Key distribution method

US 7,813,509 B2
Filed: 01/31/2005
Issued: 10/12/2010
Est. Priority Date: 02/16/2004
Status: Active Grant

First Claim

Patent Images

1. A key distribution method applied in the Next Generation Network comprising a terminal, a soft switch and an authentication center, comprising:

the terminal sending a registration request message to the soft switch for a registration;

the soft switch sending an authentication request message to the authentication center for the authentication for the terminal; and

the authentication center authenticating the terminal, generating a session key for the terminal and the soft switch, and sending the session key to the soft switch, so as to be distributed to the terminal upon a successful authentication;

wherein the step of the authentication center authenticating the terminal comprises;

the authentication center generating a first verification word for the terminal according to a key Kc shared with the terminal, encrypting the session key with the shared key Kc, and returning the encrypted session key and the first verification word to the soft switch;

the soft switch returning a registration failure response message to the terminal to notify the terminal of a registration failure;

the terminal generating a second verification word according to the key Kc shared with the authentication center, and sending a registration message containing the second verification word to the soft switch for a registration again; and

the soft switch authenticating the terminal according to the first verification word and the second verification word;

wherein the step of the soft switch distributing the session key to the terminal comprises;

the soft switch returning to the terminal a registration success response message containing the session key encrypted with the shared key Kc, and sending a terminal authentication success message to the authentication center; and

the terminal decrypting the session key encrypted by the authentication center according to the shared key Kc.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A key distribution method for the next generation network (NGN), includes steps of: (a) a terminal sending a registration request message to a soft switch; (b) the soft switch sending an authentication request message to an authentication center; (c) the authentication center authenticating the terminal, then the soft switch distributing the session key to the terminal after the registration authentication being passed. The invention implements the key distribution during the registration authentication, thus the traffic is smaller, and it could be associated with the specialties of the NGN, and improve the efficiency of solving the security problem, the registration authentication of the terminal and the distribution of the key are more suitable specifically for the NGN.

Citations

10 Claims

1. A key distribution method applied in the Next Generation Network comprising a terminal, a soft switch and an authentication center, comprising:
- the terminal sending a registration request message to the soft switch for a registration;
  
  the soft switch sending an authentication request message to the authentication center for the authentication for the terminal; and
  
  the authentication center authenticating the terminal, generating a session key for the terminal and the soft switch, and sending the session key to the soft switch, so as to be distributed to the terminal upon a successful authentication;
  
  wherein the step of the authentication center authenticating the terminal comprises;
  
  the authentication center generating a first verification word for the terminal according to a key Kc shared with the terminal, encrypting the session key with the shared key Kc, and returning the encrypted session key and the first verification word to the soft switch;
  
  the soft switch returning a registration failure response message to the terminal to notify the terminal of a registration failure;
  
  the terminal generating a second verification word according to the key Kc shared with the authentication center, and sending a registration message containing the second verification word to the soft switch for a registration again; and
  
  the soft switch authenticating the terminal according to the first verification word and the second verification word;
  
  wherein the step of the soft switch distributing the session key to the terminal comprises;
  
  the soft switch returning to the terminal a registration success response message containing the session key encrypted with the shared key Kc, and sending a terminal authentication success message to the authentication center; and
  
  the terminal decrypting the session key encrypted by the authentication center according to the shared key Kc.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The key distribution method according to claim 1, wherein the method further comprises:
    - the terminal sending to the soft switch a list of security mechanisms supported by the terminal and priority information of each security mechanism;
      
      the soft switch choosing an appropriate security mechanism for communication according to the list of security mechanisms and the priority information of each security mechanism of the terminal.
  - 3. The key distribution method according to claim 1,wherein the registration request message and the registration message are SIP protocol registration messages, and the registration failure response message is a SIP protocol response message;
    - orwherein the registration request message is a system restart message and a corresponding response message in the MGCP protocol, the registration failure response message is a notification request message and a corresponding response message in the MGCP protocol, and the registration message comprises a notification message and a corresponding response message in the MGCP protocol;
      
      orwherein the registration request message comprises a system service status change message and a corresponding response message in the H.248 protocol, the registration failure response message is an attribute modification message and a corresponding response message in the H.248 protocol, and the registration message comprises a notification message and a corresponding response message in the H.248 protocol;
      
