
CN101902324B - Method and system for establishing communication key between nodes - Google Patents

Method and system for establishing communication key between nodes

Info

Publication number
CN101902324B
Authority
CN
China
Prior art keywords
key
field
destination
source
switching equipment
Prior art date
Legal status
Active
Application number
CN2010101596752A
Other languages
Chinese (zh)
Other versions
CN101902324A (en)
Inventor
朱林
铁满霞
李琴
葛莉
曹军
张莎
李剑雄
苑克龙
Current Assignee
Tianwei signal (Beijing) Technology Co., Ltd.
China Iwncomm Co Ltd
Original Assignee
RADIOSKY RADIO EQUIPMENT TESTING (BEIJING) CO Ltd
China Iwncomm Co Ltd
Priority date
Filing date
Publication date
Application filed by RADIOSKY RADIO EQUIPMENT TESTING (BEIJING) CO Ltd, China Iwncomm Co Ltd
Priority to CN2010101596752A
Publication of CN101902324A
Priority to PCT/CN2011/070475 (WO2011134292A1)
Application granted
Publication of CN101902324B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0827 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving distinctive intermediate devices or communication paths
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0891 Revocation or update of secret information, e.g. encryption key update or rekeying
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/041 Key generation or derivation
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/047 Key management, e.g. using generic bootstrapping architecture [GBA] without using a trusted network node as an anchor
    • H04W12/0471 Key exchange

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Small-Scale Networks (AREA)

Abstract

The invention relates to a method for establishing a communication key between nodes, comprising the following steps: 1) the source node N_Source sends a first key announce packet to switching equipment SW_First; 2) SW_First sends a second key announce packet to switching equipment SW_Last; 3) SW_Last sends a third key announce packet to the destination node N_Destination; 4) N_Destination sends a third key announce response packet to SW_Last; 5) SW_Last sends a second key announce response packet to SW_First; 6) SW_First sends a first key announce response packet to N_Source; and 7) N_Source receives the first key announce response packet. With this method, a key between legitimate nodes in a local area network can be flexibly established or updated, and no administrator is needed to deploy a shared static key between every pair of nodes in the whole network.

Description

Method and system for establishing a communication key between nodes
Technical field
The present invention relates to the field of communication network applications, and in particular to a method and system for establishing a communication key between nodes.
Background technology
A wired LAN is generally a broadcast network: data sent by one node can be received by every other node. All nodes on the network share the channel, which is a serious security hazard, since an attacker only needs access to the network in order to capture every packet on it. The LAN defined by the existing standard GB/T 15629.3 (corresponding to IEEE 802.3 / ISO/IEC 8802-3) provides no data encryption, so an attacker can easily steal key information.
For wired LANs, IEEE secures the link layer by adding security to IEEE 802.3. IEEE 802.1AE provides a data encryption protocol for protecting Ethernet and uses hop-by-hop encryption to pass data securely between network nodes. This measure places a heavy computational burden on the switching equipment in the LAN, which makes the switches easy targets for attack, and it increases the delay of a packet from the sending node to the destination node, reducing transmission efficiency.
The topology of a wired LAN is rather complex and involves many nodes, so data communication in the network is also complex; here terminals and switching equipment are collectively called nodes. If static keys are distributed between LAN nodes to secure the communication between them, their distribution and update are very complicated.
Summary of the invention
To solve the problems described in the background art, the invention provides a method and system for establishing a communication key between nodes.
The technical solution is as follows. The invention is a method for establishing a communication key between nodes, characterised in that it comprises the following steps:
1) the source node N_Source sends a first key announce packet to switching equipment SW_First;
2) SW_First sends a second key announce packet to switching equipment SW_Last;
3) SW_Last sends a third key announce packet to the destination node N_Destination;
4) N_Destination sends a third key announce response packet to SW_Last;
5) SW_Last sends a second key announce response packet to SW_First;
6) SW_First sends a first key announce response packet to N_Source;
7) N_Source receives the first key announce response packet.
In step 1), the first key announce packet comprises an ID_Destination field, an E1(KEY_S-D) field and a MIC1 field, where:
ID_Destination field: the identifier of the destination node N_Destination;
E1(KEY_S-D) field: keying material, namely KEY_S-D encrypted by N_Source with the key KEY_S it shares with SW_First; KEY_S-D is a random number generated by N_Source to serve as the communication key with N_Destination;
MIC1 field: a message integrity code, namely the hash value computed by N_Source with the key KEY_S it shares with SW_First over all other fields of the first key announce packet.
In step 2), after receiving the first key announce packet, SW_First sends the second key announce packet to SW_Last as follows:
2.1) verify MIC1 with the key KEY_S it shares with N_Source; if it is incorrect, discard the packet; otherwise go to 2.2);
2.2) decrypt the E1(KEY_S-D) field with KEY_S to obtain the inter-node communication key KEY_S-D;
2.3) construct the second key announce packet and send it to SW_Last. The second key announce packet comprises an ID_Source field, an ID_Destination field, an E2(KEY_S-D) field and a MIC2 field;
where:
ID_Source field: the identifier of the source node N_Source;
ID_Destination field: the identifier of the destination node N_Destination, taken from the ID_Destination field of the first key announce packet received;
E2(KEY_S-D) field: keying material, namely the decrypted KEY_S-D re-encrypted by SW_First with the key KEY_F-L it shares with SW_Last;
MIC2 field: a message integrity code, namely the hash value computed by SW_First with the key KEY_F-L it shares with SW_Last over all other fields of the second key announce packet.
In step 3), after receiving the second key announce packet, SW_Last sends the third key announce packet to N_Destination as follows:
3.1) verify MIC2 with the key KEY_F-L it shares with SW_First; if it is incorrect, discard the packet; otherwise go to 3.2);
3.2) decrypt the E2(KEY_S-D) field with KEY_F-L to obtain the inter-node communication key KEY_S-D;
3.3) construct the third key announce packet and send it to N_Destination. The third key announce packet comprises an ID_Source field, an E3(KEY_S-D) field and a MIC3 field, where:
ID_Source field: the identifier of the source node N_Source, taken from the ID_Source field of the second key announce packet received;
E3(KEY_S-D) field: keying material, namely the decrypted KEY_S-D re-encrypted by SW_Last with the key KEY_D it shares with N_Destination;
MIC3 field: a message integrity code, namely the hash value computed by SW_Last with the key KEY_D it shares with N_Destination over all other fields of the third key announce packet.
In step 4), after receiving the third key announce packet, N_Destination sends the third key announce response packet to SW_Last as follows:
4.1) verify MIC3 with the key KEY_D it shares with SW_Last; if it is incorrect, discard the packet; otherwise go to 4.2);
4.2) decrypt the E3(KEY_S-D) field with KEY_D to obtain the inter-node communication key KEY_S-D; this KEY_S-D is the communication key between N_Destination and N_Source;
4.3) construct the third key announce response packet and send it to SW_Last. The third key announce response packet comprises an ID_Source field and a MIC4 field, where:
ID_Source field: the identifier of the source node N_Source, taken from the ID_Source field of the third key announce packet received;
MIC4 field: a message integrity code, namely the hash value computed by N_Destination with the key KEY_D it shares with SW_Last over all other fields of the third key announce response packet.
In step 5), after receiving the third key announce response packet, SW_Last sends the second key announce response packet to SW_First as follows:
5.1) compare the ID_Source field with the ID_Source field of the third key announce packet it sent earlier; if they differ, discard the packet; otherwise go to 5.2);
5.2) verify MIC3 with the key KEY_D it shares with N_Destination; if it is incorrect, discard the packet; otherwise go to 5.3);
5.3) construct the second key announce response packet and send it to SW_First. The second key announce response packet comprises an ID_Source field, an ID_Destination field and a MIC5 field, where:
ID_Source field: the identifier of the source node N_Source, taken from the ID_Source field of the second key announce packet received;
ID_Destination field: the identifier of the destination node N_Destination, taken from the ID_Destination field of the second key announce packet received;
MIC5 field: a message integrity code, namely the hash value computed by SW_Last with the key KEY_F-L it shares with SW_First over all other fields of the second key announce response packet.
In step 6), after receiving the second key announce response packet, SW_First sends the first key announce response packet to N_Source as follows:
6.1) check whether the ID_Source and ID_Destination fields of the packet match the corresponding fields of the second key announce packet it sent to SW_Last earlier; if they do not, discard the packet; otherwise go to 6.2);
6.2) verify MIC5 with the key KEY_F-L it shares with SW_Last; if it is incorrect, discard the packet; otherwise go to 6.3);
6.3) construct the first key announce response packet and send it to N_Source. The first key announce response packet comprises an ID_Destination field and a MIC6 field, where:
ID_Destination field: the identifier of the destination node N_Destination, taken from the ID_Destination field of the first key announce packet received;
MIC6 field: a message integrity code, namely the hash value computed by SW_First with the key KEY_S it shares with N_Source over all other fields of the first key announce response packet.
Step 7) is carried out as follows:
7.1) check whether the ID_Destination field of the packet matches the ID_Destination field of the first key announce packet it sent to SW_First earlier; if not, discard the packet; otherwise go to 7.2);
7.2) verify MIC6 with the key KEY_S it shares with SW_First; if it is incorrect, discard the packet; otherwise the establishment of the communication key KEY_S-D between N_Source and N_Destination is complete, and from then on N_Source and N_Destination can use KEY_S-D for confidential communication.
A system for establishing a communication key between nodes, characterised in that it comprises: a source node N_Source, which sends the first key announce packet to SW_First and receives the first key announce response packet sent by SW_First; switching equipment SW_First, which receives the first key announce packet sent by N_Source, sends the second key announce packet to SW_Last, receives the second key announce response packet sent by SW_Last and sends the first key announce response packet to N_Source; switching equipment SW_Last, which receives the second key announce packet sent by SW_First, sends the third key announce packet to N_Destination, receives the third key announce response packet sent by N_Destination and sends the second key announce response packet to SW_First; and a destination node N_Destination, which receives the third key announce packet sent by SW_Last and sends the third key announce response packet to SW_Last.
The advantage of the invention is that the communication key between N_Source and N_Destination is generated on demand by N_Source and announced hop by hop to N_Destination over the secure connections already established. Establishment and update of the key shared between the nodes can be triggered by N_Source initiating this process. With this method, legitimate nodes in a LAN can flexibly establish and update the key between them, without an administrator deploying shared static keys between every pair of nodes in the whole network.
Description of drawings
Fig. 1 is a schematic diagram of the process of establishing a communication key between nodes provided by the present invention.
Embodiment
A node N (Node) as defined in the present invention means a user terminal STA (STAtion) or switching equipment SW (SWitch) in the LAN. Physical-layer devices such as hubs in the LAN are not treated as nodes.
It is assumed that, in the network, each user terminal and its adjacent switching equipment have already established a secure connection, i.e. already share a key, through pre-distribution or another security mechanism, and that all switching equipment have pairwise established secure connections, i.e. already share keys, through pre-distribution or another security mechanism.
Taking the establishment of the communication key between a source node N_Source and a destination node N_Destination as the example: SW_First denotes the first switching equipment a packet passes through on its way from N_Source to N_Destination, and SW_Last denotes the last switching equipment a packet passes through on its way from N_Source to N_Destination.
Under the above assumption, N_Source and SW_First have established a secure connection whose shared key is denoted KEY_S; N_Destination and SW_Last have established a secure connection whose shared key is denoted KEY_D; and SW_First and SW_Last have established a secure connection whose shared key is denoted KEY_F-L.
Referring to Fig. 1, the method provided by the present invention establishes the communication key between N_Source and N_Destination as follows:
1) The source node N_Source sends key announce packet 1 to switching equipment SW_First.
Key announce packet 1 comprises:
ID_Destination | E1(KEY_S-D) | MIC1
where:
ID_Destination field: the identifier of the destination node N_Destination;
E1(KEY_S-D) field: keying material, namely KEY_S-D encrypted by N_Source with the key KEY_S it shares with SW_First; KEY_S-D is a random number generated by N_Source to serve as the communication key with N_Destination;
MIC1 field: a message integrity code, namely the hash value computed by N_Source with the key KEY_S it shares with SW_First over all other fields of key announce packet 1.
2) SW_First sends key announce packet 2 to SW_Last.
After receiving key announce packet 1, SW_First proceeds as follows:
2.1) verify MIC1 with the key KEY_S it shares with N_Source; if it is incorrect, discard the packet; otherwise go to 2.2);
2.2) decrypt the E1(KEY_S-D) field with KEY_S to obtain the inter-node communication key KEY_S-D;
2.3) construct key announce packet 2 and send it to SW_Last.
Key announce packet 2 comprises:
ID_Source | ID_Destination | E2(KEY_S-D) | MIC2
where:
ID_Source field: the identifier of the source node N_Source;
ID_Destination field: the identifier of the destination node N_Destination, taken from the ID_Destination field of key announce packet 1 received;
E2(KEY_S-D) field: keying material, namely the decrypted KEY_S-D re-encrypted by SW_First with the key KEY_F-L it shares with SW_Last;
MIC2 field: a message integrity code, namely the hash value computed by SW_First with the key KEY_F-L it shares with SW_Last over all other fields of key announce packet 2.
3) SW_Last sends key announce packet 3 to the destination node N_Destination.
After receiving key announce packet 2, SW_Last proceeds as follows:
3.1) verify MIC2 with the key KEY_F-L it shares with SW_First; if it is incorrect, discard the packet; otherwise go to 3.2);
3.2) decrypt the E2(KEY_S-D) field with KEY_F-L to obtain the inter-node communication key KEY_S-D;
3.3) construct key announce packet 3 and send it to N_Destination.
Key announce packet 3 comprises:
ID_Source | E3(KEY_S-D) | MIC3
where:
ID_Source field: the identifier of the source node N_Source, taken from the ID_Source field of key announce packet 2 received;
E3(KEY_S-D) field: keying material, namely the decrypted KEY_S-D re-encrypted by SW_Last with the key KEY_D it shares with N_Destination;
MIC3 field: a message integrity code, namely the hash value computed by SW_Last with the key KEY_D it shares with N_Destination over all other fields of key announce packet 3.
4) N_Destination sends key announce response packet 3 to SW_Last.
After receiving key announce packet 3, N_Destination proceeds as follows:
4.1) verify MIC3 with the key KEY_D it shares with SW_Last; if it is incorrect, discard the packet; otherwise go to 4.2);
4.2) decrypt the E3(KEY_S-D) field with KEY_D to obtain the inter-node communication key KEY_S-D; this KEY_S-D is the communication key between N_Destination and N_Source;
4.3) construct key announce response packet 3 and send it to SW_Last.
Key announce response packet 3 comprises:
ID_Source | MIC4
where:
ID_Source field: the identifier of the source node N_Source, taken from the ID_Source field of key announce packet 3 received;
MIC4 field: a message integrity code, namely the hash value computed by N_Destination with the key KEY_D it shares with SW_Last over all other fields of key announce response packet 3.
5) SW_Last sends key announce response packet 2 to SW_First.
After receiving key announce response packet 3, SW_Last proceeds as follows:
5.1) compare the ID_Source field with the ID_Source field of key announce packet 3 it sent earlier; if they differ, discard the packet; otherwise go to 5.2);
5.2) verify MIC3 with the key KEY_D it shares with N_Destination; if it is incorrect, discard the packet; otherwise go to 5.3);
5.3) construct key announce response packet 2 and send it to SW_First.
Key announce response packet 2 comprises:
ID_Source | ID_Destination | MIC5
where:
ID_Source field: the identifier of the source node N_Source, taken from the ID_Source field of key announce packet 2 received;
ID_Destination field: the identifier of the destination node N_Destination, taken from the ID_Destination field of key announce packet 2 received;
MIC5 field: a message integrity code, namely the hash value computed by SW_Last with the key KEY_F-L it shares with SW_First over all other fields of key announce response packet 2.
6) SW_First sends key announce response packet 1 to the source node N_Source.
After receiving key announce response packet 2, SW_First proceeds as follows:
6.1) check whether the ID_Source and ID_Destination fields of the packet match the corresponding fields of key announce packet 2 it sent to SW_Last earlier; if they do not, discard the packet; otherwise go to 6.2);
6.2) verify MIC5 with the key KEY_F-L it shares with SW_Last; if it is incorrect, discard the packet; otherwise go to 6.3);
6.3) construct key announce response packet 1 and send it to N_Source.
Key announce response packet 1 comprises:
ID_Destination | MIC6
where:
ID_Destination field: the identifier of the destination node N_Destination, taken from the ID_Destination field of key announce packet 1 received;
MIC6 field: a message integrity code, namely the hash value computed by SW_First with the key KEY_S it shares with N_Source over all other fields of key announce response packet 1.
7) The source node N_Source receives key announce response packet 1.
After receiving key announce response packet 1, N_Source proceeds as follows:
7.1) check whether the ID_Destination field of the packet matches the ID_Destination field of key announce packet 1 it sent to SW_First earlier; if not, discard the packet; otherwise go to 7.2);
7.2) verify MIC6 with the key KEY_S it shares with SW_First; if it is incorrect, discard the packet; otherwise the establishment of the communication key KEY_S-D between N_Source and N_Destination is complete, and from then on N_Source and N_Destination can use KEY_S-D for confidential communication.
When N_Source needs to establish the communication key KEY_S-D with N_Destination and the above scheme is implemented in practice, N_Source may also generate a value that identifies this key establishment process; this identifier may be a clock, a serial number or a random number, and it is carried in every message. Correspondingly, after receiving key announce response packet 3, SW_Last must verify that the identifier in the packet matches the identifier in key announce packet 2 it received earlier; after receiving key announce response packet 2, SW_First must verify that the identifier in the packet matches the identifier in key announce packet 1 it received earlier; and after receiving key announce response packet 1, N_Source must verify that the identifier in the packet matches the identifier in key announce packet 1 it sent earlier.
Alternatively, when the scheme is implemented in practice, N_Source, SW_First and SW_Last may each independently generate a value when sending key announce packet 1, key announce packet 2 and key announce packet 3 respectively, and carry it in that packet as an announcement identifier; this announcement identifier may be a clock, a serial number or a random number. Correspondingly, after receiving key announce response packet 3, key announce response packet 2 and key announce response packet 1 respectively, SW_Last, SW_First and N_Source must each verify that the announcement identifier in the packet matches the identifier in the packet they sent earlier.
A system for establishing a communication key between nodes, characterised in that it comprises: a source node N_Source, which sends key announce packet 1 to SW_First and receives key announce response packet 1 sent by SW_First; switching equipment SW_First, which receives key announce packet 1 sent by N_Source, sends key announce packet 2 to SW_Last, receives key announce response packet 2 sent by SW_Last and sends key announce response packet 1 to N_Source; switching equipment SW_Last, which receives key announce packet 2 sent by SW_First, sends key announce packet 3 to N_Destination, receives key announce response packet 3 sent by N_Destination and sends key announce response packet 2 to SW_First; and a destination node N_Destination, which receives key announce packet 3 sent by SW_Last and sends key announce response packet 3 to SW_Last.
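As an added example (not code from the patent or its assignees), the following Python simulates the seven packets of the embodiment above, including the ID consistency checks of steps 5.1, 6.1 and 7.1 and the announcement identifier the description proposes carrying in every packet. The patent fixes neither E_i() nor the hash-based MIC, so the example assumes HMAC-SHA256 for the MICs and an HMAC-derived XOR keystream as a stand-in for E_i(); where step 5.2 says SW_Last verifies "MIC3", the example verifies the MIC the response packet actually carries (MIC4).

```python
import hashlib
import hmac
import os

# Hypothetical primitives: the patent names E_i() and a hash-based MIC but fixes neither.
def _mic(key: bytes, *fields: bytes) -> bytes:
    """MIC over every other field of a packet, in field order (HMAC-SHA256, 16 bytes)."""
    data = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(key, data, hashlib.sha256).digest()[:16]

def _xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Placeholder cipher (self-inverse): XOR with an HMAC-derived keystream.
    It only keeps the example stdlib-only; a deployment would use an AEAD here."""
    stream = b""
    while len(stream) < len(data):
        ctr = len(stream).to_bytes(4, "big")
        stream += hmac.new(key, nonce + ctr, hashlib.sha256).digest()
    return bytes(d ^ s for d, s in zip(data, stream))

class Discard(Exception):
    """Raised wherever the description says the receiver discards the packet."""

def _check(cond: bool, reason: str) -> None:
    if not cond:
        raise Discard(reason)

def _pack(key: bytes, **fields: bytes) -> dict:
    """Build a packet whose MIC covers all other fields, in their order."""
    fields["MIC"] = _mic(key, *fields.values())
    return fields

def _verify(key: bytes, pkt: dict) -> bool:
    body = [v for k, v in pkt.items() if k != "MIC"]
    return hmac.compare_digest(_mic(key, *body), pkt["MIC"])

# Steps 1-7. AID is the announcement identifier (clock, serial or random number) the
# description proposes carrying in every packet; here it doubles as the cipher nonce.
def step1_source(key_s, id_dst, aid):
    key_sd = os.urandom(16)                                  # KEY_S-D: fresh random key
    pkt1 = _pack(key_s, AID=aid, ID_Destination=id_dst, E1=_xor(key_s, aid, key_sd))
    return key_sd, pkt1
def step2_sw_first(key_s, key_fl, id_src, pkt1):
    _check(_verify(key_s, pkt1), "MIC1 wrong")              # 2.1
    key_sd = _xor(key_s, pkt1["AID"], pkt1["E1"])           # 2.2
    return _pack(key_fl, AID=pkt1["AID"], ID_Source=id_src,  # 2.3
                 ID_Destination=pkt1["ID_Destination"], E2=_xor(key_fl, pkt1["AID"], key_sd))
def step3_sw_last(key_fl, key_d, pkt2):
    _check(_verify(key_fl, pkt2), "MIC2 wrong")             # 3.1
    key_sd = _xor(key_fl, pkt2["AID"], pkt2["E2"])          # 3.2
    return _pack(key_d, AID=pkt2["AID"], ID_Source=pkt2["ID_Source"],
                 E3=_xor(key_d, pkt2["AID"], key_sd))       # 3.3
def step4_destination(key_d, pkt3):
    _check(_verify(key_d, pkt3), "MIC3 wrong")              # 4.1
    key_sd = _xor(key_d, pkt3["AID"], pkt3["E3"])           # 4.2
    return key_sd, _pack(key_d, AID=pkt3["AID"], ID_Source=pkt3["ID_Source"])  # 4.3: MIC4
def step5_sw_last(key_d, key_fl, pkt2, pkt3, resp3):
    _check((resp3["AID"], resp3["ID_Source"]) == (pkt3["AID"], pkt3["ID_Source"]), "5.1 mismatch")
    _check(_verify(key_d, resp3), "MIC4 wrong")             # 5.2 (text says MIC3; packet carries MIC4)
    return _pack(key_fl, AID=pkt2["AID"], ID_Source=pkt2["ID_Source"],
                 ID_Destination=pkt2["ID_Destination"])     # 5.3: MIC5
def step6_sw_first(key_fl, key_s, pkt1, pkt2, resp2):
    want = (pkt2["AID"], pkt2["ID_Source"], pkt2["ID_Destination"])
    _check((resp2["AID"], resp2["ID_Source"], resp2["ID_Destination"]) == want, "6.1 mismatch")
    _check(_verify(key_fl, resp2), "MIC5 wrong")            # 6.2
    return _pack(key_s, AID=pkt1["AID"], ID_Destination=pkt1["ID_Destination"])  # 6.3: MIC6
def step7_source(key_s, pkt1, resp1):
    _check((resp1["AID"], resp1["ID_Destination"]) == (pkt1["AID"], pkt1["ID_Destination"]), "7.1 mismatch")
    _check(_verify(key_s, resp1), "MIC6 wrong")             # 7.2: KEY_S-D is now established

def run(tamper=None):
    """Run one exchange with fresh pre-shared keys KEY_S, KEY_F-L and KEY_D.
    tamper="E2" flips a bit of the keying material on the SW_First->SW_Last hop;
    tamper="ID" alters ID_Destination in response packet 1 (a misrouted or replayed reply).
    Returns (KEY_S-D at N_Source, KEY_S-D at N_Destination, discard reason or None)."""
    key_s, key_fl, key_d = (os.urandom(32) for _ in range(3))
    aid = os.urandom(8)
    key_sd_src, pkt1 = step1_source(key_s, b"N_Destination", aid)
    try:
        pkt2 = step2_sw_first(key_s, key_fl, b"N_Source", pkt1)
        if tamper == "E2":
            pkt2 = dict(pkt2)
            pkt2["E2"] = bytes([pkt2["E2"][0] ^ 1]) + pkt2["E2"][1:]
        pkt3 = step3_sw_last(key_fl, key_d, pkt2)
        key_sd_dst, resp3 = step4_destination(key_d, pkt3)
        resp2 = step5_sw_last(key_d, key_fl, pkt2, pkt3, resp3)
        resp1 = step6_sw_first(key_fl, key_s, pkt1, pkt2, resp2)
        if tamper == "ID":
            resp1 = dict(resp1)
            resp1["ID_Destination"] = b"N_Other"
        step7_source(key_s, pkt1, resp1)
    except Discard as why:
        return None, None, str(why)
    return key_sd_src, key_sd_dst, None
```

Note that every intermediate switch sees KEY_S-D in the clear, which is inherent to the hop-by-hop key transport the patent describes: the end-to-end secrecy of KEY_S-D rests on the switches and on the pre-shared keys KEY_S, KEY_F-L and KEY_D.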

Claims (8)

1. A method for establishing a communication key between nodes, characterized in that it comprises the following steps:
1) the sending source node N_Source sends a first key announce packet to switching equipment SW_First;
said first key announce packet comprises an ID_Destination field, an E_1(KEY_S-D) field and a MIC1 field, wherein:
ID_Destination field: the identifier of destination node N_Destination;
E_1(KEY_S-D) field: key material data, namely KEY_S-D encrypted by the sending source node N_Source with the key KEY_S shared between it and switching equipment SW_First; KEY_S-D is a random number generated by N_Source to serve as the communication key with destination node N_Destination;
MIC1 field: message integrity check code, namely the hash value computed by N_Source, using the key KEY_S shared between it and SW_First, over all fields of the first key announce packet other than this field;
2) switching equipment SW_First sends a second key announce packet to switching equipment SW_Last;
said second key announce packet comprises an ID_Source field, an ID_Destination field, an E_2(KEY_S-D) field and a MIC2 field, wherein:
ID_Source field: the identifier of the sending source node N_Source;
ID_Destination field: the same value as the ID_Destination field of the first key announce packet;
E_2(KEY_S-D) field: key material data, namely the communication key KEY_S-D obtained by decryption, re-encrypted by SW_First with the key KEY_F-L shared between it and SW_Last;
MIC2 field: message integrity check code, namely the hash value computed by SW_First, using the key KEY_F-L shared between it and SW_Last, over all fields of the second key announce packet other than this field;
3) switching equipment SW_Last sends a third key announce packet to destination node N_Destination;
said third key announce packet comprises an ID_Source field, an E_3(KEY_S-D) field and a MIC3 field, wherein:
ID_Source field: the same value as the ID_Source field of the second key announce packet;
E_3(KEY_S-D) field: key material data, namely the communication key KEY_S-D obtained by decryption, re-encrypted by SW_Last with the key KEY_D shared between it and N_Destination;
MIC3 field: message integrity check code, namely the hash value computed by SW_Last, using the key KEY_D shared between it and N_Destination, over all fields of the third key announce packet other than this field;
4) destination node N_Destination sends a third key announce response packet to switching equipment SW_Last;
said third key announce response packet comprises an ID_Source field and a MIC4 field, wherein:
ID_Source field: the same value as the ID_Source field of the third key announce packet;
MIC4 field: message integrity check code, namely the hash value computed by N_Destination, using the key KEY_D shared between it and SW_Last, over all fields of the third key announce response packet other than this field;
5) switching equipment SW_Last sends a second key announce response packet to switching equipment SW_First;
said second key announce response packet comprises an ID_Source field, an ID_Destination field and a MIC5 field, wherein:
ID_Source field: the same value as the ID_Source field of the third key announce response packet;
ID_Destination field: the same value as the ID_Destination field of the second key announce packet;
MIC5 field: message integrity check code, namely the hash value computed by SW_Last, using the key KEY_F-L shared between it and SW_First, over all fields of the second key announce response packet other than this field;
6) switching equipment SW_First sends a first key announce response packet to the sending source node N_Source;
said first key announce response packet comprises an ID_Destination field and a MIC6 field, wherein:
ID_Destination field: the same value as the ID_Destination field of the second key announce response packet;
MIC6 field: message integrity check code, namely the hash value computed by SW_First, using the key KEY_S shared between it and N_Source, over all fields of the first key announce response packet other than this field;
7) the sending source node N_Source receives the first key announce response packet.
2. The method for establishing a communication key between nodes according to claim 1, characterized in that in said step 2), after receiving the first key announce packet, switching equipment SW_First sends the second key announce packet to switching equipment SW_Last as follows:
2.1) using the key KEY_S shared between it and the sending source node N_Source, verify whether MIC1 is correct; if it is incorrect, discard the first key announce packet; otherwise, perform 2.2);
2.2) using the key KEY_S shared between it and N_Source, decrypt the E_1(KEY_S-D) field to obtain the communication key KEY_S-D;
2.3) construct the second key announce packet and send it to switching equipment SW_Last.
3. The method for establishing a communication key between nodes according to claim 2, characterized in that in said step 3), after receiving the second key announce packet, switching equipment SW_Last sends the third key announce packet to destination node N_Destination as follows:
3.1) using the key KEY_F-L shared between it and switching equipment SW_First, verify whether MIC2 is correct; if it is incorrect, discard the second key announce packet; otherwise, perform 3.2);
3.2) using the key KEY_F-L shared between it and SW_First, decrypt the E_2(KEY_S-D) field to obtain the communication key KEY_S-D;
3.3) construct the third key announce packet and send it to destination node N_Destination.
4. The method for establishing a communication key between nodes according to claim 3, characterized in that in said step 4), after receiving the third key announce packet, destination node N_Destination sends the third key announce response packet to switching equipment SW_Last as follows:
4.1) using the key KEY_D shared between it and switching equipment SW_Last, verify whether MIC3 is correct; if it is incorrect, discard the third key announce packet; otherwise, perform 4.2);
4.2) using the key KEY_D shared between it and SW_Last, decrypt the E_3(KEY_S-D) field to obtain the communication key KEY_S-D; this KEY_S-D is the communication key between destination node N_Destination and the sending source node N_Source;
4.3) construct the third key announce response packet and send it to switching equipment SW_Last.
5. The method for establishing a communication key between nodes according to claim 4, characterized in that in said step 5), after receiving the third key announce response packet, switching equipment SW_Last sends the second key announce response packet to switching equipment SW_First as follows:
5.1) compare the ID_Source field of the third key announce response packet with the ID_Source field of the third key announce packet sent earlier; if they are inconsistent, discard the third key announce response packet; otherwise, perform 5.2);
5.2) using the key KEY_D shared between it and destination node N_Destination, verify whether MIC3 is correct; if it is incorrect, discard the third key announce response packet; otherwise, perform 5.3);
5.3) construct the second key announce response packet and send it to switching equipment SW_First.
6. The method for establishing a communication key between nodes according to claim 5, characterized in that in said step 6), after receiving the second key announce response packet, switching equipment SW_First sends the first key announce response packet to the sending source node N_Source as follows:
6.1) check whether the ID_Source field and ID_Destination field of the second key announce response packet are consistent with the corresponding field values of the second key announce packet sent earlier to switching equipment SW_Last; if they are inconsistent, discard the second key announce response packet; otherwise, perform 6.2);
6.2) using the key KEY_F-L shared between it and switching equipment SW_Last, verify whether MIC5 is correct; if it is incorrect, discard the second key announce response packet; otherwise, perform 6.3);
6.3) construct the first key announce response packet and send it to the sending source node N_Source.
7. The method for establishing a communication key between nodes according to claim 6, characterized in that said step 7) is carried out as follows:
7.1) check whether the ID_Destination field of the second key announce response packet is consistent with the ID_Destination field value of the first key announce packet sent earlier to switching equipment SW_First; if they are inconsistent, discard the first key announce response packet; otherwise, perform 7.2);
7.2) using the key KEY_S shared between it and switching equipment SW_First, verify whether MIC6 is correct; if it is incorrect, discard the first key announce response packet; otherwise, the process of establishing the communication key KEY_S-D between the sending source node N_Source and destination node N_Destination is complete, and from then on N_Source and N_Destination can use this communication key KEY_S-D for confidential communication.
8. A system for establishing a communication key between nodes, characterized in that it comprises: a sending source node N_Source, which sends a first key announce packet to switching equipment SW_First and receives a first key announce response packet from SW_First; switching equipment SW_First, which receives the first key announce packet from N_Source, sends a second key announce packet to switching equipment SW_Last, receives a second key announce response packet from SW_Last, and sends the first key announce response packet to N_Source; switching equipment SW_Last, which receives the second key announce packet from SW_First, sends a third key announce packet to destination node N_Destination, receives a third key announce response packet from N_Destination, and sends the second key announce response packet to SW_First; and a destination node N_Destination, which receives the third key announce packet from SW_Last and sends the third key announce response packet to SW_Last;
said first key announce packet comprises an ID_Destination field, an E_1(KEY_S-D) field and a MIC1 field, wherein:
ID_Destination field: the identifier of destination node N_Destination;
E_1(KEY_S-D) field: key material data, namely KEY_S-D encrypted by the sending source node N_Source with the key KEY_S shared between it and switching equipment SW_First; KEY_S-D is a random number generated by N_Source to serve as the communication key with destination node N_Destination;
MIC1 field: message integrity check code, namely the hash value computed by N_Source, using the key KEY_S shared between it and SW_First, over all fields of the first key announce packet other than this field;
said second key announce packet comprises an ID_Source field, an ID_Destination field, an E_2(KEY_S-D) field and a MIC2 field, wherein:
ID_Source field: the identifier of the sending source node N_Source;
ID_Destination field: the same value as the ID_Destination field of the first key announce packet;
E_2(KEY_S-D) field: key material data, namely the communication key KEY_S-D obtained by decryption, re-encrypted by SW_First with the key KEY_F-L shared between it and SW_Last;
MIC2 field: message integrity check code, namely the hash value computed by SW_First, using the key KEY_F-L shared between it and SW_Last, over all fields of the second key announce packet other than this field;
said third key announce packet comprises an ID_Source field, an E_3(KEY_S-D) field and a MIC3 field, wherein:
ID_Source field: the same value as the ID_Source field of the second key announce packet;
E_3(KEY_S-D) field: key material data, namely the communication key KEY_S-D obtained by decryption, re-encrypted by SW_Last with the key KEY_D shared between it and N_Destination;
MIC3 field: message integrity check code, namely the hash value computed by SW_Last, using the key KEY_D shared between it and N_Destination, over all fields of the third key announce packet other than this field;
said third key announce response packet comprises an ID_Source field and a MIC4 field, wherein:
ID_Source field: the same value as the ID_Source field of the third key announce packet;
MIC4 field: message integrity check code, namely the hash value computed by N_Destination, using the key KEY_D shared between it and SW_Last, over all fields of the third key announce response packet other than this field;
said second key announce response packet comprises an ID_Source field, an ID_Destination field and a MIC5 field, wherein:
ID_Source field: the same value as the ID_Source field of the third key announce response packet;
ID_Destination field: the same value as the ID_Destination field of the second key announce packet;
MIC5 field: message integrity check code, namely the hash value computed by SW_Last, using the key KEY_F-L shared between it and SW_First, over all fields of the second key announce response packet other than this field;
said first key announce response packet comprises an ID_Destination field and a MIC6 field, wherein:
ID_Destination field: the same value as the ID_Destination field of the second key announce response packet;
MIC6 field: message integrity check code, namely the hash value computed by SW_First, using the key KEY_S shared between it and N_Source, over all fields of the first key announce response packet other than this field.
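The seven steps of claim 1, with the per-hop MIC verification, decrypt-and-re-encrypt relay and the return-path identifier checks of claims 2 to 7, run end to end as an added example; this is not the patent's code. HMAC-SHA256 stands in for the keyed hash behind the MIC fields and an HMAC-derived one-time pad for the unspecified E_k() cipher; the packet-as-list layout, the link keys, node identifiers and the tamper switch are all constructed for the demonstration, and the response to packet 3 is checked against the MIC4 it actually carries.

```python
"""Added example (not the patent's code): claim 1's seven steps run end to end
with stdlib primitives. HMAC-SHA256 stands in for the keyed hash behind the MIC
fields and an HMAC-derived one-time pad for the unspecified E_k() cipher; both
are assumptions. Packets are lists whose last element is the MIC."""
import hmac, hashlib, os

def mic(key, *fields):
    # Keyed integrity value over every packet field except the MIC itself.
    return hmac.new(key, b"|".join(fields), hashlib.sha256).digest()

def encrypt(key, data):
    # Fresh 16-byte nonce, then XOR with a PRF keystream (stand-in cipher).
    nonce = os.urandom(16)
    pad = hmac.new(key, nonce, hashlib.sha256).digest()
    return nonce + bytes(a ^ b for a, b in zip(data, pad))

def decrypt(key, blob):
    pad = hmac.new(key, blob[:16], hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(blob[16:], pad))

def checked(key, packet):
    """The packet's fields without the MIC if the MIC verifies, else None."""
    if not hmac.compare_digest(packet[-1], mic(key, *packet[:-1])):
        return None
    return packet[:-1]

def run_announcement(key_s, key_fl, key_d, id_s, id_d, tamper=None):
    """Returns (key at N_Source, key at N_Destination); a hop that drops a
    packet leaves the rest None. tamper names a packet to corrupt in flight."""
    def fly(name, packet):  # constructed transport; can flip a MIC's bits
        if name == tamper:
            packet = packet[:-1] + [bytes(b ^ 1 for b in packet[-1])]
        return packet
    # 1) N_Source -> SW_First: [ID_Destination, E1(KEY_S-D), MIC1]
    key_sd = os.urandom(32)
    e1 = encrypt(key_s, key_sd)
    p1 = fly("p1", [id_d, e1, mic(key_s, id_d, e1)])
    # 2) SW_First (claim 2): verify MIC1, decrypt, re-wrap under KEY_F-L
    f = checked(key_s, p1)
    if f is None: return None, None
    e2 = encrypt(key_fl, decrypt(key_s, f[1]))
    p2 = fly("p2", [id_s, f[0], e2, mic(key_fl, id_s, f[0], e2)])
    # 3) SW_Last (claim 3): verify MIC2, decrypt, re-wrap under KEY_D
    f = checked(key_fl, p2)
    if f is None: return None, None
    e3 = encrypt(key_d, decrypt(key_fl, f[2]))
    p3 = fly("p3", [f[0], e3, mic(key_d, f[0], e3)])
    # 4) N_Destination (claim 4): verify MIC3, decrypt, answer [ID_Source, MIC4]
    f = checked(key_d, p3)
    if f is None: return None, None
    dest_key = decrypt(key_d, f[1])
    r3 = fly("r3", [f[0], mic(key_d, f[0])])
    # 5) SW_Last (claim 5): ID_Source must match packet 3, then verify the MIC
    if r3[0] != p3[0] or checked(key_d, r3) is None: return None, dest_key
    r2 = fly("r2", [r3[0], p2[1], mic(key_fl, r3[0], p2[1])])
    # 6) SW_First (claim 6): both IDs must match packet 2, then verify MIC5
    if r2[:2] != p2[:2] or checked(key_fl, r2) is None: return None, dest_key
    r1 = fly("r1", [r2[1], mic(key_s, r2[1])])
    # 7) N_Source (claim 7): ID_Destination must match packet 1, verify MIC6
    if r1[0] != p1[0] or checked(key_s, r1) is None: return None, dest_key
    return key_sd, dest_key

if __name__ == "__main__":  # constructed link keys and node identifiers
    ks, kfl, kd = os.urandom(32), os.urandom(32), os.urandom(32)
    ok = run_announcement(ks, kfl, kd, b"N_S", b"N_D")
    print("keys agree:", ok[0] == ok[1])
    print("tampered packet 2:", run_announcement(ks, kfl, kd, b"N_S", b"N_D", "p2"))
```

A corrupted response on the return path leaves N_Destination holding KEY_S-D while N_Source never completes step 7), which is why the source only starts using the key after the first key announce response packet verifies.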
CN2010101596752A 2010-04-29 2010-04-29 Method and system for establishing communication key between nodes Active CN101902324B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN2010101596752A CN101902324B (en) 2010-04-29 2010-04-29 Method and system for establishing communication key between nodes
PCT/CN2011/070475 WO2011134292A1 (en) 2010-04-29 2011-01-21 Establishment method, system and device for communication keys among nodes

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2010101596752A CN101902324B (en) 2010-04-29 2010-04-29 Method and system for establishing communication key between nodes

Publications (2)

Publication Number Publication Date
CN101902324A CN101902324A (en) 2010-12-01
CN101902324B true CN101902324B (en) 2012-11-07

Family

ID=43227548

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2010101596752A Active CN101902324B (en) 2010-04-29 2010-04-29 Method and system for establishing communication key between nodes

Country Status (2)

Country Link
CN (1) CN101902324B (en)
WO (1) WO2011134292A1 (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101902324B (en) * 2010-04-29 2012-11-07 天维讯达无线电设备检测(北京)有限责任公司 Method and system for establishing communication key between nodes
CN101841414B (en) * 2010-05-20 2012-05-23 西安西电捷通无线网络通信股份有限公司 Method and system for establishing end-to-end communication key

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1937558A (en) * 2005-09-22 2007-03-28 索尼株式会社 Wireless communication system, wireless communication device, method of wireless communication, and computer program
CN101183934A (en) * 2007-10-23 2008-05-21 中兴通讯股份有限公司 Cipher key updating method in passive optical network
CN101227272A (en) * 2007-01-19 2008-07-23 华为技术有限公司 System and method for obtaining media stream protection cryptographic key

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1297107C (en) * 2003-03-31 2007-01-24 华为技术有限公司 Key distribution method based on preshared key
CN1323523C (en) * 2003-04-02 2007-06-27 华为技术有限公司 Method of forming dynamic key in radio local network
US7957533B2 (en) * 2007-10-02 2011-06-07 Alcatel-Lucent Usa Inc. Method of establishing authentication keys and secure wireless communication
CN101902324B (en) * 2010-04-29 2012-11-07 天维讯达无线电设备检测(北京)有限责任公司 Method and system for establishing communication key between nodes

Also Published As

Publication number Publication date
CN101902324A (en) 2010-12-01
WO2011134292A1 (en) 2011-11-03

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP03 "change of name, title or address"
Address after: 15 to 1, 2, floor 30, Shixing street, Shijingshan District, Beijing.
Co-patentee after: Anxi Dianjietong Wireless Network Communications Co.,Ltd.
Patentee after: Tianwei signal (Beijing) Technology Co., Ltd.
Address before: No. 80 North ritual Road, Xicheng District, Beijing
Co-patentee before: Anxi Dianjietong Wireless Network Communications Co.,Ltd.
Patentee before: Radiosky Radio Equipment Testing (Beijing) Co., Ltd.