Method and system for secure transmission of small data of MTC device group

Abstract

Disclosed is a method for secure transmission of small data of a machine type communication (MTC) device group, comprising a process wherein an MTC device and an MTC-Interworking Function (MTC-IWF) generate a shared key KIWF on the basis of a GBA procedure, the MTC device and a bootstrapping server (BSF) performing AKA authentication: a home subscriber server (HSS) determines whether the MTC device belongs to the MTC device group and whether said device has small data transmission and reception capabilities; if said device belongs to said group and has said capabilities, an AKA authentication vector generated on the basis of the MTC device group key is sent to said BSF; the BSF carries out AKA authentication with the MTC device on the basis of the received AKA authentication vector. Also disclosed is a system for secure transmission of small data of an MTC device group.

Claims

1. A secure Small Data Transmission (SDT) method for a Machine Type Communication (MTC) device group, comprising a process of generating, by an MTC device and an MTC Interworking Function (MTC-IWF), a shared key K.sub.IWF on the basis of a Generic Bootstrapping Architecture (GBA) key agreement process: sending, by the MTC device, to a Bootstrapping Server Function (BSF), an initialization request carrying MTC device identification information and MTC device group identification information; after receiving the initialization request from the MTC device, sending, by the BSF, to a Home Subscriber Server (HSS), a retrieval request carrying the MTC device identification information, MTC device SDT capability information and the MTC device group identification information; determining, by the HSS, whether the MTC device belongs to the MTC device group or not according to the MTC device identification information and the MTC device group identification information; when determining that the MTC device belongs to the MTC device; group, determining, by the HSS, whether the MTC device has a small data sending and receiving capability or not; when determining that the MTC device belongs to the MTC device group and has the small data sending and receiving capability, sending, by the HSS, user security configuration information and an Authentication and Key Agreement (AKA) authentication vector generated on the basis of an MTC device group key to the BSF; and performing, by the BSF, AKA authentication with the MTC device according to the received AKA authentication vector; and after the AKA authentication between the BSF and the MTC device succeeds, generating, by the MTC device and the BSF, a root key Ks; and generating, by the MTC device, the BSF and the MTC-IWF, K.sub.IWF on the basis of the root key Ks in the GBA key agreement process; wherein the method further comprises: after at least one MTC device in the MTC device group creates a shared key K.sub.IWF, in a GBA key agreement process between a further MTC device and the MTC-IWF: performing, by the BSF, AKA vector authentication with the further MTC device according to a recently adopted authentication vector corresponding to the MTC device group identifier after determining that there is K.sub.IWF being used according to the MTC device group identification information and the user security configuration information, and after authentication succeeds, generating, by the further MTC device and the BSF, a root key Ks; and generating, by the further MTC device, the BSF and the MTC-IWF, K.sub.IWF on the basis of the root key Ks in the GBA key agreement process.

2. The method according to claim 1, further comprising: after generation of K.sub.IWF, performing data transmission between the MTC device and the MTC-IWF according to K.sub.IWF.

3. The method according to claim 2, wherein determining, by the HSS, whether the MTC device has the small data sending and receiving capability or not specifically comprises: determining, by the HSS, whether the MTC device has the small data sending and receiving capability or not according to the MTC device SDT capability information.

4. The method according to claim 2, wherein determining, by the HSS, whether the MTC device has the small data sending and receiving capability or not specifically comprises: determining, by the HSS, whether the MTC device has the small data sending and receiving capability or not according to stored subscription information, the subscription information comprising the MTC device SDT capability information.

5. The method according to claim 1, further comprising: after generating K.sub.IWF on the basis of the root key Ks, generating, by the MTC device and the BSF, a data encryption key and/or a data integrity protection key on the basis of K.sub.IWF, and sending the data encryption key and/or data integrity protection key to the MTC-IWF.

