CN100583743C - Distributing method for transmission key - Google Patents

Distributing method for transmission key

Info

Publication number
CN100583743C
Authority
CN
China
Prior art keywords
key
mss
transmission security
new
request message
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CN200510085332A
Other languages
Chinese (zh)
Other versions
CN1901445A (en)
Inventor
张俊
肖正飞
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Events
Application filed by Huawei Technologies Co Ltd
Priority to CN200510085332A
Publication of CN1901445A
Application granted
Publication of CN100583743C
Anticipated expiration
Current legal status: Expired - Fee Related


Abstract

This invention provides a method for distributing transmission keys, comprising: A. the MSS judges whether its current state is synchronous with the BS; if so, it sets a specific field in the key request message to ask for the new transmission key only, otherwise it sets the specific field to ask for both the new and the old key at the same time; B. the MSS sends the request message carrying the specific field to the BS; C. the BS receives the message and, according to the meaning expressed by the specific field, sends the new key, or both the new and the old key, to the MSS in a key response message; D. the MSS receives the response message and records the key(s) it carries. This invention also provides a transmission key distribution method in which the decision is made by the BS.

Description

Translated from Chinese
Distribution method for transmission keys

Technical field

The present invention relates to the technical field of the IEEE 802.16 wireless access standard, and in particular to a method for distributing transmission keys.

Background

The MAC layer of the IEEE 802.16 wireless access standard defines a dedicated security sublayer that performs identity authentication, authorization, and encryption and decryption of service data between the base station (BS) and the mobile subscriber station (MSS). The encryption and decryption of data works as follows: before transmission, the original service data (not management messages, which do not need to be encrypted) passes through the encryption process of the sender's security sublayer to form ciphertext, which is then sent; at the receiving end, the received ciphertext is restored to the original service data by the decryption process of the receiver's security sublayer.

For the receiver to decrypt the data correctly, the sender and the receiver must agree on the encryption/decryption algorithm and the corresponding key before the service data is sent. A basic principle of using encryption to prevent information from being stolen is that one cannot rely on a secret algorithm; confidentiality can only be achieved through a secret key. The algorithm negotiated before sending data should therefore be a public one that does not need to be changed frequently, whereas the corresponding key must be updated periodically to achieve a higher level of security.

To the higher-layer service data, the encryption and decryption performed in the security sublayer are transparent, so a key update must not interrupt the service data. A mechanism is therefore needed to guarantee the continuity of the data service during the key update process.

The existing protocol defines a complete set of management messages and an operating procedure for updating the transmission key (TEK) used to encrypt service data, and it ensures that the service data is not interrupted while the TEK is updated. The procedure is described in detail below.

First, the protocol stipulates that the same key is used to encrypt and to decrypt service data, i.e. a symmetric encryption algorithm is used. All keys are generated by the BS and sent to the MSS at the MSS's request.

Second, the current technique comprises two processes, key update and key distribution. Figure 1 shows the detailed process.

The key update process is carried out on the BS side, as shown in the right-hand part of Figure 1. The BS always maintains two TEKs, an older and a newer one, whose lifetimes overlap by half. When the lifetime of the current older TEK expires, i.e. at the midpoint of the lifetime of the current newer TEK, the BS generates a fresh TEK and at the same time invalidates the expired one. At that point the newer TEK becomes the current older TEK, and the newly generated TEK becomes the current newer TEK.

An example with reference to Figure 1: the BS currently holds two transmission keys, TEK0 and TEK1, the one with the larger index being the newer. When TEK0 expires, i.e. at the midpoint of TEK1's lifetime, a new transmission key TEK2 is generated and TEK0 is invalidated. When TEK1 expires, TEK3 is generated, and so on. The transmission key update process described above runs continuously under the control of the BS and is not affected by the MSS.

The key distribution process is carried out jointly by the BS and the MSS. At an appropriate time (the choice of time has no bearing on the present invention and is not discussed further), the MSS sends a key request message (Key Request) to the BS to request a new transmission key TEK. On receiving the message, the BS sends the old and new transmission keys it currently holds (TEKn, TEKn+1) to the requesting MSS in a key response message (Key Response). This request/response procedure occurs periodically, so that the transmission key TEK held by the MSS is updated periodically.

Analyzing the above key distribution process: when the BS responds to a key request message (Key Request) from the MSS, it always sends the old and new TEKs it currently holds to the requesting MSS. For example, after the MSS sends its n-th key request message, the BS sends TEKn and TEKn+1 in the response message; after the MSS sends its (n+1)-th key request message, the BS sends TEKn+1 and TEKn+2 in the response message. TEKn+1 is thus sent once in each of the two response messages, and for the MSS the second copy of TEKn+1 is redundant information that is entirely unnecessary.

In summary, in the key distribution procedure provided by the existing IEEE 802.16 protocol, the BS always unconditionally sends both the old and the new TEK it currently holds to the MSS; in most cases this repeated transmission of a TEK adds air interface overhead.

Summary of the invention

In view of this, the main object of the present invention is to provide a transmission key distribution method that reduces unnecessary air interface overhead in the existing transmission key distribution procedure.

The key distribution method provided by the present invention comprises the following steps:

A1. When the mobile terminal MSS judges that its current state is that it is sending a key request message for the first time, or that its transmission key state machine has lost synchronization with the base station BS and is re-establishing it, it sets the key request message to request only the new transmission key; otherwise it sets the key request message to request both the new and the old transmission key;

B1. The MSS sends the key request message to the BS; the BS determines from the received key request message whether it requests only the new transmission key or both the new and the old transmission key, and accordingly transmits the new transmission key, or both the new and the old transmission key, to the MSS in a key response message;

C1. The MSS receives the key response message and records the transmission key(s) carried in the message.

Optionally, in step A1, whether the key request message requests only the new transmission key or both the new and the old transmission key is indicated by setting different values of a specific field in the key request message; in step B1, the determination of whether the key request message requests only the new transmission key or both is made from the different values of that specific field.

Optionally, in step A1, whether the key request message requests only the new transmission key or both the new and the old transmission key is indicated by whether the key request message contains a specific field; in step B1, the determination of whether the key request message requests only the new transmission key or both is made according to whether the key request message contains that specific field.

The present invention also provides another transmission key distribution method, comprising the following steps:

A5. The base station BS receives a key request message sent by the mobile terminal MSS. When the BS judges that the current state of the MSS is that it is sending a key request message for the first time, or that the MSS's transmission key state machine has lost synchronization with the BS and is re-establishing it, the BS sets the key response message to carry only the new transmission key; otherwise it sets the key response message to carry both the new and the old transmission key;

B5. The BS sends the key response message to the MSS, and the MSS records the transmission key(s) carried in the received key response message.

Step A5 may further include: setting different values of a specific field in the key response message to indicate that only the new transmission key, or both the new and the old transmission key, is carried;

Step B5 may further include: determining from the different values of that specific field whether the key response message carries the new transmission key or both the new and the old transmission key.

Alternatively, step A5 may further include: indicating by the presence or absence of a specific field in the key response message that only the new transmission key, or both the new and the old transmission key, is carried; and step B5 may further include: determining from the presence or absence of that specific field in the key response message whether it carries the new transmission key or both the new and the old transmission key.

Preferably, the specific field is a single bit.

Optionally, the specific field is a newly added field in the key request message, or an existing unused spare field in the key request message.

Optionally, the specific field is a newly added field in the key response message, or an existing unused spare field in the key response message.

As can be seen from the above methods, the requesting party, the MSS, can explicitly tell the requested party, the BS, which transmission keys it wants, and the BS responds accordingly, sending either only the new transmission key or both the new and the old transmission key. Alternatively, the BS itself determines, from whether the MSS is synchronized with it, whether to send only the new transmission key or both, and tells the MSS which type of key it has sent. This avoids sending a transmission key twice unnecessarily when the MSS and the BS are synchronized.

Brief description of the drawings

Figure 1 is a schematic diagram of key update.

Figure 2 is a flowchart of key distribution in the present invention when the decision is made by the MSS.

Figure 3 is a flowchart of key distribution in the present invention when the decision is made by the BS.

Detailed description

Analyzing the prior art, it can be seen that under normal conditions, when the MSS and the BS are synchronized, the MSS already holds the current key TEKn when it sends its n-th key request message, so there is actually no need for the BS to send TEKn to the MSS again. Only in certain special cases where the MSS and the BS are not synchronized do both the old and the new key sent by the BS differ from the keys recorded by the MSS, and only when the MSS and the BS are not synchronized does the MSS need the BS to send both the old and the new TEK.

The cases in which the MSS and the BS are not synchronized include:

a) when the MSS sends a key request message (Key Request) for the first time, which can be regarded as the moment at which the MSS asks to synchronize with the BS;

b) when the MSS's TEK state machine has lost synchronization with the BS and is re-establishing it.

Before sending a key request message, the MSS knows exactly whether it is currently in one of the two cases listed above, so the MSS can decide whether to request both the old and the new transmission key at the same time or only the current newer transmission key.

At the same time, since under normal conditions the TEK state machines of the MSS and the BS are synchronized, the BS also knows exactly whether the MSS is currently in one of the two cases listed above, so the BS can equally decide whether to send the requesting MSS both the old and the new transmission key or only the current newer transmission key.

The solution provided by the present invention is described separately below for the two cases (the MSS decides how to request, or the BS decides how to respond).

First case: the MSS decides how to request. The present solution adds an indicator, NewKeyOnly, to the existing key request message (Key Request). The MSS uses this indicator to tell the BS whether it requests only the newer transmission key (NewKeyOnly=1) or both the old and the new transmission key at the same time (NewKeyOnly=0). From the indicator in the key request message, the BS determines whether to send only the newer transmission key (NewKeyOnly=1) or both the old and the new transmission key to the requesting MSS (NewKeyOnly=0).

The first method of the present invention is now described in detail with reference to the flowchart shown in Figure 2. On the BS side, the alternating update of the two transmission keys continues as described in the background; when the MSS requests an updated transmission key at a given time, the following steps are performed:

Steps 201 to 203: the MSS judges whether it is currently synchronized with the BS. If so, it sets NewKeyOnly=1 in the key request message, indicating that only the new transmission key is requested; otherwise it sets NewKeyOnly=0 in the key request message, indicating that both the old and the new transmission key are requested at the same time.

When the MSS judges that it is sending a key request message for the first time, or that its TEK state machine has lost synchronization with the BS and is re-establishing it, it regards itself as not synchronized with the BS.

Step 204: the MSS sends the key request message carrying NewKeyOnly to the BS.

Steps 205 to 206: the BS receives the key request message and reads the NewKeyOnly value in the message. When NewKeyOnly=1, it sends the newer transmission key to the MSS in a key response message; when NewKeyOnly=0, it sends both the old and the new transmission key to the MSS in the key response message.

Step 207: the MSS receives and records the key(s) sent by the BS.

Second case: the BS decides how to respond. The present solution adds an indicator, NewKeyOnly, to the existing key response message (Key Response). The BS uses this indicator to tell the MSS whether the message contains only one newer transmission key (NewKeyOnly=1) or both the old and the new transmission key (NewKeyOnly=0). From the indicator in the key response message, the MSS learns whether the BS has sent only the newer transmission key (NewKeyOnly=1) or both the old and the new transmission key (NewKeyOnly=0).

The second method of the present invention is now described in detail with reference to the flowchart shown in Figure 3. On the BS side, the alternating update of the two transmission keys continues as described in the background; when the MSS requests an updated transmission key at a given time, the following steps are performed:

Step 301: the MSS sends a key request message (Key Request) to the BS, requesting an updated transmission key.

Steps 302 to 306: the BS receives the key request message and judges whether the MSS is currently synchronized with the BS. If so, it sets NewKeyOnly=1 in the key response message (Key Response), indicating that only the new transmission key is sent, places the newer transmission key in the key response message and sends it to the MSS;

otherwise, it sets NewKeyOnly=0 in the key response message, indicating that both the old and the new transmission key are sent at the same time, places both the old and the new transmission key in the key response message and sends it to the MSS.

When the BS judges that the MSS is sending a key request message for the first time, or that the MSS's TEK state machine has lost synchronization with the BS and is re-establishing it, it regards the MSS as not synchronized with the BS.

Steps 307 to 308: the MSS receives the key response message sent by the BS, determines from the NewKeyOnly value in the message whether it contains only the new transmission key or both the old and the new transmission key, and records the transmission key(s).

Both embodiments above use the approach of adding an indicator (NewKeyOnly). The indicator may be a newly added field or a spare field in an existing message.

In addition, under the IEEE 802.16 protocol, certain fields may be omitted when sending a key request message or a key response message. Therefore, when the MSS and the BS are judged not to be synchronized and NewKeyOnly=0 would be set in the message, the NewKeyOnly field may simply be omitted; correspondingly, on receiving a message that does not contain the NewKeyOnly field, the receiver treats it as NewKeyOnly=0 and performs the operations for the NewKeyOnly=0 case.

By sending keys on demand, this solution effectively eliminates unnecessary air interface overhead during the transmission key update process. Taking the DES-CBC encryption algorithm as an example, the TEK itself is 64 bits, the TEK lifetime 32 bits, the TEK sequence number 2 bits and the CBC initialization vector 64 bits, 162 bits in total; deducting the 1-bit NewKeyOnly flag added to the key request/response message, this solution saves 161 bits per key request/response exchange compared with the existing scheme.
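As an added illustration (not code from the patent or from Huawei), the following Python simulation runs both variants described above, the MSS-decided flow of Figure 2 and the BS-decided flow of Figure 3, and reproduces the per-exchange bit accounting of the preceding paragraph. The dict-based message layout, the key material, the lifetimes and the names `TEK`, `BS`, `MSS`, `exchange` and `bits_saved_vs_existing` are assumptions of this example; real IEEE 802.16 PKM messages are TLV-encoded and are not reproduced.

```python
from dataclasses import dataclass
import secrets

# Per-TEK payload quoted above for DES-CBC:
# 64-bit key + 32-bit lifetime + 2-bit sequence number + 64-bit CBC IV = 162 bits.
TEK_BITS = 64 + 32 + 2 + 64
NEWKEYONLY_BITS = 1  # the added one-bit indicator


@dataclass(frozen=True)
class TEK:
    seq: int       # 2-bit sequence number (0..3, wraps)
    key: bytes     # 8-byte DES key (random filler, constructed)
    iv: bytes      # 8-byte CBC initialization vector (random filler, constructed)
    lifetime: int  # seconds (constructed value)


class BS:
    """Base station: holds an older and a newer TEK with overlapping lifetimes."""

    def __init__(self):
        self.older = self._generate(0)
        self.newer = self._generate(1)
        self.in_sync = set()  # MSS ids whose TEK state machine the BS believes is synced

    @staticmethod
    def _generate(seq):
        return TEK(seq, secrets.token_bytes(8), secrets.token_bytes(8), 600)

    def rollover(self):
        """Older TEK expired: newer becomes older, a fresh TEK becomes newer."""
        self.older = self.newer
        self.newer = self._generate((self.older.seq + 1) % 4)

    def lose_sync(self, mss_id):
        self.in_sync.discard(mss_id)

    def handle_key_request(self, mss_id, request):
        if "NewKeyOnly" in request:
            # Variant 1 (Fig. 2): the MSS decided and put the flag in the request.
            new_only = request["NewKeyOnly"] == 1
            response = {}
        else:
            # Variant 2 (Fig. 3): the BS decides from its own view of the MSS's
            # sync state and signals what it sent by putting the flag in the response.
            new_only = mss_id in self.in_sync
            response = {"NewKeyOnly": int(new_only)}
        self.in_sync.add(mss_id)  # after this response the MSS holds the current keys
        response["TEKs"] = (self.newer,) if new_only else (self.older, self.newer)
        return response


class MSS:
    """Mobile station: tracks its own sync state and records received TEKs."""

    def __init__(self, mss_id, decides=True):
        self.id = mss_id
        self.decides = decides  # True: MSS sets the flag; False: leave it to the BS
        self.synced = False     # first request counts as not synchronized (case a)
        self.keys = {}          # seq -> TEK

    def build_key_request(self):
        if not self.decides:
            return {}
        return {"NewKeyOnly": 1 if self.synced else 0}

    def handle_key_response(self, response):
        if "NewKeyOnly" in response:  # variant 2: the flag must match the payload
            if len(response["TEKs"]) != (1 if response["NewKeyOnly"] else 2):
                raise ValueError("NewKeyOnly disagrees with the number of TEKs")
        for tek in response["TEKs"]:
            self.keys[tek.seq] = tek
        self.synced = True

    def resync_after_loss(self):
        """TEK state machine lost sync with the BS and re-establishes it (case b)."""
        self.synced = False
        self.keys.clear()


def exchange(bs, mss):
    """One Key Request / Key Response round trip; returns both messages."""
    request = mss.build_key_request()
    response = bs.handle_key_request(mss.id, request)
    mss.handle_key_response(response)
    return request, response


def bits_saved_vs_existing(request, response):
    """Saving against the existing scheme (always two TEKs, no flag), counting the flag in whichever message carries it."""
    flags = ("NewKeyOnly" in request) + ("NewKeyOnly" in response)
    used = NEWKEYONLY_BITS * flags + TEK_BITS * len(response["TEKs"])
    return 2 * TEK_BITS - used
```

In the synchronized case the saving comes out at 161 bits as stated above; in the first request or after a resync the flag costs one extra bit, since both TEKs are still sent.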

The above are only preferred embodiments of the present invention and are not intended to limit it. Any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall fall within its scope of protection.

Claims (9)

CN200510085332A | priority 2005-07-22 | filed 2005-07-22 | Distributing method for transmission key | Expired - Fee Related | CN100583743C (en)

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN200510085332A (CN100583743C, en) | 2005-07-22 | 2005-07-22 | Distributing method for transmission key

Applications Claiming Priority (1)

Application Number | Priority Date | Filing Date | Title
CN200510085332A (CN100583743C, en) | 2005-07-22 | 2005-07-22 | Distributing method for transmission key

Publications (2)

Publication Number | Publication Date
CN1901445A (en) | 2007-01-24
CN100583743C (en), granted | 2010-01-20

Family

ID=37657202

Family Applications (1)

Application Number | Title | Priority Date | Filing Date
CN200510085332A (CN100583743C, en; Expired - Fee Related) | Distributing method for transmission key | 2005-07-22 | 2005-07-22

Country Status (1)

Country | Link
CN (1) | CN100583743C (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN101170748B (en) * | 2007-11-29 | 2011-05-11 | ZTE Corporation | A method for using public identifier in IP multimedia subsystem
CN103714638B (en) * | 2013-03-15 | 2015-09-30 | Fujian Landi Commercial Equipment Co Ltd | A kind of method and system of quick position terminal master key failed download

Also Published As

Publication number | Publication date
CN1901445A (en) | 2007-01-24


Legal Events

Code | Title
C06 | Publication
PB01 | Publication
C10 | Entry into substantive examination
SE01 | Entry into force of request for substantive examination
C14 | Grant of patent or utility model
GR01 | Patent grant
C17 | Cessation of patent right
CF01 | Termination of patent right due to non-payment of annual fee

Granted publication date: 20100120

Termination date: 20130722
