit 40 is for obtaining the TSTID information of the mobile station: on the mobile station side it is obtained from the notification message received from the base station, and on the base station side the TSTID information is read directly. The first generation unit 41 is for using the TSTID information, in the initial authentication process, in place of the mobile station MAC address information to generate the derived air interface keys. The derived keys comprise CMAC_KEY_U, CMAC_KEY_D and TEK, or additionally KEK. The generation mode is as described above and is not repeated here.
As shown in Fig. 4, the air interface key generating apparatus of the present invention further comprises a second acquiring unit 42, a second generation unit 43 and a replacement unit 44. The second acquiring unit 42 is for obtaining the MAC address information of the mobile station or the mobile station identifier STID information of the mobile station; the way it is obtained differs between the mobile station and the base station. The second generation unit 43 is for generating derived air interface keys using the MAC address information or the STID information of the mobile station, again in the generation mode described above. The replacement unit 44 is for replacing the derived air interface keys generated by the first generation unit 41 with the derived air interface keys generated by the second generation unit 43. The second generation unit 43 may be triggered after the base station obtains the AMS MAC address or the mobile station obtains the STID, or after re-authentication.
Those skilled in the art will appreciate that the second acquiring unit 42, the second generation unit 43 and the replacement unit 44 are not essential features of the air interface key generating apparatus of the present invention.
Those skilled in the art should understand that the practical function of each processing unit of the air interface key generating apparatus shown in Fig. 4 can be understood with reference to the related description of the methods shown in Fig. 1 and Fig. 2 above; the function of each unit may be realized by a program running on a processor, or by corresponding logic circuitry.
Fig. 5 is a schematic diagram of another structure of the air interface key generating apparatus of the present invention. As shown in Fig. 5, the apparatus comprises an acquiring unit 50 and a generation unit 51. The acquiring unit 50 is for obtaining the mobile station MAC address information from the network side in the initial authentication process; the generation unit 51 is for generating the derived air interface keys using the mobile station MAC address information obtained by the acquiring unit. The acquiring unit 50 is located on the base station side: after the mobile station and the network side complete EAP authentication, the AAA server sends the mobile station MAC address, or information containing the mobile station MAC address (such as NAI information), to the authenticator in an Access-Accept message, and the authenticator then passes this information down to the acquiring unit 50. On the mobile station side, the mobile station's own MAC address can be extracted directly to generate the keys. In this case the derivation of all air interface keys can still use the AMS MAC address as an input parameter.
Those skilled in the art should understand that the practical function of each processing unit of the air interface key generating apparatus shown in Fig. 5 can be understood with reference to the related description of the method shown in Fig. 3 above; the function of each unit may be realized by a program running on a processor, or by corresponding logic circuitry.
The above are only preferred embodiments of the present invention and are not intended to limit the scope of protection of the present invention.
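The key hierarchy the description and claims set out (a TSTID-based key set at initial authentication, later replaced by a set derived from the MAC address or STID), as an added Python model that is not the patent's or ZTE's own code; it assumes HMAC-SHA256 as a stand-in for the 802.16m key derivation function, and the parameter order, lengths and sample values are constructed for illustration.

```python
import hmac
import hashlib

# Added model of the key hierarchy in the claims, not the patent's own code.
# Assumption: HMAC-SHA256 stands in for the 802.16m KDF; parameter order and
# lengths are constructed for illustration only.
KEY_LEN = 16

def kdf(key: bytes, label: str, *params: bytes) -> bytes:
    """Derive a KEY_LEN-byte key from key, label and length-prefixed params."""
    data = label.encode() + b"".join(bytes([len(p)]) + p for p in params)
    return hmac.new(key, data, hashlib.sha256).digest()[:KEY_LEN]

def pad_identity(ident: bytes, rand: bytes, at_lsb: bool = True) -> bytes:
    """Claims 1-3: extend the short TSTID/STID with a random number at its
    LSB (default) or MSB so the key input is longer than the bare identity."""
    return ident + rand if at_lsb else rand + ident

def derive_air_keys(pmk, ident, absid, nonce, said, cmac_key_count):
    """Claims 5-7: AK <- (PMK, identity, ABSID); CMAC_KEY_U/D <- (AK, identity,
    ABSID, CMAC_KEY_COUNT); TEK <- (AK, identity, NONCE, SAID, CMAC_KEY_COUNT).
    ident is the TSTID at initial authentication, later the MAC address/STID."""
    count = cmac_key_count.to_bytes(2, "big")
    ak = kdf(pmk, "AK", ident, absid)
    return {
        "AK": ak,
        "CMAC_KEY_U": kdf(ak, "CMAC_KEY_U", ident, absid, count),
        "CMAC_KEY_D": kdf(ak, "CMAC_KEY_D", ident, absid, count),
        "TEK": kdf(ak, "TEK", ident, nonce, said, count),
    }

class AirKeyContext:
    """Key state for one MS/ABS link: TSTID-based keys first, replaced later."""

    def __init__(self, pmk: bytes, absid: bytes):
        self.pmk, self.absid = pmk, absid
        self.identity, self.keys = None, None

    def initial_authentication(self, tstid, rand, nonce, said, count):
        # MAC address is not yet available to the network side: use padded TSTID.
        self.identity = pad_identity(tstid, rand)
        self.keys = derive_air_keys(self.pmk, self.identity, self.absid, nonce, said, count)
        return self.keys

    def replace_keys(self, mac_or_stid, nonce, said, count):
        """Claim 1, last step: once the MAC address or STID is known (or after
        re-authentication), derive a new set and discard the TSTID-based one."""
        old, self.identity = self.keys, mac_or_stid
        self.keys = derive_air_keys(self.pmk, mac_or_stid, self.absid, nonce, said, count)
        return old, self.keys
```

Both sides must feed identical parameters into the derivation, so the random number padded onto the TSTID has to be carried to the peer before the keys are used.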
Claims (12)
1. A method for generating an air interface key, characterized by comprising:
during initial network entry of a mobile station, the network side assigns Temporary Mobile Station Identity TSTID information to the mobile station, and a random number is added at the most significant bits MSB or the least significant bits LSB of the TSTID information;
in the initial authentication process, the Temporary Mobile Station Identity TSTID information is used in place of the mobile station MAC address information to generate derived air interface keys;
after the mobile station reports its own MAC address information to the base station, or after the base station assigns mobile station identifier STID information to the mobile station, or after the mobile station reports its own MAC address information to the base station and re-authentication is performed, or after the base station assigns mobile station identifier STID information to the mobile station and re-authentication is performed, the mobile station MAC address information or the STID information is used to generate derived air interface keys, which replace the derived air interface keys generated using the TSTID information.
2. The method according to claim 1, characterized in that the method further comprises: after a random number is appended at the least significant bits LSB or the most significant bits MSB of the TSTID or the STID, using the result as an input parameter of the air interface key.
3. The method according to claim 2, characterized in that the method further comprises: the base station adds the random number at the LSB position or the MSB position of the STID before sending the STID.
4. The method according to claim 1, characterized in that the derived keys comprise an uplink integrity protection key CMAC_KEY_U, a downlink integrity protection key CMAC_KEY_D and a traffic encryption key TEK;
or the derived keys comprise CMAC_KEY_U, CMAC_KEY_D, TEK and a key protection key KEK.
5. The method according to claim 4, characterized in that the input parameters for generating the authorization key AK comprise one of the following parameters or any combination thereof: the master key PMK, the TSTID, and the base station identifier ABSID.
6. The method according to claim 5, characterized in that the input parameters for generating the TEK comprise one of the following parameters or any combination thereof: the AK, the TSTID, a random number NONCE generated by the base station, a security association identifier SAID, and a network re-entry key counter CMAC_KEY_COUNT.
7. The method according to claim 5, characterized in that the input parameters for generating CMAC_KEY_U and CMAC_KEY_D comprise one of the following parameters or any combination thereof: the AK, the TSTID, the base station identifier ABSID, and CMAC_KEY_COUNT.
8. An apparatus for generating an air interface key, characterized by comprising:
a first acquiring unit, for obtaining the Temporary Mobile Station Identity TSTID information of a mobile station; and
a first generation unit, for: when the mobile station performs initial network entry and the network side assigns TSTID information to the mobile station, adding a random number at the most significant bits MSB or the least significant bits LSB of the TSTID information; and in the initial authentication process, using the TSTID information in place of the mobile station MAC address information to generate derived air interface keys;
a second acquiring unit, for obtaining the mobile station MAC address information or the mobile station identifier STID information of the mobile station;
a second generation unit, for generating derived air interface keys using the mobile station MAC address information or the STID information; and
a replacement unit, for replacing the derived air interface keys generated by the first generation unit with the derived air interface keys generated by the second generation unit.
9. The apparatus according to claim 8, characterized in that the derived keys comprise an uplink integrity protection key CMAC_KEY_U, a downlink integrity protection key CMAC_KEY_D and a traffic encryption key TEK;
or the derived keys comprise CMAC_KEY_U, CMAC_KEY_D, TEK and a key protection key KEK.
10. The apparatus according to claim 9, characterized in that the input parameters with which the first generation unit generates the authorization key AK comprise one of the following parameters or any combination thereof: the master key PMK, the TSTID, and the base station identifier ABSID.
11. The apparatus according to claim 10, characterized in that the input parameters with which the first generation unit generates the TEK comprise one of the following parameters or any combination thereof: the AK, the TSTID, a random number NONCE generated by the base station, a security association identifier SAID, and a network re-entry key counter CMAC_KEY_COUNT.
12. The apparatus according to claim 11, characterized in that the input parameters with which the first generation unit generates CMAC_KEY_U and CMAC_KEY_D comprise one of the following parameters or any combination thereof: the AK, the TSTID, the ABSID, and CMAC_KEY_COUNT.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN200910087097.3A CN101583130B (en) | 2009-06-18 | 2009-06-18 | The generation method and apparatus of air interface key |
Publications (2)
Publication Number | Publication Date |
---|---|
CN101583130A CN101583130A (en) | 2009-11-18 |
CN101583130B true CN101583130B (en) | 2015-09-16 |
Family
ID=41365032
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| C14 | Grant of patent or utility model | |
| GR01 | Patent grant | |
| TR01 | Transfer of patent right | Effective date of registration: 20180716. Address after: California, USA. Patentee after: Global innovation polymerization LLC. Address before: 518057 Nanshan District high tech Industrial Park, Shenzhen, Guangdong, Ministry of justice, Zhongxing Road, South China road. Patentee before: ZTE Corp. |
| CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20150916 |