6. A secure Small Data Transmission (SDT) method for a Machine Type Communication (MTC) device group, comprising a process of generating, by an MTC device and an MTC Interworking Function (MTC-IWF), a shared key K.sub.IWF on the basis of a Generic Bootstrapping Architecture (GBA) key agreement process: sending, by the MTC device, to a Bootstrapping Server Function (BSF), an initialization request carrying MTC device identification information and MTC device group identification information; after receiving the initialization request from the MTC device, sending, by the BSF, to a Home Subscriber Server (HSS), a retrieval request carrying the MTC device identification information, MTC device SDT capability information and the MTC device group identification information; determining, by the HSS, whether the MTC device belongs to the MTC device group or not according to the MTC device identification information and the MTC device group identification information; when determining that the MTC device belongs to the MTC device group, determining, by the HSS, whether the MTC device has a small data sending and receiving capability or not; when determining that the MTC device belongs to the MTC device group and has the small data sending and receiving capability, sending, by the HSS, user security configuration information and an Authentication and Key Agreement (AKA) authentication vector generated on the basis of an MTC device group key to the BSF; performing, by the BSF, AKA authentication with the MTC device according to the received AKA authentication vector; and after the AKA authentication between the BSF and the MTC device succeeds, generating, by the MTC device and the BSF, a root key Ks; and generating, by the MTC device, the BSF and the MTC-IWF, K.sub.IWF on the basis of the root key Ks in the GBA key agreement process; wherein the method further comprises: after at least one MTC device in the MTC device group creates a shared key K.sub.IWF on the basis of a root key Ks generated by the at least one MTC device and the BSF after the AKA authentication between the at least one MTC device and the BSF succeeds, and the user security configuration information is generated, in a GBA key agreement process between a further MTC device and the MTC-IWF: performing, by the BSF, AKA vector authentication with the further MTC device according to a recently adopted authentication vector corresponding to the MTC device group identifier after determining that there is a data encryption key and/or data integrity protection key being used according to the MTC device group identification information and the user security configuration information, and after authentication succeeds, generating, by the further MTC device and the BSF, a root key Ks; and generating, by the further MTC device, the BSF and the MTC-IWF, K.sub.IWF on the basis of the root key Ks in the GBA key agreement process.

7. A Bootstrapping Server Function (BSF), comprising: a first receiving module, configured to receive an initialization request from a Machine Type Communication (MTC) device, the initialization request carrying MTC device identification information, MTC device SDT capability information and MTC device group identification information; a retrieval request sending module, configured to, after receiving the initialization request from the MTC, send, to a Home Subscriber Server (HSS), a retrieval request carrying the MTC device identification information, MTC device SDT capability information and the MTC device group identification information; a second Authentication and Key Agreement (AKA) authentication module, configured to perform AKA authentication with the MTC device according to an AKA authentication vector, the AKA authentication vector being generated by the HSS on the basis of an MTC device group key; a second root key generation module, configured to, after the AKA authentication with the MTC device succeeds, generate a root key Ks with the MTC device; and a second key agreement module, configured to perform Generic Bootstrapping Architecture (GBA) key agreement with the MTC device and an MTC Interworking Function (MTC-IWF), wherein the BSF further comprises: a first determination module, configured to determine whether there is a shared key K.sub.IWF being used or not according to the MTC device group identification information and user security configuration information; when the first determination module determines that there is K.sub.IWF being used according to the MTC device group identification information and the user security configuration information, the second AKA authentication module is further configured to perform AKA vector authentication with a further MTC device according to a recently adopted authentication vector corresponding to the MTC device group identifier.

8. A Bootstrapping Server Function (BSF), comprising: a first receiving module, configured to receive an initialization request from a Machine Type Communication (MTC) device, the initialization request carrying MTC device identification information, MTC device SDT capability information and MTC device group identification information; a retrieval request sending module, configured to, after receiving the initialization request from the MTC, send, to a Home Subscriber Server (HSS), a retrieval request carrying the MTC device identification information, MTC device SDT capability information and the MTC device group identification information; a second Authentication and Key Agreement (AKA) authentication module, configured to perform AKA authentication with the MTC device according to an AKA authentication vector, the AKA authentication vector being generated by the HSS on the basis of an MTC device group key; a second root key generation module, configured to, after the AKA authentication with the MTC device succeeds, generate a root key Ks with the MTC device; and a second key agreement module, configured to perform Generic Bootstrapping Architecture (GBA) key agreement with the MTC device and an MTC Interworking Function (MTC-IWF); wherein the BSF further comprises: a second determination module, configured to determine whether there is a data encryption key and/or data integrity protection key being used or not according to the MTC device group identification information and user security configuration information, when the second determination module determines that there is a data encryption key and/or data integrity protection key being used according to the MTC device group identification information and the user security configuration information, the second AKA authentication module is further configured to perform AKA vector authentication with a further MTC device according to a recently adopted authentication vector corresponding to the MTC device group identifier.

