With the rapid development of Internet services and wide application of wireless networks, increasing demands on the wireless system are proposed to ensure the security of the mobile subscriber. The demands mainly include: equipment authentication, subscriber authentication, and service authorization, security channel establishment and confidential information exchange between a wireless subscriber and an access point (AP) or a base station (BS), and confidential channel establishment and confidential information exchange between the BS and an authenticator and between the authenticator and an authentication server. The above demands are not required to be considered in a private network.
FIG. 1 shows a conventional centralized worldwide interoperability microwave access (WiMAX) security network architecture system. In the architecture, the authenticator and the BS are located in different physical entities, functions of the authenticator and a key distributor are realized in the authenticator, and functions of an authentication relay and a key receiver are realized in the BS.
FIG. 2 shows a conventional distributed WiMAX security network architecture system. In the architecture, the authenticator and the BS are located in the same physical entity, and the entity realizes the functions of the authenticator, the authentication relay, the key distributor, and the key receiver at the same time.
The functions of each network element (including logic network elements) in the centralized and the distributed WiMAX security network architecture system are described as follows.
The BS provides a security channel between a terminal MS and the BS, including compression and encryption of air interface data, and provides confidential information exchange with the MS.
The authenticator provides an agent function for MS authentication, authorization, and accounting functions, and is realized in the same physical entity with the key distributor.
The authenticator relay realizes the relay of an authentication request and a response message during an authentication course.
The key distributor is realized in the same physical entity with the authenticator, and adapted to generate an air interface key AK shared between the BS and the MS according to root key information equivalent to the MS provided by the authentication server and distribute the AK to the key receiver.
The key receiver is realized in the BS, and adapted to receive the AK generated by the key distributor and derive other keys between the BS and the MS.
In addition, a complete security network architecture system also includes a back-end network authentication server and a mobile terminal MS.
The authentication, authorization, and accounting (AAA) server mainly realizes the MS authentication, authorization, and accounting functions, and exchanges information required by the generation of the key with the MS through a key generation mechanism set there-between. The information is exchanged before the security channel is built, so a key algorithm adopted between the authentication server and the MS must ensure that the information leak does not affect the security mechanism. The main functions of the server include: realizing the MS authentication, authorization, and accounting functions; generating and distributing the root key information to the authenticator; and when the subscriber information is changed, notifying the authenticator and other network elements of the result of the information change in time.
The MS is a mobile subscriber equipment, and mainly adapted to initiate the authentication and authorization in the security architecture, exchange information required by the generation of the root key with the authentication server, generate the root key, and generate the AK and information about other derived keys required by the confidentiality on the air interface according to the root key.
A mobile Internet protocol (MIP) system mainly includes the following functional entities: a mobile node (MN), a foreign agent (FA), and a home agent (HA). The MN initiates a mobile IP (MIP) registration request to the HA through the FA. On receiving the MIP registration request, the HA maps a care of address (CoA) of the MN to a home address (HoA) of the MN, and since then, all the data packets received by the HA having a destination address being the HoA of the MN are forwarded to the CoA address of the MN, i.e., the address of the FA in MIPv4. In order to ensure the security, the MIP message usually carries an authentication extension (AE), for example, the AE between the MN and the HA (MN-HA-AE). When receiving an MIP registration request carrying the MN-HA-AE, the HA computes a local authentication value according to the already-known key information, and then compares the local authentication value with the MN-HA-AE carried in the data packet. If the comparison result shows that the local authentication value is the same as the MN-HA-AE, the authentication is passed and the MIP registration request is processed; otherwise, the MIP registration request is rejected.
When the pre-obtained key information does not exist between the MN and the HA, the MN performs the authentication on the MIP registration request by using the key information between the MN and the AAA server.
In the conventional WiMAX technique, the MIP registration key is generally computed according to the IP address of the HA and/or the FA in the following formulae:MN-HA-K:H(MIP-RK,“MIP4 MN HA”,HA-IP);MN-FA-K:H(MIP-RK,“MN FA”,FA-IP);FA-HA-K:H(MIP-RK,“FAN HA”,FA-IP,HA-IP,nonce).
In a request for comments (RFC) 3957, the following algorithm is specified, in which the MIP registration key is computed by using a random number, an MN identifier (MN-ID), and a shared key between the MN and the AAA server.key=HMAC-SHA1(AAA-key,{Nonce∥MN-ID})
The MIP has two forms in the WiMAX: a client MIP (CMIP) and a proxy MIP (PMIP). For a terminal supporting the MIP protocol (as shown in 3a), the MN is the mobile terminal MS when operating in the CMIP mode. On the contrary, for a terminal not supporting the MIP protocol (as shown in FIG. 3b), a PMIP-client entity is created on a network side for realizing the function of the MIP as the MN.
In the conventional WiMAX system, a method for generating and distributing the key includes the following two types.
1. The Generation and Distribution of a PMIPv4 Key
During an access validation course, the AAA generates an extended master session key (EMSK), then computes a root key of the MIP (MIP-RK), and derives the keys between the MN and the HA, the MN and the FA, and the FA and the HA. Then, according to the method described in Section 3.5 of RFC2868, the key between the MN and the HA, optionally between the MN and the FA and between the FA and the HA, is encrypted and transmitted to a network attached storage (NAS). According to the key between the MN and the HA, the PMIP-client directly computes the MN-HA-AE and sends a mobile IP registration request. On receiving the registration request, the HA determines whether it is necessary to request the AAA server for the MIP key.
2. The Generation and Distribution of a CMIPv4 Key
During the access validation course, the AAA server generates the EMSK, then computes the MIP-RK, and derives the keys between the MN and the HA, the MN and the FA, and the FA and the HA. If the MN initially does not know the address of the HA, it is impossible for the MN to compute the key between the MN and the HA, and even if all 0/1 are used, it is still necessary to update or notify the AAA server after obtaining the real HA-IP. An HA related key is obtained from the AAA server during the first MIP registration request.
During the process of realizing the present invention, the inventors found that the method for generating and distributing the key in the prior art has at least the following problems.
1. The PMIP-client cannot compute the AE between the MN and the AAA server (MN-AAA-AE), and if the computation is required, the shared key between the MN and the AAA server (MN-AAA-K) must be distributed. The MN-AAA-K is not suitable to be distributed.
2. In the case of the re-validation and FA migration, the manner of knowing the key update by the HA is not unified (for example, the key update may be known in the following manners: when the HA cannot perform the validation on the AE, when the registration request carries the MN-AAA-AE, when a security parameter index (SPI) is changed, or according to the MIP registration request content HA-IP), and the existing RFC is not used.
3. When the HA is not distributed by the AAA server, the AAA server needs to obtain the IP address of the HA practically adapted to compute the key between the MN and the HA.
4. During the computation of the key according to the IP address, it is necessary to distinguish the IP addresses of different terminals, which is very complicated.
5. If the MN initially does not know the address of the HA, it is impossible for the MN to compute the key between the MN and the HA, and even if all 0/1 are used, it is still necessary to update or notify the AAA server after obtaining the real HA-IP.