CN101330379B - A key distribution method and device - Google Patents
- Publication number: CN101330379B, CN2007101230477A
- Authority: CN (China)
- Prior art keywords: key, time, unit, chain, related information
- Legal status: Expired - Fee Related (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Landscapes
- Mobile Radio Communication Systems (AREA)
Abstract
The invention belongs to the field of mobile communication technology and discloses a key distribution method and device. The method comprises the steps of: receiving a key request carrying time-related information; and, according to the current time and the configured key change frequency, obtaining from the configured key chain at least one key corresponding to the time-related information and delivering that key. The method supplies the keys corresponding to the time-related information requested by the user in a single message exchange, instead of delivering a key separately each time the key changes. It therefore reduces the number of key deliveries, which lowers the resource consumption of network equipment and saves network transmission resources.
Description
Technical field
The present invention relates to the field of mobile communication technology, and in particular to a key distribution method and device.
Background
With the rapid development of mobile communication technology, the widespread use of mobile communication networks and the rapid growth in the number of mobile users, broadcast and multicast technology has been quickly adopted in mobile communication networks. Broadcast and multicast technology means broadcasting or multicasting multimedia data to mobile terminals over a shared transmission link. To implement it in mobile communication systems, the third-generation standardization organizations 3GPP and 3GPP2 designed broadcast and multicast services on GSM/WCDMA (Global System for Mobile Communications/Wideband Code Division Multiple Access) and CDMA2000 networks. In 3GPP the project is called Multimedia Broadcast Multicast Service (MBMS); in 3GPP2 it is called Broadcast and Multicast Service (BCMCS).
To keep data secure, the user's identity must be authenticated and the data must be encrypted with a key. In MBMS, for example, the user equipment (UE) and the Broadcast Multicast-Service Center (BM-SC) both store an MBMS Request Key (MRK) in advance, and each derives an MBMS User Key (MUK) with the same algorithm. The BM-SC uses the MRK to identify the UE when it receives the UE's key request. The BM-SC uses the MUK to encrypt, and so protect, the MBMS Service Key (MSK) when it sends the MSK to the UE point to point. FIG. 1 is a flowchart of key delivery, and of encryption and decryption with those keys, in the prior art. It comprises the following steps:
11. The UE sends an HTTP Digest Authentication (MRK) message to the BM-SC for identity authentication and to request a key.
12. The BM-SC authenticates the UE according to the MRK. Once authentication succeeds, it encrypts the MSK with the MUK and delivers the MUK-encrypted packet containing the MSK to the UE in a MIKEY MSK delivery (protect with MUK) message.
13. The UE decrypts the packet sent in step 12 with the MUK to obtain the MSK.
14. The BM-SC encrypts the MBMS Traffic Key (MTK) with the MSK and delivers the MSK-encrypted packet containing the MTK to the UE in a MIKEY MTK delivery (protect with MSK) message. For user terminal devices such as mobile phones, the MTK is what the UE uses to decrypt the MBMS data it receives.
15. The UE uses the MSK obtained in step 13 to decrypt the packet delivered in step 14 and obtain the MTK.
16. The BM-SC encrypts the MBMS media stream supplied by the content provider with the MTK and transmits it to the UE.
17. The UE uses the MTK obtained in step 15 to decrypt the MBMS media stream transmitted in step 16 and obtain the correct data.
To keep data transmission secure, the MSK must be changed at regular intervals. In the prior art, when the BM-SC determines that the time to change the MSK has arrived, it sends a MIKEY MSK delivery message to the UE over the User Datagram Protocol (UDP). The message carries the changed MSK in a packet encrypted with the MUK. Because UDP is unreliable, the user terminal returns a MIKEY ACK (protect with MUK) acknowledgement to the BM-SC when it receives the MIKEY MSK delivery (protect with MUK) message, which makes the transfer reliable.
In the course of making the present invention, the inventors found that in this prior-art key delivery scheme the BM-SC and the UE have to exchange a message carrying the MSK every time the MSK is due to change, so the number of messages is large. In addition, because the unreliable UDP transport is used, acknowledgements must be sent to make the transfer reliable, and because the MSK must be changed fairly frequently for data security, there are many acknowledgements as well. Since MBMS generally has a large number of users, the number of messages exchanged with the BM-SC server becomes very large.
Summary of the invention
The technical problem addressed by the embodiments of the present invention is to provide a key distribution method and device that reduce the number of messages exchanged during key delivery.
To solve this technical problem, the embodiments of the present invention adopt the following technical solutions.
An embodiment of the present invention provides a key distribution method, comprising:
receiving a key request carrying time-related information;
according to the current time and the configured key change frequency, obtaining from the configured key chain at least one key corresponding to the time-related information, and delivering the key.
An embodiment of the present invention also provides a key distribution device, comprising:
a receiving unit, configured to receive a key request carrying time-related information;
a storage unit, configured to store the configured key change frequency and the configured key chain;
a key acquisition unit, configured to obtain, according to the current time and the key change frequency stored in the storage unit, at least one key corresponding to the time-related information from the key chain stored in the storage unit;
a key delivery unit, configured to deliver the key obtained by the key acquisition unit.
As the above technical solutions show, the embodiments of the present invention obtain the keys corresponding to the time-related information from the configured key chain according to the current time and the key change frequency, and deliver them in one go rather than separately at every key change. This reduces the number of key deliveries, which lowers the resource consumption of network equipment and saves network transmission resources.
Brief description of the drawings
FIG. 1 is a flowchart of key delivery, and of encryption and decryption with those keys, in the prior art;
FIG. 2 is a flowchart of the key distribution method of Embodiment 1 of the present invention;
FIG. 3 is a flowchart of the key distribution method of Embodiment 2 of the present invention;
FIG. 4 is a flowchart of the key distribution method of Embodiment 3 of the present invention;
FIG. 5 is a flowchart of the key distribution method of Embodiment 4 of the present invention;
FIG. 6 is a structural diagram of the key distribution device of Embodiment 5 of the present invention;
FIG. 7 is a structural diagram of the key distribution device of Embodiment 6 of the present invention;
FIG. 8 is a structural diagram of the key distribution device of Embodiment 7 of the present invention;
FIG. 9 is a structural diagram of the key distribution device of Embodiment 8 of the present invention.
Detailed description
To make the purpose, technical solutions and advantages of the embodiments of the present invention clearer, the embodiments are described in detail below with reference to the drawings, using a concrete application in MBMS.
Embodiment 1: depending on the duration the UE requests, the BM-SC generates the key corresponding to the requested duration and delivers it to the UE.
FIG. 2 is a flowchart of key delivery in Embodiment 1. The process by which the BM-SC delivers to the UE the key corresponding to the duration the user requested is as follows:
21. A key chain and a key change frequency are configured in the BM-SC.
The key chain can be generated from a root key and a one-way function. For example, with root key k1 and one-way function f, the keys in the chain generated from k1 and f are, in order, k1, k2, k3, ..., where k2 = f(k1), k3 = f(k2) = f²(k1), ...
The key change frequency is set to once every 10 minutes.
For example, starting at 00:00 each day, k3 is used for encryption during 00:00-00:10, k2 during 00:10-00:20, k1 during 00:20-00:30, ...
22. The UE sends a key request carrying the duration requested by the user.
For example, the UE sends the key request to the BM-SC in an HTTP POST (List of Key Domain ID-MSK ID Pairs) message that carries the duration requested by the user.
23. According to the current time and the key change frequency set in step 21, the BM-SC obtains from the key chain set in step 21 the key corresponding to the duration requested by the user.
Because the keys in the key chain set in step 21 are related by k2 = f(k1), k3 = f(k2) = f²(k1), ..., a UE that holds k1 or k2 can derive k3 directly and can therefore decrypt a media stream encrypted with k3, and a UE that holds k1 can derive k2 and can therefore decrypt a media stream encrypted with k2.
Suppose a key request from the UE is received at 00:00 asking for 10 minutes of the media stream. The key obtained from the key chain is then k3. With it the UE can decrypt the media stream for 00:00-00:10, but k3 cannot decrypt the media stream after 00:10.
Suppose a key request from the UE is received at 00:07 asking for 10 minutes of the media stream. The key obtained from the key chain is then k2. k2 decrypts the media stream for 00:10-00:20, and because the UE can derive k3 from k2 it can also decrypt the media stream for 00:07-00:10. In all, the user can decrypt the media stream for 00:07-00:20, which satisfies the request, but the UE cannot open the media stream after 00:20.
24. The BM-SC delivers the obtained key to the UE.
The BM-SC delivers the obtained key to the UE in a MIKEY MSK delivery message.
Because UDP transport is still used, reliability is ensured as follows: when the BM-SC receives the HTTP POST (List of Key Domain ID-MSK ID Pairs) message sent by the UE, it returns an HTTP 200 OK response to the UE, and when the UE receives the key delivered by the BM-SC, it returns a MIKEY ACK acknowledgement. This is not described further.
In the prior art, the UE and the BM-SC exchange a message every 10 minutes to change the key. If the program the user watches lasts 60 minutes, the UE and the BM-SC need 6 message exchanges for key changes, and the acknowledgements sent to safeguard the UDP transfer double the number of exchanges again. In the embodiment of the present invention, however long the requested duration is, a single message exchange completes the delivery of all keys. For a service with a large number of users, such as MBMS, this saves a large number of exchanged messages, which reduces resource consumption on the BM-SC server and saves network transmission resources.
Embodiment 2: to keep data secure, Embodiment 1 can be extended by authenticating the user's identity and by regularly replacing the root key of the configured key chain, which protects the keys.
FIG. 3 is a flowchart of the key distribution method of Embodiment 2, described in detail below:
31. A key chain, a root key update frequency and a key change frequency are configured in the BM-SC.
As before, the key chain is generated from root key k1 and one-way function f, and its keys are, in order, k1, k2, k3, ..., where k2 = f(k1), k3 = f(k2) = f²(k1), ...
The key change frequency is set to once every 10 minutes.
Assume that, starting at 00:00 each day, k3 is used for encryption during 00:00-00:10, k2 during 00:10-00:20, k1 during 00:20-00:30, ...
The root key update frequency is set to once every 30 minutes. Suppose that after 00:30 k1' is used as the root key and the one-way function is still f. Then k2' = f(k1'), k3' = f(k2') = f²(k1'), ...
32. The UE sends a key request carrying the duration requested by the user.
The UE can send the key request to the BM-SC in an HTTP POST (List of Key Domain ID-MSK ID Pairs) message that carries the duration requested by the user.
33. The BM-SC sends an authentication request to the UE.
The BM-SC sends an HTTP 401 www-Authenticate message to the UE. The www-Authenticate header field of the message contains at least one challenge that specifies the authentication scheme and parameters applicable to the realm.
34. The UE re-initiates the key request with suitable credentials.
When the UE receives the HTTP 401 www-Authenticate message, it sends an HTTP POST Authorization Request (List of Key Domain ID-MSK ID Pairs) message to the BM-SC to re-initiate the key request.
35. When authentication succeeds, the BM-SC returns a response message to the UE.
On successful authentication, the BM-SC returns an HTTP 200 OK Authentication-Info (Status Codes) response message to the user. The message carries the specific status code for successful authentication.
36. According to the current time and the key change frequency set in step 31, the BM-SC obtains from the key chain set in step 31 the key corresponding to the duration requested by the user.
For a key request received from the UE at 00:00, if the requested duration is 30 minutes or less, the key obtained for the corresponding period is the same as in Embodiment 1 and is not described again.
For a key request received from the UE at 00:00, if the requested duration is longer than 30 minutes, the keys corresponding to the requested duration can be obtained as follows.
For example, if the key request received from the UE at 00:00 is for 40 minutes, k1 decrypts the media stream for 00:00-00:30 and k3' decrypts the media stream for 00:30-00:40, so the keys obtained from the key chain are k1 and k3'.
If the key request received from the UE at 00:00 is for 50 minutes, k1 decrypts the media stream for 00:00-00:30 and k2' decrypts the media stream for 00:40-00:50. k3' can be derived from k2', and k3' decrypts the media stream for 00:30-00:40, so the keys obtained from the key chain are k1 and k2'.
If the key request received from the UE at 00:00 is for 60 minutes, k1 decrypts the media stream for 00:00-00:30 and k1' decrypts the media stream for 00:50-01:00. k2' can be derived from k1' and decrypts the media stream for 00:40-00:50, and k3' can in turn be derived from k2' and decrypts the media stream for 00:30-00:40, so the keys obtained from the key chain are k1 and k1'.
Cases where the requested duration exceeds 60 minutes follow by analogy and are not described one by one.
37. The BM-SC delivers the generated keys to the UE.
The BM-SC delivers the generated keys to the UE in a MIKEY MSK delivery message.
38. After receiving the keys, the UE returns an acknowledgement to the BM-SC.
Because UDP transport is used, the UE returns a MIKEY ACK acknowledgement to make the transfer reliable.
In this embodiment the root key from which the key chain is generated is updated at a set frequency, which strengthens data security, and authenticating the user's identity prevents illegitimate requests from unauthorized users.
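The key selection rule of Embodiments 1 and 2 and the UE-side derivation, as an added example that is not part of the patent text. SHA-256 stands in for the one-way function f, which the page does not name, and the root values, function names and minutes-since-00:00 time representation are assumptions made for illustration.

```python
import hashlib

SLOT_MIN = 10                    # key change frequency used on the page
EPOCH_MIN = 30                   # root key update frequency (Embodiment 2)
SLOTS = EPOCH_MIN // SLOT_MIN    # keys per chain: k1, k2, k3

# Constructed sample root keys, one per 30-minute root period (not real keys).
ROOTS = {n: b"constructed-root-%d" % n for n in range(4)}


def f(key):
    # One-way function. SHA-256 is an assumption; the page does not name f.
    return hashlib.sha256(key).digest()


def chain(root):
    # Returns [k1, k2, ..., kn] with k(i+1) = f(k(i)).
    keys = [root]
    while len(keys) < SLOTS:
        keys.append(f(keys[-1]))
    return keys


def slot_key(roots, minute):
    # Key the BM-SC encrypts with at `minute` (minutes since 00:00).
    # The chain is consumed backwards: first slot uses k3, last slot uses k1.
    epoch, offset = divmod(minute, EPOCH_MIN)
    return chain(roots[epoch])[SLOTS - 1 - offset // SLOT_MIN]


def select_keys(roots, now, duration):
    # BM-SC side: one key per root period touched by [now, now + duration).
    # Returns [(epoch, index, key)], where index 1 means k1, 2 means k2, ...
    if duration <= 0:
        raise ValueError("duration must be positive")
    last = now + duration - 1                      # last minute to cover
    out = []
    for epoch in range(now // EPOCH_MIN, last // EPOCH_MIN + 1):
        last_slot = min(SLOTS - 1, (last - epoch * EPOCH_MIN) // SLOT_MIN)
        index = SLOTS - last_slot                  # deepest key still needed
        out.append((epoch, index, chain(roots[epoch])[index - 1]))
    return out


def derive(delivered, minute):
    # UE side: walk the chain forward from a delivered key to the key in
    # use at `minute`. Returns None when no delivered key can reach it.
    epoch, offset = divmod(minute, EPOCH_MIN)
    target = SLOTS - offset // SLOT_MIN
    for ep, index, key in delivered:
        if ep == epoch and index <= target:
            for _ in range(target - index):
                key = f(key)
            return key
    return None


def coverage_end(delivered):
    # First minute that the delivered keys can no longer decrypt.
    ep, index, _ = delivered[-1]
    return ep * EPOCH_MIN + (SLOTS - index + 1) * SLOT_MIN


if __name__ == "__main__":
    for now, dur in [(0, 10), (7, 10), (0, 40), (0, 50), (0, 60)]:
        picked = select_keys(ROOTS, now, dur)
        names = ["k%d%s" % (i, "'" * e) for e, i, _ in picked]
        print("request at minute %d for %d min -> %s, usable until minute %d"
              % (now, dur, names, coverage_end(picked)))
```

A delivered key also derives the keys of every earlier slot in the same root period (k1 issued at 00:20 yields k2 and k3), so ciphertext recorded earlier in that period becomes readable to the requester. The request at 00:07 for 10 minutes is usable until 00:20, which is the slot-granularity effect Embodiment 4 notes for billing.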
To keep data secure, the one-way function of the key chain can also be replaced at a set frequency, or the root key and the one-way function can be replaced together.
Before delivery, the generated keys can also be encrypted, which protects the data better.
According to the current time and the configured key change frequency, the BM-SC obtains from the configured key chain, within a given time period, the key corresponding to that period, encrypts the media stream with it and delivers the stream. Besides the media stream, the delivered key can also be used to encrypt other data, for example another key, which protects the data better.
For example, according to the current time and the key change frequency, the BM-SC selects from the key chain, within a given time period, the MSK corresponding to that period, encrypts the MTK information with it and delivers it, and then encrypts the media stream with the MTK and delivers the stream. Correspondingly, the UE selects, from the MSKs previously delivered by the BM-SC, the MSK that applies to that period, decrypts the MTK information with it, and then decrypts the received media stream with the MTK.
Embodiment 3: so that the UE can quickly decrypt the media stream with the right key, the BM-SC can attach an identifier to each key.
FIG. 4 is a flowchart of the key distribution method of Embodiment 3. The key delivery process when identifiers are attached to the obtained keys is as follows:
41. A key chain, the update frequency of the chain's root key and the change frequency of the keys in the chain are configured in the BM-SC.
42. The UE sends a key request carrying the duration requested by the user.
43. According to the current time and the key change frequency set in step 41, the BM-SC obtains from the configured key chain the keys corresponding to the duration requested by the user.
44. The keys obtained in step 43 are encrypted and given identifiers.
The identifier can be an index number. Suppose the keys obtained from the key chain are k1 and k2'; k1 is given index number 1 and k2' index number 2. The index number may or may not be encrypted. A corresponding identifier is also attached to the delivered media stream, for example the MTK-encrypted media stream is tagged with the identifier that matches the key in use.
The identifier can also simply be a timestamp; for example, the timestamp of k1 is 00:00-00:30 and the timestamp of k2' is 00:30-00:50.
45. The BM-SC delivers the obtained keys to the UE.
46. The UE uses the identifier to decrypt the media stream with the right key when needed.
If the identifier is an index number, the UE selects the key that matches the index number in the media stream and decrypts the media stream with it.
If the identifier is a timestamp, the UE keeps its clock synchronized with the BM-SC and determines the correct key from the time: if the UE's time is within 00:00-00:30, it decrypts with k1; if the UE's time is within 00:30-00:50, it decrypts with k2'.
In this embodiment each key obtained for the requested duration is given a corresponding identifier, so when the user receives a media stream carrying that identifier, the matching key is found directly from the identifier in the stream, which allows fast decryption. Setting an update frequency for the chain's root key and encrypting the obtained keys before delivery strengthen the security of media stream transmission.
The BM-SC may also deliver the keys without identifiers. In that case, when the UE receives the keys it can try them one by one to find the correct key for decrypting the received media stream or other data.
For multicast and broadcast technology in mobile communication, both multicast and broadcast charge users for service data, while at the bearer level multicast charges users and content providers and broadcast charges only content providers. The prior art charges mainly according to the user's subscription, for example a monthly subscription service. Subscription-based charging cannot meet some users' needs. For example, a user may want MBMS only during certain periods and not at other times, or a user may want to preview a program for a few minutes before deciding whether to keep watching. The existing subscription-based charging does not serve these users.
Embodiment 4: building on the embodiments above, the following describes how time-based charging is implemented during key delivery.
FIG. 5 is a flowchart of the key distribution method of Embodiment 4, which comprises the following steps:
51. The UE sends a key request carrying the duration requested by the user to the BM-SC.
In the MBMS service, the BM-SC first broadcasts the list of services to the UE in a service announcement message. The UE selects the media stream it wants to join and notifies the BM-SC in an HTTP POST message. That message contains a duration option in which the UE selects or fills in how long it wants to receive the service.
52. From the requested duration carried in the key request and the configured fee per unit of time, the BM-SC calculates and deducts the fee for the requested duration.
For example, if the requested duration is 40 minutes and the configured fee is 1 yuan per 10 minutes, the fee to deduct from the user is 4 yuan.
Again assume that the key changes once every 10 minutes, the root key of the configured key chain is k1 and the one-way function is f, so that the keys in the chain are, in order, k1, k2, k3, ..., where k2 = f(k1), k3 = f(k2) = f²(k1), ... Assume that, starting at 00:00 each day, k3 is used for encryption during 00:00-00:10, k2 during 00:10-00:20, k1 during 00:20-00:30, ...
If a key request carrying a duration of 10 minutes is received from the UE at 00:07, the key that user holds should not be able to open the media stream after 00:17. However, the key only changes at fixed times, here at 00:20, so the user may receive a few extra minutes of service.
The more frequently the key changes, the more precise the charging.
In the embodiments and implementations above, the duration requested by the user can be replaced by other time-related information, for example a particular time period requested by the user, or a service program selected by the user, or any one or a combination of these. For example, from the service program the user selects, the BM-SC can determine how long the program runs and when it is broadcast. The requested time period can also be a specific period in the future: for example, at 00:00 the user can request the media stream for 01:00-01:40.
以上对本发明实施例所提供的密钥下发方法进行了详细的说明,为了使本领域技术人员更好地实现本发明实施例所提供的技术方案,以下对本发明实施例所提供的密钥下发设备进行详细说明。The key distribution method provided by the embodiment of the present invention has been described above in detail. In order to enable those skilled in the art to better realize the technical solution provided by the embodiment of the present invention, the key distribution method provided by the embodiment of the present invention is as follows: The equipment is described in detail.
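Referring to FIG. 6, which is a structural diagram of the key delivery device of Embodiment 5 of the present invention, the key delivery device includes:
a receiving unit 61, configured to receive a key request carrying time-related information;
a storage unit 62, configured to store the configured key change frequency and the configured key chain;
a key acquisition unit 63, configured to obtain, according to the current specific time and the configured key change frequency stored in the storage unit 62, at least one key corresponding to the time-related information from the configured key chain stored in the storage unit 62;
a key delivery unit 64, configured to deliver the key obtained by the key acquisition unit 63.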
With the key delivery device described in this embodiment, no matter how long the duration requested by the user is, only one message exchange is needed to complete the delivery of all keys. For a service with a large number of users such as MBMS, a large number of exchanged messages can be saved, which in turn saves server resources and network transmission resources.
The above key delivery device may further include an encryption unit and a data delivery unit, wherein:
the encryption unit is configured to encrypt data, according to the current specific time and the key change frequency, within a determined time period using the key corresponding to that time period obtained from the key chain;
the data delivery unit is configured to deliver the data encrypted by the encryption unit.
The data delivered by the data delivery unit may be a media stream, or it may be another key, to better ensure data security.
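Referring to FIG. 7, which is a structural diagram of the key delivery device of Embodiment 6 of the present invention: to ensure data security, a key chain generation unit 71 may be provided in the above key delivery device, configured to generate the key chain from a root key and a one-way function.
The key generation unit 71 makes it possible to decide, according to the specific situation, the number of keys in the key chain generated for a given period of time. For example, for a key chain generated with root key k1 and one-way function f, the keys in the chain generated from k1 and f are, in order, k1, k2, k3, ..., where k2 = f(k1), k3 = f(k2), k3 = f²(k1), and so on.
On the basis of Embodiment 6, to ensure data security, a parameter update unit may additionally be provided. Referring to FIG. 8, which is a structural diagram of the key delivery device of Embodiment 7 of the present invention: on the basis of the key delivery device shown in FIG. 7, this key delivery device further adds a parameter update unit 81, configured to update the root key and/or the one-way function in the key chain generation unit at a configured frequency.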
The key delivery device described in the above embodiments may also include a key encryption unit, configured to encrypt the key obtained by the key acquisition unit. The key delivery unit 64 then delivers the encrypted key, which ensures the security of data transmission.
So that the UE can quickly use the appropriate key to decrypt data such as media streams, the key delivery device may further include an identifier adding unit, configured to add an identifier to the key obtained by the key acquisition unit 63.
The identifier may specifically be an index number or a timestamp.
For multicast and broadcast technologies in the field of mobile communications, from the perspective of service data, both multicast and broadcast charge users, while from the perspective of the bearer, multicast charges users and content providers and broadcast charges only content providers. In the prior art, charging is mainly based on the user's subscription, for example a monthly subscription service. However, charging according to the user's subscription cannot meet users' needs. For example, a user may want to enjoy MBMS only during a certain period and not need it during other periods. Or a user may first try watching a program for a few minutes and then decide whether to continue watching. The existing subscription-based charging method cannot meet the needs of these users.
In Embodiment 8, on the basis of the above embodiments and implementations, the key delivery device may further include a fee management unit, used to implement time-based charging of users. Referring to FIG. 9, which is a structural diagram of the key delivery device of Embodiment 8 of the present invention, the key delivery device further includes a fee management unit 91, configured to perform charging management according to the time-related information and the configured fee per unit of time. For example, the fee corresponding to the time-related information may be calculated and deducted according to the time-related information and the configured fee per unit of time.
In the key delivery device described in the above embodiments, the time-related information is at least one of the duration requested by the user, the time period requested by the user, and the service program requested by the user.
In MBMS, the key delivery device may be implemented by the BM-SC.
Those of ordinary skill in the art will understand that all or part of the steps of the methods in the above embodiments can be completed by a program instructing the relevant hardware. The program can be stored in a computer-readable storage medium and, when executed, includes the following steps:
receiving a key request carrying time-related information;
obtaining, according to the current specific time and the configured key change frequency, at least one key corresponding to the time-related information from the configured key chain, and delivering the key.
The storage medium may be, for example, ROM/RAM, a magnetic disk or an optical disc.
As can be seen from the above embodiments, the present invention has the following beneficial effects:
Because the key corresponding to the time-related information can be obtained from the configured key chain according to the current specific time and the configured key change frequency, and delivered in a single delivery, there is no need to deliver a key every time the key changes, as in the prior art. The number of key deliveries is therefore reduced, which lowers the resource consumption of network devices and saves network transmission resources.
In particular, to ensure message reliability in UDP transmission mode, reducing the number of key deliveries also reduces the number of confirmation messages. Especially when there is a large amount of user data, this can save a large amount of network device and network transmission resources.
Encrypting the delivered key enhances the security of the delivered key.
Adding an identifier to the generated key makes it easy for the UE to quickly select the correct key for decryption when needed.
In addition, by calculating and deducting the fee corresponding to the time-related information according to the time-related information in the key request and the fee per unit of time, charging by time period can be implemented, meeting user needs.
The key delivery method and device provided by the present invention have been described in detail above through embodiments. The description of the above embodiments is only intended to help in understanding the method of the present invention and its ideas. At the same time, for those of ordinary skill in the art, there will be changes in the specific implementation and scope of application in accordance with the ideas of the present invention. In summary, the contents of this specification should not be construed as limiting the present invention.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN2007101230477A CN101330379B (en) | 2007-06-22 | 2007-06-22 | A key distribution method and device |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN101330379A (en) | 2008-12-24 |
| CN101330379B (en) | 2011-02-09 |
Family
ID=40205991
Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1567812A (en) * | 2003-06-19 | 2005-01-19 | 华为技术有限公司 | A method for implementing sharing key update |
| CN1836423A (en) * | 2003-08-18 | 2006-09-20 | 高通股份有限公司 | Method and apparatus for time-based charging for broadcast-multicast services (BCMCS) in a wireless communication system |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | C06 | Publication | |
| | PB01 | Publication | |
| | C10 | Entry into substantive examination | |
| | SE01 | Entry into force of request for substantive examination | |
| | C14 | Grant of patent or utility model | |
| | GR01 | Patent grant | |
| | CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20110209; Termination date: 20160622 |