




This application claims priority to Chinese patent application No. 200810065263.5, entitled "Method and Communication Network System for Establishing Security Association", filed with the Chinese Patent Office on January 30, 2008, the entire contents of which are incorporated herein by reference.
Technical Field
The present invention relates to the field of wireless communication, and in particular to a method for establishing a security association and to a communication network system.
Background
To improve the link budget and the coverage of a cellular system, a user terminal can receive service through a relay station. The introduction of relay stations gives the air interface new functions and further strengthens the distributed processing characteristics of the system. Deploying relay stations can improve the wireless access performance of the system, cover shadow areas, expand the wired coverage radius of the base station, and increase data rates in specific areas.
In the further evolution that follows the Long Term Evolution (LTE) system, the radio access technology itself is being strengthened in several directions, and wireless relay stations are one important direction. Because relay stations are introduced into the LTE system, the process of establishing a security association between the terminal and the network inevitably involves the relay station. Security protection in the LTE system is divided into two parts, the access network and the core network. The complexity and security of the LTE system design therefore have to be ensured once relay stations are introduced, and the good characteristics of the relay system should be used to realize an excellent mobile communication system.
As shown in FIG. 1, the Institute of Electrical and Electronics Engineers (IEEE) 16j standard describes a method by which a terminal establishes a security association with the network side through a relay, as follows:
The terminal synchronizes and registers with the network side through the relay station and, using the public key management protocol, obtains a Master Session Key (MSK) with the authentication server;
The authentication server sends the MSK to the base station, and the base station derives an authentication key (Authentication Key, AK) from the MSK;
The base station sends the authentication key to the terminal through the relay station;
The terminal and the relay station synchronize the AK through a three-way handshake and derive from the AK the key encryption key (Key Encryption Key, KEK) that protects the traffic encryption key (Traffic Encryption Key, TEK); the TEK is generated by the base station;
The terminal and the relay station obtain the TEK through a TEK request procedure.
In the course of implementing the present invention, the inventors found that the prior art has at least the following problem: an existing LTE system has more keys than the IEEE 16j system has security keys, and its key generation process is more complex. Consequently, once a relay station is introduced into the LTE system, there is no suitable method for establishing a security association between the terminal and the network, and the prior-art security procedure is not suitable for establishing that association.
Summary of the Invention
Embodiments of the present invention provide a method for establishing a security association between a terminal and the network side, so that a security association is established between the terminal and the network after a relay station is introduced into the evolved LTE system.
An embodiment of the present invention provides a method for establishing a security association between a terminal and the network side, including: receiving an access request message that was sent by the terminal and forwarded by a relay station; obtaining a shared root key after authenticating the terminal according to the access request message; selecting a security algorithm, the security algorithm being an algorithm supported by the terminal and the network side; deriving a base station key from the shared root key; and sending a security mode command to the terminal through the relay station, the security mode command containing the security algorithm.
An embodiment of the present invention also discloses a communication network system, including: a first receiving unit, configured to receive an access request message that was sent by the terminal and forwarded by a relay station; a key acquisition unit, configured to obtain a shared root key after authenticating the terminal according to the access request message received by the first receiving unit; a selection unit, configured to select a security algorithm, the security algorithm being an algorithm supported by both the terminal and the network side; a derivation unit, configured to derive a base station key from the shared root key obtained by the key acquisition unit; and a first sending unit, configured to send a security mode command to the terminal through the relay station, the security mode command containing the security algorithm selected by the selection unit.
Compared with the prior art, the embodiments of the present invention have the following advantages:
According to the solution provided by the embodiments of the present invention, after receiving the access request sent by the terminal through the relay station, the network side selects the security algorithm used to establish the security association and sends a security mode command containing the selected algorithm to the terminal through the relay station. Once the terminal has the security algorithm, it establishes a security association with the network side. This solves the problem of establishing a security association between the terminal and the network side after a relay station is introduced into the LTE system. The technical solution also inherits the security mechanism of the LTE system: it secures the mobile communication system after the relay station is added while leaving the existing security mechanism essentially unchanged and without increasing system complexity.
Brief Description of the Drawings
FIG. 1 is a schematic diagram of the prior-art method in the IEEE 16j standard by which a terminal establishes a security association with the network side;
FIG. 2 is a schematic diagram of the method by which a terminal establishes a security association with the network side in the first embodiment of the present invention;
FIG. 3 is a schematic diagram of the method by which a terminal establishes a security association with the network side in the second embodiment of the present invention;
FIG. 4 is a schematic diagram of the method by which a terminal establishes a security association with the network side in the third embodiment of the present invention;
FIG. 5 is a schematic diagram of the method by which a terminal establishes a security association with the network side in the fourth embodiment of the present invention;
FIG. 6 is a schematic diagram of the method by which a terminal establishes a security association with the network side in the fifth embodiment of the present invention;
FIG. 7 is a schematic structural diagram of a communication network system in the sixth embodiment of the present invention.
Detailed Description of the Embodiments
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. The described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments that a person of ordinary skill in the art obtains from these embodiments without creative effort fall within the scope of protection of the present invention.
To make the specific technical solution and the purpose of the invention clearer, they are further described below with reference to specific embodiments and the accompanying drawings.
Referring to FIG. 2, the first embodiment of the present invention is a method for establishing a security association between a terminal and the network side, preferably applied in the LTE system and its evolved systems. It includes:
Step 201: Receive an access request message that was sent by the terminal and forwarded by a relay station.
Step 202: Obtain a shared root key after authenticating the terminal according to the access request message.
Step 203: Select a security algorithm, the security algorithm being an algorithm supported by the terminal and the network side.
Step 204: Derive a base station key from the shared root key.
Step 205: Send a security mode command to the terminal through the relay station, the security mode command containing the security algorithm.
With the method of this embodiment, after receiving the access request sent by the terminal through the relay station, the network side selects the security algorithm used to establish the security association and sends a security mode command containing the selected algorithm to the terminal through the relay station. Once the terminal has the security algorithm, it can establish a security association with the network side. This solves the problem of establishing a security association between the terminal and the network side after a relay station is introduced into the LTE system. The technical solution also inherits the security mechanism of the LTE system: it secures the mobile communication system after the relay station is added while leaving the existing security mechanism essentially unchanged and without increasing system complexity.
Referring to FIG. 3, the second embodiment of the present invention is a method for establishing a security association between a terminal and the network side. In this embodiment the terminal is accessing the network for the first time (detached to active). The procedure includes:
Step 301: The terminal sends an access request message to the relay station. The access request message includes the terminal capability and the terminal identity.
The terminal capability may include the algorithms that the terminal itself supports. The terminal identity may be a Temporary Mobile Subscriber Identity (TMSI), an International Mobile Subscriber Identity (IMSI), or another identifier that represents the terminal.
Step 302: The relay station sends the access request message from the terminal to the base station.
Step 303: After receiving the access request message from the relay station, the base station forwards it to the mobility management entity. When forwarding, the base station may also inform the mobility management entity of its own base station capability, which may include the algorithms that the base station itself supports.
Step 304: The mobility management entity sends the relay identifier in the received access request message to the home subscriber server.
Step 305: The home subscriber server generates an authentication vector according to the terminal identity. The authentication vector is used for mutual authentication between the terminal and the network side and includes the random number RAND, the expected response XRES (EXpected user RESponse), the authentication token AUTN (AUTN = SQN || AMF || MAC), and the shared root key (Key Access System Management Entity, Kasme).
Step 306: After generating the authentication vector, the home subscriber server sends it to the mobility management entity.
Step 307: The mobility management entity sends the random number RAND and the authentication token AUTN to the base station.
Step 308: The base station sends the received RAND and AUTN to the relay station.
Step 309: The relay station sends the received RAND and AUTN to the terminal.
Step 310: The terminal verifies AUTN. It calculates the expected integrity check code XMAC = f(SQN || RAND || AMF); if XMAC equals the integrity check code MAC in AUTN and the sequence number SQN is within the valid range, authentication of the network is considered successful. If verification succeeds, the terminal calculates the response value RES from RAND.
Step 311: The terminal sends a response message containing RES to the relay station.
Step 312: The relay station sends the response message from the terminal to the base station.
Step 313: The base station sends the received response message to the mobility management entity.
Step 314: The mobility management entity checks whether RES is the same as XRES in the authentication vector. If they are the same, the terminal passes authentication, and the terminal and the mobility management entity hold the shared root key Kasme.
Step 315: The mobility management entity selects a security algorithm according to the terminal capability and the base station capability. The security algorithm is an algorithm supported by both the terminal and the network side and includes access-stratum security algorithms, which may include a radio resource control (Radio Resource Control, RRC) algorithm and a user plane (User Plane, UP) algorithm. The base station key can be derived from the security algorithm selected by the mobility management entity and the shared root key Kasme.
The security algorithm may also include a non-access stratum (Non-Access Stratum, NAS) algorithm.
Step 316: The mobility management entity sends the security algorithm and the base station key.
The security algorithm and the base station key may be carried in a message that the mobility management entity sends to the base station.
Step 317: The base station sends the security algorithm and an integrity check code to the relay station.
The security algorithm and the integrity check code may be carried in the security mode command.
When sending the security algorithm, the base station may use the base station key to protect the content being sent, generate an integrity check code, and send that integrity check code to the relay station.
Step 318: The relay station sends the received security algorithm and integrity check code to the terminal.
Step 319: After receiving the security algorithm and the integrity check code, the terminal verifies the integrity of the message forwarded by the relay station and, if verification succeeds, sends a verification confirmation message to the relay station.
Step 320: The relay station sends the received verification confirmation message to the base station.
Step 321: The base station sends the received verification confirmation message to the mobility management entity.
Step 322: The mobility management entity receives the verification confirmation message. At this point, security algorithm negotiation and key negotiation between the terminal and the base station are complete, and the security association has been established.
Optionally, in step 302 of this embodiment, the relay station may send its own relay capability to the mobility management entity when it sends the access request message; in step 315 the mobility management entity can then select the security algorithm according to the terminal capability, the relay capability, and the base station capability.
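The second-embodiment exchange above (steps 301 to 322, including the optional relay capability), as an added Python sketch that is not part of the patent text. HMAC-SHA-256 stands in for the unspecified function f and for key derivation, and the algorithm names, key sizes, SQN window and message encoding are constructed for illustration.

```python
import hashlib
import hmac
import os

SQN_WINDOW = 32                   # assumed acceptance window for SQN
PREFERENCE = ["alg-2", "alg-1"]   # constructed algorithm names, preferred first

def f(key, label, *parts):
    """Keyed function standing in for the page's unspecified f (HMAC-SHA-256)."""
    msg = label + b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).digest()

def hss_auth_vector(k, sqn):
    """Step 305: RAND, XRES, AUTN = SQN || AMF || MAC, and Kasme."""
    rand, amf, sqn_b = os.urandom(16), b"\x80\x00", sqn.to_bytes(6, "big")
    return {"RAND": rand,
            "AUTN": sqn_b + amf + f(k, b"MAC", sqn_b, rand, amf)[:8],
            "XRES": f(k, b"RES", rand)[:8],
            "Kasme": f(k, b"KASME", rand, sqn_b)}

class Terminal:
    def __init__(self, k, capability):
        self.k, self.capability = k, set(capability)
        self.last_sqn, self.kasme, self.k_enb, self.alg = 0, None, None, None

    def verify_autn(self, rand, autn):
        """Step 310: accept only if XMAC == MAC and SQN is fresh; return RES."""
        sqn_b, amf, mac = autn[:6], autn[6:8], autn[8:]
        xmac = f(self.k, b"MAC", sqn_b, rand, amf)[:8]
        sqn = int.from_bytes(sqn_b, "big")
        if not hmac.compare_digest(xmac, mac):
            return None
        if not self.last_sqn < sqn <= self.last_sqn + SQN_WINDOW:
            return None                      # replayed or out-of-range SQN
        self.last_sqn = sqn
        self.kasme = f(self.k, b"KASME", rand, sqn_b)
        return f(self.k, b"RES", rand)[:8]

    def verify_smc(self, body, code):
        """Step 319: check the integrity check code on the security mode command."""
        alg = body.partition(b":")[2].decode(errors="replace")
        if alg not in self.capability:
            return False
        k_enb = f(self.kasme, b"KENB", alg.encode())
        if not hmac.compare_digest(f(k_enb, b"SMC", body)[:8], code):
            return False                     # command was altered in transit
        self.alg, self.k_enb = alg, k_enb
        return True

def select_algorithm(*capabilities):
    """Step 315: first preferred algorithm that every party supports."""
    for alg in PREFERENCE:
        if all(alg in cap for cap in capabilities):
            return alg
    raise ValueError("no common security algorithm")

def transparent_relay(kind, msg):
    """The relay of steps 302 to 320: forwards every message unchanged."""
    return msg

def attach(terminal, k_hss, sqn, bs_cap, relay_cap, relay=transparent_relay):
    """Network side of steps 305 to 322; returns (algorithm, base station key)."""
    vec = hss_auth_vector(k_hss, sqn)
    res = terminal.verify_autn(*relay("auth", (vec["RAND"], vec["AUTN"])))
    if res is None or not hmac.compare_digest(relay("res", res), vec["XRES"]):
        return None                          # step 314 failed
    alg = select_algorithm(terminal.capability, relay_cap, bs_cap)
    k_enb = f(vec["Kasme"], b"KENB", alg.encode())
    body = b"SMC:" + alg.encode()            # security mode command, step 317
    smc = (body, f(k_enb, b"SMC", body)[:8])
    if not terminal.verify_smc(*relay("smc", smc)):
        return None                          # no confirmation from the terminal
    return alg, k_enb

if __name__ == "__main__":
    key = bytes(range(16))                   # constructed subscriber key
    caps = {"alg-1", "alg-2"}
    print(attach(Terminal(key, caps), key, 1, caps, caps)[0])
```

Because the integrity check code is computed with a key that only the terminal and the network can derive, a relay that rewrites the algorithm field cannot produce a command the terminal accepts.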
In the solution provided by steps 301 to 322 of this embodiment, the relay station holds neither the security association between the terminal and the base station nor any information about the terminal; it only transparently relays messages between the terminal and the network side. This embodiment may further include the following steps, which let the relay station obtain the security association between the terminal and the base station so that a security association is established between the terminal and the relay station and communication between them is more secure.
Step 323: The base station sends the relay station the security association keys established between the terminal and the base station (such as the RRC key and the UP key) and the security algorithms (such as the RRC algorithm and the UP algorithm). The security association keys are generated by the base station. Messages sent between the relay station and the base station can be protected by the security association between the relay station and the base station. That security association already exists between the relay station and the base station; it is established after the relay station accesses the network and protects the information sent between the base station and the relay station.
Step 324: After receiving the keys and related algorithms from the base station, the relay station verifies them using the security association established between the relay station and the base station and returns a confirmation message to the base station.
In this embodiment, if the relay station has the function of generating the cell radio network temporary identifier (Radio Network Temporary Identifier, C-RNTI), then in step 323 the base station may send the relay station the base station key and the security algorithms, such as the RRC algorithm and the UP algorithm; messages sent between the relay station and the base station can be protected by the security association between the relay station and the base station. In step 324, after receiving the base station key and the algorithms from the base station, the relay station derives the security association keys, such as the RRC key and the UP key, from the base station key and the C-RNTI; messages sent between the relay station and the base station can be protected by the security association between the relay station and the base station. In this case the security association that the relay station holds with the terminal differs from the security association between the base station and the relay station. When the relay station receives a message from the terminal, it must first decrypt it using the security association between the relay station and the terminal, then re-encrypt it using the security association between the relay station and the base station, and then forward it. Likewise, when the relay station receives a message from the base station, it first decrypts it using the security association between the relay station and the base station, then encrypts it using the security association between the relay station and the terminal, and then sends it to the terminal.
In steps 323 and 324 the relay station passively receives a message from the base station and thereby obtains the security association between the terminal and the network side. In this method the relay station may also actively request the relevant security association from the base station, so steps 323 and 324 may instead be steps 323' and 324', as follows:
Step 323': The relay station sends a terminal security association request to the base station, asking the base station to send the information about the security association already established between the terminal and the base station. Messages sent between the relay station and the base station can be protected by the security association between the relay station and the base station.
Step 324': The base station sends a request response message to the relay station. The message contains the security algorithms, such as the RRC algorithm and the UP algorithm, and the security association keys generated by the base station, such as the RRC key and the UP key. If the relay station can generate the C-RNTI, the base station need not send the RRC key and the UP key directly and may instead include the security algorithms and the base station key in the response message. From the information it receives, the relay station can obtain the security association information between the terminal and the base station.
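An added example (not from the patent) of the C-RNTI variant of steps 323 and 324 and of the per-hop decrypt and re-encrypt behaviour it leads to. The HMAC-SHA-256 derivation, the toy keystream cipher, the direction labels, the C-RNTI values and all keys are assumptions constructed for illustration.

```python
import hashlib
import hmac

def kdf(key, label, *parts):
    """Stand-in derivation function (HMAC-SHA-256); the page names no KDF."""
    msg = label + b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).digest()

def derive_sa_keys(k_enb, c_rnti):
    """RRC and UP keys derived from the base station key and the C-RNTI."""
    c = c_rnti.to_bytes(2, "big")
    return {"RRC": kdf(k_enb, b"RRC", c), "UP": kdf(k_enb, b"UP", c)}

def _keystream(key, ctx, seq_b, length):
    blocks = range(length // 32 + 1)
    return b"".join(kdf(key, b"enc", ctx, seq_b, i.to_bytes(4, "big")) for i in blocks)

def seal(key, ctx, seq, plaintext):
    """Toy encrypt-then-MAC under one security association (illustration only).
    ctx (direction or purpose) and seq keep keystreams distinct per message."""
    s = seq.to_bytes(4, "big")
    stream = _keystream(key, ctx, s, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, stream))
    return s + ct + kdf(key, b"tag", ctx, s, ct)[:8]

def unseal(key, ctx, packet):
    """Verify the tag first, then decrypt; ValueError on a modified packet."""
    s, ct, tag = packet[:4], packet[4:-8], packet[-8:]
    if not hmac.compare_digest(kdf(key, b"tag", ctx, s, ct)[:8], tag):
        raise ValueError("integrity check failed")
    stream = _keystream(key, ctx, s, len(ct))
    return int.from_bytes(s, "big"), bytes(a ^ b for a, b in zip(ct, stream))

class Relay:
    def __init__(self, relay_bs_key):
        self.relay_bs_key = relay_bs_key   # pre-existing relay/base-station SA
        self.terminal_keys = {}            # C-RNTI -> {"RRC": ..., "UP": ...}
        self.next_c_rnti = 0x0100          # constructed starting value

    def allocate_c_rnti(self):
        """This relay is one that can generate the C-RNTI itself."""
        self.next_c_rnti += 1
        return self.next_c_rnti

    def install_base_station_key(self, c_rnti, packet):
        """Steps 323-324: receive the base station key under the relay/base-station
        SA, derive the terminal-facing keys locally, return a confirmation."""
        seq, k_enb = unseal(self.relay_bs_key, b"key", packet)
        self.terminal_keys[c_rnti] = derive_sa_keys(k_enb, c_rnti)
        return seal(self.relay_bs_key, b"ack", seq, b"ACK")

    def uplink(self, c_rnti, packet):
        """Terminal -> base station: decrypt with the terminal SA, re-encrypt
        with the relay/base-station SA. The plaintext exists at the relay here."""
        seq, data = unseal(self.terminal_keys[c_rnti]["UP"], b"ul", packet)
        return seal(self.relay_bs_key, b"ul", seq, data)

    def downlink(self, c_rnti, packet):
        """Base station -> terminal: the same translation in the other direction."""
        seq, data = unseal(self.relay_bs_key, b"dl", packet)
        return seal(self.terminal_keys[c_rnti]["UP"], b"dl", seq, data)

if __name__ == "__main__":
    k_enb, relay_bs = bytes(range(32)), bytes(range(32, 64))   # constructed keys
    relay = Relay(relay_bs)
    rnti = relay.allocate_c_rnti()
    relay.install_base_station_key(rnti, seal(relay_bs, b"key", 0, k_enb))
    up = derive_sa_keys(k_enb, rnti)["UP"]                     # terminal side
    hop2 = relay.uplink(rnti, seal(up, b"ul", 1, b"constructed user data"))
    print(unseal(relay_bs, b"ul", hop2))
```

The terminal and the relay arrive at the same RRC and UP keys without those keys ever crossing the relay link, but every user-plane message is in the clear inside the relay, so the relay sits inside the trust boundary of the terminal's traffic.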
Referring to FIG. 4, the third embodiment of the present invention is a method for establishing a security association between a terminal and the network side. In this embodiment the terminal has already performed initial access to the network and is moving from the idle state to the active state (idle to active). The method includes:
Step 401: The terminal sends an access request message to the network side through the relay station. The message includes the TMSI and the shared root key identifier (Key Set Identifier Access System Management Entity, KSIasme). Because the terminal has already accessed the network, the network-side devices already know the terminal capability, so the access request message need not include the terminal capability unless it has changed.
For steps 402 to 414, refer to the description of steps 302 to 314 in the second embodiment.
Step 415: The mobility management entity derives the base station key from the shared root key.
Step 416: The mobility management entity sends the base station key to the base station.
Step 417: The base station sends a security mode command to the relay station; the command contains the security algorithm and an integrity check code.
Step 418: The relay station sends the received security algorithm and integrity check code to the terminal.
Step 419: After receiving the security algorithm and the integrity check code from the relay station, the terminal verifies the integrity of the message forwarded by the relay station. If verification succeeds, the terminal sends a verification confirmation message to the relay station.
Step 420: The relay station forwards the verification confirmation message to the base station.
Step 421: After receiving the verification confirmation message, the base station performs a security check; security algorithm and key negotiation between the terminal and the base station is then complete.
Step 422: The base station sends a confirmation message to the mobility management entity, informing it that the security association has been established.
In the solution provided by steps 401 to 422 of this embodiment, the relay station does not hold the security association between the terminal and the base station; it only transparently relays messages between the terminal and the base station. This embodiment may further include the following steps, which let the relay station obtain the security association between the terminal and the base station:
Step 423: The base station sends the relay station the security association keys that the base station itself generated, such as the RRC key and the UP key, and the security algorithms, such as the RRC algorithm and the UP algorithm. Messages sent between the relay station and the base station can be protected by the security association between the relay station and the base station.
Step 424: After receiving the keys and algorithms from the base station, the relay station verifies them using the security association established between the relay station and the base station and returns confirmation information to the base station.
In this embodiment, if the relay station has the function of generating the C-RNTI, then in step 423 the base station may send the relay station the base station key and the security algorithms, such as the RRC algorithm and the UP algorithm; messages sent between the relay station and the base station can be protected by the security association between the relay station and the base station. In step 424, after receiving the base station key and the algorithms from the base station, the relay station derives the security association keys, such as the RRC key and the UP key, from the base station key and the C-RNTI; messages sent between the relay station and the base station can be protected by the security association between the relay station and the base station. In this case the security association that the relay station holds with the terminal differs from the security association between the base station and the relay station. When the relay station receives a message from the terminal, it must first decrypt it using the security association between the relay station and the terminal, then re-encrypt it using the security association between the relay station and the base station, and then forward it. Likewise, when the relay station receives a message from the base station, it first decrypts it using the security association between the relay station and the base station, then encrypts it using the security association between the relay station and the terminal, and then sends it to the terminal.
In steps 423 and 424 the relay station passively receives a message from the base station and thereby obtains the access-stratum security association information between the terminal and the network side. In this method the relay station may also actively request the relevant security association from the base station, so steps 423 and 424 may instead be steps 423' and 424', as follows:
Step 423': The relay station sends a terminal security association request to the base station, asking the base station to send the security association keys already established between the terminal and the base station. Messages sent between the relay station and the base station can be protected by the security association between the relay station and the base station.
Step 424': The base station sends a request response message to the relay station. The message contains the security algorithms, such as the RRC algorithm and the UP algorithm, and the security association keys generated by the base station, such as the RRC key and the UP key. If the relay station can generate the C-RNTI, the base station need not send the security association keys directly and may instead include the security algorithms and the base station key in the response message. The relay station derives the security association keys, such as the RRC key and the UP key, from the base station key and the C-RNTI, and thereby obtains the security association with the terminal.
The fourth embodiment of the present invention, shown in FIG. 5, is a method for establishing a security association between a terminal and a base station. The technical solution of this embodiment shortens the time the whole system needs to establish security associations. This embodiment includes steps 501 to 522, which are essentially the same as steps 301 to 322 of the second embodiment. The differences are that in step 517, when the base station sends the security algorithm and the integrity check code to the relay station, it also sends the relay station the security association keys that the base station itself generated, such as the RRC key and the UP key; and in step 520, when the relay station forwards the terminal's confirmation command, it also sends a confirmation message stating that the relay station has received the terminal security association.
If the relay station has the function of generating the C-RNTI, then in step 517, when the base station sends the security algorithm and the integrity check code to the relay station, it also sends the base station key to the relay station, and the relay station can derive the security association keys from the base station key and the C-RNTI; in step 520, when the relay station forwards the terminal's confirmation command, it also sends a confirmation message stating that the relay station has received the terminal security association.
In this embodiment, the security association between the terminal and the relay station is established at the same time as the security association between the terminal and the base station, which saves time in establishing security associations across the whole system.
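The fifth embodiment of the present invention is described below. As shown in FIG. 6, this embodiment comprises steps 601 to 622, which are basically the same as steps 401 to 422 of the third embodiment. The differences are as follows: in step 617, while sending the security mode command, the base station also sends the security association keys it has generated, such as the RRC key and the UP key, to the relay station; in step 620, while forwarding the terminal's confirmation command, the relay station also sends a confirmation message indicating that the relay station has received the terminal's security association information.
If the relay station is able to generate the C-RNTI, then in step 617 the base station, while sending the security mode command, also sends the base station key to the relay station, and the relay station can derive the security association keys from the base station key and the C-RNTI; in step 620, while forwarding the terminal's confirmation command, the relay station also sends a confirmation message indicating that the relay station has received the terminal's security association.
In this embodiment, the security association between the terminal and the relay station is established at the same time as the security association between the terminal and the base station, which saves time in establishing security associations across the whole system.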
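As an added illustration (not code from the patent), the sketch below models the two delivery variants described in steps 424', 517 and 617: the base station either sends the derived RRC and UP keys to the relay station, or sends the base station key so that the relay station derives them itself from that key and the C-RNTI. The key derivation function (HMAC-SHA-256), the algorithm identifiers, the C-RNTI values, the message field names and all function names are assumptions; the patent specifies none of them.

```python
import hashlib
import hmac
import os


def kdf(key: bytes, label: bytes, c_rnti: int, alg_id: int) -> bytes:
    # Assumed KDF: the page names no function, HMAC-SHA-256 stands in here.
    data = label + b"\x00" + c_rnti.to_bytes(2, "big") + bytes([alg_id])
    return hmac.new(key, data, hashlib.sha256).digest()[:16]


def derive_sa_keys(k_bs: bytes, c_rnti: int, algs: dict) -> dict:
    """RRC and UP keys from the base station key, the C-RNTI and the chosen algorithms."""
    return {name: kdf(k_bs, name.encode(), c_rnti, alg) for name, alg in algs.items()}


def base_station_message(k_bs, algs, c_rnti, relay_generates_c_rnti):
    """Base station to relay station message of step 424' / 517 / 617."""
    if relay_generates_c_rnti:
        # Variant 2: send the base station key, the relay derives the keys.
        return {"algs": algs, "k_bs": k_bs}
    # Variant 1: send the already derived security association keys.
    return {"algs": algs, "sa_keys": derive_sa_keys(k_bs, c_rnti, algs)}


def relay_install(msg, c_rnti=None):
    """Relay side: use the keys as sent, or derive them from the base station key."""
    if "sa_keys" in msg:
        return msg["sa_keys"]
    if c_rnti is None:
        raise ValueError("base station key received but the relay holds no C-RNTI")
    return derive_sa_keys(msg["k_bs"], c_rnti, msg["algs"])


def protect(rrc_key: bytes, payload: bytes) -> bytes:
    """Integrity tag over an RRC message (assumed MAC: HMAC-SHA-256)."""
    return hmac.new(rrc_key, payload, hashlib.sha256).digest()


def verify(rrc_key: bytes, payload: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(protect(rrc_key, payload), tag)


def run(relay_generates_c_rnti, relay_c_rnti=0x4A21, terminal_c_rnti=0x4A21):
    """One exchange; returns (message fields, keys match, relay verifies terminal's tag)."""
    k_bs = os.urandom(32)            # constructed base station key
    algs = {"RRC": 2, "UP": 1}       # constructed algorithm identifiers
    payload = b"RRC message (constructed)"
    terminal_keys = derive_sa_keys(k_bs, terminal_c_rnti, algs)
    msg = base_station_message(k_bs, algs, terminal_c_rnti, relay_generates_c_rnti)
    relay_keys = relay_install(msg, relay_c_rnti if relay_generates_c_rnti else None)
    tag = protect(terminal_keys["RRC"], payload)
    return sorted(msg), relay_keys == terminal_keys, verify(relay_keys["RRC"], payload, tag)


if __name__ == "__main__":
    print(run(False))                      # keys delivered by the base station
    print(run(True))                       # keys derived by the relay station
    print(run(True, relay_c_rnti=0x4A22))  # C-RNTI mismatch: no shared keys
```

In the second variant the relay station holds the base station key itself rather than only the two derived keys, which is worth weighing when assessing what a compromised relay station would expose.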
The technical solution provided by the embodiments of the present invention solves the problem of how, once a relay station is introduced into the LTE system, a terminal establishes a security association with the base station via the relay station. It not only allows the terminal to establish a security association with the base station through the relay station but can further establish a security association between the terminal and the relay station, making communication in the whole system more secure, and it also saves time in establishing security associations in an LTE relay system. In addition, the technical solution provided by the embodiments of the present invention inherits the security mechanism of the LTE system: while leaving the existing security mechanism essentially unchanged, it incorporates the forwarding and distributed characteristics of the relay station and, without increasing system complexity, ensures the security of the mobile communication system after relay stations are added.
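The sixth embodiment of the present invention, referring to FIG. 7, concerns a communication network system 700, comprising: a first receiving unit 701, configured to receive an access request message sent by a terminal and forwarded by a relay station; a key obtaining unit 702, configured to obtain a shared root key after authenticating the terminal according to the access request message received by the first receiving unit 701; a selecting unit 703, configured to select a security algorithm, the security algorithm being one supported by both the terminal and the base station; a deriving unit 704, configured to derive a base station key from the shared root key obtained by the key obtaining unit 702; and a first sending unit 705, configured to send a security mode command to the terminal through the relay station, the security mode command containing the security algorithm selected by the selecting unit 703.
Further, the first receiving unit 701 is also configured to receive the verification confirmation message sent by the terminal through the relay station.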
In the solutions provided by the above embodiments, the relay station holds no security association between the terminal and the base station and no information about the terminal; it merely forwards messages between the terminal and the base station transparently. Preferably, the communication network system further comprises a second sending unit and a second receiving unit, and the deriving unit is further configured to generate the network-side security association key;
the second sending unit is configured to send the security algorithm and the network-side security association key to the relay station after the first receiving unit has received the verification confirmation message sent by the terminal;
the second receiving unit is configured to receive a confirmation message sent by the relay station, the confirmation message being sent by the relay station to the network side after it has obtained, according to the security algorithm and the security association key, the security association key shared with the terminal.
In this way, the relay station in this embodiment can obtain the security association between the terminal and the base station and so establish a security association between the terminal and the relay station, making communication between the terminal and the relay station more secure.
If the relay station can generate the C-RNTI, then for establishing the security association between the relay station and the terminal the communication network system may preferably further comprise a third sending unit and a third receiving unit;
the third sending unit is configured to send the security algorithm and the base station key to the relay station after the first receiving unit has received the verification confirmation message sent by the terminal, the relay station being one that generates the C-RNTI;
the third receiving unit is configured to receive a confirmation message sent by the relay station, the confirmation message being sent by the relay station to the network side after it has obtained the security association key shared with the terminal according to the C-RNTI and the received base station key and security algorithm.
Besides passively receiving the relevant security association information sent by the communication network system, the relay station can also actively request that information from the communication network system. Preferably, the communication network system further comprises a fourth sending unit and a fourth receiving unit;
the fourth receiving unit is configured to receive a terminal security association request sent by the relay station, and the deriving unit is further configured to generate the network-side security association key;
the fourth sending unit is configured to send a request response message to the relay station, the message containing the security algorithm and the network-side security association key.
When the relay station can generate the C-RNTI, the communication network system, on receiving the relay station's request, need not send the security association key directly and may send the base station key instead. Preferably, the communication network system further comprises a fifth sending unit and a fifth receiving unit;
the fifth receiving unit is configured to receive the terminal security association request sent by the relay station to the network side;
the fifth sending unit is configured to send a request response message to the relay station, the message containing the security algorithm and the base station key;
the fifth receiving unit is further configured to receive the confirmation message that the relay station sends to the base station after obtaining the terminal's security association key according to the C-RNTI and the received base station key and security algorithm.
The communication network system provided by the embodiments of the present invention allows a terminal in an evolved LTE system to establish a security association with the network side through a relay station, and can further establish a security association between the terminal and the relay station, making communication more secure. In addition, the technical solution provided by the embodiments of the present invention inherits the security mechanism of the LTE system and, while leaving the existing security mechanism essentially unchanged and without increasing system complexity, ensures the security of the mobile communication system after relay stations are added.
From the description of the above embodiments, those skilled in the art will clearly understand that the present invention can be implemented in hardware, or in software together with a necessary general-purpose hardware platform. On that understanding, the technical solution of the present invention can be embodied in the form of a software product, which can be stored on a non-volatile storage medium (such as a CD-ROM, a USB flash drive or a removable hard disk) and which includes a number of instructions that cause a computer device (such as a personal computer, a server or a network device) to execute the methods described in the embodiments of the present invention.
In summary, the above are merely preferred embodiments of the present invention and are not intended to limit its scope of protection. Any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.

| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN200980102466.XA, CN101926151B (en) | 2008-01-30 | 2009-01-22 | Method and communication network system for establishing security conjunction |

| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN200810065263.5 | 2008-01-30 | | |
| CN2008100652635A, CN101500229B (en) | 2008-01-30 | 2008-01-30 | Method for establishing security association and communication network system |
| CN200980102466.XA, CN101926151B (en) | 2008-01-30 | 2009-01-22 | Method and communication network system for establishing security conjunction |
| PCT/CN2009/070273, WO2009094942A1 (en) | 2008-01-30 | 2009-01-22 | Method and communication network system for establishing security conjunction |

| Publication Number | Publication Date |
|---|---|
| CN101926151A (en) | 2010-12-22 |
| CN101926151B (en) | 2013-01-02 |

| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN2008100652635A, CN101500229B (en), Expired - Fee Related | 2008-01-30 | 2008-01-30 | Method for establishing security association and communication network system |
| CN200980102466.XA, CN101926151B (en), Expired - Fee Related | 2008-01-30 | 2009-01-22 | Method and communication network system for establishing security conjunction |
| Country | Link |
|---|---|
| CN (2) | CN101500229B (en) |
| WO (1) | WO2009094942A1 (en) |
| Publication number | Publication date |
|---|---|
| CN101926151A (en) | 2010-12-22 |
| CN101500229A (en) | 2009-08-05 |
| CN101500229B (en) | 2012-05-23 |
| WO2009094942A1 (en) | 2009-08-06 |
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| CF01 | Termination of patent right due to non-payment of annual fee | ||
| CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date:20130102 |