CN101056169B - Method and system for improving the multicast service security of the radio communication system - Google Patents

Info

Publication number
CN101056169B
CN101056169B
Authority
CN
China
Prior art keywords
key
related parameters
mgtek
key material
base station
Prior art date
Legal status
Expired - Fee Related
Application number
CN2006100721513A
Other languages
Chinese (zh)
Other versions
CN101056169A (en)
Inventor
单长虹
林志斌
冯成燕
王海宁
杜海涛
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd
Priority to CN2006100721513A
Publication of CN101056169A
Application granted
Publication of CN101056169B
Legal status: Expired - Fee Related (current)
Anticipated expiration

Landscapes

  • Mobile Radio Communication Systems (AREA)

Abstract

The invention relates to a method and system for improving the security of multicast services in a wireless communication system. In the wireless communication system, a key manager sends the key material it generates for the multicast service to the base station; after receiving the key material, the base station uses it to encrypt the air-interface multicast service exchanged between the base station and the user terminal. This lets the base station in a wireless communication system such as WiMAX obtain every item of key material needed for air-interface service transmission, thereby effectively securing the air-interface service, for example protecting the user terminal's location information and session information.

Figure 200610072151

Description

Method and system for improving the security of multicast services in a wireless communication system

Technical field

The invention relates to the technical field of wireless communication, and in particular to a multicast key management technique.

Background

In a communication system, keys must be applied to the service traffic to secure the communication service; for example, in a wireless communication system a multicast service requires a corresponding multicast key.

The management and use of multicast keys are described below, taking a multicast service as an example.

The multicast keys used in a multicast service fall into two main categories:

(1) a data encryption key that directly protects the multicast service data;

(2) a key encryption key that protects the data encryption key while it is distributed to the data receivers.

Both categories are common in multicast services:

The data encryption key is used directly to encrypt and decrypt data. Because it is usually distributed over a broadcast channel, and because the way it is stored is easily discovered by the terminal's user, the data encryption key must be refreshed relatively frequently to keep the communication secure.

The key encryption key is usually distributed over a unicast channel and, since it is never used to encrypt data directly, it can be stored somewhere with higher security, for example in the SIM (Subscriber Identity Module) card.

In existing wireless communication systems such as 3GPP and 3GPP2, both categories of key are applied at a high-level control point in the data path, so that the information exchanged between the terminal and that high-level control point can be protected with them.

Because encryption in these existing systems is performed only at the high-level control point, the security of the information exchanged between the access network and the terminal is not well guaranteed; for example, the session information and terminal location information exchanged over the air interface cannot be protected.

Summary of the invention

The object of the invention is to provide a method and system for improving the security of multicast services in a wireless communication system, so that the multicast service exchanged between the base station and the user terminal can be effectively secured.

This object is achieved by the following technical solution:

The invention provides a method for improving the security of multicast services in a wireless communication system, comprising:

A. In the wireless communication system, the key manager sends the key material it has generated for the multicast service to the base station;

B. After receiving the key material, the base station uses it to encrypt the air-interface multicast service exchanged between the base station and the user terminal.

The key material comprises:

the MBS authorization key MAK and its related parameters, the multicast group traffic encryption key MGTEK and its related parameters, the group key encryption key GKEK and its related parameters, the multicast group security association MBSGSA, and/or the multicast traffic key MTK and its related parameters.

The MAK and its related parameters comprise: the MAK, the remaining lifetime of the MAK and/or the MAK sequence number.

The GKEK and its related parameters comprise: the GKEK, the GKEK sequence number, the GKEK identifier, the remaining lifetime of the GKEK, the cipher-based message authentication code key CMAC_KEY_G for multicast key-update messages and/or the packet number CMAC_PN_G of the multicast key-update message authentication code.

The MGTEK and its related parameters comprise: the MGTEK, the remaining lifetime of the MGTEK and/or the MGTEK sequence number.

The MBSGSA and its related parameters comprise: the MBSGSA identifier, the MBSGSA type, the MBSGSA cipher suite, the MBSGSA service type, the sequence number of the downlink packets sent as recorded by the base station, the sequence number of the downlink packets received as recorded by the terminal, the old MGTEK parameters and/or the new MGTEK parameters.

Step A comprises:

A1. the key manager generates key material comprising the MAK and its related parameters, the MGTEK and its related parameters, the GKEK and its parameters, and the MBSGSA;

or

A2. the key manager generates key material comprising the MAK and its related parameters, the MGTEK and its related parameters, the GKEK and its parameters, the MBSGSA, and the MTK and its related parameters.

When step A1 is performed, step B further comprises:

after receiving the key material from the key manager, the base station generates the MTK and its related parameters from it and uses the generated MTK and parameters, together with the received key material, as the key material for air-interface service transmission.

The method further comprises updating the key material generated by the key manager.

The method further comprises: the update of the key material may be triggered before the remaining lifetime of a key expires.

The invention also provides a system for improving the security of multicast services in a wireless communication system, comprising:

a key material sending unit, located in the key manager of the wireless communication system, for sending the key material generated by the key manager for the multicast service to the base station;

a security processing unit, located in the base station of the wireless communication system, for encrypting the air-interface multicast service exchanged between the base station and the user terminal with the received key material.

The key material comprises:

the MAK and its related parameters, the MGTEK and its related parameters, the GKEK and its related parameters, the MBSGSA and/or the MTK and its related parameters.

When the key material generated by the key manager is only part of the key material, the system further comprises:

a key information generation unit, located in the base station of the wireless communication system, for generating from the partial key material received by the base station the remaining key material that makes up the complete set, and providing it to the security processing unit.

The key information generation unit comprises:

an MTK information generation unit, for generating the MTK and its related parameters from the received partial key material and providing them to the security processing unit.

As the technical solution above shows, the invention enables the base station in a wireless communication system such as WiMAX to obtain every item of key material required for air-interface service transmission and thereby to effectively secure the air-interface service, for example the user terminal's location information and session information. The invention therefore effectively secures air-interface multicast services in a wireless communication system.

Brief description of the drawings

Figure 1 is a flow chart of a first implementation of the method of the invention;

Figure 2 is a flow chart of a second implementation of the method of the invention;

Figure 3 is a structural diagram of an implementation of the system of the invention.

Detailed description

The core of the multicast key management method for a wireless network provided by the invention is that, at initial key material generation and at each update, the key manager generates the key material required by the multicast service and sends it to the base station; having received the key material, the base station can then use it to encrypt the multicast service exchanged over the air interface. The key manager is the entity in the wireless communication system responsible for generating, distributing, updating and maintaining key material.

Taking a WiMAX network as an example, the key material comprises at least one of the following:

(1) MAK (MBS authorization key) and its related parameters

Used together with the MGTEK (multicast group traffic encryption key) to generate the MTK (multicast traffic key); it is issued by the higher-layer multicast service provider to the users authorized for the service;

specifically: the MAK, the remaining lifetime of the MAK and the MAK sequence number;

(2) MGTEK and its related parameters

Used together with the MAK to generate the MTK; it is issued by the operator's network to the users or devices authorized to access the network, and comprises:

the MGTEK, the remaining lifetime of the MGTEK and the MGTEK sequence number;

(3) GKEK (group key encryption key) and its parameters

The GKEK protects the MGTEK: the MGTEK is encrypted under it for delivery to the terminal. The parameters are:

the GKEK, the GKEK sequence number, the GKEK identifier, the remaining lifetime of the GKEK, CMAC_KEY_G (the cipher-based message authentication code key for multicast key-update messages) and CMAC_PN_G (the packet number of the multicast key-update message authentication code);

(4) MBSGSA (multicast group security association) and its related parameters

In a WiMAX network the MBSGSA specifies, for the MBS (multicast and broadcast service), the algorithm and encryption mode used for the multicast keys and for data encryption. It comprises:

the MBSGSA identifier, the MBSGSA type, the MBSGSA cipher suite, the MBSGSA service type, the sequence number of the downlink packets sent as recorded by the base station, the sequence number of the downlink packets received as recorded by the terminal, the old MGTEK parameters and the new MGTEK parameters;

(5) MTK and its related parameters

Used to encrypt the multicast data transmitted over the air interface.

In the invention, the initial generation and distribution of key material can proceed in either of two ways:

(1) First implementation:

First, the key manager generates the key material required by the multicast service. The key material generated in the key manager comprises: the multicast service authorization key and its related parameters, the multicast service key encryption key and its related parameters, the multicast service traffic encryption key and its parameters, and the security association specifying the encryption algorithm and mode.

The key manager then sends the key material to the base station, namely: the multicast service authorization key and its related parameters, the multicast service key encryption key and its related parameters, the multicast service traffic encryption key and its parameters, and the security association specifying the encryption algorithm and mode.

Finally, after receiving the key material, the base station generates from it the remaining key material needed for the multicast service, for example the MTK and its related parameters.

(2) Second implementation:

The initial generation and distribution of key material may instead proceed as follows:

First, the key manager generates the key material required by the multicast service: the multicast service authorization key and its related parameters, the multicast service key encryption key and its related parameters, the multicast service traffic encryption key and its parameters, the security association specifying the encryption algorithm and mode, and the MTK and its related parameters; that is, all the key material needed for the multicast service is generated in the key manager.

The key manager then sends the key material to the base station, namely: the multicast service key encryption key and its related parameters, the multicast service traffic encryption key and its parameters, the security association specifying the encryption algorithm and mode, and the MTK and its related parameters. Because in this case the base station already holds all the key material needed for the multicast service, no key material need be generated at the base station; it can encrypt the air-interface multicast service directly with the key material received from the key manager.

In the invention, to keep air-interface multicast encryption reliable, the key material must also be updated. The update may be triggered before the remaining lifetime of a key expires, or under other configured conditions.

Updating the key material follows the same process as its initial generation: the key manager again generates the key material required by the multicast service and sends it to the base station; the base station then replaces the original key material with it, and may also generate any other required key material, such as the MTK and its related parameters, locally before updating the corresponding key material.

To aid understanding, the application of the invention to a WiMAX network is described below with reference to the drawings.

Embodiment one

This embodiment covers the initial generation of key material, with the MTK generated in the key manager, as shown in Figure 1:

Step 11: the key manager generates the key material required by the multicast service;

The key material comprises the MAK and its related parameters, the MGTEK and its related parameters, the GKEK and its parameters, the MBSGSA and/or the MTK and its related parameters, where:

the MAK and its related parameters comprise: the MAK, the remaining lifetime of the MAK and the MAK sequence number;

the MGTEK and its related parameters comprise: the MGTEK, the remaining lifetime of the MGTEK and the MGTEK sequence number;

the GKEK and its related parameters comprise: the GKEK, the GKEK sequence number, the GKEK identifier, the remaining lifetime of the GKEK, CMAC_KEY_G and CMAC_PN_G;

the MBSGSA and its related parameters comprise: the MBSGSA identifier, the MBSGSA type, the MBSGSA cipher suite, the MBSGSA service type, the sequence number of the downlink packets sent as recorded by the base station, the sequence number of the downlink packets received as recorded by the terminal, the old MGTEK parameters and the new MGTEK parameters;

the MTK and its related parameters comprise: the MTK generated jointly from the MGTEK and the MAK, the remaining lifetime of the MTK, the MTK sequence number, the initialization vector for the encryption method and mode, and the associated GKEK sequence number;

Step 12: the key manager sends the key material it generated to the base station;

The key material comprises at least one of: the MGTEK and its related parameters, the MGKEK and its parameters, the MBSGSA, and the MTK and its related parameters;

The base station can then use the key material received from the key manager to encrypt the air-interface multicast service.

Embodiment two

This embodiment covers the initial generation of key material, with the MTK generated at the base station, as shown in Figure 2:

Step 21: the key manager generates the key material required by the multicast service;

The key material comprises: the MAK and its related parameters, the MGTEK and its related parameters, the GKEK and its parameters, the MBSGSA, and the MTK and its related parameters;

The content of each item of key material is as in embodiment one and is not repeated here;

Step 22: the key manager sends the key material to the base station;

The key material comprises: the MGTEK and its related parameters, the MAK and its related parameters, the MGKEK and its parameters, and the MBSGSA;

Step 23: the base station receives the key material and generates the MTK and its related parameters from it;

Specifically, the base station generates the MTK and its related parameters from the MGTEK and the MAK: the MTK, the remaining lifetime of the MTK, the MTK sequence number, the initialization vector for the encryption method and mode, and the associated GKEK sequence number;

Thus, although the key material generated by the key manager does not include the MTK and its related parameters, they can be generated at the base station, which therefore still obtains the complete key material needed for the multicast service and can encrypt the air-interface multicast service.
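The following Python simulation is an added example, not code from the patent or from Huawei, covering the key-material list above and both embodiments: a key manager that either derives the MTK itself (embodiment one) or leaves it to the base station (embodiment two), the base station completing the key material from the MAK and MGTEK, an update trigger that fires before the remaining lifetime of the shortest-lived key expires, and a key-update message authenticated with CMAC_KEY_G and protected against replay by CMAC_PN_G. The page names MAK and MGTEK as the MTK inputs but not the derivation function, so HMAC-SHA256 stands in for the KDF and for the CMAC (the standard library has no AES-CMAC); key values, lifetimes and the MBSGSA fields are constructed. The GKEK-wrapping of the MGTEK toward the terminal and the data encryption itself are not shown.

```python
"""Key manager -> base station multicast key material exchange (added illustration).
HMAC-SHA256 is a stand-in for the MTK derivation and for CMAC; not the 802.16 primitives."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Key:
    value: bytes
    seq: int            # key sequence number
    expires_at: float   # absolute time; remaining lifetime = expires_at - now

    def remaining(self, now: float) -> float:
        return max(0.0, self.expires_at - now)


@dataclass
class KeyMaterial:
    mak: Key
    mgtek: Key
    gkek: Key
    gkek_id: int
    cmac_key_g: bytes           # MAC key for key-update messages
    cmac_pn_g: int              # MAC packet number, the anti-replay counter
    mbsgsa: dict                # constructed security association fields
    mtk: Optional[Key] = None   # present only if the key manager derived it


def derive_mtk(mak: Key, mgtek: Key) -> Key:
    """MTK from MAK and MGTEK (stand-in KDF); the MTK cannot outlive either input."""
    value = hmac.new(mak.value, mgtek.value + b"MTK", hashlib.sha256).digest()[:16]
    return Key(value, mgtek.seq, min(mak.expires_at, mgtek.expires_at))


def _mac(key: bytes, pn: int, payload: bytes) -> bytes:
    return hmac.new(key, pn.to_bytes(4, "big") + payload, hashlib.sha256).digest()[:8]


class KeyManager:
    """mtk_at_km=True: embodiment one (MTK sent); False: embodiment two (MTK derived at BS)."""

    def __init__(self, mtk_at_km: bool, lifetime: float) -> None:
        self.mtk_at_km = mtk_at_km
        self.lifetime = lifetime
        self.seq = 0
        self.cmac_key_g = os.urandom(16)
        self.cmac_pn_g = 0

    def generate(self, now: float) -> KeyMaterial:
        self.seq += 1
        exp = now + self.lifetime
        km = KeyMaterial(
            mak=Key(os.urandom(16), self.seq, exp),
            mgtek=Key(os.urandom(16), self.seq, exp),
            gkek=Key(os.urandom(16), self.seq, exp),
            gkek_id=self.seq,
            cmac_key_g=self.cmac_key_g,
            cmac_pn_g=self.cmac_pn_g,
            mbsgsa={"id": 1, "cipher_suite": "AES-CCM", "mgtek_seq": self.seq},
        )
        if self.mtk_at_km:
            km.mtk = derive_mtk(km.mak, km.mgtek)
        return km

    def sign_update(self, payload: bytes) -> Tuple[int, bytes]:
        """Authenticate a key-update message; the packet number grows on every message."""
        self.cmac_pn_g += 1
        return self.cmac_pn_g, _mac(self.cmac_key_g, self.cmac_pn_g, payload)


class BaseStation:
    def __init__(self) -> None:
        self.material: Optional[KeyMaterial] = None
        self.last_pn = -1

    def install(self, km: KeyMaterial) -> KeyMaterial:
        """Embodiment two: complete the received material by deriving the missing MTK."""
        if km.mtk is None:
            km.mtk = derive_mtk(km.mak, km.mgtek)
        self.material = km
        self.last_pn = km.cmac_pn_g
        return km

    def needs_rekey(self, now: float, margin: float) -> bool:
        """Trigger an update before the shortest remaining lifetime runs out."""
        m = self.material
        return min(k.remaining(now) for k in (m.mak, m.mgtek, m.gkek, m.mtk)) <= margin

    def accept_update(self, pn: int, payload: bytes, tag: bytes) -> bool:
        """Reject replayed (old packet number) or forged (bad MAC) key-update messages."""
        if pn <= self.last_pn:
            return False
        if not hmac.compare_digest(_mac(self.material.cmac_key_g, pn, payload), tag):
            return False
        self.last_pn = pn
        return True


if __name__ == "__main__":
    bs = BaseStation()
    mat = bs.install(KeyManager(mtk_at_km=False, lifetime=100.0).generate(now=0.0))
    print("MTK derived at base station:", mat.mtk.value.hex(), "rekey at t=95:", bs.needs_rekey(95.0, 10.0))
```

The rekey margin and the MAC truncation length are illustration choices; the point the page makes is that the base station ends up with the full key set either way, and that the update path carries its own MAC key and packet number so that a stale or forged key-update cannot roll the base station back to old material.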

The invention also provides a system for improving the security of multicast services in a wireless communication system, shown in Figure 3, comprising the following functional units:

(1) Key material sending unit

Located in the key manager of the wireless communication system; sends the key material generated by the key manager for the multicast service, that is, every item of key material required for air-interface multicast encryption, to the base station;

The key material comprises at least one of the MAK and its related parameters, the MGTEK and its related parameters, the GKEK and its related parameters, the MBSGSA, and the MTK and its related parameters.

(2) Security processing unit

Located in the base station of the wireless communication system; uses the received key material to encrypt the air-interface multicast service exchanged between the base station and the user terminal, thereby securing the transmission of the air-interface multicast service.

Note that the key material required for the multicast service may be generated entirely by the key manager and sent to the base station, or the key manager may generate part of it and the base station generate the rest from the part received, so that the base station obtains the complete key material;

When the key material generated by the key manager is partial, for example when it does not include the MTK and its related parameters, the system further comprises:

(3) Key information generation unit

Located in the base station of the wireless communication system; generates, from the key material received by the base station, the remaining key material of the complete set and provides it to the security processing unit, so that the security processing unit has the complete key material with which to secure the air-interface information;

For example, the key information generation unit may comprise an MTK information generation unit that generates the MTK and its related parameters not generated in the key manager and provides them to the security processing unit.

In summary, in a wireless communication system such as WiMAX the base station can obtain the key material required for air-interface service transmission and thereby effectively secure the air-interface service, for example the user terminal's location and session information. The invention is particularly suited to securing air-interface multicast services in a wireless communication system.

The above is only a preferred embodiment of the invention; its scope of protection is not limited to it, and any change or substitution that a person skilled in the art could readily conceive within the technical scope disclosed here falls within the scope of protection of the invention. The scope of protection of the invention is therefore defined by the claims.

Claims (12)

1. A method for improving the security of multicast services in a wireless communication system, characterized in that it comprises:

A. in the wireless communication system, the key manager sends the key material it has generated for the multicast service to the base station, the key material comprising at least one of the MBS authorization key MAK and its related parameters, the multicast group traffic encryption key MGTEK and its related parameters, the group key encryption key GKEK and its related parameters, the multicast group security association MBSGSA, or the multicast traffic key MTK and its related parameters;

B. after receiving the key material, the base station uses it to encrypt the air-interface multicast service exchanged between the base station and the user terminal;

wherein the MAK indicates that the user is authorized for the corresponding MBS service and is used together with the MGTEK to generate the MTK; the MGTEK is the key obtained when the terminal establishes an MBS service connection with the network and is used together with the MAK to generate the MTK; the GKEK is used to encrypt the GTEK or MGTEK so that they are transferred securely between devices; the MBSGSA contains the security information associated with the MBS service; and the MTK is the key used to encrypt the MBS service transmitted over the air interface.

2. The method according to claim 1, characterized in that the MAK and its related parameters comprise: the MAK, the remaining lifetime of the MAK and/or the MAK sequence number.

3. The method according to claim 1, characterized in that the GKEK and its related parameters comprise: the GKEK, the GKEK sequence number, the GKEK identifier, the remaining lifetime of the GKEK, the cipher-based message authentication code key CMAC_KEY_G for multicast key-update messages and/or the packet number CMAC_PN_G of the multicast key-update message authentication code.

4. The method according to claim 1, characterized in that the MGTEK and its related parameters comprise: the MGTEK, the remaining lifetime of the MGTEK and/or the MGTEK sequence number.

5. The method according to claim 1, characterized in that the MBSGSA and its related parameters comprise: the MBSGSA identifier, the MBSGSA type, the MBSGSA cipher suite, the MBSGSA service type, the sequence number of the downlink packets sent as recorded by the base station, the sequence number of the downlink packets received as recorded by the terminal, the old MGTEK parameters and/or the new MGTEK parameters.

6. The method according to any one of claims 1 to 5, characterized in that step A comprises:

A1. the key manager generates at least one item of key material comprising the MAK and its related parameters, the MGTEK and its related parameters, the GKEK and its parameters, and the MBSGSA;

or

A2. the key manager generates at least one item of key material comprising the MAK and its related parameters, the MGTEK and its related parameters, the GKEK and its parameters, the MBSGSA, and the MTK and its related parameters.

7. The method according to claim 6, characterized in that, when step A1 is performed, step B further comprises: after receiving the key material from the key manager, the base station generates the MTK and its related parameters from it and uses the generated MTK and parameters, together with the received key material, as the key material for air-interface service transmission.

8. The method according to any one of claims 1 to 5, characterized in that the method further comprises updating the key material generated by the key manager.

9. The method according to claim 8, characterized in that the method comprises triggering the update of the key material before the remaining lifetime of a key expires.

10. A system for improving the security of multicast services in a wireless communication system, characterized in that it comprises:

a key material sending unit, located in the key manager of the wireless communication system, for sending the key material generated by the key manager for the multicast service to the base station, the key material comprising at least one of the MBS authorization key MAK and its related parameters, the multicast group traffic encryption key MGTEK and its related parameters, the group key encryption key GKEK and its related parameters, the multicast group security association MBSGSA, or the multicast traffic key MTK and its related parameters;

a security processing unit, located in the base station of the wireless communication system, for encrypting the air-interface multicast service exchanged between the base station and the user terminal with the received key material;

wherein the MAK indicates that the user is authorized for the corresponding MBS service and is used together with the MGTEK to generate the MTK; the MGTEK is the key obtained when the terminal establishes an MBS service connection with the network and is used together with the MAK to generate the MTK; the GKEK is used to encrypt the GTEK or MGTEK so that they are transferred securely between devices; the MBSGSA contains the security information associated with the MBS service; and the MTK is the key used to encrypt the MBS service transmitted over the air interface.
11.根据权利要求10所述的系统,其特征在于,当密钥管理器生成的密钥材料为部分密钥材料时,则所述的系统还包括:11. The system according to claim 10, wherein when the key material generated by the key manager is part of the key material, the system further comprises: 密钥信息生成单元,设置于无线通信系统的基站中,用于根据基站收到的部分密钥材料生成完整的密钥材料包括的其余密钥材料,并提供给安全处理单元。The key information generation unit is set in the base station of the wireless communication system, and is used to generate the remaining key material included in the complete key material according to the part of the key material received by the base station, and provide it to the security processing unit. 12.根据权利要求11所述的系统,其特征在于,所述的密钥信息生成单元包括:12. The system according to claim 11, wherein the key information generation unit comprises: MTK信息生成单元,用于根据收到的部分密钥材料生成MTK及相关参数信息,并提供给安全处理单元。The MTK information generation unit is used to generate MTK and related parameter information according to the received part of the key material, and provide them to the security processing unit.
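The key-material flow of claims 1, 6, 7 and 9 as an added Python model (not code from the patent or from Huawei): the key manager produces MAK, MGTEK and GKEK with lifetimes and sequence numbers, the base station completes partial material by generating the MTK itself, and an update is triggered before a remaining lifetime runs out. The HMAC-SHA256 derivation, the lifetimes in seconds and the rekey threshold are assumptions, not values from the claims.

```python
"""Key-material flow from the key manager to a base station for MBS multicast,
modelled on the claims above. Lifetimes are in seconds, the MTK derivation is an
HMAC-SHA256 stand-in for the real one, and the rekey threshold is assumed."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

REKEY_THRESHOLD = 60  # remaining life time (s) at which an update is triggered (assumed)

@dataclass
class KeyWithParams:
    key: bytes
    remaining_lifetime: int  # the "remaining life time" of claims 2 to 4
    sequence_number: int     # the "sequence number" of claims 2 to 4

@dataclass
class KeyMaterial:
    """What the key manager sends to the base station (claim 1, step A)."""
    mak: KeyWithParams
    mgtek: KeyWithParams
    gkek: KeyWithParams
    mtk: Optional[KeyWithParams] = None  # absent in the partial case (step A1)

def derive_mtk(mak: KeyWithParams, mgtek: KeyWithParams) -> KeyWithParams:
    """MTK is generated from MAK together with MGTEK (claim 1); KDF assumed."""
    mtk = hmac.new(mak.key, mgtek.key + b"MTK", hashlib.sha256).digest()[:16]
    # An MTK cannot outlive either parent key; its sequence number follows MGTEK.
    life = min(mak.remaining_lifetime, mgtek.remaining_lifetime)
    return KeyWithParams(mtk, life, mgtek.sequence_number)

def key_manager_generate(partial: bool = True) -> KeyMaterial:
    """Step A1 (partial: no MTK) or step A2 (complete: MTK included)."""
    mak = KeyWithParams(secrets.token_bytes(20), 3600, 1)
    mgtek = KeyWithParams(secrets.token_bytes(16), 600, 1)
    gkek = KeyWithParams(secrets.token_bytes(16), 1800, 1)
    return KeyMaterial(mak, mgtek, gkek, None if partial else derive_mtk(mak, mgtek))

def base_station_complete(material: KeyMaterial) -> KeyMaterial:
    """Claims 7 and 11: the base station generates the missing MTK itself."""
    if material.mtk is None:
        material.mtk = derive_mtk(material.mak, material.mgtek)
    return material

def keys_needing_update(material: KeyMaterial) -> list:
    """Claim 9: the update is triggered before the remaining life time expires."""
    return [name for name in ("mak", "mgtek", "gkek")
            if getattr(material, name).remaining_lifetime <= REKEY_THRESHOLD]
```

Because the MTK is bound to the MGTEK sequence number, rolling the MGTEK (the old/new MGTEK parameters of claim 5) yields a fresh MTK without touching the MAK.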
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2006100721513A CN101056169B (en) 2006-04-14 2006-04-14 Method and system for improving the multicast service security of the radio communication system
Publications (2)

Publication Number Publication Date
CN101056169A CN101056169A (en) 2007-10-17
CN101056169B (en) 2011-07-20

Family ID: 38795799

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101415187B (en) * 2007-10-19 2011-12-28 华为技术有限公司 Method for implementing position business, method and apparatus for broadcasting base station geographic position information
CN101345677B (en) * 2008-08-21 2011-06-01 西安西电捷通无线网络通信股份有限公司 Method for improving security of broadcast or multicast system
CN102761830A (en) * 2011-04-27 2012-10-31 华为终端有限公司 Multicasting secret key updating and sending methods, access point device, terminal device and system

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1599326A (en) * 2003-09-16 2005-03-23 华为技术有限公司 Method for dynamic changing group information in group service
CN1625173A (en) * 2003-12-05 2005-06-08 华为技术有限公司 Optimization Method of Transmission Control Protocol in Mobile Communication System
CN1751533A (en) * 2003-02-20 2006-03-22 西门子公司 Method for forming and distributing encryption keys in a mobile radio system and mobile radio system
CN1756149A (en) * 2004-09-30 2006-04-05 株式会社日立制作所 Key update method and system in decentralized environment

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C17 Cessation of patent right
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20110720

Termination date: 20130414