Anchor key generation method, device and system

Document number: 1652349    Published: 2019-12-24

Reading note: this technology, 锚密钥生成方法、设备以及系统 (Anchor key generation method, device and system), was designed by 吴�荣, 张博 and 甘露 on 2018-04-25. Its main content is as follows. The embodiments of this application provide an anchor key generation method, device and system. The method comprises: a first communication device receives an indication identifier sent by a second communication device, where the indication identifier indicates the access mode of a terminal; the first communication device sends the indication identifier to a third communication device; the first communication device receives an intermediate key returned by the third communication device, where the intermediate key is generated according to the indication identifier; the first communication device generates an anchor key according to the intermediate key, where the anchor key corresponds to the access mode of the terminal; and the first communication device sends the anchor key to the second communication device, so that the second communication device can derive lower-layer keys for that access mode from the anchor key. The method can generate a uniform anchor key for different access modes, and isolates the anchor keys of different access modes, together with the lower-layer keys derived from them, from one another.

A system for generating an anchor key, characterized by comprising an authentication server, a security anchor point and a unified data management network element;

the unified data management network element is configured to generate an intermediate key according to an indication identifier, a confidentiality key and an integrity key of the operator network accessed by a terminal, and to send the intermediate key to the authentication server;

the authentication server is configured to receive the intermediate key returned by the unified data management network element;

the authentication server is further configured to obtain an anchor key according to the intermediate key;

the authentication server is configured to send the anchor key to the security anchor point;

the security anchor point is configured to obtain a derived key according to the anchor key;

and the security anchor point is further configured to, when the access mode of the terminal is a non-3GPP access mode, obtain an access point key of the non-3GPP access mode according to the derived key.

The system of claim 1, wherein

the authentication server is specifically configured to generate an extended master session key EMSK' according to the intermediate key;

and the authentication server is further configured to obtain the anchor key according to the EMSK'.

The system of claim 2, wherein

the authentication server is specifically configured to generate the anchor key according to the EMSK' and the indication identifier of the operator network accessed by the terminal.

The system according to any one of claims 1 to 3, wherein obtaining the access point key of the non-3GPP access mode according to the derived key comprises:

determining the access point key of the non-3GPP access mode according to the uplink count value of non-access stratum (NAS) messages and the derived key.

The system according to any one of claims 1 to 4, wherein

the security anchor point is further configured to, when the access mode of the terminal is a 3GPP access mode, obtain a base station key of the 3GPP access mode according to the derived key.

The system according to any one of claims 1 to 5, wherein obtaining the derived key according to the anchor key comprises:

generating the derived key according to the anchor key and the identifier of the security anchor point.

The system according to any one of claims 1 to 6, wherein generating the intermediate key according to the indication identifier, the confidentiality key and the integrity key of the operator network accessed by the terminal comprises:

wherein (CK1', IK1') is the intermediate key, KDF is a key derivation function, SQN is the latest sequence number, NAI is the indication identifier of the operator network accessed by the terminal, CK is the confidentiality key, IK is the integrity key, AK is the anonymity key, and ⊕ denotes an exclusive-or operation.

A method for generating a derived key, the method comprising:

the terminal generates an intermediate key according to the indication identifier, the confidentiality key and the integrity key of the operator accessed by the terminal;

the terminal obtains an anchor key K_seaf according to the intermediate key;

the terminal obtains a derived key K_amf according to the anchor key;

and when the access type of the terminal is a non-3GPP access type, the terminal obtains an access point key of the non-3GPP access mode according to K_amf.

The method of claim 8, wherein the terminal obtaining the access point key of the non-3GPP access mode according to K_amf comprises:

the terminal obtaining the access point key of the non-3GPP access mode according to the uplink count value of non-access stratum (NAS) messages and K_amf.

The method according to claim 8 or 9, wherein the terminal obtaining the anchor key according to the intermediate key comprises:

the terminal generating an extended master session key EMSK' according to the intermediate key, and obtaining the anchor key according to the EMSK'.

The method of claim 10, wherein obtaining the anchor key according to the EMSK' comprises:

the terminal generating the anchor key according to the EMSK' and the indication identifier of the operator accessed by the terminal.

The method according to any one of claims 8 to 11, further comprising:

when the access type of the terminal is a 3GPP access type, the terminal obtaining a base station key K_gNB according to K_amf.

The method according to any one of claims 8 to 12, wherein obtaining the derived key according to the anchor key comprises:

obtaining the derived key according to the identifier of the access and mobility management network element and the anchor key.

A terminal comprising a processor and a memory, the memory having program code stored therein, the processor performing the following when the program code is executed:

generating an intermediate key according to the indication identifier, the confidentiality key and the integrity key of the operator accessed by the terminal;

obtaining an anchor key K_seaf according to the intermediate key;

obtaining a derived key K_amf according to the anchor key;

and when the access type of the terminal is a non-3GPP access type, obtaining an access point key of the non-3GPP access mode according to K_amf.

The terminal of claim 14, wherein obtaining the access point key of the non-3GPP access mode according to K_amf comprises:

obtaining the access point key of the non-3GPP access mode according to the uplink count value of non-access stratum (NAS) messages and K_amf.

The terminal according to claim 14 or 15, wherein obtaining the anchor key according to the intermediate key comprises:

generating an extended master session key EMSK' according to the intermediate key, and obtaining the anchor key according to the EMSK'.

The terminal of claim 16, wherein obtaining the anchor key according to the EMSK' comprises:

generating the anchor key according to the EMSK' and the indication identifier of the operator accessed by the terminal.

The terminal according to any one of claims 14 to 17, wherein the processor is further configured to:

when the access type of the terminal is a 3GPP access type, obtain a base station key K_gNB according to K_amf.

The terminal according to any one of claims 14 to 18, wherein obtaining the derived key according to the anchor key comprises:

obtaining the derived key according to the identifier of the access and mobility management network element and the anchor key.
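The claims above describe one key chain from two vantage points: the network side (unified data management, authentication server, security anchor point) in claims 1 to 7 and the terminal in claims 8 to 19, both producing intermediate key, EMSK', anchor key K_seaf, derived key K_amf, and finally K_gNB or a non-3GPP access point key. The following Python model is an added example and is not the patent's own construction or any operator's code. It assumes HMAC-SHA256 as the KDF at every step, an input order for the claim 7 derivation, short labels for each level, and constructed CK, IK, SQN, AK, NAI and anchor-point identifier values; the real 3GPP TS 33.501 FC codes and input layouts are not reproduced. It goes a little beyond the claims by running both access-mode branches side by side and checking the isolation property stated in the abstract: a different indication identifier gives a different anchor key and different lower-layer keys.

```python
"""Worked model of the anchor-key hierarchy in the claims:
intermediate key -> EMSK' -> K_seaf (anchor) -> K_amf (derived) -> K_gNB / access-point key.

Added illustration, not the patent's construction. Assumed: each step is HMAC-SHA256
used as a KDF with a short label; the input order of claim 7 and the 3GPP TS 33.501
FC codes are not reproduced; every key and identifier below is a constructed sample.
"""
import hashlib
import hmac

# Constructed sample inputs (not from the patent): CK/IK from a hypothetical AKA run,
# a 6-byte SQN and AK, one NAI per access mode (the NAI plays the role of the
# "indication identifier" naming the operator network and access mode), and a
# placeholder identifier for the security anchor point / AMF.
CK = bytes.fromhex("00112233445566778899aabbccddeeff")
IK = bytes.fromhex("ffeeddccbbaa99887766554433221100")
SQN = bytes.fromhex("000000000101")
AK = bytes.fromhex("a1b2c3d4e5f6")
NAI_3GPP = b"user@3gpp.operator.example"        # constructed
NAI_NON3GPP = b"user@non3gpp.operator.example"  # constructed
SEAF_ID = b"seaf-01.operator.example"           # constructed placeholder


def kdf(key: bytes, *parts: bytes) -> bytes:
    """Assumed KDF: HMAC-SHA256 keyed with the parent key over length-prefixed inputs.
    Length prefixes keep distinct input tuples from colliding after concatenation."""
    msg = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).digest()


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise exclusive or of two equal-length strings (the ⊕ of claim 7)."""
    if len(a) != len(b):
        raise ValueError("xor operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def intermediate_key(ck: bytes, ik: bytes, sqn: bytes, ak: bytes, nai: bytes) -> tuple:
    """(CK1', IK1') from SQN⊕AK, NAI, CK and IK (claim 7; the input order is assumed).
    The 32-byte KDF output is split into a 16-byte CK1' and a 16-byte IK1'."""
    out = kdf(ck + ik, b"intermediate", xor(sqn, ak), nai)
    return out[:16], out[16:]


def anchor_key(ck1: bytes, ik1: bytes, nai: bytes) -> bytes:
    """EMSK' from the intermediate key, then K_seaf from EMSK' and the NAI (claims 2, 3, 10, 11)."""
    emsk = kdf(ck1 + ik1, b"EMSK'")
    return kdf(emsk, b"K_seaf", nai)


def derived_key(k_seaf: bytes, anchor_id: bytes) -> bytes:
    """K_amf from K_seaf and the identifier of the security anchor point / AMF (claims 6, 13)."""
    return kdf(k_seaf, b"K_amf", anchor_id)


def access_key(k_amf: bytes, access_mode: str, nas_uplink_count: int = 0) -> bytes:
    """Lowest layer. 3GPP access: K_gNB from K_amf (claims 5, 12 name no counter).
    Non-3GPP access: access-point key from K_amf and the NAS uplink count (claims 4, 9, 15)."""
    if access_mode == "3gpp":
        return kdf(k_amf, b"K_gNB")
    if access_mode == "non-3gpp":
        return kdf(k_amf, b"K_ap", nas_uplink_count.to_bytes(4, "big"))
    raise ValueError(f"unknown access mode: {access_mode}")


def derive_hierarchy(nai: bytes, access_mode: str, nas_uplink_count: int = 0) -> dict:
    """Run the whole chain. The network side (claims 1-7) and the terminal (claims 8-19)
    compute the same values because both hold CK, IK, SQN, AK and the NAI."""
    ck1, ik1 = intermediate_key(CK, IK, SQN, AK, nai)
    k_seaf = anchor_key(ck1, ik1, nai)
    k_amf = derived_key(k_seaf, SEAF_ID)
    return {
        "intermediate": ck1 + ik1,
        "k_seaf": k_seaf,
        "k_amf": k_amf,
        "k_access": access_key(k_amf, access_mode, nas_uplink_count),
    }


def isolation_holds() -> bool:
    """The property the abstract states: a different indication identifier (access mode)
    yields a different anchor key, and therefore different lower-layer keys."""
    h3 = derive_hierarchy(NAI_3GPP, "3gpp")
    hn = derive_hierarchy(NAI_NON3GPP, "non-3gpp")
    return (h3["k_seaf"] != hn["k_seaf"]
            and h3["k_amf"] != hn["k_amf"]
            and h3["k_access"] != hn["k_access"])


if __name__ == "__main__":
    for mode, nai in (("3gpp", NAI_3GPP), ("non-3gpp", NAI_NON3GPP)):
        for name, k in derive_hierarchy(nai, mode).items():
            print(f"{mode:9} {name:12} {k.hex()}")
    print("isolation holds:", isolation_holds())
```

Running the script prints the full chain for both access modes. Two points a reviewer of such a hierarchy would check are visible in the code: the NAS uplink count changes only the access-point key, never K_amf above it, so a refreshed lower key cannot leak anything about its parent; and the indication identifier enters the chain at the intermediate-key and anchor-key levels, which is what keeps the 3GPP and non-3GPP branches separate from the anchor key downward.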