Description

BRIEF DESCRIPTION OF THE DRAWINGS

(1) FIG. 1 is a diagram of an MTC device group-based secure SDT system according to an embodiment of the disclosure;

(2) FIG. 2 is a flowchart of an MTC device group-based shared key creation method for secure SDT according to embodiment 1 of the disclosure;

(3) FIG. 3 is a flowchart of an MTC device group-based shared key creation method for secure SDT according to embodiment 2 of the disclosure;

(4) FIG. 4 is an MTC device group-based shared key creation method for secure SDT according to embodiment 3 of the disclosure;

(5) FIG. 5 is a flowchart of an MTC device group-based shared key creation method for secure SDT according to embodiment 4 of the disclosure;

(6) FIG. 6 is a structure block diagram of an MTC device group-based secure SDT system according to embodiment 5 of the disclosure;

(7) FIG. 7 is a structure block diagram of a BSF according to embodiment 6 of the disclosure; and

(8) FIG. 8 is a structure block diagram of a BSF according to embodiment 7 of the disclosure.

DETAILED DESCRIPTION

(9) The disclosure will be described below with reference to the drawings and embodiments in detail. It is important to note that the embodiments in the disclosure and characteristics in the embodiments may be combined under the condition of no conflicts.

(10) As shown in FIG. 1, a secure SDT system for an MTC device group in the disclosure includes: the MTC device group and a device in the MTC device group, the MTC device being configured to store MTC device group information and information about a shared key for SDT; a BSF, configured to perform a GBA key agreement process and store and maintain MTC user security configuration information; an HSS, configured to manage and maintain MTC device information and MTC device group information, generate the MTC user security configuration information and generate an AKA authentication vector on the basis of an MTC device group key; and an MTC-IWF, configured to implement a Network Attached Storage (NAS) server function, and store the MTC user security configuration information and the information about the shared key for SDT.

(11) Embodiment 1

(12) In embodiment 1, an MTC device creates a shared key K.sub.IWF with an MTC-IWF when being required to perform SDT, as shown in FIG. 2, specifically including the following steps.

(13) Step 200: the MTC device (MTC device 1 in an MTC device group shown in FIG. 2) sends an initialization request to a BSF, the initialization request including MTC device identification information, for example, an International Mobile Subscriber Identity (IMSI), and further including MTC device group identification information and small data sending/receiving capability information of the MTC device.

(14) Step 201: the BSF sends a retrieval request to an HSS, the retrieval request including the MTC device identification information and the MTC device group identification information and further including the small data sending/receiving capability information of the MTC device.

(15) Step 202: the BSF gets back, MTC user security configuration information and an AKA authentication vector generated on the basis of an MTC device group key, from the HSS according to the MTC device group identification information, that is, the HSS sends the MTC user security configuration information and the AKA authentication vector generated on the basis of the MTC device group key to the BSF.

(16) The HSS checks the MTC device identification information and MTC device group identification information in the retrieval request according to stored MTC device information and MTC device group information at first, and when it is determined that the MTC device belongs to the MTC device group, the HSS sends the MTC user security configuration information and the AKA authentication vector generated on the basis of the MTC device group key to the BSF; and in addition, when the HSS checks the MTC device identification information and MTC device group identification information in the retrieval request and after it is determined that the MTC device belongs to the MTC device group, the HSS may further check an SDT capability of the MTC device, for example, check a small data sending/receiving capability of the MTC device according to subscription information of the MTC device, to determine whether to send the MTC user security configuration information and the AKA authentication vector generated on the basis of the MTC device group key to the BSF or not.

(17) Step 203: the BSF stores the received MTC user security configuration information and the received AKA authentication vector, and performs an AKA authentication process with the MTC device according to the received AKA authentication vector, and after the AKA authentication process is ended, the MTC device and the BSF generate a GBA root key Ks.

(18) Step 204: the MTC device, an MTC-IWF and the BSF perform a GBA key agreement process, and the shared key K.sub.IWF configured to protect SDT is generated between the MTC device and the MTC-IWF on the basis of the GBA root key Ks; and in addition, the BSF sends the MTC user security configuration information to the MTC-IWF for storage in the GBA key agreement process.

(19) Embodiment 2

(20) In embodiment 2, an MTC device and an MTC-IWF further generate a small data encryption key and a small data integrity protection key on the basis of creating a shared key K.sub.IWF, as shown in FIG. 3, specifically including the following steps.

(21) Step 300: the MTC device (MTC device 1 in an MTC device group shown in FIG. 3) sends an initialization request to a BSF, the initialization request including MTC device identification information, for example, an IMSI, and further including MTC device group identification information and small data sending/receiving capability information of the MTC device.

(22) Step 301: the BSF sends a retrieval request to an HSS, the retrieval request including the MTC device identification information and the MTC device group identification information and further including the small data sending/receiving capability information of the MTC device.

(23) Step 302: the BSF gets back, MTC user security configuration information and an AKA authentication vector generated on the basis of an MTC device group key, from the HSS according to the MTC device group identification information, that is, the HSS sends the MTC user security configuration information and the AKA authentication vector generated on the basis of the MTC device group key to the BSF.