      orwherein the registration request message is a gatekeeper request message in the H.323 protocol, the registration failure response message is a gatekeeper rejection message in the H.323 protocol, and the registration message is a registration request message in the H.323 protocol.
  - 4. The key distribution method according to claim 1,wherein the registration request message and the registration message are SIP protocol registration messages, the registration failure response message is a SIP protocol response message, and the registration success response message is a SIP protocol registration request success message;
    - orwherein the registration request message is a system restart message and a corresponding response message in the MGCP protocol, the registration failure response message and the registration success response message are a notification request message and a corresponding response message in the MGCP protocol, and the registration message comprises a notification message and a corresponding response message in the MGCP protocol;
      
      orwherein the registration request message comprises a system service status change message and a corresponding response message in the H.248 protocol, the registration failure response message and the registration success response message are an attribute modification message and a corresponding response message in the H.248 protocol, and the registration message comprises a notification message and a corresponding response message in the H.248 protocol;
      
      orwherein the registration request message is a gatekeeper request message in the H.323 protocol, the registration failure response message is a gatekeeper rejection message in the H.323 protocol, the registration message is a registration request message in the H.323 protocol, and the registration success response message is a registration success message in the H.323 protocol.
  - 5. The key distribution method according to claim 2,wherein the registration request message and the registration message are SIP protocol registration messages, the registration failure response message is a SIP protocol response message, and the registration success response message is a SIP protocol registration request success message;
    - orwherein the registration request message is a system restart message and a corresponding response message in the MGCP protocol, the registration failure response message and the registration success response message are a notification request message and a corresponding response message in the MGCP protocol, and the registration message comprises a notification message and a corresponding response message in the MGCP protocol;
      
      orwherein the registration request message comprises a system service status change message and a corresponding response message in the H.248 protocol, the registration failure response message and the registration success response message are an attribute modification message and a corresponding response message in the H.248 protocol, and the registration message comprises a notification message and a corresponding response message in the H.248 protocol;
      
      orwherein the registration request message is a gatekeeper request message in the H.323 protocol, the registration failure response message is a gatekeeper rejection message in the H.323 protocol, the registration message is a registration request message in the H.323 protocol, and the registration success response message is a registration success message in the H.323 protocol.

6. A key distribution method applied in the Next Generation Network comprising a terminal, a signaling proxy, a soft switch and an authentication center, comprising:
- the terminal sending a registration request message through the signaling proxy to the soft switch for a registration;
  
  the soft switch sending an authentication request message to the authentication center for the authentication for the terminal; and
  
  the authentication center authenticating the terminal, generating a session key for the terminal and the signaling proxy, and sending the session key to the soft switch, so as to be distributed through the signaling proxy to the terminal upon a successful authentication;
  
  wherein the step of the authentication center authenticating the terminal comprises;
  
  the authentication center generating a first verification word for the terminal according to a key Kc shared with the terminal and a key Ksp shared with the signaling proxy, encrypting the session key respectively with the shared key Kc and the shared key Ksp, and returning the encrypted session key and the first verification word to the soft switch;
  
  the soft switch returning a registration failure response message through the signaling proxy to the terminal to notify the terminal of a registration failure;
  
  the terminal generating a second verification word according to the key Kc shared with the authentication center, and sending a registration message containing the second verification word to the signaling proxy to be forwarded to the soft switch for a registration again; and
  
  the soft switch authenticating the terminal according to the first verification word and the second verification word;
  
  wherein the step of the soft switch distributing the session key to the terminal comprises;
  
  the soft switch forwarding to the signaling proxy a terminal registration success response message containing the session key encrypted by the authentication center respectively with the shared keys Kc and Ksp, and the signaling proxy decrypting with the shared key Ksp the session key encrypted by the authentication center with the shared key Ksp, calculating a message verification word for the registration success response message with the decrypted session key, and forwarding to the terminal the registration success response message containing the message verification word and the session key encrypted with the shared key Kc; and
  
