
CN101394664B - Mobile node, method and system for implementing media irrelevant switching - Google Patents


Info

Publication number: CN101394664B
Authority: CN (China)
Prior art keywords: service, shared key, mobile node, network side, protected
Legal status: Expired - Fee Related (the status shown is Google's assumption, not a legal conclusion)
Application number: CN2007101541423A
Other languages: Chinese (zh)
Other versions: CN101394664A (en)
Inventors: 邹国辉, 夏斌
Current assignee: Wang Yanchao (the assignee listing may be inaccurate)
Original assignee: Huawei Technologies Co Ltd

Events
Application filed by Huawei Technologies Co Ltd
Priority to CN2007101541423A
Priority to PCT/CN2008/072435 (WO2009039782A1)
Publication of CN101394664A
Application granted
Publication of CN101394664B
Legal status: Expired - Fee Related
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication
    • H04W 36/00 Hand-off or reselection arrangements
    • H04W 36/0005 Control or signalling for completing the hand-off
    • H04W 36/0011 Control or signalling for completing the hand-off for data sessions of end-to-end connection
    • H04W 36/005 Control or signalling for completing the hand-off involving radio access media independent information, e.g. MIH [Media independent Hand-off]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention relates to a mobile node, and to a method and system for implementing media-independent handover. The method includes: the mobile node obtains, from the network side, service information protected by a shared key and verifies the shared key; after the verification succeeds, the mobile node sends, according to the service information, a handover preparation request message to the network side, the message being protected by a first shared key; the network side receives the handover preparation request message, verifies the first shared key, attaches the mobile node to the target point of service and completes the handover. This addresses the security problem of media-independent handover and secures both the media-independent services and the handover itself. The mobile node comprises a service information acquisition module, a verification module, a request module and a message protection module; the system comprises a message sending module, a system message protection module, a message receiving module, a system verification module and a handover module.

Description

Mobile node, method and system for implementing media-independent handover

Technical field

The invention relates to wireless communication technology, and in particular to media-independent handover (MIH) technology.

Background

Media-independent handover supports handover between different media types, so that a mobile user roaming between networks automatically selects the best type of network connection and hands over the call seamlessly. It enables roaming handover among systems such as IEEE 802.3, IEEE 802.11, IEEE 802.16, 3GPP and 3GPP2.

At present, media-independent handover is implemented by the Media Independent Handover Function (MIHF) module on the mobile node (MN), the MIH Point of Service (MIH PoS) of the MN's serving point of attachment (serving PoA), the MIH PoS of each candidate PoA of the MN, MIH PoS entities that are not the MN's PoA, and MIH non-service points (Non-PoS) that are not the MN's PoA. The MIH PoS of the MN's serving PoA is the MIH network entity that exchanges MIH messages directly with an MIH-capable MN, that is, the PoS currently serving the MN (the Serving PoS). The MIH PoS of a candidate PoA is an MIH network entity that can exchange MIH messages directly with an MIH-capable MN, that is, a candidate PoS. An MIH PoS that is not the MN's PoA is an MIH network entity that can exchange MIH messages directly with an MIH-capable MN without being its point of attachment, for example an MIHF-equipped router in a wired network. An MIH Non-PoS that is not the MN's PoA is an MIH network entity that exchanges MIH messages directly with other MIH network entities but cannot exchange MIH messages directly with an MIH-capable MN.

During a handover, the Serving PoS first provides the MN with the MIH services determined during MIH capability discovery:

MIH Event Service (MIES): event classification, event filtering and event reporting for dynamic changes in link characteristics, link state and link quality.

MIH Command Service (MICS): lets upper layers manage and control link behaviour related to handover and mobility.

MIH Information Service (MIIS): detailed information on the characteristics and services of the serving network and neighbouring networks, used for efficient system access and handover decisions.

Next, having decided on the basis of these MIH services to query whether the target network will admit it, the MN sends a query request to the Serving PoS on the network side; when the Serving PoS returns a handover command, the MN sends a handover request to the PoS of the target network and performs the handover.

In the course of making the present invention, the inventors found that the prior art has at least the following problem: while a PoS provides MIH services to an MN and while the MN switches networks, the messages exchanged between the MN and the network entities carry no security protection, so media-independent handover is insecure.

Summary of the invention

A first aspect of the embodiments of the present invention provides a method for implementing media-independent handover that addresses its security problem.

A second aspect provides a mobile node capable of performing secure media-independent handover.

A third aspect provides a system for implementing media-independent handover that performs the handover securely.

For the first aspect, some embodiments provide the following technical solution: a method for implementing media-independent handover, comprising:

the mobile node obtains, from the network side, service information protected by a shared key;

the mobile node verifies the shared key;

after the verification succeeds, the mobile node sends a handover preparation request message to the network side according to the service information, the handover preparation request message being protected by a first shared key;

the network side receives the handover preparation request message, verifies the first shared key, attaches the mobile node to the target point of service and completes the handover, specifically:

the network side verifies the first shared key;

after the verification succeeds, the network side returns to the mobile node, according to the handover preparation request message, a handover command or a handover preparation response message protected by the first shared key;

the network side receives a handover execution request message protected by the first shared key from the mobile node and verifies the first shared key;

after the verification succeeds, the network side returns to the mobile node, according to the handover execution request message, a handover execution response message protected by the first shared key;

the network side receives a key generation request message protected by a fifth shared key from the mobile node and verifies the fifth shared key;

after the verification succeeds, the network side returns to the mobile node a key generation response message protected by a sixth shared key;

the mobile node verifies the sixth shared key and, once the verification succeeds, the handover is complete;

or, alternatively:

the network side verifies the first shared key;

after the verification succeeds, the network side returns to the mobile node, according to the handover preparation request message, a handover command or a handover preparation response message protected by the first shared key;

the network side receives a key generation request message protected by the fifth shared key from the mobile node and verifies the fifth shared key;

after the verification succeeds, the network side returns to the mobile node, according to the key generation request message, a key generation response message protected by the sixth shared key;

the network side receives a handover execution request message protected by the first shared key from the mobile node and verifies the first shared key;

after the verification succeeds, the network side returns to the mobile node a handover execution response message protected by the first shared key;

the mobile node verifies the first shared key and, once the verification succeeds, the handover is complete.

Protecting the messages of the service phase and the handover phase with shared keys prevents a third party who intercepts them from learning the content of the media-independent handover exchange, which addresses the security problem of media-independent handover and secures both the media-independent services and the handover itself.

For the second aspect, some embodiments provide the following technical solution: a mobile node, comprising:

a service information acquisition module, for obtaining from the network side service information protected by a shared key, and for receiving from the network side the handover command or handover preparation response message and the handover execution response message protected by the first shared key, and the key generation response message protected by the sixth shared key;

a verification module, for verifying the shared key and for verifying the sixth shared key;

a request module, for sending a handover preparation request message to the network side according to the service information once the verification module has verified the shared key, for sending to the network side, according to the handover command or handover preparation response message, a handover execution request message protected by the first shared key, and for sending a key generation request message to the network side;

a message protection module, for protecting the handover preparation request message with the first shared key, protecting the handover execution request message with the first shared key, and protecting the key generation request message with a fifth shared key.

Through the message protection module, the verification module and the other modules, this solution secures the messages the mobile node sends and receives, so that the mobile node can interact with a network-side media-independent handover system that provides security protection; the mobile node therefore sends and receives information securely and performs a secure media-independent handover.

For the third aspect, some embodiments provide the following technical solution: a system for implementing media-independent handover, comprising:

a message sending module, for sending service information to the mobile node;

a system message protection module, for protecting the service information with a shared key;

a message receiving module, for receiving the handover preparation request message protected by the first shared key from the mobile node;

a system verification module, for verifying the first shared key;

a handover module, for attaching the mobile node to the target point of service according to the handover preparation request message and completing the handover.

Through the message protection module, the verification module and the other modules, this solution protects the messages exchanged while the mobile node's serving network is switched, so that a third party who intercepts them cannot learn their content; this addresses the security problem of media-independent handover and secures both the services and the handover.

The technical solution of the present invention is described in further detail below with reference to the accompanying drawings and embodiments.

Description of drawings

Fig. 1 is a schematic diagram of the default security architecture in an embodiment of the media-independent handover method of the present invention;

Fig. 2 is a schematic diagram of the direct security architecture in an embodiment of the media-independent handover method of the present invention;

Fig. 3 is the signalling flow of the first embodiment of the method for implementing media-independent handover;

Fig. 4 is the signalling flow of the second embodiment of the method for implementing media-independent handover;

Fig. 5 is a schematic structural diagram of an embodiment of the mobile node;

Fig. 6 is a schematic structural diagram of an embodiment of the media-independent handover system.

Detailed description

In the embodiments of the method for implementing media-independent handover, the MN and every network entity have MIH capability, and the MIH security architecture is formed by establishing security associations (SAs) between the MN and each network entity and among the network entities. An SA is established by means of a shared key between the MN and a network entity or between two network entities. For convenience, the embodiments name the keys as follows: the shared key between the MN and the network-side Serving PoS is the first shared key (Kms), which must be generated before the MN obtains service information; the shared key between the Serving PoS and the information server is the second shared key (Kns), which may be generated dynamically or configured statically as required; the key between the MN and the information server is the third shared key (Kmn), which must be generated dynamically; the shared key between the Serving PoS and each candidate PoS is the fourth shared key (Kcs); the shared key between the MN and the authentication, authorization and accounting server (AAA server) is the fifth shared key (Kma); and the shared key between the MN and the target PoS is the sixth shared key (Kmc). Depending on whether the MN's MIHF must explicitly identify new MIH communication peers, the security architecture is divided into a default security architecture and a direct security architecture.

Under the default security architecture, the MN's MIHF only needs to know whether the MIHF of the serving PoA's MIH PoS exists; every other MIHF in the network is invisible to the MN. The MN's MIHF therefore establishes an SA only with the MIHF of the serving PoA's MIH PoS and requests all services from it. The default security architecture is shown in Fig. 1: solid lines denote direct connections, dashed lines denote connections that are not direct, and thick lines denote connections protected by security associations that involve the MN's MIHF. Other connections may also have security associations, but those do not involve the MN's MIHF.

Under the direct security architecture, the MN's MIHF must know of the existence of the MIHF of the serving PoA's MIH PoS and of the other MIHFs in the network. The MN's MIHF establishes security associations with every MIHF it needs to interact with and requests the corresponding services from each of them. The architecture is shown in Fig. 2, with the same line conventions as Fig. 1: solid lines denote direct connections, dashed lines denote connections that are not direct, and thick lines denote connections protected by security associations that involve the MN's MIHF; other connections may also have security associations that do not involve the MN's MIHF. Note that a thick dashed line also denotes a security association between two entities even though they are not directly connected. In Fig. 1 and Fig. 2, "MIH PoS" denotes a network-side functional module that is not the MN's PoA but can interact directly with an MIH-capable MN, for example an MIH-capable router in a wired network.

Method embodiment one

Fig. 3 is the signalling flow of the first embodiment of the method for implementing media-independent handover. This embodiment uses the default security architecture as an example; the handover proceeds as follows.

Step 101: the MN sends the Serving PoS a service request message protected by Kms, "[MIH_Service-REQ]Kms", securing the exchange between the MN and the Serving PoS. The notation "[MIH_Service-REQ]Kms" means that the "MIH_Service-REQ" message is protected by Kms; the same notation is used below.

Step 102: the Serving PoS receives "[MIH_Service-REQ]Kms" and verifies Kms, which establishes that the message is genuine.

After the verification succeeds, the Serving PoS sends the MN a service response message protected by Kms, "[MIH_Service-RSP]Kms", which carries the service information the MN requested.

Step 103: the MN receives "[MIH_Service-RSP]Kms" and verifies Kms; once the verification succeeds, it has securely obtained service information such as information about the surrounding networks.

The MN then selects a target network on the basis of the service information and sends the Serving PoS a handover preparation request message protected by Kms, "[MIH_Prepare-REQ]Kms", to ask whether the target network will admit it; "[MIH_Prepare-REQ]Kms" may carry information identifying the PoS the MN wants queried.

Step 104: the Serving PoS receives "[MIH_Prepare-REQ]Kms" and verifies Kms.

After the verification succeeds, the Serving PoS sends each candidate PoS a resource query request message protected by Kcs, "[MIH_Query-REQ]Kcs".

Step 105: each candidate PoS receives "[MIH_Query-REQ]Kcs" and verifies Kcs.

After the verification succeeds, each candidate PoS decides whether it can admit the MN and returns to the Serving PoS a resource query response message protected by Kcs, "[MIH_Query-RSP]Kcs", carrying its decision; a candidate that decides it can admit the MN may also reserve resources for it.

Step 106: the Serving PoS receives "[MIH_Query-RSP]Kcs" and verifies Kcs.

After the verification succeeds, the Serving PoS selects the target point of service for the MN from the decisions it received and sends the MN a handover command protected by Kms that carries the target PoS information; alternatively, the Serving PoS sends the MN a handover preparation response message protected by Kms, "[MIH_Prepare-RSP]Kms", carrying the decisions. The Serving PoS may forward each decision to the MN as soon as it receives it, or wait until all candidate PoS have replied before sending them to the MN.

Step 107: the MN receives the handover command or "[MIH_Prepare-RSP]Kms" and verifies Kms.

After the verification succeeds, the MN sends the Serving PoS a handover execution request message protected by Kms, "[MIH_Commit-REQ]Kms", either as directed by the handover command or on the basis of the decisions taken from "[MIH_Prepare-RSP]Kms". "[MIH_Commit-REQ]Kms" carries the target PoS information, such as the target PoS's IP address, network access identifier (NAI) or MIHF identifier (ID).

Step 108: the Serving PoS receives "[MIH_Commit-REQ]Kms" and verifies Kms.

After the verification succeeds, the Serving PoS protects the "MIH_Commit-REQ" message with Kcs, obtaining "[MIH_Commit-REQ]Kcs", and sends it to the target PoS identified by the target PoS information.

Step 109: the target PoS receives "[MIH_Commit-REQ]Kcs" and verifies Kcs.

After the verification succeeds, the target PoS returns to the Serving PoS a handover execution response message protected by Kcs, "[MIH_Commit-RSP]Kcs".

Step 110: the Serving PoS receives "[MIH_Commit-RSP]Kcs" and verifies Kcs.

After the verification succeeds, the Serving PoS protects the "MIH_Commit-RSP" message with Kms, obtaining "[MIH_Commit-RSP]Kms", and sends it to the MN.

Step 111: the MN receives "[MIH_Commit-RSP]Kms" and verifies Kms.

After the verification succeeds, the MN sends the AAA server, via the target PoS, a key generation request message protected by Kma, "[MIH_Key-REQ]Kma".

Step 112: the target PoS forwards "[MIH_Key-REQ]Kma" to the AAA server in an "AAA REQ" message.

Step 113: the AAA server receives "AAA REQ", extracts "[MIH_Key-REQ]Kma" and verifies Kma.

After the verification succeeds, the AAA server generates Kmc and sends the target PoS an "AAA RSP" carrying the verification result and Kmc.

Step 114: the target PoS returns to the MN a key generation response message protected by Kmc, "[MIH_Key-RSP]Kmc".

Step 115: the MN receives "[MIH_Key-RSP]Kmc" and verifies Kmc; once the verification succeeds, the handover is complete. The MN may then send the target PoS a handover completion message "[MIH_Complete-REQ]Kmc" and wait for the target PoS to return the response "[MIH_Complete-RSP]Kmc", confirming that the handover is complete.
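The exchange of steps 101 to 115, as an added example that is not part of the patent: a Python simulation in which every message is wrapped as "[name]K" under the shared key of the security association it crosses (Kms, Kcs, Kma or Kmc) and the receiver verifies that key before acting. The patent says only "protected by" and "verify the shared key"; the example makes this concrete as encrypt-then-MAC with HMAC-SHA256 (an HMAC-derived CTR keystream plus an HMAC tag), adds a per-direction sequence number so that a captured "[MIH_Commit-REQ]Kms" cannot be replayed, and assumes that the MN and the AAA server both derive Kmc from Kma and the target PoS identifier (the patent only says the AAA server generates Kmc). The entity names, message bodies and keys are constructed. The same hop pattern covers the alternative ordering given in the summary (key generation before the handover execution exchange) and the Kns leg between the Serving PoS and the information server.

```python
"""Simulation of method embodiment one (Fig. 3, default security architecture):
every MIH message crosses one security association and is protected under that
association's shared key (Kms, Kcs, Kma or Kmc); the receiver verifies the key
before acting.  The cipher, MAC and Kmc derivation are this example's assumptions."""
import hashlib, hmac, json, os

NONCE_LEN, TAG_LEN = 12, 32


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0  # CTR-mode keystream with HMAC-SHA256 as the PRF (assumed)
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def protect(key: bytes, name: str, body: dict) -> bytes:
    """Build '[name]K': encrypt under K, then MAC nonce||ciphertext (encrypt-then-MAC)."""
    nonce = os.urandom(NONCE_LEN)
    plain = json.dumps({"name": name, "body": body}).encode()
    ct = bytes(a ^ b for a, b in zip(plain, _keystream(key, nonce, len(plain))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def verify(key: bytes, wire: bytes):
    """'Verify the shared key': check the tag first; decrypt only if it holds."""
    nonce, ct, tag = wire[:NONCE_LEN], wire[NONCE_LEN:-TAG_LEN], wire[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        return None  # wrong key or tampered message: drop it, do not act
    plain = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
    msg = json.loads(plain)
    return msg["name"], msg["body"]


class SA:
    """One endpoint's view of a security association: the shared key plus send and
    receive sequence counters (the counters are this example's replay defence)."""
    def __init__(self, key: bytes):
        self.key, self.tx, self.rx = key, 0, 0
    def send(self, name: str, body: dict) -> bytes:
        self.tx += 1
        return protect(self.key, name, {"seq": self.tx, **body})
    def recv(self, wire: bytes):
        got = verify(self.key, wire)
        if got is None or got[1]["seq"] <= self.rx:
            return None  # bad key, tampered, or replayed
        self.rx = got[1]["seq"]
        return got


def derive_kmc(kma: bytes, target: str) -> bytes:
    # Assumed: the AAA server and the MN both derive Kmc from Kma and the target PoS id.
    return hmac.new(kma, b"MIH-Kmc|" + target.encode(), hashlib.sha256).digest()


def run_handover(kms: bytes, kma: bytes, candidates: dict):
    """Steps 101-115.  candidates maps PoS id -> (Kcs, admits_mn).
    Returns (trace, target, kmc_at_mn, kmc_at_target); raises on any failed check."""
    trace = []
    mn_spos, spos_mn = SA(kms), SA(kms)                      # Kms at MN / at Serving PoS
    spos_c = {c: SA(k) for c, (k, _) in candidates.items()}  # Kcs at Serving PoS
    c_spos = {c: SA(k) for c, (k, _) in candidates.items()}  # Kcs at each candidate

    def hop(step, src, dst, tx, rx, name, body):
        got = rx.recv(tx.send(name, body))
        if got is None:
            raise RuntimeError(f"step {step}: {dst} could not verify the key on {name}")
        trace.append((step, src, dst, name))
        return got[1]

    # 101-103: service information over Kms
    hop(101, "MN", "SPoS", mn_spos, spos_mn, "MIH_Service-REQ", {})
    rsp = hop(102, "SPoS", "MN", spos_mn, mn_spos, "MIH_Service-RSP", {"pos": sorted(candidates)})
    req = hop(103, "MN", "SPoS", mn_spos, spos_mn, "MIH_Prepare-REQ", {"query": rsp["pos"]})
    # 104-105: resource query to every candidate, each over its own Kcs
    admit = {}
    for c in req["query"]:
        hop(104, "SPoS", c, spos_c[c], c_spos[c], "MIH_Query-REQ", {"mn": "MN"})
        admit[c] = hop(105, c, "SPoS", c_spos[c], spos_c[c], "MIH_Query-RSP",
                       {"admit": candidates[c][1]})["admit"]
    # 106-107: Serving PoS picks the target; the MN commits to it
    target = next((c for c in req["query"] if admit[c]), None)
    if target is None: raise RuntimeError("no candidate PoS admits the MN")
    cmd = hop(106, "SPoS", "MN", spos_mn, mn_spos, "MIH_Prepare-RSP", {"target": target})
    t = hop(107, "MN", "SPoS", mn_spos, spos_mn, "MIH_Commit-REQ", {"target": cmd["target"]})["target"]
    # 108-110: commit relayed to the target over Kcs, response back to the MN over Kms
    hop(108, "SPoS", t, spos_c[t], c_spos[t], "MIH_Commit-REQ", {"mn": "MN"})
    hop(109, t, "SPoS", c_spos[t], spos_c[t], "MIH_Commit-RSP", {"ok": True})
    hop(110, "SPoS", "MN", spos_mn, mn_spos, "MIH_Commit-RSP", {"ok": True})
    # 111-113: MIH_Key-REQ over Kma; the target PoS holds no Kma and only relays it (AAA REQ)
    mn_aaa, aaa_mn = SA(kma), SA(kma)
    kreq = hop(111, "MN", "AAA", mn_aaa, aaa_mn, "MIH_Key-REQ", {"target": t})
    kmc_at_target = derive_kmc(kma, kreq["target"])  # handed to the target PoS in AAA RSP
    trace.append((113, "AAA", t, "AAA RSP"))
    # 114-115: key response under Kmc, verified by the MN with its own copy of Kmc
    t_mn, mn_t = SA(kmc_at_target), SA(derive_kmc(kma, t))
    hop(114, t, "MN", t_mn, mn_t, "MIH_Key-RSP", {"ok": True})
    return trace, t, mn_t.key, kmc_at_target


if __name__ == "__main__":  # constructed keys; PoS-A refuses the MN, PoS-B admits it
    print(run_handover(b"\x01" * 32, b"\x02" * 32,
                       {"PoS-A": (b"\x03" * 32, False), "PoS-B": (b"\x04" * 32, True)})[:2])
```

Running the module executes the flow with PoS-A refusing and PoS-B admitting the MN and prints the trace and the chosen target. Two points the patent text leaves implicit are visible here: verifying the tag proves only that the sender held the key, so a sequence number (or some other freshness value) inside the protected body is what stops an intercepted message from being replayed, and the encryption, not the verification, is what keeps the content from an eavesdropper, which is the property the summary claims.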

In this embodiment, after receiving the "[MIH_Service-REQ]Kms" message, and provided Kms verifies, the Serving PoS may further check whether it already holds the information the MN requested. If it does, it sends the MN the Kms-protected service response message "[MIH_Service-RSP]Kms". Otherwise the Serving PoS sends "[MIH_Service-REQ]Kns" to the information server; the information server receives "[MIH_Service-REQ]Kns", verifies Kns and, once verification passes, returns to the Serving PoS a "[MIH_Service-RSP]Kns" message carrying the service information the MN requested; the Serving PoS receives "[MIH_Service-RSP]Kns", verifies Kns to obtain the information, and then sends the MN the Kms-protected service response message "[MIH_Service-RSP]Kms". If Kms does not verify, the Serving PoS returns a failure message to the MN.

The procedure by which the MN obtains service information may also be replaced by the following:

The information server broadcasts the "[MIH_Service]Kns" message to every PoS, where Kns may differ from PoS to PoS;

On receiving "[MIH_Service]Kns", the Serving PoS verifies Kns and, once verification passes, broadcasts the service information it obtained to all MNs in a "[MIH_Service]Kms" message, where Kms may likewise differ from MN to MN;

The MN receives "[MIH_Service]Kms", verifies Kms, and obtains the service information.

In the media-independent handover of this embodiment, establishing an SA between the MN and the Serving PoS, that is, using a shared key, ensures that the MN obtains service information securely; establishing SAs between the MN and the Serving PoS, the candidate PoSs and the AAA server, and between the PoSs themselves, secures the network handover, so that the media-independent handover is secured as a whole.

Moreover, since the MN's default peer is the Serving PoS, no identifier needs to be carried in the MIH exchanges, which reduces signalling overhead and suits wireless transmission.

For simple IP and mobile IP networks, the MN does not need to know about the other routers in the access network, only its own access router (AR). This is analogous to the case without cross-PoS access, so the AR plays a role similar to that of a PoS; a network can give its ARs MIH functionality with a simple upgrade and no cross-PoS access is required. The present scheme therefore applies readily to simple IP and mobile IP networks.

Method embodiment two

FIG. 4 is a signalling flow chart of the second embodiment of the method for implementing media-independent handover according to the present invention. This embodiment takes the direct security architecture as an example; the handover proceeds as follows:

Step 201: The MN sends the service request message "[MIH_Service-REQ]Kmn", protected by Kmn;

The Serving PoS uses the destination information in "[MIH_Service-REQ]Kmn" to decide whether it is the destination of the MN's message. If it is, the shared key protecting the message should be the first shared key (Kms), which the Serving PoS can verify; once verification passes, the Serving PoS returns the service information to the MN, as in method embodiment one: the Serving PoS receives "[MIH_Service-REQ]Kms" and verifies Kms; after verification passes, it sends the MN the Kms-protected service response message "[MIH_Service-RSP]Kms";

Step 202: When the Serving PoS determines that it is not the destination of the MN's message, the information server receives "[MIH_Service-REQ]Kmn" and verifies Kmn;

After verification passes, the information server sends the MN the Kmn-protected service response message "[MIH_Service-RSP]Kmn", which carries the service information the MN requested;

Step 203: The MN receives "[MIH_Service-RSP]Kmn" and verifies Kmn; after verification passes, the MN obtains the service information.

The MN selects a target PoS on the basis of the service information and sends the Serving PoS the Kms-protected "[MIH_Prepare-REQ]Kms";

Step 204: The Serving PoS receives "[MIH_Prepare-REQ]Kms" and verifies Kms;

After verification passes, the Serving PoS sends each candidate PoS on the network side the Kcs-protected "[MIH_Query-REQ]Kcs";

Step 205: Each candidate PoS receives "[MIH_Query-REQ]Kcs" and verifies Kcs;

After verification passes, each candidate PoS determines whether it can admit the MN and returns to the Serving PoS the Kcs-protected "[MIH_Query-RSP]Kcs", which carries the result; a candidate that can admit the MN may also reserve resources for it.

Step 206: The Serving PoS receives "[MIH_Query-RSP]Kcs" and verifies Kcs;

After verification passes, the Serving PoS sends the MN the Kms-protected "[MIH_Prepare-RSP]Kms" message, which carries the results;

Step 207: The MN receives "[MIH_Prepare-RSP]Kms" and verifies Kms;

After verification passes, the MN sends the Kma-protected "[MIH_Key-REQ]Kma" to each admitting candidate PoS indicated by the results;

Step 208: The admitting candidate PoS forwards "[MIH_Key-REQ]Kma" to the AAA server in an "AAA REQ";

Step 209: The AAA server receives "[MIH_Key-REQ]Kma" and verifies Kma;

After verification passes, the AAA server generates Kmc and returns the verification result together with Kmc to the admitting PoS in an "AAA RSP";

Step 210: The admitting PoS receives the verification result and Kmc and sends the MN the Kmc-protected "[MIH_Key-RSP]Kmc";

Step 211: The MN receives "[MIH_Key-RSP]Kmc" and verifies Kmc;

After verification passes, the MN selects the target PoS to attach to from among the admitting candidate PoSs and sends the Serving PoS the Kms-protected "[MIH_Commit-REQ]Kms";

Step 212: The Serving PoS receives "[MIH_Commit-REQ]Kms" and verifies Kms;

After verification passes, the Serving PoS protects "[MIH_Commit-REQ]Kcs" with Kcs and sends it to the target PoS;

Step 213: The target PoS receives "[MIH_Commit-REQ]Kcs" and verifies Kcs;

After verification passes, the target PoS sends the Serving PoS the Kcs-protected "[MIH_Commit-RSP]Kcs";

Step 214: The Serving PoS receives "[MIH_Commit-RSP]Kcs" and verifies Kcs;

After verification passes, the Serving PoS sends the MN the Kms-protected "[MIH_Commit-RSP]Kms";

Step 215: The MN receives "[MIH_Commit-RSP]Kms" and verifies Kms, completing the handover. The MN may then also send the handover complete message "[MIH_Complete-REQ]Kmc" to the target PoS and wait for the target PoS to return the response message "[MIH_Complete-RSP]Kmc", confirming that the handover is complete.

In the media-independent handover of this embodiment, the SAs between the MN and each PoS and between the PoSs themselves, that is, the shared keys, ensure both that the MN obtains service information securely and that the network handover itself is secure, so the security of media-independent handover is addressed as a whole.

In this embodiment, after the information server receives "[MIH_Service-REQ]Kmn" it may further use the destination information in that message to determine whether it is the destination, and then verify Kmn. The way service information is obtained in this embodiment may be replaced by the way it is obtained in method embodiment one; the service information may also be obtained by having the Serving PoS broadcast the service message "[MIH_Service]Kms" to the MN, or by having the information server broadcast "[MIH_Service]Kmn" directly to the MN. Likewise, the network handover that follows once the service information has been obtained may be replaced by the corresponding procedure of method embodiment one, so that the MN's network handover is carried out securely.

Under the direct security architecture the MN can distinguish which entity a key request is addressed to and can establish its SA with the target network while still attached to the original network; the SA is therefore in place before the handover is executed, which reduces handover delay. In this embodiment, after receiving "[MIH_Prepare-RSP]Kms" the MN first establishes SAs with all admitting candidate PoSs, that is, generates shared keys between itself and each of them, and only then sends the handover execution request towards the target PoS. This avoids having to establish an SA during handover execution, or being unable to complete the handover because one could not be established, saves handover execution time and speeds up the network handover. If the MN needs to reach an information server in its home network, the Serving PoS of the visited network it is attached to may have no security association with that information server; the SA can be established first and the access handover performed afterwards, saving access handover time.

In the embodiments above, protecting a message with a shared key may mean encrypting it or integrity-protecting it; which is used is determined by the concrete protocol. Either way, "verifying the shared key" at a receiver means checking that the message was protected under the key it shares with the expected sender; integrity protection alone leaves the message contents readable in transit.

Mobile node embodiment

FIG. 5 is a schematic structural diagram of the mobile node embodiment of the present invention. The mobile node 10 comprises a service information acquisition module 11, a verification module 12, a request module 13 and a message protection module 14. The service information acquisition module 11 obtains service information protected by a shared key from the network side; the verification module 12 verifies the shared key, for example Kms, Kmn or Kmc; the request module 13, once the verification module has verified the shared key, sends the network side a handover preparation request message based on the service information, or sends the network side a service request message for obtaining the service information; the message protection module 14 protects the handover preparation request message and the service request message with Kms, or protects the service request message with Kmn.

In this embodiment, the service information acquisition module also receives from the network side the Kms-protected handover command or handover preparation response message and the handover execution response message, the handover preparation response message carrying the result described above; the request module also sends the service point the Kms-protected handover execution request message in accordance with the handover command, or extracts the result from the handover preparation response message and sends the service point the Kms-protected handover execution request message in accordance with that result, the handover execution request message carrying target service point information; the request module also sends the Kma-protected key generation request message to the AAA server on the network side; the message protection module also protects the key generation request message with Kma; the service information acquisition module also receives the Kmc-protected key generation response message sent by the network side; and the verification module also verifies Kmc.

Through its verification and protection modules, the mobile node embodiment above lets the mobile node perform media-independent handover securely.

System embodiment

FIG. 6 is a schematic structural diagram of the media-independent handover system embodiment of the present invention. The system 20 comprises a message sending module 21, a system message protection module 22, a message receiving module 23, a system verification module 24 and a handover module 25. The system message protection module 22 protects the service information with a shared key, after which the message sending module 21 sends the protected service information to the MN; the message receiving module 23 receives the Kms-protected handover preparation request message sent by the MN; the system verification module 24 verifies Kms; and the handover module 25 attaches the MN to the target service point in accordance with the handover preparation request message, completing the handover.

In this embodiment, the message receiving module may also receive the Kms-protected service request message sent by the MN; the message sending module may also send the MN a service response message carrying the service information; and the system message protection module may also protect that service response message with Kms.

The handover module may comprise a first receiving module, a first verification module, a first protection module, a first sending module, a second receiving module, a second verification module, a second protection module, a second sending module, a third receiving module, a third verification module, a key generation module and a third sending module.

The first receiving module, first verification module, first protection module and first sending module are located in the Serving PoS. After the system verification module has verified Kms, the first protection module protects the resource query request message with Kcs and the first sending module sends it to the candidate PoSs. The first receiving module receives the resource query response messages and the first verification module verifies Kcs; the first protection module then protects the handover preparation response message with Kms and the first sending module sends it to the MN. The first receiving module receives the Kms-protected handover execution request message sent by the MN and the first verification module verifies Kms; after verification passes, the first protection module protects the handover execution request message with Kcs and the first sending module sends the Kcs-protected handover execution request message to the second receiving module.

The second receiving module, second verification module, second protection module and second sending module are located in a candidate PoS or the target PoS. The second receiving module receives the resource query request message sent by the first sending module and the second verification module verifies the Kcs protecting it; after verification passes, the candidate PoS generates a resource query response message, the second protection module protects it with Kcs and the second sending module sends it to the Serving PoS. When the second receiving module receives the handover execution request message, the second verification module verifies Kcs; after verification passes, the target PoS generates a handover execution response message, the second protection module protects it with Kcs and the second sending module sends the protected handover execution response message to the MN. The second receiving module receives the Kma-protected key generation request message sent by the MN and the second sending module passes the Kma-protected key generation request message on to the third receiving module. Once the second receiving module has received the AAA server's verification result and Kmc, the target PoS generates a key generation response message, the second protection module protects it with Kmc and the second sending module sends the protected key generation response message to the MN. The second receiving module receives the Kmc-protected handover complete request message sent by the MN and the second verification module verifies Kmc; after verification passes, the target PoS generates a handover complete response message, the second protection module protects it with Kmc and the second sending module sends the protected handover complete response message to the MN.

The third receiving module, third verification module, key generation module and third sending module are located in the AAA server. The third receiving module receives the key generation request message and the third verification module verifies Kma; after verification passes, the key generation module generates Kmc and the third sending module sends the third verification module's verification result together with Kmc to the second receiving module.

In the system embodiment above, the media-independent handover system may further comprise a judging module located in the Serving PoS, which determines whether this PoS is the destination of the service request message, or whether the PoS itself holds the information the MN requested. If this PoS is the destination of the service request message, the Serving PoS carries out the corresponding operation, such as verifying Kms; if it determines that it holds the information the MN requested, the first sending module sends that information to the MN.

The media-independent handover system may further comprise a creation module located in the Serving PoS: if the judging module determines that the Serving PoS does not hold the information the MN requested, the creation module creates a new service request message and sends it to the information server.

Through the system protection module, the system verification module and the key generation module, the system embodiment above secures the media-independent handover.

Those of ordinary skill in the art will understand that all or part of the steps of the method embodiments above may be carried out by hardware under the control of program instructions. The program may be stored in a computer-readable storage medium and, when executed, performs the steps of the method embodiments above; the storage medium includes ROM, RAM, magnetic disk, optical disc and any other medium capable of storing program code.

Finally, it should be noted that the embodiments above serve only to illustrate the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art will understand that the technical solutions described in those embodiments may still be modified, or some of their technical features replaced by equivalents, without such modifications or replacements taking the essence of the corresponding technical solutions outside the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (19)

1. A method for implementing media-independent handover, characterised by comprising:
a mobile node obtaining, from a network side, service information protected by a shared key;
verifying the shared key;
after verification passes, the mobile node sending a handover preparation request message to the network side on the basis of the service information, the handover preparation request message being protected by a first shared key;
the network side receiving the handover preparation request message, verifying the first shared key, attaching the mobile node to a target service point, and completing the handover;
wherein the network side receiving the handover preparation request message, verifying the first shared key, attaching the mobile node to the target service point and completing the handover comprises:
the network side verifying the first shared key; after verification passes, the network side returning to the mobile node, in accordance with the handover preparation request message, a handover command or handover preparation response message protected by the first shared key; the network side receiving a handover execution request message sent by the mobile node and protected by the first shared key, and verifying the first shared key; after verification passes, the network side returning to the mobile node, in accordance with the handover execution request message, a handover execution response message protected by the first shared key; the network side receiving a key generation request message sent by the mobile node and protected by a fifth shared key, and verifying the fifth shared key; after verification passes, the network side returning to the mobile node a key generation response message protected by a sixth shared key; the mobile node verifying the sixth shared key and, after verification passes, completing the handover; or,
the network side verifying the first shared key; after verification passes, the network side returning to the mobile node, in accordance with the handover preparation request message, a handover command or handover preparation response message protected by the first shared key; the network side receiving a key generation request message sent by the mobile node and protected by a fifth shared key, and verifying the fifth shared key; after verification passes, the network side returning to the mobile node, in accordance with the key generation request message, a key generation response message protected by a sixth shared key; the network side receiving a handover execution request message sent by the mobile node and protected by the first shared key, and verifying the first shared key; after verification passes, the network side returning to the mobile node a handover execution response message protected by the first shared key; the mobile node verifying the first shared key and, after verification passes, completing the handover.

2. The method according to claim 1, characterised in that the mobile node obtaining service information protected by a shared key from the network side specifically comprises:
the mobile node sending the network side a service request message protected by the shared key;
the network side receiving the service request message and verifying the shared key;
after verification passes, the network side sending the mobile node a service response message protected by the shared key, the service response message carrying the service information requested by the mobile node;
the mobile node receiving the service response message, verifying the shared key and, after verification passes, obtaining the service information.

3. The method according to claim 2, characterised in that the network side receiving the service request message and verifying the shared key further comprises:
the service point on the network side that receives the service request message determining whether it is the destination of the service request message;
if it is not the destination of the service request message, forwarding the service request message to that destination; the destination, after receiving the service request message, returning to the network side a service response message for the service request, the service response message carrying the service information requested by the mobile node; and the network side receiving the service response message.

4. The method according to claim 2, characterised in that, before the network side sends the mobile node the service response message protected by the shared key, the method further comprises:
the service point in the serving state on the network side determining, when the shared key verifies, whether it holds the service information requested by the mobile node;
if not, the serving service point creating a new service request message, protecting it with a second shared key and sending it to an information server on the network side; the information server receiving the new service request message and verifying the second shared key; after verification passes, the information server returning to the service point a new service response message protected by the second shared key, the new service response message carrying the service information requested by the mobile node; the service point receiving the new service response message and verifying the second shared key; and, after verification passes, the service point obtaining the service information.

5. The method according to claim 1, characterised in that the mobile node obtaining service information protected by a shared key from the network side specifically comprises:
an information server on the network side broadcasting the service information to each service point on the network side, the service information being protected by a second shared key;
the service point in the serving state on the network side receiving the service information and verifying the second shared key;
after verification passes, the serving service point broadcasting a service message protected by the shared key, the service message carrying the service information;
the mobile node receiving the service message and verifying the shared key;
after verification passes, the mobile node obtaining the service information.

6. The method according to claim 1, characterised in that the mobile node obtaining service information protected by a shared key from the network side specifically comprises:
the network side broadcasting a service message protected by the first shared key or by a third shared key, or the network side unicasting to the mobile node a service message protected by the first shared key, the service message carrying the service information;
the mobile node receiving the service message and verifying the first shared key or the third shared key;
after verification passes, the mobile node obtaining the service information.

7. The method according to claim 1, characterised in that, before the network side receives the handover execution request message sent by the mobile node and protected by the first shared key, the method further comprises:
the mobile node receiving the handover command or handover preparation response message and verifying the first shared key;
after verification passes, the mobile node sending, in accordance with the handover command, a handover execution request message protected by the first shared key to the service point in the serving state on the network side; or the mobile node obtaining a result from the handover preparation response message and sending, in accordance with that result, a handover execution request message protected by the first shared key to the service point in the serving state on the network side; the handover execution request message carrying target service point information.

8. The method according to claim 1, characterised in that, before the network side receives the key generation request message sent by the mobile node and protected by the fifth shared key, the method further comprises:
the mobile node receiving the handover execution response message and verifying the first shared key;
after verification passes, the mobile node sending the network side the key generation request message protected by the fifth shared key.

9. The method according to claim 1, characterised in that, before the network side receives the key generation request message sent by the mobile node and protected by the fifth shared key, the method further comprises:
the mobile node receiving the handover preparation response message and verifying the first shared key;
after verification passes, the mobile node sending the network side, in accordance with the result, a key generation request message protected by the fifth shared key.

10. The method according to claim 1, characterised in that, before the network side receives the handover execution request message sent by the mobile node and protected by the first shared key, the method further comprises:
the mobile node receiving the key generation response message and verifying the sixth shared key;
after verification passes, the mobile node sending the network side a handover execution request message protected by the first shared key.

11. The method according to any one of claims 1 to 10, characterised in that the network side returning to the mobile node, in accordance with the handover preparation request message, a handover command or handover preparation response message protected by the first shared key specifically comprises:
The command or handover preparation response message is specifically: 所述网络侧中处于服务状态的服务点向所述网络侧中各候选服务点发送经过第四共享密钥保护的资源查询请求消息;The service point in the service state on the network side sends a resource query request message protected by the fourth shared key to each candidate service point on the network side; 所述各候选服务点接收所述资源查询请求消息,并验证所述第四共享密钥;Each of the candidate service points receives the resource query request message, and verifies the fourth shared key; 验证通过后,所述各候选服务点判断本服务点是否可接入所述移动节点,并向所述处于服务状态的服务点返回经过所述第四共享密钥保护的资源查询响应消息,所述资源查询响应消息包含判断结果;After passing the verification, each candidate service point judges whether the service point can access the mobile node, and returns a resource query response message protected by the fourth shared key to the service point in service state, so The resource query response message includes a judgment result; 所述处于服务状态的服务点接收所述资源查询响应消息,并验证所述第四共享密钥;The service point in the service state receives the resource query response message, and verifies the fourth shared key; 验证通过后,所述处于服务状态的服务点根据所述判断结果为所述移动节点选择接入的目标服务点,并向所述移动节点发送经过所述第一共享密钥保护的切换命令,所述切换命令中包含有所述目标服务点信息;或者所述处于服务状态的服务点向所述移动节点发送经过第一共享密钥保护的切换准备响应消息,所述切换准备响应消息中包含有所述判断结果。After the verification is passed, the service point in the service state selects a target service point for the mobile node to access according to the judgment result, and sends a handover command protected by the first shared key to the mobile node, The handover command includes the target service point information; or the service point in service state sends a handover preparation response message protected by the first shared key to the mobile node, and the handover preparation response message includes There are said judgment results. 12.根据权利要求1-10中任一项所述的方法,其特征在于,所述网络侧根据所述切换执行请求消息向所述移动节点返回经过所述第一共享密钥保护的切换执行响应消息具体为:12. 
The method according to any one of claims 1-10, wherein the network side returns the handover execution request protected by the first shared key to the mobile node according to the handover execution request message The response message is specifically: 所述网络侧中处于服务状态的服务点用第四共享密钥保护所述切换执行请求消息,并根据所述目标服务点信息将所述切换执行请求消息发送给所述目标服务点;The service point in the service state on the network side protects the handover execution request message with a fourth shared key, and sends the handover execution request message to the target service point according to the target service point information; 所述目标服务点接收所述切换执行请求消息,并验证所述第四共享密钥;The target service point receives the handover execution request message, and verifies the fourth shared key; 验证通过后,所述目标服务点向所述处于服务状态的服务点返回经第四共享密钥保护的切换执行响应消息;After passing the verification, the target service point returns a handover execution response message protected by the fourth shared key to the service point in service state; 所述处于服务状态的服务点接收所述切换执行响应消息,并验证所述第四共享密钥;The service point in the service state receives the handover execution response message, and verifies the fourth shared key; 验证通过后,所述处于服务状态的服务点用所述第一共享密钥保护所述切换执行响应消息,并发送给所述移动节点。After passing the verification, the service point in service state uses the first shared key to protect the handover execution response message, and sends it to the mobile node. 13.根据权利要求1-8中任一项所述的方法,其特征在于,所述网络侧向所述移动节点返回经过第六共享密钥保护的密钥生成响应消息具体为:13. 
The method according to any one of claims 1-8, wherein the network returns to the mobile node the key generation response message protected by the sixth shared key as follows: 所述网络侧的目标服务点向所述网络侧的认证授权计费服务器发送经过第五共享密钥保护的密钥生成请求消息;The target service point on the network side sends a key generation request message protected by the fifth shared key to the authentication, authorization and accounting server on the network side; 所述认证授权计费服务器接收所述密钥生成请求消息,并验证所述第五共享密钥;The authentication, authorization and accounting server receives the key generation request message, and verifies the fifth shared key; 验证通过后,所述认证授权计费服务器生成第六共享密钥,并向所述目标服务点返回验证结果以及所述第六共享密钥;After the verification is passed, the authentication, authorization and accounting server generates a sixth shared key, and returns the verification result and the sixth shared key to the target service point; 所述目标服务点向所述移动节点返回经过第六共享密钥保护的密钥生成响应消息。The target service point returns a key generation response message protected by the sixth shared key to the mobile node. 14.根据权利要求1或9或10所述的方法,其特征在于,所述网络侧根据所述密钥生成请求消息向所述移动节点返回经过第六共享密钥保护的密钥生成响应消息具体为:14. 
The method according to claim 1, 9 or 10, wherein the network side returns a key generation response message protected by the sixth shared key to the mobile node according to the key generation request message Specifically: 所述网络侧中可接入的候选服务点将所述密钥生成请求消息转发给所述网络侧的认证授权计费服务器;The accessible candidate service point on the network side forwards the key generation request message to the authentication, authorization and accounting server on the network side; 所述认证授权计费服务器接收所述密钥生成请求消息,并验证所述第五共享密钥;The authentication, authorization and accounting server receives the key generation request message, and verifies the fifth shared key; 验证通过后,所述认证授权计费服务器生成第六共享密钥,并向所述可接入的服务点返回验证结果以及所述第六共享密钥;After the verification is passed, the authentication, authorization and accounting server generates a sixth shared key, and returns the verification result and the sixth shared key to the accessible service point; 所述可接入的服务点接收所述验证结果以及所述第六共享密钥,并向所述移动节点发送经过所述第六共享密钥保护的密钥生成响应消息。The accessible service point receives the verification result and the sixth shared key, and sends a key generation response message protected by the sixth shared key to the mobile node. 15.一种移动节点,其特征在于,包括:15. 
A mobile node, comprising: 服务信息获取模块,用于从网络侧获得经过共享密钥保护的服务信息,还用于接收所述网络侧发送的经过第一共享密钥保护的切换命令或切换准备响应消息及切换执行响应消息、切换执行响应消息,及经过第六共享密钥保护的密钥生成响应消息;A service information acquisition module, configured to obtain service information protected by a shared key from the network side, and also configured to receive a handover command or a handover preparation response message and a handover execution response message sent by the network side and protected by a first shared key , a handover execution response message, and a key generation response message protected by the sixth shared key; 验证模块,用于验证所述共享密钥,还用于验证所述第六共享密钥;A verification module, configured to verify the shared key, and also used to verify the sixth shared key; 请求模块,用于在所述验证模块验证所述共享密钥通过的情况下,根据所述服务信息向所述网络侧发送切换准备请求消息,还用于根据所述切换命令或切换准备响应消息向所述网络侧发送经过第一共享密钥保护的切换执行请求消息;向所述网络侧发送密钥生成请求消息;A requesting module, configured to send a handover preparation request message to the network side according to the service information when the verification module verifies that the shared key passes, and to send a handover preparation request message to the network side according to the handover command or handover preparation response message Sending a handover execution request message protected by the first shared key to the network side; sending a key generation request message to the network side; 消息保护模块,用于用第一共享密钥保护所述切换准备请求消息,还用于用所述第一共享密钥保护所述切换执行请求消息,用第五共享密钥保护所述密钥生成请求消息。A message protection module, configured to protect the handover preparation request message with a first shared key, protect the handover execution request message with the first shared key, and protect the key with a fifth shared key Generate a request message. 16.根据权利要求15所述的移动节点,其特征在于,所述请求模块还用于向网络侧发送用于获取所述服务信息的服务请求消息;所述消息保护模块还用于用所述第一共享密钥保护所述服务请求消息;所述服务信息获取模块还用于接收网络侧发送的包含所述服务信息的服务响应消息。16. 
The mobile node according to claim 15, wherein the request module is further configured to send a service request message for obtaining the service information to the network side; the message protection module is also configured to use the The first shared key protects the service request message; the service information obtaining module is further configured to receive a service response message containing the service information sent by the network side. 17.根据权利要求15所述的移动节点,其特征在于,所述服务信息获取模块还用于接收网络侧广播的经过第一共享密钥或第三共享密钥保护的服务消息,所述服务消息包含所述服务信息。17. The mobile node according to claim 15, wherein the service information acquisition module is further configured to receive a service message broadcast by the network side protected by the first shared key or the third shared key, the service The message contains the service information. 18.根据权利要求15所述的移动节点,其特征在于,所述请求模块还用于向网络侧发送用于获取所述服务信息的服务请求消息;所述消息保护模块还用于用第三共享密钥保护所述服务请求消息;所述服务信息获取模块还用于接收网络侧发送的包含所述服务信息的服务响应消息;所述验证模块还用于验证保护所述服务响应消息的第三共享密钥。18. The mobile node according to claim 15, wherein the request module is further configured to send a service request message for obtaining the service information to the network side; the message protection module is also configured to use a third The shared key protects the service request message; the service information acquisition module is also used to receive a service response message containing the service information sent by the network side; the verification module is also used to verify and protect the first part of the service response message Three shared keys. 19.根据权利要求15所述的移动节点,其特征在于,所述服务信息获取模块还用于接收网络侧单播的经过第一共享密钥保护的服务消息,所述服务消息包含有所述服务信息。19. The mobile node according to claim 15, wherein the service information acquisition module is further configured to receive a network-side unicast service message protected by the first shared key, the service message including the Service Information.
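As an added illustration (not code from the patent or its assignee), the following Python models the per-hop protection described in claims 11 and 12: every message carries a tag computed under the shared key of that hop (K1 between the mobile node and the serving service point, K4 between service points), and each receiver acts only after verifying the tag. HMAC-SHA256 is an assumed instantiation, since the claims do not name the protection primitive; the key values, message names and the admission rule of the candidate service points are constructed for the example.

```python
import hashlib
import hmac
import json

# Assumed protection primitive: HMAC-SHA256 over a canonical JSON encoding.
# The patent only says "protected by the shared key"; this is one realisation.

def protect(key: bytes, msg: dict) -> dict:
    """Attach a tag computed under `key` to `msg`."""
    body = json.dumps(msg, sort_keys=True).encode()
    return {"body": msg, "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}

def verify(key: bytes, protected: dict) -> dict:
    """Return the message body if the tag verifies under `key`, else raise."""
    body = json.dumps(protected["body"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, protected["mac"]):
        raise ValueError("shared key verification failed")
    return protected["body"]

# Constructed keys: K1 = mobile node <-> serving service point,
# K4 = serving service point <-> candidate/target service point.
K1 = b"constructed-first-shared-key"
K4 = b"constructed-fourth-shared-key"

def candidate_service_point(free_slots: int):
    """Candidate service point: verify K4, judge admission, answer under K4."""
    def handle(query: dict) -> dict:
        q = verify(K4, query)
        return protect(K4, {"type": "ResourceQuery.Response",
                            "mn": q["mn"], "admit": free_slots > 0})
    return handle

def serving_service_point(mn_request: dict, candidates: dict) -> dict:
    """Claim 11 on the serving side: verify K1, query candidates under K4,
    then return either a handover command or a preparation response."""
    req = verify(K1, mn_request)
    results = {}
    for name, handler in candidates.items():
        query = protect(K4, {"type": "ResourceQuery.Request", "mn": req["mn"]})
        results[name] = verify(K4, handler(query))["admit"]
    target = next((n for n, admit in results.items() if admit), None)
    if target is None:
        return protect(K1, {"type": "HandoverPrepare.Response", "results": results})
    return protect(K1, {"type": "Handover.Command", "target": target})

def mobile_node_prepare(candidates: dict) -> dict:
    """Mobile node side: send the K1-protected request, verify the K1 reply."""
    req = protect(K1, {"type": "HandoverPrepare.Request", "mn": "mn-01"})
    return verify(K1, serving_service_point(req, candidates))

def tampered_request_is_rejected() -> bool:
    """A request altered in transit must fail the serving point's K1 check."""
    req = protect(K1, {"type": "HandoverPrepare.Request", "mn": "mn-01"})
    req["body"]["mn"] = "mn-99"          # modification without the key
    try:
        serving_service_point(req, {})
        return False
    except ValueError:
        return True

if __name__ == "__main__":
    cands = {"posA": candidate_service_point(0), "posB": candidate_service_point(2)}
    print(mobile_node_prepare(cands))
    print(tampered_request_is_rejected())
```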
CN2007101541423A 2007-09-19 2007-09-19 Mobile node, method and system for implementing media irrelevant switching Expired - Fee Related CN101394664B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN2007101541423A CN101394664B (en) 2007-09-19 2007-09-19 Mobile node, method and system for implementing media irrelevant switching
PCT/CN2008/072435 WO2009039782A1 (en) 2007-09-19 2008-09-19 A mobile node apparatus, a method for realizing media independent handover and the system thereof

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2007101541423A CN101394664B (en) 2007-09-19 2007-09-19 Mobile node, method and system for implementing media irrelevant switching

Publications (2)

Publication Number Publication Date
CN101394664A CN101394664A (en) 2009-03-25
CN101394664B true CN101394664B (en) 2012-01-04

Family

ID=40494684

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2007101541423A Expired - Fee Related CN101394664B (en) 2007-09-19 2007-09-19 Mobile node, method and system for implementing media irrelevant switching

Country Status (2)

Country Link
CN (1) CN101394664B (en)
WO (1) WO2009039782A1 (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1534931A (en) * 2003-04-02 2004-10-06 Huawei Technologies Co., Ltd. A Method of Generating Dynamic Key in Wireless Local Area Network
CN1553730A (en) * 2003-05-30 2004-12-08 Huawei Technologies Co., Ltd. A key agreement method for mobile station handover in wireless local area network

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7496364B2 (en) * 2004-11-05 2009-02-24 Freescale Semiconductor, Inc. Media-independent handover (MIH) method featuring a simplified beacon
CN100488142C (en) * 2006-02-18 2009-05-13 Huawei Technologies Co., Ltd. Method for switching between heterogeneous networks
CN1968252B (en) * 2006-06-29 2010-09-22 Huawei Technologies Co., Ltd. Media-Independent Link Switching Method

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Junghoon Jee et al. Handover Commands Update: LB Issue #18: Comment 495. IEEE 802.21: 21-06-0677-08-0000. 2006, Section A1.1. *

Also Published As

Publication number Publication date
WO2009039782A1 (en) 2009-04-02
CN101394664A (en) 2009-03-25

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
ASS Succession or assignment of patent right

Owner name: CHANGZHOU XIAOGUO INFORMATION SERVICE CO., LTD.

Free format text: FORMER OWNER: HUAWEI TECHNOLOGY CO., LTD.

Effective date: 20140313

C41 Transfer of patent application or patent right or utility model
COR Change of bibliographic data

Free format text: CORRECT: ADDRESS; FROM: 518129 SHENZHEN, GUANGDONG PROVINCE TO: 213164 CHANGZHOU, JIANGSU PROVINCE

TR01 Transfer of patent right

Effective date of registration: 20140313

Address after: 213164 building C, building 407-2-6, Tian An Digital City, 588 Chang Wu Road, Wujin hi tech Industrial Development Zone, Changzhou, Jiangsu, China

Patentee after: Changzhou Xiaoguo Information Service Co., Ltd.

Address before: 518129 Bantian HUAWEI headquarters office building, Longgang District, Guangdong, Shenzhen

Patentee before: Huawei Technologies Co., Ltd.

TR01 Transfer of patent right

Effective date of registration: 20170816

Address after: 454991 Henan twelve Sanyang village, Sanyang Township, Wuzhi County, Hunan Province

Patentee after: Yuan Yonglin

Address before: 213164 building C, building 407-2-6, Tian An Digital City, 588 Chang Wu Road, Wujin hi tech Industrial Development Zone, Changzhou, Jiangsu, China

Patentee before: Changzhou Xiaoguo Information Service Co., Ltd.

TR01 Transfer of patent right

Effective date of registration: 20180104

Address after: 471299 two groups in Chengguan Town, Chengguan Town, Ruyang County, Henan Province

Patentee after: Wang Yanchao

Address before: 454991 Henan twelve Sanyang village, Sanyang Township, Wuzhi County, Hunan Province

Patentee before: Yuan Yonglin

CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20120104

Termination date: 20170919