(24) The HSS checks the MTC device identification information and MTC device group identification information in the retrieval request according to stored MTC device information and MTC device group information at first, and when it is determined that the MTC device belongs to the MTC device group, the HSS sends the MTC user security configuration information and the AKA authentication vector generated on the basis of the MTC device group key to the BSF; and in addition, when the HSS checks the MTC device identification information and MTC device group identification information in the retrieval request and after it is determined that the MTC device belongs to the MTC device group, the HSS may further check an SDT capability of the MTC device, for example, check a small data sending/receiving capability of the MTC device according to subscription information of the MTC device, to determine whether to send the MTC user security configuration information and the AKA authentication vector generated on the basis of the MTC device group key to the BSF or not.

(25) Step 303: the BSF stores the received MTC user security configuration information and the received AKA authentication vector, and performs an AKA authentication process with the MTC device according to the received AKA authentication vector, and after the AKA authentication process is ended, the MTC device and the BSF generate a GBA root key Ks.

(26) Step 304: the MTC device, the MTC-IWF and the BSF perform a GBA key agreement process, and the shared key K.sub.IWF configured to protect SDT is generated between the MTC device and the MTC-IWF on the basis of the GBA root key Ks. When generating K.sub.IWF, the BSF may further generate a next-level key, for example, an encryption key and an integrity protection key, configured to protect secure SDT through K.sub.IWF according to a system requirement or an SDT security protection requirement, and then sends generated key information to the MTC-IWF for storage. In addition, the BSF sends the MTC user security configuration information to the MTC-IWF for storage in the GBA key agreement process. When generating K.sub.IWF, the MTC device may further generate the next-level key, such as the encryption key and the integrity protection key, configured to protect secure SDT through K.sub.IWF according to the system requirement or the SDT security protection requirement.

(27) Embodiment 3

(28) In embodiment 3, a further MTC device in an MTC device group creates a shared key K.sub.IWF with an MTC-IWF when being required to perform SDT, as shown in FIG. 4, specifically including the following steps.

(29) Step 400: the MTC device (MTC device 2 in the MTC device group shown in FIG. 4) sends an initialization request to a BSF, the initialization request including MTC device identification information, for example, an IMSI, and further including MTC device group identification information and small data sending/receiving capability information of the MTC device.

(30) Step 401: the BSF determines whether there is a key K.sub.IWF being used or not according to the MTC device group identification information in the initialization request of the MTC device and MTC user security configuration information stored in the BSF.

(31) Step 402: if it is determined that there is a key K.sub.IWF being used, the BSF directly performs an AKA authentication process with the MTC device according to a recently adopted AKA authentication vector corresponding to an MTC device group identifier, and after the AKA authentication process is ended, the MTC device and the BSF generate a GBA root key Ks.

(32) Step 403: the MTC device further generates the shared key K.sub.IWF configured to protect SDT on the basis of the GBA root key Ks.

(33) Embodiment 4

(34) In embodiment 4, when a further MTC device in an MTC device group is required to perform SDT, the MTC device further generates a small data encryption key and a small data integrity protection key which are shared with an MTC-IWF on the basis of a key K.sub.IWF, as shown in FIG. 5, specifically including the following steps.

(35) Step 500: the MTC device (MTC device 2 in the MTC device group shown in FIG. 5) sends an initialization request to a BSF, the initialization request including MTC device identification information, for example, an IMSI, and further including MTC device group identification information and small data sending/receiving capability information of the MTC device.

(36) Step 501: the BSF determines whether there are an encryption key and an integrity key being used or not according to the MTC device group identification information in the initialization request of the MTC device and MTC user security configuration information stored in the BSF.

(37) Step 502: if it is determined that there are an encryption key and an integrity key being used, the BSF directly performs an AKA authentication process with the MTC device according to a recently adopted AKA authentication vector corresponding to an MTC device group identifier, and after the AKA authentication process is ended, the MTC device and the BSF generate a GBA root key Ks.

(38) Step 503: the MTC device further generates K.sub.IWF on the basis of the GBA root key Ks.

(39) Step 504: the MTC device further generates the encryption key and the integrity key which are configured to protect SDT on the basis of K.sub.IWF.

