
US-12621659-B2 - Key negotiation method, apparatus, and system


Abstract

This application provides a key negotiation method, apparatus, and system, and may be applied to the communications field, for example, short-range communication (including a cockpit domain). During key negotiation between a first device and a second device, the first device notifies, by using first information, the second device of all key negotiation algorithms supported by the first device, and the second device selects, from the received key negotiation algorithms supported by the first device, a key negotiation algorithm supported by the second device. In this way, the key negotiation algorithm selected by the second device is supported by both the first device and the second device.

Inventors

  • Yong Wang
  • Jing Chen

Assignees

  • HUAWEI TECHNOLOGIES CO., LTD.

Dates

Publication Date
20260505
Application Date
20221128

Claims (20)

  1. A method, wherein the method comprises: performing, by a first device in a wireless communications system, wireless data transmission with a second device in the wireless communications system, wherein performing the wireless data transmission comprises: sending, by the first device, first information to the second device, wherein the first information indicates N key negotiation algorithms, N is an integer greater than or equal to 1, and the N key negotiation algorithms are algorithms supported by the first device; receiving, by the first device, second information from the second device, wherein the second information indicates a target key negotiation algorithm and comprises a first key negotiation parameter, the target key negotiation algorithm is a key negotiation algorithm that is in the N key negotiation algorithms and that is supported by the second device, and the first key negotiation parameter is a key negotiation parameter that is corresponding to the second device and that is obtained based on the target key negotiation algorithm; generating, by the first device, a target key based on the target key negotiation algorithm and the first key negotiation parameter; obtaining, by the first device, a second key negotiation parameter corresponding to the first device based on the target key negotiation algorithm; sending, by the first device, third information to the second device, wherein the third information comprises the second key negotiation parameter, and the second key negotiation parameter is used by the second device to generate the target key; and encrypting or decrypting, by the first device and based on the target key, data transmitted between the first device and the second device.
  2. The method according to claim 1, wherein sending the third information to the second device comprises: sending, to the second device, the third information that has been processed by using an integrity protection algorithm.
  3. The method according to claim 1, wherein the first information is further used to indicate priority information of the N key negotiation algorithms, and wherein: the first information comprises identification information of the N key negotiation algorithms, and the identification information is arranged or encapsulated based on the priority information of the N key negotiation algorithms.
  4. The method according to claim 1, wherein the target key negotiation algorithm is a key negotiation algorithm having the highest priority in one or more key negotiation algorithms of the N key negotiation algorithms that are supported by the second device.
  5. The method according to claim 1, wherein the third information further comprises first authentication data, and the first authentication data is obtained after the first device performs authentication processing on the second information.
  6. The method according to claim 5, wherein the authentication processing further comprises authentication processing performed based on a preset shared key.
  7. The method according to claim 1, wherein the method further comprises: receiving and attempting to verify fourth information from the second device, wherein: the fourth information comprises second authentication data, and the second authentication data is obtained after authentication processing is performed on the third information.
  8. The method according to claim 7, wherein the fourth information has been processed by using an integrity protection algorithm.
  9. The method according to claim 1, wherein the method comprises: receiving and attempting to verify fourth information sent by the second device, wherein: the fourth information comprises third authentication data, and the third authentication data is obtained after authentication processing is performed on the third information and the N key negotiation algorithms indicated in the first information.
  10. The method according to claim 1, wherein sending the first information comprises: sending the first information in a broadcast manner.
  11. The method according to claim 1, wherein the first device includes a base station, an access node, a wireless relay node, a wireless backhaul node, a router, a repeater, a bridge, or a switch.
  12. The method according to claim 1, wherein the second device includes a base station, an access node, a wireless relay node, a wireless backhaul node, a router, a repeater, a bridge, or a switch.
  13. The method according to claim 1, wherein the wireless communications system includes a long term evolution (LTE) system or a new radio (NR) system.
  14. A method, wherein the method comprises: performing, by a second device in a wireless communications system, wireless data transmission with a first device in the wireless communications system, wherein performing the wireless data transmission comprises: receiving, by the second device, first information from the first device, wherein the first information indicates N key negotiation algorithms supported by the first device, and N is an integer greater than or equal to 1; determining, by the second device, a target key negotiation algorithm, wherein the target key negotiation algorithm is a key negotiation algorithm that is in the N key negotiation algorithms and that is supported by the second device; generating, by the second device, a first key negotiation parameter based on the target key negotiation algorithm; sending, by the second device, second information to the first device, wherein the second information indicates the target key negotiation algorithm and comprises the first key negotiation parameter; receiving, by the second device, third information from the first device, wherein the third information indicates a second key negotiation parameter corresponding to the first device, and the second key negotiation parameter is obtained based on the target key negotiation algorithm; generating, by the second device, a target key based on the second key negotiation parameter and the target key negotiation algorithm; and encrypting or decrypting, by the second device and based on the target key, data transmitted between the first device and the second device.
  15. The method according to claim 14, wherein the third information has been processed by using an integrity protection algorithm.
  16. The method according to claim 14, wherein the first information is further used to indicate priority information of the N key negotiation algorithms, the first information comprises identification information of the N key negotiation algorithms, and the identification information is arranged or encapsulated based on the priority information of the N key negotiation algorithms.
  17. The method according to claim 14, wherein the target key negotiation algorithm is a key negotiation algorithm with the highest priority in one or more key negotiation algorithms of the N key negotiation algorithms that are supported by the second device.
  18. The method according to claim 14, wherein the method further comprises: receiving first authentication data from the first device, wherein the first authentication data is obtained after the first device performs authentication processing on the second information.
  19. The method according to claim 18, wherein the authentication processing further comprises authentication processing performed based on a preset key.
  20. The method according to claim 14, further comprising: sending fourth information to the first device, wherein the fourth information comprises second authentication data, and the second authentication data is obtained after the second device performs authentication processing on the third information.
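The exchange claimed above (claims 1, 4, 5, 6, 9 and 14), as an added example that is not part of the patent or of any Huawei implementation: the first device advertises its N algorithms in priority order, the second device picks the highest-priority one it also supports and returns its key negotiation parameter, the first device derives the key and answers with its own parameter plus authentication data over the second information under a preset shared key, and the second device's final authentication data covers both the third information and the algorithm list it received. The Diffie-Hellman groups, the algorithm identifiers, the JSON message encoding, the HMAC-SHA256 authentication data and the `tamper` hook are all assumptions of this example (the toy groups are constructed for demonstration and are not secure parameters). The last step is where a stripped algorithm list shows up: because the first device recomputes the tag over the list it actually sent, a mismatch is reported instead of the weaker algorithm being silently accepted.

```python
import hashlib
import hmac
import json
import secrets

# Toy Diffie-Hellman groups, constructed for this example (NOT secure parameters).
# Each entry stands in for one "key negotiation algorithm" in the claims.
GROUPS = {
    "dh-toy-127": (2**127 - 1, 5),   # Mersenne prime p, arbitrary generator
    "dh-toy-61": (2**61 - 1, 3),
}


def encode(msg):
    """Canonical bytes for a message so both devices MAC identical input."""
    return json.dumps(msg, sort_keys=True).encode()


def auth_tag(psk, *parts):
    """Authentication data: HMAC-SHA256 over message parts under the preset shared key."""
    mac = hmac.new(psk, digestmod=hashlib.sha256)
    for part in parts:
        mac.update(encode(part))
    return mac.hexdigest()


def select_algorithm(first_info, supported_by_second):
    """Claim 4: the first (highest-priority) entry of the advertised list that the second device supports."""
    for alg in first_info["algorithms"]:
        if alg in supported_by_second:
            return alg
    return None


def keypair(alg):
    """Key negotiation parameter for the chosen group: (private exponent, public value)."""
    p, g = GROUPS[alg]
    priv = secrets.randbelow(p - 2) + 2
    return priv, pow(g, priv, p)


def derive_key(alg, priv, peer_pub):
    """Target key: hash of the shared secret, bound to the algorithm identifier."""
    p, _ = GROUPS[alg]
    shared = pow(peer_pub, priv, p)          # shared < p < 2**128, fits in 16 bytes
    return hashlib.sha256(alg.encode() + shared.to_bytes(16, "big")).digest()


def run_negotiation(first_supported, second_supported, psk, tamper=None):
    """Run the four-message exchange. `tamper` optionally rewrites first_info in transit."""
    # Message 1: first device advertises N algorithms, ordered by priority (claim 3).
    first_info = {"algorithms": list(first_supported)}
    received_first_info = tamper(first_info) if tamper else first_info

    # Message 2: second device selects the target algorithm and sends its parameter.
    alg = select_algorithm(received_first_info, second_supported)
    if alg is None:
        return {"ok": False, "reason": "no common algorithm"}
    b_priv, b_pub = keypair(alg)
    second_info = {"alg": alg, "param": b_pub}

    # First device: derive the target key, build its own parameter,
    # and authenticate the second information under the preset key (claims 5, 6).
    a_priv, a_pub = keypair(alg)
    key_first = derive_key(alg, a_priv, second_info["param"])
    third_info = {"param": a_pub, "auth1": auth_tag(psk, second_info)}

    # Second device: verify auth1, derive the key, then authenticate the third
    # information together with the algorithm list it received (claim 9).
    if not hmac.compare_digest(third_info["auth1"], auth_tag(psk, second_info)):
        return {"ok": False, "reason": "auth1 mismatch"}
    key_second = derive_key(alg, b_priv, third_info["param"])
    fourth_info = {"auth3": auth_tag(psk, third_info, received_first_info["algorithms"])}

    # First device: verify against the list it actually sent. If message 1 was
    # altered in transit, the tags differ and the negotiation is rejected.
    expected = auth_tag(psk, third_info, first_info["algorithms"])
    if not hmac.compare_digest(fourth_info["auth3"], expected):
        return {"ok": False, "reason": "algorithm list mismatch", "alg": alg}
    return {"ok": True, "alg": alg, "keys_match": key_first == key_second}


if __name__ == "__main__":
    psk = b"constructed-preset-shared-key"
    print(run_negotiation(["dh-toy-127", "dh-toy-61"], {"dh-toy-61", "dh-toy-127"}, psk))
    print(run_negotiation(["dh-toy-127"], {"dh-toy-61"}, psk))
    strip_strong = lambda m: {"algorithms": [a for a in m["algorithms"] if a != "dh-toy-127"]}
    print(run_negotiation(["dh-toy-127", "dh-toy-61"], {"dh-toy-61", "dh-toy-127"}, psk, tamper=strip_strong))
```

The three calls at the bottom exercise the three outcomes a verifier cares about: a normal run that settles on the first device's top-priority algorithm with both sides holding the same key, a run with no overlap that fails before any parameter is sent, and a run where the stronger algorithm was removed from message 1 in transit, which the claim 9 style tag over the advertised list catches at the first device.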

Description

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of International Application No. PCT/CN2020/093490, filed on May 29, 2020, the disclosure of which is hereby incorporated by reference in its entirety.

TECHNICAL FIELD

This application relates to the field of communications technologies, and in particular, to a key negotiation method, apparatus, and system, and may be specifically applied to short-range communication, for example, cockpit domain communication.

BACKGROUND

IKEv2 (Internet Key Exchange Version 2) is a protocol used to negotiate a key, and may be used to negotiate parameters such as a security protocol, an algorithm, and a key for an IPsec (Internet Protocol Security) tunnel. An IKEv2 negotiation process may be as follows: A negotiation packet sent by a sender device to a receiver device includes at least one key negotiation algorithm supported by the sender device, and a key negotiation parameter of one key negotiation algorithm corresponding to the sender device. After receiving the negotiation packet, the receiver device selects, from the key negotiation algorithms included in the negotiation packet, a key negotiation algorithm supported by the receiver device. If the key negotiation parameter of the sender device included in the negotiation packet does not correspond to the key negotiation algorithm selected by the receiver device, the receiver device sends, to the sender device, a packet including the key negotiation algorithms supported by the receiver device, and the sender device then resends a negotiation packet based on those algorithms. Consequently, the number of packet exchanges between the sender device and the receiver device increases, resulting in low key negotiation efficiency.

SUMMARY

Embodiments of this application provide a key negotiation method, apparatus, and system, to improve key negotiation efficiency.

According to a first aspect, the embodiments of this application provide a key negotiation method, including: sending first information, where the first information is used to indicate N key negotiation algorithms, N is an integer greater than or equal to 1, and the N key negotiation algorithms are algorithms supported by a sender device; receiving second information from a receiver device, where the second information is used to indicate a target key negotiation algorithm and includes a first key negotiation parameter, the target key negotiation algorithm is a key negotiation algorithm in the N key negotiation algorithms that is supported by the receiver device, and specifically, the first key negotiation parameter is a key negotiation parameter that is corresponding to the receiver device and that is obtained based on the target key negotiation algorithm, or the first key negotiation parameter is a key negotiation parameter generated by the receiver device based on the target key negotiation algorithm; and generating a target key based on the target key negotiation algorithm and the first key negotiation parameter.

In a possible design, the method further includes: sending third information to the receiver device, where the third information includes a second key negotiation parameter, and the second key negotiation parameter is a key negotiation parameter that is corresponding to the sender device and that is obtained based on the target key negotiation algorithm.

In a possible design, the sending third information to the receiver device includes: sending, to the receiver device, the third information that has been processed by using an integrity protection algorithm.

In a possible design, the first information is further used to indicate priority information of the N key negotiation algorithms, where the first information includes identification information of the N key negotiation algorithms, and the identification information is arranged or encapsulated based on the priority information of the N key negotiation algorithms.

In a possible design, the second information is further used to indicate M key negotiation algorithms supported by the receiver device, and M is an integer greater than or equal to 1.

In a possible design, the generating a target key based on the target key negotiation algorithm and the first key negotiation parameter includes: determining that the target key negotiation algorithm is the key negotiation algorithm having the highest priority among the key negotiation algorithms, in the N key negotiation algorithms, that are supported by the receiver device, and generating the target key based on the target key negotiation algorithm and the first key negotiation parameter. Alternatively, in the possible design, the target key negotiation algorithm is the key negotiation algorithm having the highest priority among the key negotiation algorithms, in the N key negotiation algorithms, that are supported by the receiver device.

In a possibl