The NGN is an integrated open network architecture that incorporates various services such as voice, data, multimedia and the like and provides real-time session services to users. Network equipments thereof include a small number of core devices and a large number of user terminals. In the network, interactions with the Public Switched Telephone Network (PSTN)/Public Land Mobile Network (PLMN) are circuit-based and hence relatively secure, but interactions between other network devices are transported over a packet-based core network and various packet access networks. Over the open IP network, the NGN is liable to illegal attacks, and particularly, there are a large number of packet terminals in the NGN that can be initiators of illegal attacks.
There has been no any satisfactory solution for the NGN security, and it is still a blank regarding how to incorporate a key distribution process that is the basis for the network security together with characteristics of the NGN. In the prior art, the key negotiation approach as defined in the network layer security standard IPSec (Network Layer Security) is the Internet Key Exchange (IKE) protocol, and the key negotiation approach of the transport layer security standard TLS (Transport Layer Security) is achieved through the Handshake protocol as defined in the TLS specifications. Here, the key encryption and exchange of the IKE protocol adopts the Diffie-Hellman algorithm that defines a group of 5 D-H parameters (i.e., a prime number p and a base number g). This encryption algorithm features a strong robustness and a long length of key. As seen from the above, the IKE is both a strict and a rather complex key exchange protocol, and the Handshake protocol enables a one-side (mainly for a server) or two-side authentication between a client and the server. Moreover, the encryption algorithm and key and the verification algorithm and key used in the negotiation protocol as well as the session parameters obtained through a negotiation can be reused by the recording protocol for a plurality of connections, thus avoiding the overhead resulted from negotiating new session parameters for each connection. Also, the protocol can ensure that the negotiation process will be reliable and the resultant shared key will be secure.
Although all the above key distribution protocols are standard and strict, they have the same drawback of failing to be incorporated with the concrete characteristics of the NGN. The NGN is a relatively close network and includes a series of network-side servers (e.g., a soft switch, an application server, and various gateways) and a large number of access terminals, the terminals and the network devices are under the management and control of one operator, and there exists an administrative domain which manages the devices therein and assists in achieving the feature of intercommunication between cross-domain users. Also, all the terminals have to be registered in the administrative domain. These characteristics of the NGN determine that a centralized key distribution approach is suitable for the NGN. However, all the above key distribution protocols involve a direct negotiation of keys between terminals or two mainframes, which eventually results in that the traffic in the system grows in geometric progression and the key distribution efficiency is degraded, and brings a lot of inconvenience to the whole network system and the key management, thus being not accommodated to the concrete characteristics of the NGN.