
WO2008034368A1 - A method, system, mobile node and correspondent node for generating the binding management key - Google Patents


Info

Publication number
WO2008034368A1
Authority
WO (WIPO (PCT))
Prior art keywords
key, message, public key, binding, public
Application number
PCT/CN2007/070453
Other languages
French (fr), Chinese (zh)
Inventor
Chunqiang Li
Original Assignee
Huawei Technologies Co., Ltd.
Application filed by Huawei Technologies Co., Ltd.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network

Definitions

  • the present invention relates to mobile network technologies, and in particular, to a method, system, mobile node and communication node for generating a binding management key in a mobile IPv6 network.
  • Mobile IPv6 is a solution for mobility at the network layer.
  • MN: Mobile Node
  • CN: Correspondent Node (called the communication node or communication peer in this text)
  • HA: Home Agent
  • The Mobile IPv6 specification requires that a mobile node can move from one link to another without interrupting its ongoing communication: it keeps using its Home Address (HoA), so that mobility is transparent to the transport layer and other higher-layer protocols, and a mobile node can be uniquely identified by its home address.
  • When the mobile node roams to a foreign network, it generates a care-of address (CoA) in some manner and notifies the home agent through a binding update message; the home agent then intercepts packets sent to the mobile node on its home link and forwards them to the mobile node.
  • CoA Care of Address
  • Packets addressed to the mobile node's home address are forwarded to the mobile node by the home agent in tunnel mode.
  • Packets from the mobile node to the CN likewise need to be sent to the home agent in tunnel mode.
  • The home agent decapsulates the tunnel packet and forwards the packet to the CN.
  • the MN referred to herein refers to the mobile node of IPv6.
  • The communication mode in which the mobile node and its communication peer exchange traffic via the home agent is called triangle routing. It obviously increases the communication delay, adds the large header overhead of tunnelling, adds load on the mobile node's home link, and may leave the route far from optimal. Therefore, if the current location information of the mobile node (i.e. its care-of address) is notified to the communication peer, communication between the peer and the mobile node can proceed without going through the home agent.
  • the method in which such a communication peer directly communicates with the mobile node is called a route optimization mode.
  • the route optimization mode of mobile IPv6 can avoid the above problems in the triangular routing mode.
  • For the CN to send packets directly to the mobile node, the mobile node has to advertise its current location to the CN through a Binding Update (BU) message. The BU message must be protected; otherwise communication between the mobile node and its peer is vulnerable. For example, an attacker that replaces the CoA in a BU message with a forged CoA causes the mobile node to stop receiving the packets sent by the CN.
  • BU Binding Update
  • FIG. 1 is a schematic diagram of a process of using a return route reachability in the prior art.
  • When the mobile node attempts to communicate with the CN in route optimization mode, it sends a Home Test Init (HoTI) and a Care-of Test Init (CoTI) message to the CN.
  • HoTI Home Test Init
  • CoTI Care-of Test Init
  • Home keygen token = First(64, HMAC-SHA1(Kcn, HoA | Nonce))
  • Care-of keygen token = First(64, HMAC-SHA1(Kcn, CoA | Nonce)), where "|" denotes concatenation, Kcn is a key known only to the CN, Nonce is a random number generated by the CN, and HMAC-SHA1 is the algorithm that generates a Hash Message Authentication Code (HMAC) from SHA1 with a key. The CN returns the tokens to the MN in the Home Test (HoT) and Care-of Test (CoT) messages.
  • HMAC Hash Message Authentication Code
  • MAC Message Authentication Code
  • The security of this method rests on the assumption that an attacker cannot intercept both the CoT and the HoT message at once, since they travel over two different paths, between the HA and the CN and between the MN and the CN. In fact, an attacker that chooses its location appropriately can eavesdrop on both the CoT and the HoT message.
  • The networking diagram of the mobile node in Figure 2 illustrates the situation.
  • The two paths, between the HA and the MN and between the MN and the CN, share a common link, link C; an eavesdropper anywhere on link C can eavesdrop on both the CoT and the HoT message.
  • CoT and HoT messages are also easy to obtain when nodes on the two different links cooperate. After obtaining the CoT and HoT messages, the attacker can calculate Kbm and so forge a BU message.
  • When a malicious node chooses an appropriate location, for example on the link between the HA and the CN, it can impersonate the MN and send CoTI and HoTI messages to the CN through the RRP. Because the necessary identity authentication information is lacking, the CN cannot tell whether the CoTI and HoTI messages come from a forged MN, and it is difficult for it to create a correct binding entry.
  • Kbm = SHA1(home keygen token | care-of keygen token) is then used to generate the MAC in the BU message.
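The two token formulas and the Kbm derivation above, carried through as an added example (this is not code from the patent or from any RRP implementation; Kcn, the addresses and the nonces are constructed sample values, and the 96-bit HMAC-SHA1 binding authorization data is this example's choice). It shows the property the text relies on: Kbm is a pure function of the two tokens, which travel in the clear in HoT and CoT, so its secrecy depends entirely on those two messages never being observed together. That is the weakness the patent's key exchange is meant to remove:

```python
import hashlib
import hmac

# Constructed sample values (not from the patent page): Kcn is the secret key
# held only by the CN; HoA/CoA are the MN's home and care-of addresses; the
# nonces are the CN's random values returned to the MN in HoT and CoT.
KCN = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
HOA = bytes.fromhex("20010db8000000000000000000000001")
COA = bytes.fromhex("20010db8000000010000000000000002")
NONCE_HOME = bytes.fromhex("00112233445566778899aabbccddeeff")
NONCE_CARE = bytes.fromhex("ffeeddccbbaa99887766554433221100")


def first(bits, data):
    """First(n, x) in the page's notation: the leading n bits of x."""
    return data[: bits // 8]


def keygen_token(kcn, address, nonce):
    """token = First(64, HMAC-SHA1(Kcn, address | nonce)), the page's formula.

    RFC 3775 additionally appends a 0 (home) or 1 (care-of) byte to the
    input; it is omitted here to follow the formula as the page states it.
    """
    return first(64, hmac.new(kcn, address + nonce, hashlib.sha1).digest())


def kbm_from_tokens(home_token, careof_token):
    """Kbm = SHA1(home keygen token | care-of keygen token)."""
    return hashlib.sha1(home_token + careof_token).digest()


def binding_auth_data(kbm, bu_payload):
    """MAC over the BU message under Kbm (96 leading bits of HMAC-SHA1)."""
    return first(96, hmac.new(kbm, bu_payload, hashlib.sha1).digest())


def rrp_demo():
    # CN side: the tokens are computed from Kcn and returned in HoT and CoT.
    home_token = keygen_token(KCN, HOA, NONCE_HOME)
    careof_token = keygen_token(KCN, COA, NONCE_CARE)

    # MN side: Kbm needs nothing but the two tokens it received.
    kbm_mn = kbm_from_tokens(home_token, careof_token)
    bu = HOA + COA
    auth = binding_auth_data(kbm_mn, bu)

    # CN side: recompute the tokens from Kcn and the nonces, then verify.
    kbm_cn = kbm_from_tokens(keygen_token(KCN, HOA, NONCE_HOME),
                             keygen_token(KCN, COA, NONCE_CARE))
    bu_verified = hmac.compare_digest(auth, binding_auth_data(kbm_cn, bu))

    # The property the page describes: Kbm is fully determined by the two
    # tokens carried unencrypted in HoT and CoT; there is no secret input on
    # the MN side, so anyone holding both messages holds Kbm.
    kbm_from_messages_only = kbm_from_tokens(home_token, careof_token)

    return {
        "bu_verified": bu_verified,
        "kbm_depends_only_on_tokens": kbm_from_messages_only == kbm_cn,
        "token_bits": len(home_token) * 8,
    }
```

`rrp_demo()` returns `bu_verified` True, confirming that MN and CN agree on Kbm, and `kbm_depends_only_on_tokens` True, which is the point of the prior-art discussion: the key protecting the BU is recoverable from the two test messages alone.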
  • The main object of the present invention is to provide a method and system for generating a binding management key.
  • The method and system provide a more secure binding management key generation mechanism and protect BU messages more effectively.
  • Another main object of the present invention is to provide a mobile node and a communication node, which are capable of generating a binding management key by exchanging keys to provide a more secure protection function for BU messages.
  • the present invention discloses a method for generating a binding management key.
  • the method includes:
  • the MN and the CN each calculate their own public key according to the key exchange algorithm in use and exchange the public keys with each other;
  • the MN, using the public key from the CN and its own private key, calculates the binding management key according to the key exchange algorithm, uses the binding management key to generate binding authorization data, and carries the binding authorization data in the binding update (BU) message it sends to the CN;
  • the CN, using the public key from the MN and its own private key, calculates the binding management key according to the key exchange algorithm and uses the binding management key it calculated to verify the binding authorization data in the received BU message.
  • the method further includes: setting a key exchange algorithm in the MN and the CN in advance.
  • the method further includes: MN and CN negotiate to obtain a currently used key exchange algorithm.
  • MN and CN negotiate to obtain a currently used key exchange algorithm, including:
  • the MN sends information about the key exchange algorithms it supports to the CN, and the CN determines the key exchange algorithm to use from the algorithms supported by the MN and those supported by the CN itself.
  • the MN sends the information of the key exchange algorithm supported by the MN to the CN, including:
  • the MN carries the information about the key exchange algorithms it supports in the Home Test Init (HoTI) message and/or the Care-of Test Init (CoTI) message it sends to the CN.
  • the MN and the CN calculate the respective public keys according to the key exchange algorithm used and exchange the public keys with each other, including:
  • the CN calculates its own public key from its own private key and the public key cryptosystem parameters of the key exchange algorithm that both the MN and the CN support, and sends its public key and the public key cryptosystem parameters to the MN;
  • the MN generates its own private key based on the public key cryptosystem parameters from the CN, calculates its own public key, and sends the calculated public key to the CN.
  • the CN sends the public key and the public key cryptosystem parameters to the MN as follows: the CN carries the public key in the home test (HoT) message sent to the MN and the public key cryptosystem parameters in the care-of test (CoT) message sent to the MN; or the CN carries the public key cryptosystem parameters in the HoT message sent to the MN and the public key in the CoT message sent to the MN.
  • alternatively, the CN carries both the public key and the public key cryptosystem parameters in the HoT message sent to the MN, or carries both in the CoT message sent to the MN.
  • the system further includes an entity that provides an authentication function. When the CN sends the public key it calculated to the MN, the CN additionally adds a digital signature to the message carrying the public key; after receiving the message carrying the CN's public key, the MN accesses the entity providing the authentication function and authenticates the CN according to the digital signature in the message;
  • when the MN sends the public key it calculated to the CN, the MN additionally adds a digital signature to the message carrying the public key; after receiving the message carrying the MN's public key, the CN accesses the entity providing the authentication function and authenticates the MN according to the digital signature in the message.
  • the method further includes: the CN generates binding authorization data using the binding management key it calculated and carries it in the binding confirmation (BA) message sent to the MN; the MN verifies the binding authorization data in the received BA message using the binding management key it calculated itself.
  • The binding management key can subsequently be updated as Next_Kbm = PRF(Kbm, Expression), where Next_Kbm is the new binding management key,
  • Kbm is the original binding management key
  • Expression is composed of any one or more of CN, the home address HoA, CoA, Nonce and Cookies, and the pseudo-random function PRF() is a function that pseudo-randomizes Expression under the action of Kbm.
  • When the MN is still communicating with the CN but its link has switched and the CoA has changed, the HoTI and HoT messages need not be exchanged between the MN and the CN; the CN's public key for the key exchange is carried in the CoT message sent to the MN. As long as the public key and/or private key are still within their lifetime, the CN and the MN do not update the public key and/or private key used for the key exchange.
  • The CN uses the same private key in the key exchange with every MN.
  • When the public key used for the key exchange is updated, a message authentication code (MAC) generated with the binding management key that is still valid is used to protect the message carrying the new public key.
  • the invention discloses a system for generating a binding management key, comprising an MN and a CN, the CN pre-storing its own private key;
  • the CN sends its own public key and the system parameters of the key exchange algorithm to the MN, calculates the binding management key according to the key exchange algorithm from the public key received from the MN and its pre-stored private key, and uses the binding management key it calculated to verify the binding authorization data in the received BU message;
  • the MN generates a private key and calculates its own public key according to the key exchange algorithm system parameters sent by the CN, sends the calculated public key to the CN, calculates the binding management key according to the key exchange algorithm from the public key received from the CN and its own private key, generates binding authorization data with the binding management key, and carries the binding authorization data in the BU message it sends to the CN.
  • the CN is further configured to generate binding authorization data with the binding management key it calculated and to carry it in the binding confirmation (BA) message sent to the MN; the MN verifies the binding authorization data in the received BA message with the binding management key it calculated itself.
  • the system further includes a home agent (HA); the MN carries the information about the key exchange algorithms it supports in the HoTI message and the CoTI message sent to the CN, and sends the HoTI message to the CN via the HA; the CN determines the key exchange algorithm to use from the key exchange algorithm information carried in the received HoTI and CoTI messages.
  • the system further includes an HA; the CN carries its calculated public key in the HoT message or the CoT message sent to the MN, carries the public key cryptosystem parameters corresponding to the key exchange algorithm in the HoT message or CoT message sent to the MN, and sends the HoT message to the MN through the HA.
  • the system further includes an HA; the MN carries the information about the key exchange algorithms it supports in the HoTI message and the CoTI message sent to the CN, generates its own private key from the public key cryptosystem parameters received from the CN, calculates its public key, and carries the calculated public key together with the generated binding authorization data in the BU message sent to the CN; the CN determines the key exchange algorithm to use from the key exchange algorithm information in the received HoTI and CoTI messages, carries its public key (calculated from its own stored private key and the predetermined public key cryptosystem parameters corresponding to that algorithm) and the public key cryptosystem parameters in the HoT and CoT messages respectively and sends them to the MN, and calculates the binding management key according to the key exchange algorithm from the public key in the BU message and its own private key;
  • the HA forwards HoTI and HoT messages between the MN and the CN.
  • the system further includes an entity providing an authentication function, configured to store trusted data and provide identity authentication; the CN is further configured to add a digital signature to the message carrying the public key it calculated when sending it to the MN, and, after receiving the message carrying the MN's public key, to access the entity providing the authentication function and authenticate the MN according to the digital signature in the message;
  • the MN is further configured to add a digital signature to the message carrying the public key it calculated when sending it to the CN, and, after receiving the message carrying the CN's public key, to access the entity providing the authentication function and authenticate the CN according to the digital signature in the message.
  • the present invention also discloses a MN for transmitting a BU message to the CN when initiating communication with the CN;
  • the MN includes:
  • a key exchange unit, configured to receive the public key from the CN, calculate its own public key and send it to the CN, calculate the binding management key according to the key exchange algorithm from the public key received from the CN and its own private key, generate binding authorization data with the binding management key, and carry the binding authorization data in the BU message sent to the CN.
  • the MN further includes: a verification unit, configured to receive the BA message from the CN, and use the binding management key generated by the key exchange unit to verify the binding authorization data of the CN carried in the BA message.
  • the present invention further discloses a CN for receiving a BU message from a MN when the MN initiates communication with the CN;
  • the CN includes:
  • a key exchange unit, configured to receive the public key and the BU message from the MN, calculate its own public key and send it to the MN, and calculate the binding management key according to the key exchange algorithm from the public key received from the MN and its own private key;
  • the verification unit is configured to receive the BU message from the MN, and use the binding management key generated by the key exchange unit to verify the binding authorization data of the MN carried in the BU message.
  • the key exchange unit is further configured to generate the binding authorization data by using the binding management key calculated by the self, and carry the binding authorization data in the BA message sent to the MN.
  • the method, system, mobile node and communication node for generating a binding management key provided by the present invention combine a key exchange with the return route reachability procedure to generate the binding management key and use the generated key to protect the binding update message of Mobile IPv6. An attack in which a third party calculates Kbm by eavesdropping on the HoT and CoT messages is thereby avoided, and the security of communication in Mobile IPv6 route optimization mode is improved.
  • FIG. 1 is a schematic diagram of a return route reachable process in the prior art.
  • FIG. 2 is a networking diagram of communication performed by a mobile node.
  • FIG. 3 is a schematic diagram of a process flow of a preferred embodiment of the method of the present invention.
  • FIG. 4 is a schematic diagram of a specific structure of a binding management key system according to the present invention.
  • FIG. 5 is a schematic diagram of a specific structure of a mobile node device according to the present invention.
  • FIG. 6 is a schematic diagram of a specific structure of a communication node device according to the present invention.

Mode for carrying out the invention

  • the present invention provides a method for combining a key exchange and a return route reachability procedure (RRP) to generate a binding management key, and a method for how to update the binding management key subsequently.
  • RRP return route reachability procedure
  • the main processing of the present invention is as follows. When the MN and the CN communicate in route optimization mode, the MN first initiates registration with the peer. At this time the two negotiate the key exchange algorithm to use, for example an elliptic curve key exchange algorithm or a Diffie-Hellman key exchange algorithm. After the key exchange algorithm has been determined, the CN sends the public key cryptosystem parameters and the public key PKcn used for the key exchange to the MN; the MN generates its own private key according to the public key cryptosystem parameters sent by the CN, uses it to calculate the corresponding public key PKmn, calculates the binding management key (Kbm) with the key exchange algorithm from the received public key PKcn and its own private key, and uses Kbm to generate the binding authorization data of the binding update (BU) message, such as a MAC.
  • the MN sends a BU message carrying the binding authorization data and the public key PKmn to the CN, and then the CN calculates the binding management key using the public key PKmn and the self-preserved private key, and then uses the binding management key to verify the BU message. Further, the CN generates the binding authorization data by using the generated binding management key and carries it in the binding confirmation message (BA) message, and returns it to the MN, and the MN uses the binding management key generated by the MN to verify the BA.
  • BA binding confirmation message
  • the MN may carry information about the key exchange algorithms it supports when sending the HoTI and CoTI messages, and the CN determines the key exchange algorithm to use from the HoTI and CoTI messages; the CN can carry the public key cryptosystem parameters it selected and the public key PKcn it calculated in the HoT and CoT messages respectively and send them to the MN.
  • FIG. 3 is a schematic diagram of a process flow of a preferred embodiment of the method of the present invention. As shown in Figure 3, the specific processing steps include:
  • Step 301 The MN sends a HoTI message to the CN through the HA, where the HoTI message carries information of a key exchange algorithm supported by the MN.
  • Step 302 The MN sends a CoTI message to the CN, where the CoTI message carries information of a key exchange algorithm supported by the MN.
  • Step 303 The CN determines the key exchange algorithm to use from the key exchange algorithm information in the received HoTI and CoTI messages. Then, with the determined key exchange algorithm, it calculates public key 1 from a preset private key 1 and the public key cryptosystem parameters corresponding to that key exchange algorithm.
  • Step 304 The CN sends a HoT message to the MN through the HA, where the HoT message carries the public key 1.
  • Step 305 The CN sends a CoT message to the MN, where the CoT message carries the public key cryptosystem parameter described in step 303.
  • The CN sends public key 1 and the public key cryptosystem parameters to the MN in the HoT message and the CoT message respectively. Alternatively, the HoT message in step 304 may carry the public key cryptosystem parameters and the CoT message in step 305 may carry public key 1.
  • the public key 1 and public key cryptosystem parameters may also be included in the same message and sent to the MN, such as a HoT message or a CoT message.
  • Step 306 The MN extracts the public key 1 and the public key cryptosystem parameters from the received HoT message and the CoT message; uses the public key cryptosystem parameter to generate its own private key 2 and calculates the public key 2; uses the public key 1 And the private key 2 calculates the binding management key according to the key exchange algorithm; and then uses the calculated binding management key to generate the binding authorization data.
  • Step 307 The MN sends a BU message to the CN, where the BU message carries the binding authorization data and the public key 2 calculated by the MN.
  • Step 308 The CN extracts public key 2 from the received BU message, calculates Kbm from public key 2 and the pre-stored private key 1 according to the key exchange algorithm, and verifies the binding authorization data carried in the BU message with Kbm, thereby verifying the MN.
  • If the Kbm generated by the CN is the same as the Kbm generated by the MN, the binding authorization data carried in the BU message verifies correctly, that is, the MN passes the CN's verification; otherwise the MN fails the CN's verification.
  • Step 309 The CN generates binding authorization data using the Kbm calculated in step 308.
  • Step 310 The CN sends a BA message to the MN, where the BA message carries the binding authorization data generated by the CN in step 309.
  • Step 311 The MN uses the Kbm calculated by itself to verify the binding authorization data in the BA message to implement verification of the CN. Similarly, if the Kbm generated by the CN is the same as the Kbm generated by the MN, the CN can pass the verification by the MN; otherwise, the CN cannot pass the verification by the MN.
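Steps 301 to 311 carried through as one added example in Python; this is not code from the patent, and the message layouts, the CorrespondentNode and MobileNode classes, HMAC-SHA256 as the PRF, the 96-bit HMAC-SHA1 binding authorization data, the demo modulus and the addresses are all this example's assumptions. It uses the Diffie-Hellman variant with parameter (p, g); forwarding of HoTI/HoT through the HA is modelled as a direct call. A second run alters the CoA of the BU in transit to show the CN rejecting it in step 308, the forgery the text says the scheme prevents:

```python
import hashlib
import hmac
import secrets

# Public key cryptosystem parameter (p, g): p prime, g < p a generator. 2**255 - 19
# is a known prime used so the arithmetic is genuine; a deployment would use a
# standardised Diffie-Hellman group instead of this demo choice.
P = 2**255 - 19
G = 2

# Constructed addresses; none of them come from the patent page.
HOA = bytes.fromhex("20010db8000000000000000000000001")
COA = bytes.fromhex("20010db8000000010000000000000002")
CN_ADDR = bytes.fromhex("20010db8000000020000000000000003")

def derive_kbm(shared_secret, expression):
    """Kbm = PRF(Ks, Expression) with Ks = g^(xy) mod p and PRF = HMAC-SHA256."""
    return hmac.new(shared_secret.to_bytes(32, "big"), expression, hashlib.sha256).digest()

def binding_auth_data(kbm, msg):
    """Binding authorization data: the 96 leading bits of HMAC-SHA1 under Kbm."""
    return hmac.new(kbm, msg, hashlib.sha1).digest()[:12]

def bu_payload(bu):
    return bu["hoa"] + bu["coa"] + bu["public_key_2"].to_bytes(32, "big")

def ba_payload(ba):
    return ba["hoa"] + bytes([ba["status"]])

class CorrespondentNode:
    SUPPORTED = {"DH"}

    def __init__(self):
        # Private key 1 is pre-stored and reused with every MN (page, step 303).
        self.x = secrets.randbelow(P - 3) + 2
        self.pk1 = pow(G, self.x, P)

    def handle_init(self, hoti, coti):
        # Step 303: pick an algorithm advertised in both HoTI and CoTI.
        if not self.SUPPORTED & set(hoti["algs"]) & set(coti["algs"]):
            raise ValueError("no common key exchange algorithm")
        # Steps 304-305: public key 1 goes in HoT, parameters (p, g) in CoT.
        return {"public_key_1": self.pk1}, {"params": (P, G)}

    def handle_bu(self, bu):
        # Step 308: Kbm from public key 2 and private key 1, then verify the MAC.
        pk2 = bu["public_key_2"]
        if not 1 < pk2 < P - 1:          # reject degenerate public values
            return None
        kbm = derive_kbm(pow(pk2, self.x, P), CN_ADDR + bu["hoa"] + bu["coa"])
        if not hmac.compare_digest(binding_auth_data(kbm, bu_payload(bu)), bu["auth"]):
            return None                  # the MN fails verification
        # Steps 309-310: BA carries auth data computed under the same Kbm.
        ba = {"status": 0, "hoa": bu["hoa"]}
        ba["auth"] = binding_auth_data(kbm, ba_payload(ba))
        return ba

class MobileNode:
    SUPPORTED = ["DH"]

    def __init__(self, hoa, coa):
        self.hoa, self.coa, self.kbm = hoa, coa, None

    def init_messages(self):
        # Steps 301-302: advertise the supported algorithms in HoTI and CoTI.
        return {"algs": self.SUPPORTED}, {"algs": self.SUPPORTED}

    def handle_tests(self, hot, cot):
        # Step 306: generate private key 2 and public key 2, derive Kbm.
        p, g = cot["params"]
        self.y = secrets.randbelow(p - 3) + 2
        self.pk2 = pow(g, self.y, p)
        self.kbm = derive_kbm(pow(hot["public_key_1"], self.y, p),
                              CN_ADDR + self.hoa + self.coa)

    def build_bu(self):
        # Step 307: the BU carries public key 2 and the binding authorization data.
        bu = {"hoa": self.hoa, "coa": self.coa, "public_key_2": self.pk2}
        bu["auth"] = binding_auth_data(self.kbm, bu_payload(bu))
        return bu

    def verify_ba(self, ba):
        # Step 311: the MN verifies the CN with the Kbm it computed itself.
        if ba is None:
            return False
        return hmac.compare_digest(binding_auth_data(self.kbm, ba_payload(ba)), ba["auth"])

def run_protocol(tamper_coa=False):
    cn, mn = CorrespondentNode(), MobileNode(HOA, COA)
    hoti, coti = mn.init_messages()
    hot, cot = cn.handle_init(hoti, coti)   # HoTI/HoT cross the HA; modelled as direct
    mn.handle_tests(hot, cot)
    bu = mn.build_bu()
    if tamper_coa:
        # A BU whose CoA was altered in transit must fail the check in step 308.
        bu = dict(bu, coa=bytes.fromhex("20010db8000000ff0000000000000099"))
    ba = cn.handle_bu(bu)
    return {"bu_accepted": ba is not None, "ba_verified": mn.verify_ba(ba)}
```

Because the CoA is part of Expression, the CN derives a different Kbm for the altered BU and the MAC check fails before any binding is created; the MN likewise refuses a BA it cannot verify. Note that the CN's private key is the same across all MNs, exactly as the text describes, so its protection matters more than any single session's.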
  • In the above flow, the key exchange algorithm information, public key 1, public key 2, the public key cryptosystem parameters, the binding authorization data and so on are carried in the existing HoTI, HoT, CoTI, CoT and BU messages of the return route reachability procedure.
  • The present invention does not limit which specific message carries this information; other messages can carry it and still achieve the object of the present invention.
  • the invention can be implemented by various key exchange algorithms.
  • the two most common algorithms are the elliptic curve key exchange algorithm and the Diffie-Hellman key exchange algorithm.
  • the binding management key generation method of the present invention is described in detail below in conjunction with an elliptic curve key exchange algorithm and a Diffie-Hellman key exchange algorithm.
  • p is a positive integer
  • Fp is a finite field
  • a and b are positive integers in Fp
  • G is the base point on the elliptic curve E ( Fp )
  • n is a prime number and is the order of the base point G.
  • In the elliptic curve embodiment, public key 1 (calculated from the securely stored private key 1) is divided into two parts and sent to the MN in a HoT message and a CoT message, respectively.
  • Either Ks, the key obtained from the key exchange, or a key K derived from it can be used as the binding management key (Kbm), where:
  • Expression can be composed of CN, HoA, CoA, Nonce, Cookies, etc., or it can be empty;
  • PRF(Ks, Expression) is a function that performs pseudo-random processing on Expression under the action of the key Ks; it can be used for message authentication and for deriving a key, and may be a function such as HMAC-MD5, HMAC-SHA1 or HMAC-SHA256.
  • The MN generates the binding authorization data using the calculated Kbm and sends a BU message carrying it; the BU message carries the Nonce option, and public key 2 (i.e. R) is placed in a BU option and sent to the CN.
  • After receiving the BU message, the CN checks the Nonce option; when the check passes, the CN calculates the binding management key Kbm from public key 2 and private key 1 and verifies the binding authorization data carried in the BU message with Kbm.
  • the CN may also use Kbm to generate binding authorization data and carry it in the BA message and return it to the MN, and the MN uses the Kbm generated by itself to verify the binding authorization data in the BA message.
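The elliptic curve embodiment with the page's symbols p, a, b, G and n, together with the key update Next_Kbm = PRF(Kbm, Expression) described earlier, as one added example that is not the patent's code and extends the text only in spelling out the point checks. NIST P-256 supplies the curve parameters, HMAC-SHA256 serves as the PRF, the x-coordinate of the shared point is taken as Ks, and the addresses are constructed; all of these are this example's assumptions. The received public key is verified to be on the curve and in the order-n subgroup before use, a check the page does not spell out but which a correspondent node accepting keys from arbitrary peers needs:

```python
import hashlib
import hmac
import secrets

# The page's symbols: p (field prime), a and b (curve coefficients over Fp),
# G (base point on E(Fp)), n (prime order of G). NIST P-256 values are used so
# the arithmetic is genuine; they are this example's choice, not the page's.
p = 2**256 - 2**224 + 2**192 + 2**96 - 1
a = p - 3
b = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
     0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)
n = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
O = None  # point at infinity

# Constructed sample values for Expression (not from the page).
CN_ADDR = bytes.fromhex("20010db8000000020000000000000003")
HOA = bytes.fromhex("20010db8000000000000000000000001")
COA = bytes.fromhex("20010db8000000010000000000000002")
NEW_COA = bytes.fromhex("20010db8000000030000000000000004")

def on_curve(pt):
    """True if pt is O or satisfies y^2 = x^3 + a*x + b over Fp."""
    if pt is O:
        return True
    x, y = pt
    return (y * y - (x * x * x + a * x + b)) % p == 0

def add(p1, p2):
    """Affine point addition on E(Fp); inverses via Fermat since p is prime."""
    if p1 is O:
        return p2
    if p2 is O:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % p == 0:
        return O
    if p1 == p2:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, p - 2, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, p - 2, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def mul(k, pt):
    """Scalar multiplication k*pt by double-and-add."""
    result, addend = O, pt
    while k:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result

def prf(key, expression):
    """PRF(key, Expression): HMAC-SHA256, one of the functions the page lists."""
    return hmac.new(key, expression, hashlib.sha256).digest()

def keypair():
    """Private key d in [1, n-1], public key d*G."""
    d = secrets.randbelow(n - 1) + 1
    return d, mul(d, G)

def shared_ks(d_own, pk_peer):
    """Ks: x-coordinate of d_own * pk_peer, after checking that the peer's point
    is on the curve and in the order-n subgroup (rejects invalid-curve input)."""
    if pk_peer is O or not on_curve(pk_peer) or mul(n, pk_peer) is not O:
        raise ValueError("invalid public key")
    return mul(d_own, pk_peer)[0].to_bytes(32, "big")

def ecdh_kbm_demo():
    d1, pk1 = keypair()            # CN: private key 1 / public key 1
    d2, pk2 = keypair()            # MN: private key 2 / public key 2
    expression = CN_ADDR + HOA + COA
    kbm_cn = prf(shared_ks(d1, pk2), expression)     # K = PRF(Ks, Expression)
    kbm_mn = prf(shared_ks(d2, pk1), expression)
    # Handover: the CoA changes and no new public keys are exchanged;
    # both sides roll the key as Next_Kbm = PRF(Kbm, Expression).
    next_cn = prf(kbm_cn, CN_ADDR + HOA + NEW_COA)
    next_mn = prf(kbm_mn, CN_ADDR + HOA + NEW_COA)
    return {"kbm_match": kbm_cn == kbm_mn, "next_match": next_cn == next_mn,
            "next_is_fresh": next_cn != kbm_cn}
```

The subgroup check costs one extra scalar multiplication per received key; on a prime-order curve such as P-256 the on-curve test alone already rules out points of small order, but the explicit check keeps the routine correct for curves with a cofactor.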
  • The CN uses the same private key when performing route optimization with multiple MNs; that is, when multiple MNs initiate communication with the same CN, the private key the CN uses when interacting with each MN to generate a binding management key is the same.
  • DOS denial of service
  • In the Diffie-Hellman embodiment, the public key cryptosystem parameter to be selected is (p, g), where p is a prime number, g is a generator of the finite field Fp, and g < p.
  • Public key 1 = g^x mod p (where x is private key 1 saved by the CN) is divided into two parts, placed in the HoT and CoT messages and sent to the MN. The MN checks the messages after receiving the HoT message and the CoT message.
  • The MN generates the binding authorization data with the calculated Kbm and sends a BU message carrying it; the BU message needs to carry the Nonce option, and public key 2 (i.e. Y) is sent in an option of the BU message.
  • multiple MNs can use the same private key when performing route optimization with the same CN.
  • Even if an attacker intercepts the public key and the public key cryptosystem parameters in the HoT and CoT messages, it cannot obtain the Kbm used by the MN and the CN, and so cannot generate binding authorization data and send a BU message to the CN to carry out the attack.
  • The present invention may generate the binding management key using an anonymous key exchange, that is, without including a digital signature in the messages involved in the key exchange.
  • In that case a timestamp mechanism can provide protection: for example, the messages involved in the key exchange carry a timestamp, and when the MN does not receive the message carrying the public key within a certain time limit, the MN determines that the CN is under attack and discards the messages from the CN.
  • Alternatively, an entity that provides an authentication function and holds trusted data is set up in the network, and digital signatures are added to the messages involved in the key exchange (such as the HoT and CoT messages) for identity authentication.
  • The CN or the MN may use the digital signature in the message to access the entity providing the authentication function and complete the identity verification.
  • When the binding management key is updated, the new key is derived as Next_Kbm = PRF(Ks, Expression), where Ks is the current key and PRF is the pseudo-random function used for the derivation of the key, which can be HMAC-MD5, HMAC-SHA1, HMAC-SHA256 or a similar function.
  • The RRP in this case does not need to exchange the HoTI/HoT messages; only the CoTI/CoT messages are retained, and the CN's public key for the key exchange is placed in the CoT message sent to the MN.
  • The CN and the MN need not update the public-private key pair used for the key exchange.
  • When the CN and the MN do generate a new public key, it is carried in a message involving the key exchange, and a message authentication code (MAC) may be generated with Ks to protect that message.
  • the present invention also discloses a system for generating a binding management key.
  • Figure 4 is a specific embodiment of the system.
  • the system includes: MN and CN.
  • The MN and the CN negotiate the key exchange algorithm through the HoTI message and/or transmit the public key through the HoT message; the HoTI and HoT messages need to be forwarded by the HA, so the system may further include the HA.
  • the MN and the CN exchange their respective public keys through HoT messages, BU messages, etc.
  • the digital signature may be further added to the message carrying the public key for the message receiving end to authenticate the message sending end.
  • In that case an entity providing an authentication function is further configured, as shown in FIG. 4; after receiving the message carrying the public key, one end (the MN or the CN) accesses the entity providing the authentication function and authenticates the other end according to the digital signature carried in the message.
  • the invention also discloses a mobile node (MN) device.
  • Figure 5 is a specific embodiment of the MN.
  • the MN is configured to send a BU message to the CN when initiating communication with the CN;
  • the MN includes a key exchange unit, configured to receive the public key from the CN, calculate its own public key and send it to the CN, calculate the binding management key according to the key exchange algorithm from the public key received from the CN and its own private key, generate binding authorization data with the binding management key, and carry the binding authorization data in the BU message sent to the CN.
  • the MN may further include: a verification unit, configured to receive the BA message from the CN, and use the binding management key generated by the key exchange unit to verify the binding authorization data of the CN carried in the BA message.
  • the present invention discloses a communication node (CN).
  • Figure 6 is a specific embodiment of the CN.
  • the CN is configured to receive a BU message from the MN when the MN initiates communication with the CN;
  • the CN includes: a key exchange unit, configured to receive a public key and a BU message from the MN, compute its own public key and send it to the MN, and compute the binding management key from the MN's public key and its own pre-stored private key according to the key exchange algorithm;
  • the verification unit is configured to receive the BU message from the MN and verify the MN's binding authorization data carried in the BU message using the binding management key generated by the key exchange unit.
  • the key exchange unit is further configured to generate binding authorization data using the binding management key it computed and carry the binding authorization data in the BA message sent to the MN.
  • the invention combines the key exchange and the return routability procedure to generate a binding management key and uses the generated binding management key to protect mobile IPv6 binding update messages, thereby preventing attacks in which a third party eavesdrops on the HoT and CoT messages and computes Kbm, and improving the security of communication in mobile IPv6 route optimization mode.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

A method for generating a binding management key comprises: the mobile node (MN) and the correspondent node (CN) compute their respective public keys according to the key exchange algorithm in use and exchange the public keys; the MN computes a binding management key from the CN's public key and its own private key based on the key exchange algorithm, generates binding authorization data using the binding management key, and sends the binding authorization data to the CN in a binding update (BU) message; the CN computes a binding management key from the MN's public key and its own private key based on the key exchange algorithm, and authenticates the binding authorization data in the received BU message using the binding management key it computed. A system, an MN and a CN are also provided. The security of the binding management key generation process can be enhanced.

Description

Method, system, mobile node and correspondent node for generating a binding management key

Technical field

The present invention relates to mobile network technology, and in particular to a method, system, mobile node and correspondent node for generating a binding management key in a mobile IPv6 network.

Background of the invention
With the rapid development of computer network technology and mobile communication computing, there is a demand for networks to provide mobility. Mobile IPv6 is a scheme that solves mobility at the network layer.
A mobile IPv6 network has three basic network entities: the mobile node (MN), the correspondent node (CN) and the home agent (HA). The mobile IPv6 specification requires that while a mobile node moves from one link to another, communication in progress using its home address (HoA) is not interrupted; the node's mobility is transparent to the transport layer and other higher-layer protocols, and a mobile node can be uniquely identified by its home address. When a mobile node roams to a foreign network, it generates a care-of address (CoA) in a defined way and notifies the home agent with a binding update message; the home agent intercepts packets sent to the mobile node's home network for the mobile node and forwards them to the mobile node through a tunnel. When the mobile node sends a packet to the CN, the packet must be sent through the tunnel to the home agent, which decapsulates the tunneled packet and forwards it to the CN. Every MN referred to herein is an IPv6 mobile node.
This mode, in which the mobile node and the correspondent communicate by way of the home agent, is called triangle routing. It clearly increases communication delay and has problems such as large packet-header overhead for communication with the mobile node, extra load on the mobile node's home link, and possibly suboptimal routing. If the mobile node's current location information (its care-of address) is instead told to the correspondent, communication between the correspondent and the mobile node no longer needs to pass through the home agent; this method, in which the correspondent communicates directly with the mobile node, is called route optimization mode. Route optimization in mobile IPv6 avoids the problems of triangle routing listed above. For the CN to send packets directly to the mobile node, the mobile node must announce its current location to the CN in a binding update (BU) message, and the BU message therefore needs to be protected; otherwise communication between the mobile node and the correspondent is easily attacked. For example, if an attacker replaces the CoA in a BU message with a forged CoA, the mobile node can no longer receive the packets the CN sends.
The industry has proposed a method that generates a binding management key (Kbm) using the return routability procedure (RRP) and uses that Kbm to protect the BU and binding acknowledgement (BA) messages between the MN and the CN. Figure 1 is a schematic diagram of the prior-art return routability procedure. As shown in Figure 1, when a mobile node tries to communicate with a CN in route optimization mode, it sends Home Test Init (HoTI) and Care-of Test Init (CoTI) messages to the CN. It is assumed that the CN supports and permits route optimization mode for communication with the mobile node.
When the CN receives the HoTI message, it computes the home keygen token as follows:

home keygen token = First(64, HMAC-SHA1(Kcn, HoA | Nonce | 0))

When the CN receives the CoTI message, it computes the care-of keygen token as follows:

care-of keygen token = First(64, HMAC-SHA1(Kcn, CoA | Nonce | 1))

Here Kcn is a key known only to the CN, Nonce is a random number generated by the CN, and HMAC-SHA1 is the algorithm that produces a hash message authentication code (HMAC) using keyed SHA1. The CN places the home keygen token in a HoT message sent to the mobile node and the care-of keygen token in a CoT message sent to the mobile node. After receiving the HoT and CoT messages from the CN and passing the cookie check, the mobile node extracts the home keygen token and the care-of keygen token from them and computes Kbm = SHA1(home keygen token | care-of keygen token). When the mobile node deregisters its binding with the CN, it uses Kbm = SHA1(home keygen token) to generate the message authentication code (MAC) in the BU message.
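The prior-art derivation above, worked through in code. This is an added example written for this page, not code from the patent or from Huawei: the CN derives both keygen tokens from Kcn and a nonce, the MN computes Kbm from nothing but the two tokens it received in HoT and CoT, and the CN regenerates the tokens to verify the BU authenticator. The addresses, nonce index and mobility-header bytes are constructed sample values; the layout of the BU authenticator (First(96, HMAC-SHA1(Kbm, CoA | CN | MH data))) follows RFC 3775 and is an assumption, since the text only calls it "the MAC".

```python
import hashlib
import hmac
import ipaddress
import secrets

# Constructed sample addresses (documentation prefix), not values from the patent.
HOA = ipaddress.IPv6Address("2001:db8:1::10").packed      # MN home address
COA = ipaddress.IPv6Address("2001:db8:2::10").packed      # MN care-of address
CN_ADDR = ipaddress.IPv6Address("2001:db8:3::1").packed   # correspondent node


def first(n_bits, data):
    """First(n, x): the leftmost n bits of x (n is a multiple of 8 here)."""
    return data[: n_bits // 8]


def keygen_token(kcn, address, nonce, tag):
    """Home keygen token (tag 0) or care-of keygen token (tag 1):
    First(64, HMAC-SHA1(Kcn, address | Nonce | tag))."""
    return first(64, hmac.new(kcn, address + nonce + bytes([tag]), hashlib.sha1).digest())


def kbm_from_tokens(home_token, coa_token):
    """Kbm = SHA1(home keygen token | care-of keygen token)."""
    return hashlib.sha1(home_token + coa_token).digest()


def kbm_for_deregistration(home_token):
    """Kbm = SHA1(home keygen token), used when the MN cancels its binding."""
    return hashlib.sha1(home_token).digest()


def binding_auth_data(kbm, coa, cn_addr, mh_data):
    """BU/BA authenticator; input layout assumed from RFC 3775."""
    return first(96, hmac.new(kbm, coa + cn_addr + mh_data, hashlib.sha1).digest())


class CorrespondentNode:
    """CN side of the RRP: keeps Kcn and a nonce table, no per-MN state."""

    def __init__(self, addr):
        self.addr = addr
        self.kcn = secrets.token_bytes(20)          # known only to the CN
        self.nonces = {7: secrets.token_bytes(8)}   # nonce index -> nonce

    def home_token(self, hoa, idx):
        return keygen_token(self.kcn, hoa, self.nonces[idx], 0)

    def careof_token(self, coa, idx):
        return keygen_token(self.kcn, coa, self.nonces[idx], 1)

    def verify_bu(self, hoa, coa, idx, mh_data, auth):
        # The CN regenerates both tokens from Kcn and the nonce index the BU names,
        # recomputes Kbm and compares the authenticator in constant time.
        if idx not in self.nonces:
            return False
        kbm = kbm_from_tokens(self.home_token(hoa, idx), self.careof_token(coa, idx))
        return hmac.compare_digest(binding_auth_data(kbm, coa, self.addr, mh_data), auth)


def run_rrp():
    """One HoT/CoT/BU round; returns the facts a reader would want to check."""
    cn = CorrespondentNode(CN_ADDR)
    idx = 7
    hot_token = cn.home_token(HOA, idx)     # travels in HoT, via the HA
    cot_token = cn.careof_token(COA, idx)   # travels in CoT, directly
    kbm_mn = kbm_from_tokens(hot_token, cot_token)   # MN: only the two tokens are needed
    mh_data = b"BU seq=1 lifetime=3600"              # constructed stand-in for the mobility header
    auth = binding_auth_data(kbm_mn, COA, CN_ADDR, mh_data)
    forged_coa = ipaddress.IPv6Address("2001:db8:9::66").packed
    return {
        "token_len": len(hot_token),
        "kbm_len": len(kbm_mn),
        "auth_len": len(auth),
        "bu_ok": cn.verify_bu(HOA, COA, idx, mh_data, auth),
        "forged_coa_rejected": not cn.verify_bu(HOA, forged_coa, idx, mh_data, auth),
        "unknown_nonce_rejected": not cn.verify_bu(HOA, COA, idx + 1, mh_data, auth),
        "dereg_differs": kbm_for_deregistration(hot_token) != kbm_mn,
    }
```

Note that `kbm_from_tokens` takes no secret of the MN's own: every input to Kbm is transported in the clear in HoT and CoT, which is exactly the property the description goes on to criticise.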
This method relies on the assumption that an attacker cannot eavesdrop on both the CoT and HoT messages at the same time on the two links, HA to CN and MN to CN. In fact, an attacker can eavesdrop on the CoT or HoT message simply by choosing a suitable location; the networking diagram of Figure 2, in which a mobile node communicates, illustrates the situation. In Figure 2, the link between the HA and the MN and the link between the MN and the CN share a common link, link C, so an eavesdropper anywhere on link C can capture both the CoT and HoT messages. In addition, two cooperating nodes on two different links can easily obtain the CoT and HoT messages. Having obtained CoT and HoT, the attacker can compute Kbm and can naturally forge BU messages.
When a malicious node chooses a suitable location, for example on the link between the HA and the CN, and imitates the MN by sending CoTI and HoTI messages to the CN through the RRP, the CN, lacking the necessary identity authentication information, naturally cannot tell whether these CoTI and HoTI messages were sent by an impersonated MN, and it is also difficult for it to create a proper binding entry. In particular, when a BU is sent to cancel a binding, a malicious node that has eavesdropped on the HoT message can use Kbm = SHA1(home keygen token) to generate the MAC in the BU message; on receiving that BU message the CN verifies it with Kbm = SHA1(home keygen token) and, once verification passes, cancels the corresponding binding entry, which may overload the home network.
In short, the security of the existing method of generating Kbm through the RRP is very limited.

Summary of the invention
In view of this, the main object of the present invention is to provide a method and system for generating a binding management key that offer a more secure key generation mechanism and protect BU messages more effectively.
Another main object of the present invention is to provide a mobile node and a correspondent node that can generate a binding management key by exchanging keys, so as to protect BU messages more securely.
To achieve the above objects, the technical solution of the present invention is implemented as follows:
The present invention discloses a method for generating a binding management key. When an MN initiates communication with a CN, the method includes:
the MN and the CN compute their respective public keys according to the key exchange algorithm in use and exchange the public keys with each other;
the MN computes the binding management key from the CN's public key and its own private key according to the key exchange algorithm, generates binding authorization data with that binding management key, and sends the binding authorization data to the CN in a binding update (BU) message;
the CN computes the binding management key from the MN's public key and its own private key according to the key exchange algorithm, and verifies the binding authorization data in the received BU message with the binding management key it computed.
The method further includes: setting the key exchange algorithm in the MN and the CN in advance.
The method further includes: the MN and the CN negotiating the key exchange algorithm currently in use. In the above solution, the MN and the CN negotiating the key exchange algorithm currently in use includes:
the MN sends information about the key exchange algorithms it supports to the CN, and the CN determines the key exchange algorithm currently in use from that information and from the key exchange algorithms it itself supports.
In the above solution, the MN sending information about the key exchange algorithms it supports to the CN includes: the MN carrying that information in the Home Test Init (HoTI) message and/or the Care-of Test Init (CoTI) message sent to the CN.
In the above solution, the MN and the CN computing their respective public keys according to the key exchange algorithm in use and exchanging them includes:
the CN sends the MN the public key cryptosystem parameters of a key exchange algorithm that both it and the MN support, together with the CN's public key; the MN generates its own private key and computes its own public key from the public key cryptosystem parameters received from the CN, and sends the computed public key to the CN.
In the above solution, the CN sending the public key and the public key cryptosystem parameters to the MN includes: the CN carrying the public key in the Home Test (HoT) message sent to the MN and the public key cryptosystem parameters in the Care-of Test (CoT) message sent to the MN; or the CN carrying the public key cryptosystem parameters in the HoT message sent to the MN and the public key in the CoT message sent to the MN.
In the above solution, the CN sending the public key and the public key cryptosystem parameters to the MN includes: the CN carrying both the public key and the public key cryptosystem parameters in the HoT message sent to the MN; or the CN carrying both in the CoT message sent to the MN.
In the above solution, the system further includes an entity for providing an authentication function. When the CN sends its computed public key to the MN, it further adds a digital signature to the message carrying the public key; after receiving the message carrying the CN's public key, the MN accesses the entity for providing the authentication function and authenticates the CN according to the digital signature in the message;
when the MN sends its computed public key to the CN, it further adds a digital signature to the message carrying the public key; after receiving the message carrying the MN's public key, the CN accesses the entity for providing the authentication function and authenticates the MN according to the digital signature in the message.

The method further includes: the CN generating binding authorization data with the binding management key it computed and sending that data to the MN in a binding acknowledgement (BA) message; and the MN verifying the binding authorization data in the received BA message with the binding management key it computed.
In the above solution, when the MN's care-of address (CoA) has not changed, the MN is still communicating with the CN, and a new binding management key is needed, the MN and the CN compute a new binding management key from the existing binding management key as follows:
Next_Kbm = PRF ( Kbm, Expression )  Next_Kbm = PRF ( Kbm, Expression )
where Next_Kbm is the new binding management key, Kbm is the existing binding management key, Expression consists of any one or more of the CN, the home address HoA, the CoA, the Nonce and the Cookies, and the pseudo-random function PRF() is a function that applies pseudo-random processing to Expression keyed by Kbm.
In the above solution, when the MN is still communicating with the CN but its link is handed over so that the CoA changes, the MN and the CN need not send HoTI and HoT messages again; the CN's public key for the key exchange is carried to the MN in a CoT message, and as long as the public key and/or private key are within their lifetime, the CN and the MN do not renew the public key and/or private key used for the key exchange.
In the above solution, when several MNs initiate communication with the same CN, the CN uses the same private key in the key exchange with each MN that generates the binding management key.
In the above solution, when the lifetime of the binding management key is about to expire but the key has not been compromised, and the CN and the MN compute new public keys, the still-valid binding management key is used to generate a message authentication code (MAC) that protects the messages carrying the new public keys.
The present invention discloses a system for generating a binding management key. The system includes an MN and a CN; the CN stores its own private key in advance;
the CN sends its own public key and the system parameters of the key exchange algorithm to the MN, computes the binding management key from the MN's public key and its own pre-stored private key according to the key exchange algorithm, and verifies the binding authorization data in the received BU message with the binding management key it computed;
the MN generates a private key and computes its own public key from the key exchange algorithm system parameters sent by the CN, sends the computed public key to the CN, computes the binding management key from the CN's public key and its own private key according to the key exchange algorithm, generates binding authorization data with that binding management key, and sends the binding authorization data to the CN in a BU message.
In the above solution, the CN is further configured to generate binding authorization data with the binding management key it computed and send that data to the MN in a binding acknowledgement (BA) message; the MN is further configured to verify the binding authorization data in the received BA message with the binding management key it computed.
In the above solution, the system further includes a home agent (HA); the MN carries information about the key exchange algorithms it supports in the HoTI and CoTI messages sent to the CN and sends the HoTI message to the CN through the HA; the CN determines the key exchange algorithm currently in use from the key exchange algorithm information carried in the HoTI and CoTI messages.
In the above solution, the system further includes an HA; the CN carries its computed public key in the HoT message or the CoT message sent to the MN, carries the public key cryptosystem parameters corresponding to the key exchange algorithm in the HoT message or the CoT message sent to the MN, and sends the HoT message to the MN through the HA.
In the above solution, the system further includes an HA. The MN carries information about the key exchange algorithms it supports in the HoTI and CoTI messages sent to the CN, generates its own private key and computes its public key using the public key cryptosystem parameters from the CN, and sends the computed public key and the generated binding authorization data to the CN in a BU message. The CN determines the key exchange algorithm currently in use from the key exchange algorithm information in the received HoTI and CoTI messages, computes its public key from the predetermined public key cryptosystem parameters corresponding to that algorithm and its own pre-stored private key, carries the public key and the public key cryptosystem parameters in the HoT and CoT messages respectively and sends them to the MN, and computes the binding management key from the public key in the BU message and its own private key according to the key exchange algorithm. The HA forwards the HoTI and HoT messages between the MN and the CN.
In the above solution, the system further includes an entity for providing an authentication function, which stores trusted data and provides identity authentication. The CN is further configured to add a digital signature to the message carrying its computed public key when sending it to the MN and, after receiving the message carrying the MN's public key, to access the entity for providing the authentication function and authenticate the MN according to the digital signature in the message. The MN is further configured to add a digital signature to the message carrying its computed public key when sending it to the CN and, after receiving the message carrying the CN's public key, to access the entity for providing the authentication function and authenticate the CN according to the digital signature in the message.
The present invention also discloses an MN, which sends a BU message to the CN when initiating communication with the CN. The MN includes:
a key exchange unit, configured to receive a public key from the CN, compute a public key and send it to the CN, compute the binding management key from the CN's public key and its own private key according to the key exchange algorithm, generate binding authorization data with that binding management key, and carry the binding authorization data in the BU message sent to the CN.
In the above solution, the MN further includes a verification unit, configured to receive the BA message from the CN and verify the CN's binding authorization data carried in the BA message with the binding management key generated by the key exchange unit.
The present invention further discloses a CN, which receives a BU message from the MN when the MN initiates communication with the CN. The CN includes:
a key exchange unit, configured to receive a public key and a BU message from the MN, compute a public key and send it to the MN, and compute the binding management key from the MN's public key and its own private key according to the key exchange algorithm;
a verification unit, configured to receive the BU message from the MN and verify the MN's binding authorization data carried in the BU message with the binding management key generated by the key exchange unit.
In the above solution, the key exchange unit is further configured to generate binding authorization data with the binding management key it computed and carry that data in the BA message sent to the MN.
Therefore, the method, system, mobile node and correspondent node for generating a binding management key provided by the present invention combine a key exchange with the return routability procedure to generate the binding management key and use the generated key to protect mobile IPv6 binding update messages; this prevents attacks in which a third party computes Kbm by eavesdropping on the HoT and CoT messages, and improves the security of communication in mobile IPv6 route optimization mode.

Brief description of the drawings
Figure 1 is a schematic diagram of the prior-art return routability procedure.
Figure 2 is a networking diagram in which a mobile node communicates.
Figure 3 is a schematic flow chart of a preferred embodiment of the method of the present invention.
Figure 4 is a schematic structural diagram of a system for generating a binding management key according to the present invention.

Figure 5 is a schematic structural diagram of a mobile node device according to the present invention.
Figure 6 is a schematic structural diagram of a correspondent node device according to the present invention.

Mode for carrying out the invention
The present invention is described in further detail below with reference to the drawings and specific embodiments. The present invention gives a method that combines a key exchange with the return routability procedure (RRP) to generate a binding management key, and a method for subsequently updating the binding management key.
The main processing of the present invention is as follows. When the MN and the CN communicate in route optimization mode, the MN first initiates registration with the peer, and at this point the two negotiate the key exchange algorithm to use, for example an elliptic curve key exchange algorithm or the Diffie-Hellman key exchange algorithm. Once the key exchange algorithm has been determined, the CN sends the public key cryptosystem parameters and its own key exchange public key PKcn to the MN; the MN generates its own private key from the public key cryptosystem parameters sent by the CN and computes the corresponding public key PKmn, computes the binding management key (Kbm) from the received public key PKcn and its own private key according to the key exchange algorithm, and uses that Kbm to generate the binding authorization data, such as a MAC, for the binding update (BU) message. The MN sends the BU message carrying the binding authorization data and the public key PKmn to the CN; the CN then computes the binding management key from the public key PKmn and its own pre-stored private key and uses that key to verify the BU message. Further, the CN generates binding authorization data with the binding management key it generated and returns it to the MN in a binding acknowledgement (BA) message, and the MN verifies the BA message with the binding management key it has already generated.
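The exchange just described, together with the Next_Kbm = PRF(Kbm, Expression) rekeying rule from the summary, as an added example written for this page (not code from the patent or from Huawei). It assumes finite-field Diffie-Hellman as the negotiated key exchange algorithm, with the 2048-bit MODP group 14 of RFC 3526 as the "public key cryptosystem parameters" the CN sends (the prime is transcribed here and should be checked against the RFC before reuse); it further assumes that Kbm is the SHA-256 digest of the shared secret, that the binding authorization data is a 96-bit HMAC-SHA256 tag, and that PRF is HMAC-SHA256 over Expression = CN | HoA | CoA | Nonce. Addresses, private exponents and mobility-header bytes are constructed sample values. The code also does the one check the description leaves implicit: a received public key outside (1, p-1) is rejected before it can force a trivial shared secret.

```python
import hashlib
import hmac
import ipaddress
import secrets

# Constructed sample addresses (documentation prefix), not values from the patent.
HOA = ipaddress.IPv6Address("2001:db8:1::10").packed
COA = ipaddress.IPv6Address("2001:db8:2::10").packed
CN_ADDR = ipaddress.IPv6Address("2001:db8:3::1").packed

# Assumed key exchange algorithm: finite-field Diffie-Hellman. The "public key
# cryptosystem parameters" carried in the CoT message are RFC 3526 group 14
# (transcribed; verify against the RFC before reuse).
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G = 2
PARAMS = (P, G)


def new_private_key():
    """Random private exponent; the CN keeps one pre-stored value for all MNs."""
    return 1 + secrets.randbits(255)


def public_key(priv, params):
    p, g = params
    return pow(g, priv, p)


def binding_management_key(peer_pub, priv, params):
    """Kbm from the peer's public key and our private key (assumption: SHA-256 of the shared secret)."""
    p, _ = params
    if not 1 < peer_pub < p - 1:          # 0, 1 and p-1 would fix the secret regardless of priv
        raise ValueError("invalid peer public key")
    shared = pow(peer_pub, priv, p)
    return hashlib.sha256(shared.to_bytes((p.bit_length() + 7) // 8, "big")).digest()


def binding_auth_data(kbm, coa, cn_addr, mh_data):
    """Binding authorization data (the MAC) carried in BU and BA; 96-bit tag (assumption)."""
    return hmac.new(kbm, coa + cn_addr + mh_data, hashlib.sha256).digest()[:12]


def next_kbm(kbm, cn_addr, hoa, coa, nonce):
    """Next_Kbm = PRF(Kbm, Expression); PRF = HMAC-SHA256, Expression = CN | HoA | CoA | Nonce (assumptions)."""
    return hmac.new(kbm, cn_addr + hoa + coa + nonce, hashlib.sha256).digest()


def run_exchange(cn_priv=None, mn_priv=None):
    """Steps 303-305, then BU and BA, from both sides; returns the checks a reader would want."""
    cn_priv = new_private_key() if cn_priv is None else cn_priv   # CN's pre-stored private key 1
    pk_cn = public_key(cn_priv, PARAMS)                           # public key 1: HoT carries it, CoT carries PARAMS
    mn_priv = new_private_key() if mn_priv is None else mn_priv   # MN derives its key pair from PARAMS
    pk_mn = public_key(mn_priv, PARAMS)
    kbm_mn = binding_management_key(pk_cn, mn_priv, PARAMS)
    mh_data = b"BU seq=1 lifetime=3600"                           # constructed mobility-header stand-in
    bu = {"pk_mn": pk_mn, "coa": COA, "mh": mh_data,
          "auth": binding_auth_data(kbm_mn, COA, CN_ADDR, mh_data)}   # BU carries PKmn and the MAC

    # CN side: Kbm from PKmn in the BU and its own private key, then verify the BU.
    kbm_cn = binding_management_key(bu["pk_mn"], cn_priv, PARAMS)

    def cn_accepts(msg):
        return hmac.compare_digest(binding_auth_data(kbm_cn, msg["coa"], CN_ADDR, msg["mh"]), msg["auth"])

    forged = dict(bu, coa=ipaddress.IPv6Address("2001:db8:9::66").packed)   # CoA swapped in transit

    # BA: CN authorizes with its Kbm, MN verifies with the Kbm it already holds.
    ba_mh = b"BA status=0 seq=1"
    ba_auth = binding_auth_data(kbm_cn, COA, CN_ADDR, ba_mh)
    ba_ok = hmac.compare_digest(binding_auth_data(kbm_mn, COA, CN_ADDR, ba_mh), ba_auth)

    nonce = secrets.token_bytes(8)   # rekey input while the CoA is unchanged
    return {
        "kbm_match": kbm_mn == kbm_cn,
        "bu_ok": cn_accepts(bu),
        "forged_coa_rejected": not cn_accepts(forged),
        "ba_ok": ba_ok,
        "rekey_differs": next_kbm(kbm_mn, CN_ADDR, HOA, COA, nonce) != kbm_mn,
        "rekey_agrees": next_kbm(kbm_mn, CN_ADDR, HOA, COA, nonce)
        == next_kbm(kbm_cn, CN_ADDR, HOA, COA, nonce),
    }
```

Unlike the RRP derivation, the values an observer sees here (PKcn in HoT, the parameters in CoT, PKmn in the BU) are not sufficient to compute Kbm, because each side mixes in a private key that never leaves it; the signature on the public-key messages described in the summary is what would additionally bind those public keys to the right MN and CN.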
其中, MN可在发送 HoTI和 CoTI消息时携带自身可以支持的密钥 交换算法的信息, CN根据 HoTI和 CoTI消息确定出当前使用的密钥交 换算法; 而 CN可将自身计算得到的公钥系统参数及公钥 PKcn分别携 带在 HoT和 CoT消息中发送给 MN。  The MN may carry the information of the key exchange algorithm that can be supported by the MN when transmitting the HoTI and the CoTI message, and the CN determines the currently used key exchange algorithm according to the HoTI and the CoTI message; and the CN can calculate the obtained public key system by itself. The parameters and the public key PKcn are respectively carried in the HoT and CoT messages and sent to the MN.
FIG. 3 is a schematic flow diagram of a preferred embodiment of the method of the present invention. As shown in FIG. 3, the specific processing steps are as follows:
Step 301: The MN sends a HoTI message to the CN via the HA; the HoTI message carries information on the key exchange algorithms supported by the MN.
Step 302: The MN sends a CoTI message to the CN; the CoTI message carries information on the key exchange algorithms supported by the MN.
Step 303: The CN determines the key exchange algorithm to use from the key exchange algorithm information in the received HoTI and CoTI messages; then, using the determined key exchange algorithm, it computes public key 1 from a preset private key 1 and the public key cryptosystem parameters corresponding to that key exchange algorithm.
Step 304: The CN sends a HoT message to the MN via the HA; the HoT message carries public key 1.
Step 305: The CN sends a CoT message to the MN; the CoT message carries the public key cryptosystem parameters described in step 303.
Here the CN sends public key 1 and the public key cryptosystem parameters to the MN in the HoT message and the CoT message respectively, so alternatively the HoT message of step 304 may carry the public key cryptosystem parameters while the CoT message of step 305 carries public key 1. Public key 1 and the public key cryptosystem parameters may also be sent to the MN in the same message, such as a HoT message or a CoT message.
Step 306: The MN extracts public key 1 and the public key cryptosystem parameters from the received HoT and CoT messages; using the public key cryptosystem parameters it generates its own private key 2 and computes public key 2; it computes the binding management key from public key 1 and private key 2 according to the key exchange algorithm; and it then generates binding authorization data with the computed binding management key.
Step 307: The MN sends a BU message to the CN; the BU message carries the binding authorization data computed by the MN and public key 2.
Step 308: The CN extracts public key 2 from the received BU message, computes Kbm from public key 2 and its own pre-stored private key 1 according to the key exchange algorithm, and uses that Kbm to verify the binding authorization data carried in the BU message, thereby authenticating the MN. If the Kbm generated by the CN is identical to the Kbm generated by the MN, the binding authorization data carried in the BU message passes verification, i.e. the MN passes the CN's authentication; otherwise the MN fails the CN's authentication.
After the CN has completed verification of the MN's BU message, the method may further include the following steps.
Step 309: The CN generates binding authorization data with the Kbm computed in step 308.
Step 310: The CN sends a BA message to the MN; the BA message carries the binding authorization data generated by the CN in step 309.
Step 311: The MN verifies the binding authorization data in the BA message with its own computed Kbm, thereby authenticating the CN. Likewise, if the Kbm generated by the CN is identical to the Kbm generated by the MN, the CN passes the MN's authentication; otherwise the CN fails the MN's authentication.
In the above embodiment, the key exchange algorithm information, public key 1, public key 2, the public key cryptosystem parameters, the binding authorization data and so on are carried in the existing HoTI, HoT, CoTI, CoT, BU or BA messages of the return routability procedure, but the present invention does not restrict the specific messages that carry this information; the scheme of the present invention may use other messages to carry it, and the object of the present invention is achieved in either case.
The present invention can be implemented with a variety of key exchange algorithms, the two most common being the elliptic curve key exchange algorithm and the Diffie-Hellman key exchange algorithm. To explain the implementation principle of the present invention in more detail, the binding management key generation method of the present invention is described below with reference to the elliptic curve key exchange algorithm and the Diffie-Hellman key exchange algorithm in turn.
1. Mechanism based on the elliptic curve key exchange algorithm
Setting: the equation of the elliptic curve (EC) is y^2 = x^3 + ax + b, and the public key cryptosystem parameters of the elliptic curve are (p, a, b, G, n); these parameters are computed in advance and configured in the CN. Here p is a positive integer, Fp is a finite field, a and b are positive integers in Fp, G is a base point on the elliptic curve E(Fp), and n is a prime number, the order of the base point G.
After receiving the HoTI and CoTI messages from the MN, the CN splits the precomputed (p, a, b, G, n) and the computed public key 1, R = rG (where r < n is private key 1, stored securely by the CN), into two parts, which it sends to the MN in the HoT message and the CoT message respectively. On receiving the HoT and CoT messages the MN checks the cookies in the messages; if the check passes, the MN computes public key 2, R' = r'G (where r' < n is private key 2, generated by the MN from the public key cryptosystem parameters received from the CN), from the (p, a, b, G, n) extracted from the HoT and CoT messages, and computes the binding management key from public key 1 and private key 2: Ks = r'R = r'rG, or K = PRF(Ks, Expression). Either Ks or K may be used as the binding management key (Kbm). Expression may be a combination of CN, HoA, CoA, Nonce, Cookies and so on, or may be empty; PRF(Ks, Expression) denotes a function that pseudo-randomly processes Expression under the key Ks, which can be used for message authentication and key derivation and may be a function such as HMAC_MD5, HMAC_SHA1 or HMAC_SHA256.
The MN then generates binding authorization data with the computed Kbm and sends a BU message carrying that binding authorization data; the BU message carries a Nonce option, and public key 2 (i.e. R') is placed in an option of the BU and sent to the CN. On receiving the BU message the CN checks the Nonce option; if the check passes, it computes the binding management key from public key 2 and private key 1, Ks = rR' = rr'G = r'rG, obtaining Kbm by the same method as the MN, and uses Kbm to verify the binding authorization data carried in the BU message. Further, the CN may also generate binding authorization data with Kbm and carry it in the BA message returned to the MN, and the MN verifies the binding authorization data in the BA message with the Kbm it generated.
To protect against denial of service (DoS) attacks, the CN uses the same private key for route optimization with multiple MNs: when several MNs initiate communication with the same CN, the CN uses the same private key in its exchange with each MN to generate the binding management key.
2. Mechanism based on the Diffie-Hellman key exchange algorithm
Setting: in the Diffie-Hellman key exchange algorithm the public key cryptosystem parameters to be selected are (p, g), where p is a prime number and g is a generator of the finite field Fp with g < p.
After receiving the HoTI and CoTI messages from the MN, the CN splits the precomputed public key cryptosystem parameters (p, g) and public key 1, computed from those parameters and private key 1 as X = g^x mod p (where x is private key 1, stored securely by the CN), into two parts, which it sends to the MN in the HoT and CoT messages respectively. On receiving the HoT and CoT messages the MN checks the cookies in the messages and, if the check passes, computes public key 2 from (p, g) and private key 2 as Y = g^y mod p (where y is private key 2, generated by the MN from the public key system parameters received from the CN), then computes the binding management key (Kbm) from public key 1 and private key 2: Ks = X^y mod p = g^xy mod p, or K = PRF(Ks, Expression). Here Ks and K both denote the binding management key, and PRF and Expression have the meanings given above.
The MN then generates binding authorization data with the computed Kbm and sends a BU message carrying it; the BU message must carry a Nonce option, and public key 2 (i.e. Y) is placed in an option of the BU message and sent to the CN. On receiving the BU message the CN checks the Nonce option and, if the check passes, computes Kbm as Ks = Y^x mod p = g^yx mod p and verifies the binding authorization data in the BU message with Kbm. Further, the CN may also generate binding authorization data with Kbm and carry it in the BA message returned to the MN, and the MN verifies the binding authorization data in the BA message with the Kbm it generated.
Here too, to protect against DoS attacks, the same private key may be used when multiple MNs perform route optimization with the same CN.
With the above embodiments applied, an attacker who intercepts the public key and the public key cryptosystem parameters in the HoT and CoT messages still cannot derive the Kbm used by the MN and the CN, and therefore cannot impersonate the MN by generating binding authorization data and sending a BU message to the CN.
In addition, when the public key cannot be obtained securely, i.e. the network has no authentication entity holding trusted data that can provide an authentication function, the present invention may generate the binding management key by way of an anonymous key exchange, i.e. no digital signature is added to the messages involved in the key exchange. In this mechanism a timestamp mechanism can be used to provide protection. For example, the messages involved in the key exchange carry a timestamp, and if the MN does not receive the message carrying the public key within a given time limit it judges that the CN is under attack and discards the messages from the CN.
When the public key can be obtained securely, i.e. the network has an entity holding trusted data that can provide an authentication function, a digital signature can be added to the messages involved in the key exchange (such as the HoT message and the CoT message) for identity authentication. In that case, on receiving a message involved in the key exchange, the CN or MN can use the digital signature in the message to access the entity providing the authentication function and complete identity verification.
When the MN's CoA has not changed and it is still communicating with the original CN but needs a new Kbm to protect BU messages, the binding management key must be updated. To avoid excessive cryptographic computation, the new binding management key can be computed from the existing binding management key with a predetermined algorithm. For example, the new binding management key, which may be called Next_Kbm, can be generated as Next_Kbm = PRF(Kbm, Expression), where Expression may be a combination of CN, HoA, CoA, Nonce, Cookies and so on, and PRF(Ks, Expression) denotes a function that pseudo-randomly processes Expression under the key Ks, which can be used for message authentication and key derivation and may be a function such as HMAC_MD5, HMAC_SHA1 or HMAC_SHA256.
When the MN is still communicating with the original CN but its link hands over so that the CoA changes, the RRP at that point need not exchange HoTI/HoT messages and keeps only the CoTI/CoT messages; the CN's key exchange public key is placed in the CoT message sent to the MN, and as long as the key is still within its lifetime the CN and the MN need not update the public/private key pair used for the key exchange. When the lifetime of the Ks generated by the key exchange is about to expire but Ks has not been compromised, and the CN and MN are to generate new public keys with messages involving the key exchange, Ks can be used to generate a message authentication code (MAC) protecting the integrity of those key exchange messages. Thus, where the anonymous key exchange is combined with the RRP, as long as the first execution of the key exchange can be guaranteed free of a man-in-the-middle attack, subsequent key exchanges are not subject to a man-in-the-middle attack either.
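The elliptic-curve mechanism of section 1 and the Next_Kbm refresh described above, as an added Python example that is not part of the patent: it runs HoT/CoT -> BU -> BA between a CN and an MN, with the CN reusing one private key 1 for every MN, and derives Next_Kbm = PRF(Kbm, Expression). The curve (secp256k1), the HMAC-SHA256 PRF, the Expression layout, the message dictionaries and the addresses are assumptions; the CN's on-curve and order check on public key 2 is added here as the hygiene a static private key calls for.

```python
# Added illustration (not the patent's code) of the elliptic-curve Kbm mechanism of
# WO2008034368A1: assumes secp256k1 and HMAC-SHA256; textbook, non-constant-time arithmetic.
import hashlib
import hmac
import secrets

# Public key cryptosystem parameters (p, a, b, G, n) of y^2 = x^3 + ax + b over F_p.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
A, B = 0, 7
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
EC_PARAMS = (P, A, B, G, N)
INF = None  # point at infinity

def is_on_curve(pt):
    return (pt is not INF and 0 <= pt[0] < P and 0 <= pt[1] < P
            and (pt[1] ** 2 - pt[0] ** 3 - A * pt[0] - B) % P == 0)

def ec_add(p1, p2):  # affine point addition covering doubling and the Q + (-Q) = INF case
    if p1 is INF or p2 is INF:
        return p2 if p1 is INF else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt):  # double-and-add scalar multiplication k*pt
    acc, addend = INF, pt
    while k:
        if k & 1:
            acc = ec_add(acc, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return acc

def prf(key, data):  # PRF(key, Expression): HMAC-SHA256, one of the functions the patent lists
    return hmac.new(key, data, hashlib.sha256).digest()

def derive_kbm(ks, expr):  # Kbm = K = PRF(Ks, Expression), keyed by the x-coordinate of Ks
    return prf(ks[0].to_bytes(32, "big"), expr)

def next_kbm(kbm, expr):  # key refresh without a new exchange: Next_Kbm = PRF(Kbm, Expression)
    return prf(kbm, expr)

def expression(hoa, coa, nonce):  # Expression = HoA | CoA | Nonce, one allowed combination
    return b"|".join([b"KBM", hoa, coa, nonce])

def auth_data(kbm, msg):  # binding authorization data: a MAC under Kbm over the message fields
    return prf(kbm, b"|".join([msg["type"].encode(), msg["hoa"], msg["coa"], msg["nonce"]]))

class CorrespondentNode:
    def __init__(self):
        # Private key 1 is generated once and reused for every MN (the patent's DoS measure).
        self.r = secrets.randbelow(N - 1) + 1
        self.R = ec_mul(self.r, G)  # public key 1, R = rG

    def receive_bu(self, bu):  # step 308: Ks = rR', Kbm = PRF(Ks, Expression), verify the BU
        # Check added here: r is static, so public key 2 must be a valid point of order n.
        if not is_on_curve(bu["pk2"]) or ec_mul(N, bu["pk2"]) is not INF:
            return None
        kbm = derive_kbm(ec_mul(self.r, bu["pk2"]), expression(bu["hoa"], bu["coa"], bu["nonce"]))
        if not hmac.compare_digest(auth_data(kbm, bu), bu["auth"]):
            return None
        ba = {"type": "BA", "hoa": bu["hoa"], "coa": bu["coa"], "nonce": bu["nonce"]}
        return kbm, {**ba, "auth": auth_data(kbm, ba)}  # steps 309/310

class MobileNode:
    def __init__(self, hoa, coa):
        self.hoa, self.coa = hoa, coa

    def receive_hot_cot(self, hot, cot):  # steps 306/307: private key 2, R' = r'G, Ks = r'R, BU
        if cot["params"] != EC_PARAMS or not is_on_curve(hot["pk1"]):
            raise ValueError("unsupported parameters or invalid public key 1")
        self.r2 = secrets.randbelow(N - 1) + 1
        self.nonce = secrets.token_bytes(8)  # Nonce option carried in the BU
        self.expr = expression(self.hoa, self.coa, self.nonce)
        self.kbm = derive_kbm(ec_mul(self.r2, hot["pk1"]), self.expr)
        bu = {"type": "BU", "hoa": self.hoa, "coa": self.coa, "nonce": self.nonce,
              "pk2": ec_mul(self.r2, G)}
        return {**bu, "auth": auth_data(self.kbm, bu)}

    def verify_ba(self, ba):  # step 311: check the CN's authorization data with the MN's own Kbm
        return hmac.compare_digest(auth_data(self.kbm, ba), ba["auth"])

def run_exchange(hoa=bytes.fromhex("20010db8000000000000000000000001"),   # constructed 2001:db8::1
                 coa=bytes.fromhex("20010db8000100000000000000000002")):  # constructed 2001:db8:1::2
    """Full run: HoT/CoT (steps 304/305) -> BU -> BA; returns (mn, cn, bu, ba_ok)."""
    cn, mn = CorrespondentNode(), MobileNode(hoa, coa)
    hot, cot = {"type": "HoT", "pk1": cn.R}, {"type": "CoT", "params": EC_PARAMS}
    bu = mn.receive_hot_cot(hot, cot)
    result = cn.receive_bu(bu)
    return mn, cn, bu, result is not None and mn.verify_ba(result[1])
```

A BU whose fields or public key 2 were altered in transit fails at the CN before any Kbm is accepted, and both sides obtain the same Next_Kbm from their copies of Kbm.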
Based on the above method of the present invention, the present invention also discloses a system for generating a binding management key. FIG. 4 shows a specific embodiment of that system. The system includes an MN and a CN. When the MN and the CN negotiate the key exchange algorithm via the HoTI message and/or transfer the public key via the HoT message, the HoTI and HoT messages must be forwarded by the HA, and the system may then further include an HA. In addition, when the MN and CN exchange their public keys via HoT messages, BU messages and so on, a digital signature may be added to the message carrying the public key so that the receiver can authenticate the sender; in that case the system of the present invention further includes an entity providing an authentication function, such as the authentication center shown in FIG. 4. On receiving the message carrying the public key, one of the MN and CN accesses the entity providing the authentication function and authenticates the other according to the digital signature carried in that message.
Since the working principle of each entity in the system of the present invention is the same as described for the method above, the processing within each entity of the system is not described again here.
The present invention also discloses a mobile node (MN) device. FIG. 5 shows a specific embodiment of the MN. The MN is configured to send a BU message to the CN when initiating communication with the CN, and includes a key exchange unit configured to receive a public key from the CN, compute a public key and send it to the CN, compute the binding management key from the CN's public key and its own private key according to the key exchange algorithm, generate binding authorization data with that binding management key, and carry the binding authorization data in the BU message sent to the CN. The MN may further include a verification unit configured to receive a BA message from the CN and verify the CN's binding authorization data carried in the BA message with the binding management key generated by the key exchange unit. The detailed working principle of the MN has been described in the method embodiments above and is not repeated here.
The present invention further discloses a correspondent node (CN). FIG. 6 shows a specific embodiment of the CN. The CN is configured to receive a BU message from the MN when the MN initiates communication with the CN, and includes: a key exchange unit configured to receive the public key and the BU message from the MN, compute a public key and send it to the MN, and compute the binding management key from the MN's public key and its own pre-stored private key according to the key exchange algorithm; and a verification unit configured to receive the BU message from the MN and verify the MN's binding authorization data carried in the BU message with the binding management key generated by the key exchange unit. The key exchange unit may further be configured to generate binding authorization data with the binding management key it computed and carry that binding authorization data in the BA message sent to the MN.
By combining the key exchange with the return routability procedure to generate the binding management key, and protecting Mobile IPv6 binding update messages with the generated binding management key, the present invention prevents a third party from mounting an attack by computing Kbm from eavesdropped HoT and CoT messages, and improves the security of communication in Mobile IPv6 route optimization mode.
The above are merely preferred embodiments of the present invention and are not intended to limit its scope of protection. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.

Claims

1、 一种生成绑定管理密钥的方法, 其特征在于, 当移动节点 MN 发起与通信节点 CN之间的通信时, 该方法包括:  A method for generating a binding management key, characterized in that, when the mobile node MN initiates communication with the communication node CN, the method comprises:
MN和 CN根据所使用的密钥交换算法计算各自的公钥并相互交换 公钥;  The MN and the CN calculate their respective public keys according to the key exchange algorithm used and exchange the public keys with each other;
MN使用来自 CN的公钥和自身的私钥、 按密钥交换算法计算得到 绑定管理密钥, 使用该绑定管理密钥生成绑定授权数据, 并将绑定授权 数据携带在绑定更新 BU消息中发送至 CN;  The MN uses the public key from the CN and its own private key, calculates the binding management key according to the key exchange algorithm, uses the binding management key to generate binding authorization data, and carries the binding authorization data in the binding update. Send to the CN in the BU message;
CN使用来自 MN的公钥和自身的私钥、 按密钥交换算法计算得到 绑定管理密钥, 使用自身计算得到的绑定管理密钥对所收到的 BU消息 中的绑定授权数据进行验证。  The CN uses the public key from the MN and its own private key, calculates the binding management key according to the key exchange algorithm, and uses the binding management key calculated by itself to perform the binding authorization data in the received BU message. verification.
2、 根据权利要求 1所述的方法, 其特征在于, 在所述 MN和 CN 计算各自的公钥前, 该方法进一步包括: 预先在 MN和 CN中设定密钥 交换算法。  2. The method according to claim 1, wherein before the MN and the CN calculate respective public keys, the method further comprises: setting a key exchange algorithm in the MN and the CN in advance.
3、 根据权利要求 1所述的方法, 其特征在于, 在所述 MN和 CN 计算各自的公钥前, 该方法进一步包括: MN和 CN协商得到当前使用 的密钥交换算法。  The method according to claim 1, wherein before the MN and the CN calculate the respective public keys, the method further comprises: the MN and the CN negotiate to obtain a currently used key exchange algorithm.
4、 根据权利要求 3所述的方法, 其特征在于, 所述 MN和 CN协 商得到当前使用的密钥交换算法, 包括:  The method according to claim 3, wherein the MN and the CN negotiate to obtain a currently used key exchange algorithm, including:
MN将自身支持的密钥交换算法的信息发送至 CN, CN根据该 MN 支持的密钥交换算法的信息以及自身所支持的密钥交换算法确定当前 使用的密钥交换算法。  The MN sends the information of the key exchange algorithm supported by itself to the CN, and the CN determines the currently used key exchange algorithm according to the information of the key exchange algorithm supported by the MN and the key exchange algorithm supported by the MN.
5、 根据权利要求 4所述的方法, 其特征在于, 所述 MN将自身支 持的密钥交换算法的信息发送至 CN, 包括:  The method according to claim 4, wherein the MN sends the information of the key exchange algorithm supported by the MN to the CN, including:
MN在发往 CN的家乡测试初始 HoTI消息或 /和转交测试初始 CoTI 消息中分别携带自身支持的密钥交换算法的信息。 The MN tests the initial HoTI message or/and the handover test initial CoTI in the hometown sent to CN. The message carries the information of the key exchange algorithm supported by itself.
6、 根据权利要求 1所述的方法, 其特征在于, 所述 MN和 CN根 据所使用的密钥交换算法计算各自的公钥并相互交换公钥, 包括:  The method according to claim 1, wherein the MN and the CN calculate the respective public keys according to the key exchange algorithm used and exchange the public keys with each other, including:
CN根据所使用的密钥交换算法计算自身的公钥, 并把自身和 MN 均支持的密钥交换算法的公钥密码系统参数和 CN的公钥发送给 MN;  The CN calculates its own public key according to the key exchange algorithm used, and sends the public key cryptosystem parameters of the key exchange algorithm supported by itself and the MN and the public key of the CN to the MN;
MN根据来自 CN的公钥密码系统参数, 生成自身的私钥、 计算出 自身的公钥 , 并将计算得到的公钥发送至 CN。  The MN generates its own private key based on the public key cryptosystem parameters from the CN, calculates its own public key, and sends the calculated public key to the CN.
7、根据权利要求 6所述的方法, 其特征在于, 所述 CN发送公钥密 码系统参数和 CN的公钥给 MN , 包括:  The method according to claim 6, wherein the CN sends the public key cryptosystem parameter and the public key of the CN to the MN, including:
CN在发往 MN的家乡测试 HoT消息中携带该公钥 ,在发往 MN的 转交测试 CoT消息中携带该公钥密码系统参数; 或者,  The CN carries the public key in the home test of the MN, and carries the public key cryptosystem parameter in the handover test CoT message sent to the MN; or
CN在发往 MN的家乡测试 HoT消息中携带该公钥密码系统参数, 在发往 MN的转交测试 CoT消息中携带该公钥; 或者,  The CN carries the public key cryptosystem parameter in the home test of the MN, and carries the public key in the handover test CoT message sent to the MN; or
CN将该公钥和该公钥密码系统参数一同携带在发往 MN的家乡测 试 HoT消息或转交测试 CoT消息中。  The CN carries the public key along with the public key cryptosystem parameters in the Home Test HoT message or the Care Test CoT message addressed to the MN.
8、根据权利要求 6所述的方法, 其特征在于, 所述 CN根据所使用 的密钥交换算法计算自身的公钥, 包括:  The method according to claim 6, wherein the CN calculates its own public key according to the key exchange algorithm used, and includes:
CN根据密钥交换算法的公钥密码系统参数、 以及自身预存的私钥、 计算得到自身的公钥。  The CN calculates its own public key according to the public key cryptosystem parameters of the key exchange algorithm and the private key pre-stored by itself.
9、 根据权利要求 6所述的方法, 其特征在于, 所述 MN将计算得 到的公钥发送至 CN, 包括:  The method according to claim 6, wherein the MN sends the calculated public key to the CN, including:
MN将计算得到的公钥携带在 BU消息中发送至 CN。  The MN carries the calculated public key in the BU message and sends it to the CN.
10、 根据权利要求 6至 9任一项所述的方法, 其特征在于, 所述系 统进一步包括: 用于提供认证功能的实体;  The method according to any one of claims 6 to 9, wherein the system further comprises: an entity for providing an authentication function;
所述 CN在发送自身计算得到的公钥至 MN时, 进一步在携带该公 钥的消息中加入数字签名; MN在收到携带 CN的公钥的消息之后 , 访 问所述用于提供认证功能的实体, 根据该消息中的数字签名对 CN进行 身份认证; When the CN sends the public key calculated by itself to the MN, the CN further carries the public Adding a digital signature to the message of the key; after receiving the message carrying the public key of the CN, the MN accesses the entity for providing the authentication function, and performs identity authentication on the CN according to the digital signature in the message;
所述 MN在发送自身计算得到的公钥至 CN时, 进一步在携带该公 钥的消息中加入数字签名; CN在收到携带 MN的公钥的消息之后, 访 问所述用于提供认证功能的实体,根据该消息中的数字签名对 MN进行 身份认证。  When the MN sends the self-calculated public key to the CN, the MN further adds a digital signature to the message carrying the public key; after receiving the message carrying the public key of the MN, the CN accesses the information for providing the authentication function. The entity authenticates the MN according to the digital signature in the message.
11、根据权利要求 6至 9任一项所述的方法,其特征在于,所述 CN 和 MN中的一端在发送自身计算得到的公钥至另一端时, 进一步在携带 该公钥的消息中加入时间戳, 根据消息中的时间戳判断另一端是否在预 设的时长内返回消息, 若是, 则进一步处理来自另一端的消息; 否则丢 弃来自该另一端的消息。  The method according to any one of claims 6 to 9, wherein one of the CN and the MN is further in the message carrying the public key when transmitting the public key calculated by itself to the other end. Add a timestamp, judge whether the other end returns the message within the preset duration according to the timestamp in the message, and if so, further process the message from the other end; otherwise, discard the message from the other end.
12、 根据权利要求 1至 9任一项所述的方法, 其特征在于, 在所述 CN对绑定授权数据进行验证后, 该方法进一步包括:  The method according to any one of claims 1 to 9, wherein after the CN verifies the binding authorization data, the method further includes:
CN使用自身计算得到的绑定管理密钥生成绑定授权数据, 并将该 绑定授权数据携带在绑定确认 BA消息中发送至 MN;  The CN generates the binding authorization data by using the binding management key calculated by itself, and carries the binding authorization data in the binding confirmation BA message and sends it to the MN;
MN使用自身计算得到的绑定管理密钥对所收到的 BA消息中的绑 定授权数据进行验证。  The MN uses the binding management key calculated by itself to verify the binding authorization data in the received BA message.
13、 根据权利要求 1或 9所述的方法, 其特征在于, 当 MN的转交 地址 CoA未改变且仍和该 CN通信、 并需要使用新的绑定管理密钥时, 该方法进一步包括: MN和该 CN ^据原有的绑定管理密钥计算得到新 的绑定管理密钥 Next_Kbm = PRF ( Kbm, Expression ),  The method according to claim 1 or 9, wherein when the care-of address CoA of the MN is unchanged and still communicating with the CN, and a new binding management key is needed, the method further comprises: MN And the CN calculates a new binding management key Next_Kbm = PRF ( Kbm, Expression ) according to the original binding management key.
其中, Next_Kbm为新的绑定管理密钥, Kbm为原有的绑定管理密 钥, Expression由 CN, 家乡地址 Ho A , CoA, Nonce, Cookies中的任 一项或任一多项构成, 伪随机函数 PRF ( ) 表示在 Kbm 作用下对 Expression进行伪随机处理的函数。 Next_Kbm is a new binding management key, Kbm is the original binding management key, and Expression is composed of any one or more of CN, home address Ho A , CoA, Nonce, Cookies, and pseudo. The random function PRF ( ) indicates that under the action of Kbm Expression performs pseudo-random processing of functions.
14. The method according to claim 13, characterized in that the PRF() is HMAC_MD5, HMAC_SHA1 or HMAC_SHA256.
15. The method according to any one of claims 1 to 9, characterized in that, when the MN is still communicating with the CN but the MN's link is handed over so that the CoA changes, the HoTI and HoT messages need not be sent again between the MN and the CN; the CN's public key for the key exchange is carried in the CoT message sent to the MN; and as long as the public key and/or private key is still within its lifetime, the CN and the MN do not renew the public key and/or private key used for the key exchange.
16. The method according to claim 1 or 9, characterized in that, when multiple MNs initiate communication with the same CN, the CN uses the same private key in the key exchange that generates the binding management key with each of the MNs.
17. The method according to any one of claims 6 to 9, characterized in that, when the lifetime of the binding management key is about to expire but the key has not been compromised, and the CN and the MN compute new public keys, the still-valid binding management key is used to generate a message authentication code (MAC) that protects the message carrying the new public key.
18. The method according to any one of claims 1 to 9, characterized in that the key exchange algorithm is an elliptic curve key exchange algorithm or the Diffie-Hellman key exchange algorithm.
19. A system for generating a binding management key, the system comprising an MN and a CN, characterized in that the CN pre-stores its own private key;
the CN sends its own public key and the system parameters of the key exchange algorithm to the MN, computes the binding management key according to the key exchange algorithm using the public key from the MN and its own pre-stored private key, and verifies the binding authorization data in the received BU message using the binding management key it has computed;
the MN generates a private key and computes its own public key according to the key exchange algorithm system parameters sent by the CN, sends the computed public key to the CN, computes the binding management key according to the key exchange algorithm using the public key from the CN and its own private key, generates binding authorization data using that binding management key, and carries the binding authorization data in a BU message sent to the CN.
20. The system according to claim 19, characterized in that
the CN is further configured to generate binding authorization data using the binding management key it has computed and to carry this binding authorization data in a Binding Acknowledgement (BA) message sent to the MN; and the MN is further configured to verify the binding authorization data in the received BA message using the binding management key it has computed.
21. The system according to claim 19, characterized in that the CN and the MN are further configured to negotiate the key exchange algorithm currently in use.
22. The system according to claim 21, characterized in that the system further comprises a home agent (HA);
the MN carries information on the key exchange algorithms it supports in the HoTI and CoTI messages sent to the CN, and sends the HoTI message to the CN through the HA;
the CN determines the key exchange algorithm currently in use according to the key exchange algorithm information carried in the HoTI and CoTI messages.
23. The system according to claim 19, characterized in that the system further comprises an HA;
the CN carries the public key it has computed in the HoT or CoT message sent to the MN, carries the public key cryptosystem parameters corresponding to the key exchange algorithm in the HoT or CoT message sent to the MN, and sends the HoT message to the MN through the HA.
24. The system according to claim 21, characterized in that the system further comprises an HA;
the MN carries information on the key exchange algorithms it supports in each of the HoTI and CoTI messages sent to the CN; generates its own private key using the public key cryptosystem parameters from the CN, computes its public key, and carries the computed public key and the generated binding authorization data in a BU message sent to the CN;
the CN determines the key exchange algorithm currently in use according to the key exchange algorithm information in the received HoTI and CoTI messages; computes a public key from the predetermined public key cryptosystem parameters corresponding to that key exchange algorithm and its own pre-stored private key, and uses the HoT and CoT messages to carry the public key and the public key cryptosystem parameters respectively and send them to the MN; and computes the binding management key according to the key exchange algorithm using the public key in the BU message and its own private key;
the HA is used to forward the HoTI and HoT messages between the MN and the CN.
25. The system according to claim 23 or 24, characterized in that the system further comprises:
an entity for providing an authentication function, which stores trusted data and provides identity authentication; the CN is further configured to add a digital signature to the message carrying its public key when sending the public key it has computed to the MN, and, after receiving the message carrying the MN's public key, to access the entity for providing the authentication function and authenticate the identity of the MN according to the digital signature in that message;
the MN is further configured to add a digital signature to the message carrying its public key when sending the public key it has computed to the CN, and, after receiving the message carrying the CN's public key, to access the entity for providing the authentication function and authenticate the identity of the CN according to the digital signature in that message.
26. A mobile node (MN), the MN being configured to send a BU message to a CN when initiating communication with the CN, characterized in that the MN comprises:
a key exchange unit, configured to receive a public key from the CN, compute a public key and send it to the CN, compute the binding management key according to the key exchange algorithm using the public key from the CN and its own private key, generate binding authorization data using that binding management key, and carry the binding authorization data in the BU message sent to the CN.
27. The MN according to claim 26, characterized in that the MN further comprises:
a verification unit, configured to receive a BA message from the CN and verify the CN's binding authorization data carried in the BA message using the binding management key generated by the key exchange unit.
28. A correspondent node (CN), the CN being configured to receive a BU message from an MN when the MN initiates communication with the CN, characterized in that the CN comprises:
a key exchange unit, configured to receive a public key and a BU message from the MN, compute a public key and send it to the MN, and compute the binding management key according to the key exchange algorithm using the public key from the MN and its own private key;
a verification unit, configured to receive the BU message from the MN and verify the MN's binding authorization data carried in the BU message using the binding management key generated by the key exchange unit.
29. The CN according to claim 28, characterized in that
the key exchange unit is further configured to generate binding authorization data using the binding management key it has computed, and to carry this binding authorization data in the BA message sent to the MN.
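The exchange the claims describe (CN and MN derive Kbm by a key exchange, protect the BU and BA with binding authorization data under Kbm, and rekey with Next_Kbm = PRF(Kbm, Expression)) as an added Python example that is not part of the patent. It assumes finite-field Diffie-Hellman over the RFC 3526 group 14 parameters as the key exchange, SHA-256 of the shared secret as the Kbm derivation (the claims leave the derivation unspecified) and HMAC-SHA256 as both the MAC and the PRF; the BU and BA message bodies are constructed samples.

```python
import hashlib
import hmac
import secrets

# Key exchange parameters the CN carries in its HoT/CoT messages. Here: the
# RFC 3526 group 14 (2048-bit MODP) Diffie-Hellman group with generator 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G = 2

def keypair(private=None):
    """DH private key (random unless given) and the public key g^x mod p."""
    x = private if private is not None else secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)

def binding_key(own_private, peer_public):
    """Kbm from the peer's public key. Hashing the shared secret is an assumed
    KDF; the claims only say Kbm is computed by the key exchange algorithm."""
    if not 1 < peer_public < P - 1:  # reject 0, 1, p-1: they force a trivial secret
        raise ValueError("peer public key is not a valid group element")
    shared = pow(peer_public, own_private, P)
    return hashlib.sha256(shared.to_bytes(256, "big")).digest()

def auth_data(kbm, message):
    """Binding authorization data: a MAC over the BU/BA contents under Kbm."""
    return hmac.new(kbm, message, hashlib.sha256).digest()

def verify(kbm, message, auth):
    """Constant-time check of received binding authorization data."""
    return hmac.compare_digest(auth_data(kbm, message), auth)

def next_kbm(kbm, expression):
    """Claim 13 rekey without a new exchange: Next_Kbm = PRF(Kbm, Expression),
    using HMAC-SHA256, one of the PRFs listed in claim 14."""
    return hmac.new(kbm, expression, hashlib.sha256).digest()

def run_exchange(cn_private=None, mn_private=None):
    """One BU/BA round; returns (CN accepts the BU, MN accepts the BA)."""
    cn_priv, cn_pub = keypair(cn_private)  # CN: pre-stored private key (claim 19)
    mn_priv, mn_pub = keypair(mn_private)  # MN: key made from the CN's parameters
    kbm_mn = binding_key(mn_priv, cn_pub)  # MN side, once HoT/CoT deliver cn_pub
    kbm_cn = binding_key(cn_priv, mn_pub)  # CN side, once the BU delivers mn_pub
    # Constructed sample bodies; real BU/BA carry HoA, CoA and sequence numbers
    bu = b"BU|HoA=2001:db8::1|CoA=2001:db8:1::2|seq=1"
    ba = b"BA|HoA=2001:db8::1|status=0|seq=1"
    cn_accepts = verify(kbm_cn, bu, auth_data(kbm_mn, bu))  # claim 19
    mn_accepts = verify(kbm_mn, ba, auth_data(kbm_cn, ba))  # claims 12 and 20
    return cn_accepts, mn_accepts
```

Rekeying after the exchange needs no further messages: both sides call `next_kbm` with the same Expression (for instance HoA, CoA and a nonce they already share) and obtain the same Next_Kbm.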
PCT/CN2007/070453 2006-09-18 2007-08-10 A method, system, mobile node and correspondent node for generating the binding management key WO2008034368A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN200610154198.4 2006-09-18
CN2006101541984A CN101150849B (en) 2006-09-18 2006-09-18 Method, system, mobile node and communication node for generating binding management key

Publications (1)

Publication Number Publication Date
WO2008034368A1 true WO2008034368A1 (en) 2008-03-27

Family

ID=39200187

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2007/070453 WO2008034368A1 (en) 2006-09-18 2007-08-10 A method, system, mobile node and correspondent node for generating the binding management key

Country Status (2)

Country Link
CN (1) CN101150849B (en)
WO (1) WO2008034368A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113825134A (en) * 2021-09-29 2021-12-21 新华三技术有限公司 Network service authorization method, device and equipment

Families Citing this family (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8565434B2 (en) * 2008-05-27 2013-10-22 Qualcomm Incorporated Methods and systems for maintaining security keys for wireless communication
CN103685181A (en) * 2012-09-13 2014-03-26 北京大唐高鸿软件技术有限公司 Key negotiation method based on SRTP
CN105723648B (en) * 2013-10-30 2019-06-18 华为终端有限公司 A key configuration method, system and device
WO2015100675A1 (en) * 2013-12-31 2015-07-09 华为终端有限公司 Network configuration method, and related device and system
CN103680111B (en) * 2014-01-09 2017-01-25 西安电子科技大学 Method and system capable of verifying intelligent sensing terminal data aggregation
US9451032B2 (en) * 2014-04-10 2016-09-20 Palo Alto Research Center Incorporated System and method for simple service discovery in content-centric networks
US9705859B2 (en) * 2015-12-11 2017-07-11 Amazon Technologies, Inc. Key exchange through partially trusted third party
CN106533662A (en) * 2016-11-03 2017-03-22 北京奇虎科技有限公司 Methods and devices for transmitting network safety secret key
CN108777678B (en) * 2018-05-18 2020-12-11 北京邮电大学 A network key exchange system, device and method
CN109768982A (en) * 2019-01-23 2019-05-17 深圳市元征科技股份有限公司 A kind of encrypted transmission method and device based on Internet of Things
CN114513758B (en) * 2022-02-10 2023-06-20 深圳指芯物联技术有限公司 Automatic binding front-back locking method and system based on key exchange and intelligent door lock

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US1456993A (en) * 1920-02-16 1923-05-29 William H Miner Friction draft rigging
US20030211842A1 (en) * 2002-02-19 2003-11-13 James Kempf Securing binding update using address based keys
CN1543117A (en) * 2003-03-12 2004-11-03 三星电子株式会社 Return Path Alternative Method for Secure Communications
CN1758651A (en) * 2004-09-07 2006-04-12 三星电子株式会社 Use Care-of Address (COA) binding protocol to come authenticating address ownership
US20070113075A1 (en) * 2005-11-10 2007-05-17 Ntt Docomo, Inc. Secure route optimization for mobile network using multi-key crytographically generated addresses

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE60336464D1 (en) * 2003-08-06 2011-05-05 Motorola Inc Method for validated communication

Also Published As

Publication number Publication date
CN101150849B (en) 2010-09-08
CN101150849A (en) 2008-03-26

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 07800929

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 07800929

Country of ref document: EP

Kind code of ref document: A1