(40) Embodiment 5

(41) The embodiment discloses a security SDT system for an MTC device group, as shown in FIG. 6, including an MTC device 10, a BSF 20, an MTC-IWF 30 and an HSS 40, in which:

(42) the MTC device 10 includes:

(43) a storage module 11, configured to store MTC device identification information and MTC device group information, the MTC device group information including MTC device group identification information and MTC device group key information;

(44) an initialization request sending module 12 configured to send, to the BSF 20, an initialization request carrying the MTC device identification information and the MTC device group identification information;

(45) a first AKA authentication module 13, configured to perform AKA authentication with the BSF 20 according to an AKA authentication vector, the AKA authentication vector being generated by the HSS 40 on the basis of an MTC device group key;

(46) a first root key generation module 14, configured to, after the AKA authentication between the BSF 20 succeeds, generate a root key Ks with the BSF 20; and

(47) a first key agreement module 15, configured to perform GBA key agreement with the BSF 20 and the MTC-IWF 30.

(48) The BSF 20 includes:

(49) a first receiving module 21, configured to receive the initialization request from the MTC device 10, the initialization request carrying the MTC device identification information and the MTC device group identification information;

(50) a retrieval request sending module 22 configured to, after receiving the initialization request from the MTC device 10, send, to the HSS 40, a retrieval request carrying the MTC device identification information and the MTC device group identification information;

(51) a second AKA authentication module 23, configured to perform AKA authentication with the MTC device 10 according to the AKA authentication vector, the AKA authentication vector being generated by the HSS 40 on the basis of the MTC device group key;

(52) a second root key generation module 24, configured to, after the AKA authentication with the MTC device 10 succeeds, generate the root key Ks with the MTC device 10; and

(53) a second key agreement module 25, configured to perform GBA key agreement with the MTC device 10 and the MTC-IWF 30.

(54) The HSS 40 includes:

(55) a second receiving module 41, configured to receive the retrieval request from the BSF 20, the retrieval request carrying the MTC device identification information and MTC device group identification information;

(56) a determination module 42, configured to determine whether the MTC device 10 belongs to the MTC device group and has a small data sending and receiving capability or not;

(57) an authentication vector generation module 43, configured to, after the determination module 42 determines that the MTC device belongs to the MTC device group and has the small data sending and receiving capability, generate the AKA authentication vector on the basis of the MTC device group key; and

(58) an authentication vector sending module 44, configured to send the generated AKA authentication vector to the BSF 20.

(59) Embodiment 6

(60) The embodiment discloses a BSF, as shown in FIG. 7, including:

(61) a first receiving module 21, configured to receive an initialization request from an MTC device, the initialization request carrying MTC device identification information and MTC device group identification information;

(62) a first determination module 26, configured to determine whether there is a shared key K.sub.IWF being used or not according to the MTC device group identification information and user security configuration information;

(63) a second AKA authentication module 23, configured to perform AKA vector authentication with the MTC device according to a recently adopted authentication vector corresponding to an MTC device group identifier;

(64) a second root key generation module 24, configured to, after the AKA authentication with the MTC device succeeds, generate a root key Ks with the MTC device; and

(65) a second key agreement module 25, configured to perform GBA key agreement with the MTC device and an MTC-IWF.

(66) Embodiment 7

(67) The embodiment discloses a BSF, as shown in FIG. 8, including:

(68) a first receiving module 21, configured to receive an initialization request from an MTC device, the initialization request carrying MTC device identification information and MTC device group identification information;

(69) a second determination module 27, configured to determine whether there is a data encryption key and/or data integrity protection key being used or not according to the MTC device group identification information and user security configuration information;

(70) a second AKA authentication module 23, configured to perform AKA vector authentication with the MTC device according to a recently adopted authentication vector corresponding to an MTC device group identifier;

(71) a second root key generation module 24, configured to, after the AKA authentication with the MTC device succeeds, generate a root key Ks with the MTC device; and

(72) a second key agreement module 25, configured to perform GBA key agreement with the MTC device and an MTC-IWF.

(73) The above are only the preferred embodiments of the disclosure and not intended to limit the scope of protection of the disclosure.

Method and system for secure transmission of small data of MTC device group

Assignee

Inventors

Cpc classification

Classification Explorer

H04W12/06

ELECTRICITY

Classification Explorer

H04W12/76

ELECTRICITY

Classification Explorer

H04W12/0431

ELECTRICITY

Classification Explorer

H04W12/04

ELECTRICITY

Classification Explorer

H04W4/70

ELECTRICITY

Classification Explorer

H04L2463/061

ELECTRICITY

International classification

Classification Explorer

H04M1/66

ELECTRICITY

Classification Explorer

H04W12/04

ELECTRICITY

Classification Explorer

H04W12/06

ELECTRICITY

Classification Explorer

H04W4/00

ELECTRICITY

Abstract

Claims

Description