Background technology
In a wireless communication system, to guarantee the security of communication, a user terminal that needs to communicate with a base station must first establish with it an identical authorization key context, i.e. an AK context. The AK context comprises the following information:
Authorization key (AK); authorization key identifier (AKID); authorization key sequence number (AK Sequence Number); authorization key lifetime (AK Lifetime); pairwise master key sequence number (PMK Sequence Number); uplink message integrity protection key (HMAC/CMAC_KEY_U); uplink anti-replay packet number (HMAC/CMAC_PN_U, abbreviated PN_U); downlink message integrity protection key (HMAC/CMAC_KEY_D); downlink anti-replay packet number (HMAC/CMAC_PN_D, abbreviated PN_D); key encryption key (KEK); integrity key (EIK).
HMAC/CMAC_KEY_U and HMAC/CMAC_KEY_D are computed by the base station from the AK, the terminal's media access control (MAC) address and the base station identifier, and are used to provide integrity protection for uplink and downlink messages respectively;
PN_U and PN_D are two 32-bit counters. When the AK context is established, both counters are 0. Thereafter, each time HMAC/CMAC_KEY_U is used to integrity-protect an uplink message, the terminal increments PN_U by 1; each time HMAC/CMAC_KEY_D is used to integrity-protect a downlink message, the base station increments PN_D by 1. If the number space of PN_U or PN_D is exhausted (either value reaches 2^32-1), or the AK lifetime in the AK context expires, the lifetime of the AK ends. To keep communication from being interrupted, a new AK should be requested before the AK lifetime ends.
After a terminal hands over to a target base station, no re-authentication is performed, but the corresponding AK needs to be updated. If PN_U and PN_D in the AK context restart counting after the terminal hands over to the target base station, then when the terminal enters the same base station twice it may be subjected to a replay attack.
In the prior art, the following two solutions have mainly been adopted to avoid replay attacks after a user terminal hands over.
(1) The first implementation currently adopted is AK caching, i.e. the AK context is cached at both the terminal and the base station. The terminal creates an AK context for every base station it enters, and does not delete the AK context created for a base station even after leaving it. Likewise, on the base station side, whenever a terminal accesses, the base station requests an AK from the authenticator and generates a context, so that when the terminal moves between base stations, different base stations use different AK contexts, thereby avoiding replay attacks.
It is not hard to see that this implementation requires the terminal and the network-side base stations to cache a large number of AK contexts, which makes the scheme very difficult to realize.
(2) The other implementation currently adopted is context transfer, i.e. the terminal and the network each keep only one AK context; when the terminal moves, the AK may change but the PN values continue to be used. Because in this method the new base station must obtain the current PN value from the old base station in order to keep using the PN values continuously, mutual trust between the two base stations is required, yet such mutual trust is very difficult to guarantee in practice.
Therefore, there is currently no easily realizable technical solution that effectively solves the replay attack problem that may arise after a user terminal hands over.
Summary of the invention
The purpose of the present invention is to provide a method and system for preventing replay attacks in a wireless network, so that the communication between a user terminal and a base station cannot be subjected to replay attacks, thereby effectively guaranteeing the security of network communication.
The objective of the invention is achieved through the following technical solutions:
The invention provides a method for preventing replay attacks in a wireless network, comprising:
A. The information sending end updates the key using a predetermined algorithm over reference information that includes the current key and a frame number, and uses the updated key to send the message;
B. The information receiving end locally computes the updated key using the same predetermined algorithm over the reference information that includes the current key and the frame number, and uses the updated key to verify the legitimacy of the received message.
In the present invention:
When the information sending end is a mobile terminal and the information receiving end is a base station, the key is the uplink integrity protection key;
When the information sending end is a base station and the information receiving end is a mobile terminal, the key is the downlink integrity protection key.
Step A further comprises:
Using the updated key to generate the message authentication code required for sending the message, and using the updated key as the new key.
In the present invention, before step A is carried out, the method further comprises:
When the information sending end determines that it needs to send the first ranging request or ranging response message, it determines the current key and the frame number corresponding to that message, and then performs step A.
The reference information further comprises time parameter information, which is sent to the information receiving end and used by it to identify whether the message is a legitimate message within the current frame-number cycle.
The time parameter comprises:
The time for which the security context has existed; or the remaining time of the security context; or current time information; or time information determined from the time for which the security context has existed, the remaining time of the security context, or the current time.
Step A further comprises: sending the time parameter to the information receiving end in plaintext.
In the present invention, before step B is carried out, the method further comprises:
C. At the information receiving end, judging the legitimacy of the received message according to the consistency between the received time parameter information and the corresponding locally maintained time parameter information, and carrying out step B when the message is determined to be legitimate.
Step C comprises:
Judging whether the difference between the received time parameter information and the corresponding locally maintained time parameter information is less than a predetermined value; if so, confirming that the received message is legitimate and performing step B; otherwise, confirming that the received message is illegitimate.
The present invention also provides a sending device for preventing replay attacks in a wireless network, comprising:
A reference information acquiring unit, arranged at the information sending end, for obtaining, when information needs to be sent, the reference information that includes the key and the frame number, and providing it to the key updating unit;
A key updating unit, arranged at the information sending end, for computing the updated key with a predetermined algorithm from the reference information that includes the key and the frame number, and providing it to the message sending unit;
A message sending unit, arranged at the information sending end, for sending messages using the updated key.
The reference information acquiring unit further comprises:
A time parameter acquiring unit, for obtaining the time parameter information maintained by the information sending end and providing it to the key updating unit and the message sending unit as reference information.
The information sending end is a user terminal or a base station.
The present invention also provides a receiving device for preventing replay attacks in a wireless network, comprising:
A key updating unit, arranged at the information receiving end, for computing the updated key from the reference information that includes the key and the frame number corresponding to the received message, using the same predetermined algorithm as the sending end, and providing it to the legitimacy judging unit;
A message receiving unit, arranged at the information receiving end, for receiving messages and providing the reference information that includes the key and the frame number corresponding to each message to the key updating unit;
A legitimacy judging unit, arranged at the information receiving end, for judging the legitimacy of the messages received by the message receiving unit using the computed updated key.
The legitimacy judging unit further comprises:
A time parameter judging unit, for judging the legitimacy of a received message according to the consistency between the reference time information received by the message receiving unit and the locally maintained time parameter information.
The information receiving end is a user terminal or a base station.
The present invention also provides a system for preventing replay attacks, comprising:
An information sending apparatus for preventing replay attacks, for sending messages to the information receiving apparatus using the updated key, optionally including time parameter information in the messages;
An information receiving apparatus for preventing replay attacks, for receiving the messages sent by the information sending apparatus, judging the legitimacy of the received messages using the locally updated key, and optionally judging their legitimacy according to the received time parameter information and the locally maintained time parameter information.
As can be seen from the technical solution provided by the invention, after a user terminal accesses a new base station, new CMAC_KEY_U and CMAC_KEY_D are generated according to the frame numbers of the messages exchanged between the user terminal and the base station, so the replay attack problem on the air interface can be solved thoroughly. Moreover, in the present invention PN_U and PN_D can restart counting after the user terminal hands over to a new base station without giving rise to replay attacks, and security context information no longer needs to be transferred between base stations, which makes avoiding replay attacks easier to implement.
Therefore, in the present invention, a user terminal that has handed over to a new base station is no longer subject to replay attacks, which effectively guarantees the security of communication between the user terminal and the base station.
Embodiment
The invention provides a method for preventing replay attacks in a wireless system. With this method, the terminal and the network need not maintain the PN values separately, and the protection remains effective across handover.
In a wireless communication system, a message must be carried on one or several specific frames, and every frame has a frame number. Even if an attacker has intercepted a message, it cannot replay that message within the same frame; it can only choose to launch the replay attack at the next moment when the same frame number is used.
Therefore, in its implementation the present invention can use the frame number to apply a further transformation to the generated CMAC_KEY_U and CMAC_KEY_D, so that the MS uses different CMAC_KEY_U and CMAC_KEY_D values for different accesses to the same base station.
The specific implementation provided by the invention is described in detail below with reference to the accompanying drawings.
As shown in Figure 1, the method of the present invention specifically comprises:
Step 11: After the mobile terminal hands over, it uses the frame number of the frame carrying the first RNG-REQ (ranging request) message sent to the new base station to process CMAC_KEY_U and obtain CMAC_KEY_U', i.e. CMAC_KEY_U' = f1(CMAC_KEY_U, frame number), where f1 is a configured processing function representing an operation that applies the frame number to the current CMAC_KEY_U value; CMAC_KEY_U' is obtained after the operation;
It should be noted that the mobile terminal may also perform the corresponding processing at the moment it sends some other message to the base station in order to obtain CMAC_KEY_U', and this value must be confirmed by the base station;
In this step, if the mobile terminal does not receive the corresponding RNG-RSP message after sending RNG-REQ, it may retransmit the RNG-REQ message, using the frame number of the frame carrying the retransmitted message to recompute CMAC_KEY_U' according to the formula CMAC_KEY_U' = f1(CMAC_KEY_U, frame number);
Step 12: Use the computed CMAC_KEY_U' to generate the uplink message authentication code, append it to the end of the RNG-REQ message and send it, and at the same time use CMAC_KEY_U' as the new CMAC_KEY_U.
Step 13: After the base station receives the RNG-REQ message, it applies the same algorithm f1 to the CMAC_KEY_U held at the base station, using the frame number of the frame carrying the message, and obtains the corresponding CMAC_KEY_U' = f1(CMAC_KEY_U, frame number);
Step 14: Use the obtained CMAC_KEY_U' to verify the uplink message authentication code in the RNG-REQ message. If it is correct, the message is considered legitimate and this CMAC_KEY_U' is used as the new CMAC_KEY_U; if the verification result is incorrect, the message is considered invalid.
After the base station receives the RNG-REQ message, it also needs to return an RNG-RSP response message to the user terminal. The processing for returning the corresponding response message is as follows:
Step 15: The base station uses the frame number of the frame carrying the RNG-RSP message replied to the mobile terminal to process CMAC_KEY_D and obtain CMAC_KEY_D', i.e. CMAC_KEY_D' = f2(CMAC_KEY_D, frame number), where f2 is a configured processing function representing an operation that applies the frame number to the current CMAC_KEY_D value; CMAC_KEY_D' is obtained after the operation;
In this step, f2 may be identical to f1 or different from it;
Step 16: Use the computed CMAC_KEY_D' to generate the downlink message authentication code, append it to the end of the message, and use this CMAC_KEY_D' as the new CMAC_KEY_D.
Step 17: After the mobile terminal receives the RNG-RSP message, it applies the same algorithm f2 to the CMAC_KEY_D held at the mobile terminal, using the frame number of the frame carrying the message, and obtains CMAC_KEY_D'; this step still uses the formula CMAC_KEY_D' = f2(CMAC_KEY_D, frame number);
Step 18: Use CMAC_KEY_D' to verify the downlink message authentication code in the RNG-RSP message. If it is correct, use this CMAC_KEY_D' as the new CMAC_KEY_D; otherwise, the received response message is considered invalid.
The application of the present invention to a WiMAX system is described below as an example.
In a WiMAX system the frame number is only 24 bits long. At 2 ms per frame, the frame numbers are used up after 9.3 hours, after which previously used frame numbers are reused. That is, once the frame number has cycled round, the corresponding frame numbers must be reused, and at that point a replay attack may occur.
For this reason, a time parameter is defined in the present invention. The time parameter information serves as the basis on which the information receiving end identifies whether a message is a legitimate message within the current frame-number cycle;
Moreover, the time parameter may represent the time for which the context corresponding to the key has existed; or the remaining time of the security context; or the local current time; or time information determined from the time for which the context corresponding to the key has existed, the remaining time of the security context, or the local current time.
On the network side the time parameter may be maintained by the authenticator, and the base station obtains the time parameter information it needs from the authenticator;
The time parameter may be sent to the peer in plaintext together with the message, and at the same time the time parameter also serves as a parameter of the authentication code.
In the present invention, the time parameters maintained separately by the network side and the terminal need not be strictly consistent; it is sufficient that the error between them is much smaller than the frame-number cycle.
As shown in Figure 2, taking the current time as the time parameter as an example, the specific implementation of the method of the present invention may comprise the following steps:
(1) Processing for messages sent by the mobile terminal to the base station
Step 21: After the mobile terminal hands over, it uses the frame number of the frame carrying the first RNG-REQ message sent to the new base station and the mobile terminal's current time to process CMAC_KEY_U and obtain CMAC_KEY_U';
That is, CMAC_KEY_U' = f3(CMAC_KEY_U, frame number, time), where f3 is a computation that obtains CMAC_KEY_U' from CMAC_KEY_U, the frame number and the time parameter information; the specific computation is not limited, as long as the sending and receiving ends are consistent;
The time parameter may use various units of measurement, for example seconds or half a frame-number cycle, as long as the unit is not larger than the frame-number cycle.
The time parameter must be maintained separately at the MS and on the network side as part of the security context. On the network side, this time parameter information may specifically be maintained by the authenticator and passed to the base station for use when needed.
Step 22: Use CMAC_KEY_U' to generate the uplink message authentication code, append it to the end of the message, and use CMAC_KEY_U' as the new CMAC_KEY_U;
Step 23: After the base station receives the RNG-REQ message, it applies the same algorithm f3 to the CMAC_KEY_U held at the base station, using the frame number of the frame carrying the message and the time parameter value carried in the message, and obtains CMAC_KEY_U';
Step 24: Compare the time value carried in the message with the base station's current time. If the error is less than a predetermined value, i.e. much smaller than the frame-number cycle, perform step 25; otherwise, confirm that the message is invalid;
Step 25: Use this CMAC_KEY_U' to verify the uplink message authentication code in the RNG-REQ message. If it is correct, the message is considered legitimate and this CMAC_KEY_U' is used as the new CMAC_KEY_U; otherwise, the message is determined to be invalid.
(2) Processing for messages sent by the base station to the mobile terminal
Step 26: The base station uses the frame number of the frame carrying the RNG-RSP message replied to the mobile terminal and the base station's current time to process CMAC_KEY_D and obtain CMAC_KEY_D'.
That is, CMAC_KEY_D' = f4(CMAC_KEY_D, frame number, time), where f4 is a computation that obtains CMAC_KEY_D' from CMAC_KEY_D, the frame number and the time parameter information; the specific computation is not limited, as long as the sending and receiving ends are consistent;
Likewise, the time parameter may use various units of measurement, such as seconds or half a frame-number cycle, and as part of the security context it must be maintained separately at the MS and on the network side; on the network side, this time parameter information may specifically be maintained by the authenticator and passed to the base station for use when needed.
Step 27: Use CMAC_KEY_D' to generate the downlink message authentication code, append it to the end of the message, and use this CMAC_KEY_D' as the new CMAC_KEY_D.
Step 28: After the mobile terminal receives the RNG-RSP message, it applies the same algorithm f4 to the CMAC_KEY_D held at the mobile terminal, using the frame number of the frame carrying the message and the time value carried in the message, and obtains CMAC_KEY_D'.
Step 29: Compare the time parameter value carried in the message with the mobile terminal's current time. If the error is less than a predetermined value, i.e. much smaller than the frame-number cycle, perform step 210; otherwise, confirm that the message is invalid;
Step 210: Use this CMAC_KEY_D' to verify the downlink message authentication code in the RNG-RSP message. If it is correct, the message is considered legitimate and this CMAC_KEY_D' is used as the new CMAC_KEY_D; otherwise, confirm that the message is invalid.
It should be noted that in step 21, if the mobile terminal does not receive the corresponding RNG-RSP message within a preset time after sending RNG-REQ, it may retransmit the RNG-REQ message, and must again update the CMAC_KEY_U value using the frame number of the frame carrying the retransmitted message and the current time to obtain CMAC_KEY_U'.
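The key update of Steps 11-18 (frame number only) and of Steps 21-210 (frame number plus time parameter), as an added Python example that is not part of the patent text: f1..f4 are unspecified on the page, so HMAC-SHA256 stands in for them, the 64-bit authentication code and the 60 s tolerance are assumed values, and the keys, clocks and RNG-REQ payload are constructed. It shows a replayed RNG-REQ rejected at a later frame, accepted again by a fresh context exactly one 24-bit frame cycle later when no time parameter is used, and rejected once the time check of Step 24 is applied.

```python
import hmac
import hashlib
from typing import Optional

FRAME_BITS = 24                 # WiMAX frame-number width stated in the text
FRAME_CYCLE = 1 << FRAME_BITS   # frame numbers repeat after this many frames (~9.3 h at 2 ms)
TIME_TOLERANCE = 60             # seconds; assumed "predetermined value", far below one cycle


def update_key(key: bytes, frame_number: int, time_param: Optional[int]) -> bytes:
    """Stand-in for f1..f4 (unspecified on the page): HMAC-SHA256 over frame number [+ time]."""
    data = (frame_number % FRAME_CYCLE).to_bytes(3, "big")
    if time_param is not None:
        data += time_param.to_bytes(4, "big")
    return hmac.new(key, data, hashlib.sha256).digest()


def auth_code(key: bytes, payload: bytes, time_param: Optional[int]) -> bytes:
    """Authentication code appended to the message; a sent time parameter is covered by it."""
    covered = payload + (time_param.to_bytes(4, "big") if time_param is not None else b"")
    return hmac.new(key, covered, hashlib.sha256).digest()[:8]   # assumed 64-bit tag


class Endpoint:
    """One direction of CMAC_KEY state plus the locally maintained time parameter."""

    def __init__(self, key: bytes, clock: int) -> None:
        self.key = key      # current CMAC_KEY_U (MS->BS) or CMAC_KEY_D (BS->MS)
        self.clock = clock  # local time parameter in seconds (constructed values below)

    def send(self, payload: bytes, frame_number: int, with_time: bool):
        t = self.clock if with_time else None
        new_key = update_key(self.key, frame_number, t)      # Step 11 / 21
        tag = auth_code(new_key, payload, t)                 # Step 12 / 22
        self.key = new_key                                   # updated key becomes the new key
        return payload, t, tag

    def receive(self, payload: bytes, t: Optional[int], tag: bytes, frame_number: int) -> bool:
        if t is not None and abs(t - self.clock) >= TIME_TOLERANCE:
            return False                                     # Step 24 / 29: time parameter off
        new_key = update_key(self.key, frame_number, t)      # Step 13 / 23
        if not hmac.compare_digest(auth_code(new_key, payload, t), tag):
            return False                                     # Step 14: invalid; key unchanged
        self.key = new_key                                   # Step 14 / 25: adopt updated key
        return True


def run_scenarios() -> dict:
    """Constructed exchanges; each MS/BS pair starts from the same CMAC_KEY_U."""
    base_key = hashlib.sha256(b"constructed CMAC_KEY_U").digest()
    rng_req = b"RNG-REQ:constructed-payload"
    frame = 1000
    results = {}

    # 1. Frame number only (Steps 11-14): legitimate RNG-REQ, then a replay a few frames later.
    ms, bs = Endpoint(base_key, 0), Endpoint(base_key, 0)
    captured = ms.send(rng_req, frame, with_time=False)
    results["legit"] = bs.receive(*captured, frame)
    results["replay_later_frame"] = bs.receive(*captured, frame + 7)

    # 2. Wrap-around: a BS context starting from the same key exactly one 24-bit cycle later
    #    derives the same CMAC_KEY_U' and accepts the old message (the problem the text notes).
    late_bs = Endpoint(base_key, 0)
    results["replay_after_wrap_no_time"] = late_bs.receive(*captured, frame + FRAME_CYCLE)

    # 3. With the time parameter (Steps 21-25): a 2 s clock skew passes, a ~9.3 h gap does not.
    ms, bs = Endpoint(base_key, 5000), Endpoint(base_key, 5002)
    captured = ms.send(rng_req, frame, with_time=True)
    results["legit_with_time_skew"] = bs.receive(*captured, frame)
    late_bs = Endpoint(base_key, 5000 + FRAME_CYCLE * 2 // 1000)   # 2 ms frames -> seconds
    results["replay_after_wrap_with_time"] = late_bs.receive(*captured, frame + FRAME_CYCLE)
    return results


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name:30s} {'accepted' if accepted else 'rejected'}")
```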
The present invention also provides a system for preventing replay attacks. As shown in Figure 3, the specific implementation of the system comprises:
An information sending apparatus for preventing replay attacks, arranged at the information sending end, for sending messages to the information receiving apparatus using the updated key, optionally including time parameter information in the messages; the information sending end may be a user terminal or a base station;
An information receiving apparatus for preventing replay attacks, arranged at the information receiving end, for receiving the messages sent by the information sending apparatus, judging the legitimacy of the received messages using the locally updated key, and optionally judging their legitimacy according to the received time parameter information and the locally maintained time parameter information; correspondingly to the information sending end, the information receiving end may be a base station or a user terminal.
The sending device for preventing replay attacks in the wireless network, with reference to Figure 3, specifically comprises the following processing units:
(1) reference information acquiring unit
Used, when information needs to be sent, to obtain the reference information that includes the key and the frame number and provide it to the key updating unit; the reference information acquiring unit further comprises:
A time parameter acquiring unit, for obtaining the time parameter information maintained by the information sending end and providing it to the key updating unit and the message sending unit as reference information.
(2) key updating units
Used to compute the updated key with a predetermined algorithm from the reference information that includes the key and the frame number, and to provide it to the message sending unit;
The key comprises the uplink integrity protection key and the downlink integrity protection key;
(3) message sending unit
Used to send messages using the updated key.
The receiving device for preventing replay attacks in the wireless network, still with reference to Figure 3, specifically comprises the following processing units:
(1) key updating units
Used to compute the updated key from the reference information that includes the key and the frame number corresponding to the received message, using the same predetermined algorithm as the sending end, and to provide it to the legitimacy judging unit;
When the information sending end uses time parameter information as reference information, this key updating unit must likewise use the time parameter information as reference information when updating the key;
The specific algorithm is not limited, as long as it is the same algorithm as used by the sending end;
(2) message sink unit
Used to receive messages and provide the reference information that includes the key and the frame number corresponding to each message to the key updating unit;
(3) legitimacy judging unit
Used to judge the legitimacy of the messages received by the message receiving unit using the computed updated key, specifically by using the updated key to check the authentication code in the received message;
The legitimacy judging unit further comprises:
A time parameter judging unit, for judging the legitimacy of a received message according to the consistency between the reference time information received by the message receiving unit and the locally maintained time parameter information; specifically, it requires only that the received time parameter and the locally maintained time parameter are basically consistent, not that they are exactly identical.
The above is only a preferred embodiment of the present invention, but the protection scope of the present invention is not limited thereto; any variation or replacement that a person skilled in the art can readily conceive within the technical scope disclosed by the present invention should be covered by the protection scope of the present invention. Therefore, the protection scope of the present invention should be determined by the protection scope of the claims.