  the terminal decrypting the session key encrypted by the authentication center according to the shared key Kc, and authenticating with the decrypted session key the message authentication word of the message returned from the signaling proxy so as to authenticate an identity of the signaling proxy, an integrity of the message and whether security mechanism parameters of the terminal returned from the signaling proxy are correct.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The key distribution method according to claim 6, wherein the method further comprises:
    - the terminal sending to the signaling proxy a list of security mechanisms supported by the terminal and priority information of each security mechanism, and the signaling proxy choosing an appropriate security mechanism for communication according to the security mechanisms supported by the terminal and the priority information of each security mechanism.
  - 8. The key distribution method according to claim 6,wherein the registration request message and the registration message are SIP protocol registration messages, and the registration failure response message is a SIP protocol response message;
    - orwherein the registration request message comprises a system restart message and a corresponding response message in the MGCP protocol, the registration failure response message is a notification request message and a corresponding response message in the MGCP protocol, and the registration message comprises a notification message and a corresponding response message in the MGCP protocol;
      
      orwherein the registration request message comprises a system service status change message and a corresponding response message in the H.248 protocol, the registration failure response message is an attribute modification message and a corresponding response message in the H.248 protocol, and the registration message comprises a notification message and a corresponding response message in the H.248 protocol;
      
      orwherein the registration request message is a gatekeeper request message in the H.323 protocol, the registration failure response message is a gatekeeper rejection message in the H.323 protocol, and the registration message is a registration request message in the H.323 protocol.
  - 9. The key distribution method according to claim 6,wherein the registration request message and the registration message are SIP protocol registration messages, the registration failure response message is a SIP protocol response message, and the registration success response message is a SIP protocol registration request success message;
    - orwherein the registration request message comprises a system restart message and a corresponding response message in the MGCP protocol, the registration failure response message and the registration success response message are a notification request message and a corresponding response message in the MGCP protocol, and the registration message comprises a notification message and a corresponding response message in the MGCP protocol;
      
      orwherein the registration request message comprises a system service status change message and a corresponding response message in the H.248 protocol, the registration failure response message and the registration success response message are an attribute modification message and a corresponding response message in the H.248 protocol, and the registration message comprises a notification message and a corresponding response message in the H.248 protocol;
      
      orwherein the registration request message is a gatekeeper request message in the H.323 protocol, the registration failure response message is a gatekeeper rejection message in the H.323 protocol, the registration message is a registration request message in the H.323 protocol, and the registration success response message is a registration success message in the H.323 protocol.
  - 10. The key distribution method according to claim 7,wherein the registration request message and the registration message are SIP protocol registration messages, the registration failure response message is a SIP protocol response message, and the registration success response message is a SIP protocol registration request success message;
    - orwherein the registration request message comprises a system restart message and a corresponding response message in the MGCP protocol, the registration failure response message and the registration success response message are a notification request message and a corresponding response message in the MGCP protocol, and the registration message comprises a notification message and a corresponding response message in the MGCP protocol;
      
      orwherein the registration request message comprises a system service status change message and a corresponding response message in the H.248 protocol, the registration failure response message and the registration success response message are an attribute modification message and a corresponding response message in the H.248 protocol, and the registration message comprises a notification message and a corresponding response message in the H.248 protocol;
      
      orwherein the registration request message is a gatekeeper request message in the H.323 protocol, the registration failure response message is a gatekeeper rejection message in the H.323 protocol, the registration message is a registration request message in the H.323 protocol, and the registration success response message is a registration success message in the H.323 protocol.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Huawei Technologies Co., Ltd. (Huawei Investment & Holding Co., Ltd.)
Original Assignee
Huawei Technologies Co., Ltd. (Huawei Investment & Holding Co., Ltd.)
Inventors
Wu, Dongjun, Yan, Jun
Primary Examiner(s)
ZIA, SYED

Application Number

US10/589,177
Publication Number

US 20070280482A1
Time in Patent Office

2,080 Days
Field of Search

None
US Class Current

380/278
CPC Class Codes

H04L 2209/76   Proxy, i.e. using intermedi...

H04L 63/062   for key distribution, e.g. ...

H04L 63/08   for authentication of entit...

H04L 63/0869   for achieving mutual authen...

H04L 63/205   involving negotiation or de...

H04L 65/1043   Gateway controllers, e.g. m...

H04L 65/1073   Registration or de-registra...

H04L 65/1104   Session initiation protocol...

H04L 9/083   involving central third par...

H04L 9/321   involving a third party or ...

H04W 12/041   Key generation or derivation

H04W 12/0431   Key distribution or pre-dis...

H04W 12/069   using certificates or pre-s...

H04W 60/00   Affiliation to network, e.g...

H04W 84/04   Large scale networks; Deep ...

Key distribution method

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

10 Claims

Specification

Solutions

Use Cases

Quick Links

Key distribution method

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

10 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links