CN101355809B - Method and system for negotiating and initiating safety context - Google Patents


Info

Publication number
CN101355809B
Authority
CN
China
Prior art keywords
safe context
sgsn
key identifier
context
key
Prior art date
Legal status
Active
Application number
CN200810160865.9A
Other languages
Chinese (zh)
Other versions
CN101355809A (en
Inventor
张旭武
卢飞
甘露
Current Assignee
ZTE Corp
Original Assignee
ZTE Corp
Priority date
Filing date
Publication date
Application filed by ZTE Corp
Priority to CN200810160865.9A
Publication of CN101355809A
Application granted
Publication of CN101355809B
Legal status: Active (current)
Anticipated expiration


Abstract

The present invention discloses a method for negotiating and initiating a security context when user equipment moves from an evolved universal terrestrial radio access network (EUTRAN) to a universal terrestrial radio access network (UTRAN) or a GSM/EDGE radio access network (GERAN). The user equipment sends a routing area update request message or an attach request message to a serving GPRS support node (SGSN); the message carries a security context type indicator and a key identifier, and the security context type indicator indicates whether the security context selected by the user equipment is a mapped security context or a cached security context. By this method the user equipment and the network side negotiate the security context so that the security contexts on the two sides are the same.

Description

Method and system for negotiating and initiating a security context
Technical field
The present invention relates to the field of mobile communications, and in particular to a method and system for negotiating and initiating a security context when user equipment (UE) moves between different radio access systems.
Background technology
The 3GPP Long Term Evolution (LTE) system consists of the Evolved UMTS Terrestrial Radio Access Network (EUTRAN) and the core network of the Evolved Packet System (EPS), the Evolved Packet Core (EPC).
The EPC includes the Mobility Management Entity (MME), which is responsible for control-plane work such as mobility management, Non-Access Stratum (NAS) signaling and management of the user security context. The MME stores the EUTRAN root key K_ASME (Key for the Access Security Management Entity) and derives from K_ASME and the uplink NAS SQN (Non-Access Stratum sequence number) the access-stratum root key K_eNB used by the eNB (evolved Node B). The Key Set Identifier for the Access Security Management Entity, KSI_ASME, is the status identifier (or key sequence number) of K_ASME; it is 3 bits long and is used between the network and the user equipment (UE) to identify and retrieve the key. When the UE connects to the network it can use KSI_ASME to tell the other side to use a previously stored key and thus establish the security context, avoiding an Authentication and Key Agreement (AKA) run on every connection and saving network resources. When the key has to be deleted because its lifetime has expired or for other reasons, the UE sets KSI_ASME to "111".
In EUTRAN the base station equipment is the evolved Node B (eNB), which is mainly responsible for radio communication, radio communication management and mobility context management.
In the 3GPP UMTS system the equipment responsible for packet-domain mobility context management and/or user security context management is the Serving GPRS Support Node (SGSN). The SGSN is also responsible for authentication and security management of the UMTS radio access network (UTRAN, Universal Terrestrial Radio Access Network) and stores the integrity key IK and the ciphering key CK. The key identifier (or key sequence number) of CK/IK is the Key Set Identifier (KSI); its role and usage are similar to those of KSI_ASME in EPS, namely identification and retrieval of the key between the UE and the network, and its length is also 3 bits. A KSI of "111" means there is no usable key and the KSI is invalid. When the UE connects to the SGSN to negotiate and establish a UMTS secure connection and has a usable key stored, it sends the stored KSI to the SGSN; the SGSN checks whether the KSI it has stored is the same as the one stored by the UE and, if so, uses the stored key set to establish the security context and sends the KSI back to the UE to confirm which key is in use. If the UE has no usable key stored, it sets KSI to "111" and sends it to the SGSN; after the SGSN finds that KSI is "111", it sends an authentication request message to the HLR/HSS, and the UE and the network run AKA again to produce a new key set.
In the GPRS/EDGE system the equipment responsible for packet-domain mobility context management and/or user security context management is also the SGSN. The SGSN is responsible for authentication and security management of the GPRS/EDGE radio access network (GERAN) and holds a GERAN ciphering key Kc; the key identifier of Kc is the Ciphering Key Sequence Number (CKSN), whose role and usage are the same as those of KSI.
When the UE moves from EUTRAN to a target network such as UTRAN/GERAN, the MME uses K_ASME to generate the keys CK and IK for the target network and sends them to the SGSN (if the target network is GERAN, the SGSN further maps IK and CK to Kc). The UE and the SGSN may therefore hold two key sets: the key set the two sides negotiated before the move, called the cached key, and the key set mapped from K_ASME, called the mapped key. To save resources, current systems require that when the UE moves in idle mode (routing area update etc.) to UTRAN/GERAN, the UE and the target network use the cached key to establish the security context (the cached security context) if both have one, and otherwise use the mapped key to establish the corresponding security context (the mapped security context). A security context here includes the key, the key identifier and so on.
The UE and the network enable the corresponding key by means of the key identifier. Whether in EUTRAN or in UTRAN/GERAN, the value of the key identifier is assigned to the UE by the network during AKA. The prior-art scheme provides no mechanism for negotiating whether a mapped key needs to be generated, so every time the UE moves in idle mode from EUTRAN to the UTRAN/GERAN network, the MME sends KSI_ASME to the SGSN together with IK and CK (the mapped key), and the SGSN assigns the value of KSI_ASME to KSI or CKSN, that is, KSI (CKSN) = KSI_ASME. Because the key identifier is only three bits long, and the identifiers of the mapped key and of the cached key are assigned in different network elements, the mapped key may end up with the same identifier as the cached key. This duplicate identifier means that after the UE and the network negotiate and enable a security context, the two sides may use the same key identifier but different keys, which interrupts communication.
Therefore, to avoid inconsistent keys between the UE and the network after a move, it must be guaranteed that the SGSN never holds two key sets with identical key identifiers.
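The failure mode described above can be reproduced with a small model. The following is an added example, not code from the patent or from ZTE: it models the SGSN key store of the prior-art scheme as a table keyed only by the 3-bit KSI/CKSN, installs a cached key and then a mapped key whose KSI equals KSI_ASME, and checks a UE request integrity-protected with the cached key. The HMAC tag stands in for the UMTS integrity algorithm, and every key and identifier value is a constructed sample.

```python
"""Model of the prior-art key-identifier collision (added example, not the
patent's code). A mapped key arriving with KSI = KSI_ASME can overwrite a
cached key that already sits under the same 3-bit identifier."""
import hashlib
import hmac
import os

KSI_INVALID = 0b111  # "111": no usable key


def mac(key: bytes, message: bytes) -> bytes:
    """Toy integrity tag standing in for the UMTS integrity algorithm."""
    return hmac.new(key, message, hashlib.sha256).digest()[:4]


class KeyStore:
    """SGSN key store keyed only by the 3-bit identifier, as in the prior art."""

    def __init__(self):
        self.keys = {}  # ksi -> (label, key bytes)

    def install(self, ksi: int, label: str, key: bytes) -> bool:
        """Store a key set; returns True if a different key already used this KSI."""
        collided = ksi in self.keys and self.keys[ksi][1] != key
        self.keys[ksi] = (label, key)  # a second set under the same KSI overwrites
        return collided

    def lookup(self, ksi: int):
        return self.keys.get(ksi)


def prior_art_transfer(cached_ksi: int, cached_key: bytes,
                       ksi_asme: int, mapped_key: bytes):
    """Simulate one idle move EUTRAN -> UTRAN/GERAN under the prior art.

    The SGSN holds the cached key under cached_ksi and then installs the
    mapped key received from the MME under KSI = KSI_ASME. The UE, which has
    a cached key, protects its routing area update request with it.
    Returns (collided, integrity_ok)."""
    sgsn = KeyStore()
    sgsn.install(cached_ksi, "cached", cached_key)
    collided = sgsn.install(ksi_asme, "mapped", mapped_key)
    # UE side: request cites the cached KSI and carries a tag under the cached key.
    rau = b"ROUTING AREA UPDATE REQUEST ksi=%d" % cached_ksi
    tag = mac(cached_key, rau)
    # SGSN side: retrieve whatever key sits under that KSI and verify the tag.
    _, sgsn_key = sgsn.lookup(cached_ksi)
    integrity_ok = hmac.compare_digest(tag, mac(sgsn_key, rau))
    return collided, integrity_ok


if __name__ == "__main__":
    ck, mk = os.urandom(16), os.urandom(16)   # constructed sample keys
    print(prior_art_transfer(2, ck, 5, mk))    # distinct KSIs: (False, True)
    print(prior_art_transfer(2, ck, 2, mk))    # KSI_ASME == cached KSI: (True, False)
```

With seven usable identifier values, the two independently assigned KSIs coincide often enough that the second call's outcome is the ordinary case rather than an edge case; once the mapped key has replaced the cached one, the SGSN rejects the UE's integrity-protected request even though both sides believe they agreed on key set 2.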
Summary of the invention
The technical problem solved by the present invention is to provide a method for negotiating and initiating a security context when the UE moves in idle mode between different systems, guaranteeing that the security contexts used by the UE and the network are consistent.
To solve the above technical problem, the invention provides a method for negotiating and initiating a security context, in which user equipment moves from the evolved universal terrestrial radio access network (EUTRAN) to the universal terrestrial radio access network (UTRAN) or the GSM/EDGE radio access network (GERAN), comprising:
The user equipment (UE) sends a routing area update request message or an attach request message to the serving GPRS support node (SGSN); the message carries a security context type indicator and a key identifier, and the security context type indicator indicates whether the security context selected by the user equipment is the mapped security context or the cached security context.
Further, the method may also have the following feature: when the security context type indicator indicates that the user equipment has selected the cached security context, the key identifier carried in the message is the key identifier of the cached key; when it indicates that the user equipment has selected the mapped security context, the key identifier carried in the message is the key identifier of the mapped key, or is set to empty.
Further, the method may also have the following feature: before sending the routing area update request message or the attach request message, the user equipment (UE) sets the security context type indicator and the key identifier field in the request message as follows:
The UE checks whether a usable cached key exists:
If a usable cached key exists, the UE does not generate the mapped security parameters, sets the value of the security context type indicator to indicate that the user equipment has selected the cached security context, puts the key identifier of the cached key into the key identifier field, and integrity-protects the routing area update request or attach request with the cached security context;
If no usable cached key exists, the UE sets the value of the security context type indicator to indicate that the user equipment has selected the mapped security context, puts the key identifier of the mapped key forwarded from EUTRAN into the key identifier field, or sets the key identifier field directly to "empty"; the routing area update request or attach request message is not integrity-protected.
Further, the method may also have the following feature: after the SGSN receives the routing area update request or attach request message, it checks the security context type indicator in the message; if the indicator indicates that the user equipment has selected the cached security context, the SGSN verifies the integrity of the routing area update or attach request message with the cached security context.
Further, the method may also have the following feature: if the security context indicated by the security context type indicator is the cached security context, the SGSN also performs the following steps:
The SGSN compares the key identifier in the routing area update request or attach request message with the key identifier in its own cached security context; if they differ, it notifies the UE that the security context negotiation failed and Authentication and Key Agreement (AKA) is run again; if they match, the SGSN notifies the source mobility management entity (MME) not to generate or forward the mapped security parameters, or directly deletes the mapped security parameters sent by the source MME.
Further, the method may also have the following feature: the SGSN notifies the source MME not to generate or forward the mapped security parameters by means of a specific flag bit in the context request or identification request message.
Further, the method may also have the following feature: when the SGSN finds that the key identifier in the routing area update request or attach request message matches the key identifier in its own cached security context, the SGSN decides to enable the cached security context, puts the type and the key identifier of the enabled security context into the security context type indicator field and the key identifier field respectively, and sends them back to the UE in an SGSN response message; the UE checks whether they are correct. The SGSN response message is integrity-protected with the cached security context.
Further, the method may also have the following feature: if the security context indicated by the security context type indicator is the mapped security context, the SGSN enables the mapped security context sent by the source MME, puts the type and the key identifier of the enabled security context into the security context type indicator field and the key identifier field respectively, and sends them to the UE in an SGSN response message; the UE checks whether they are correct. This SGSN response message is integrity-protected with the mapped security context.
Further, the method may also have the following feature: the SGSN response message is a routing area update accept or attach accept message, or another message that carries a security mode command.
Further, the method may also have the following feature: after the UE receives the SGSN response message, it checks whether the key identifier and the security context type indicator are correct; if so, it sends a routing area update complete or attach complete; otherwise the UE reports that the security context negotiation failed and AKA is run again.
The present invention also proposes a system for negotiating and initiating a security context, comprising user equipment (UE) and a serving GPRS support node (SGSN), wherein:
The user equipment further comprises:
a key identifier and indicator filling module, used to notify the target SGSN which security context the UE expects to use;
a context consistency checking module, used to check whether the security context enabled by the SGSN is consistent with that of the UE;
The SGSN comprises:
a security context selection decision module, used to decide, according to the security context the UE expects to use as sent by the user equipment, whether to enable the cached security context or the mapped security context;
a selected security context enabling module, used to enable the security context decided by the security context selection decision module and to send information about the enabled security context to the user equipment.
Further, the system may also have the following feature: the key identifier and indicator filling module is also used to fill the security context type indicator and key identifier fields of the routing area update request message or attach request message and to send the message to the serving GPRS support node (SGSN), the security context type indicator indicating whether the security context selected by the user equipment is the mapped security context or the cached security context;
the context consistency checking module is also used to receive the routing area update accept or attach accept message sent by the SGSN and to check whether the security context type and key identifier carried in the message are consistent with the security context type and key identifier selected by the UE;
the security context selection decision module is also used to receive the routing area update request message or attach request message sent by the user equipment and to decide, according to the security context type indicator carried in the message, whether to select the cached security context or the mapped security context;
the selected security context enabling module is also used to enable the security context selected by the security context selection decision module and to put the type of the enabled security context and its corresponding key identifier into the routing area update accept or attach accept message sent to the user equipment.
Further, the system may also have the following feature: the key identifier and indicator filling module checks whether a usable cached key exists; if so, it sets the value of the security context type indicator to indicate that the user equipment selects the cached security context, puts the key identifier of the cached key into the key identifier field and integrity-protects the routing area update request or attach request with the cached security context; if not, it sets the value of the security context type indicator to indicate that the user equipment selects the mapped security context and puts the key identifier of the mapped key into the key identifier field, or sets the key identifier field directly to "empty".
Further, the system may also have the following feature: when the security context selection decision module finds that the security context type indicator indicates the cached security context and the key identifier is consistent with the key identifier in its own cached security context, it decides to select the cached security context; when it finds that the security context type indicator indicates the mapped security context, it decides to select the mapped security context.
Further, the system may also have the following feature: the system also comprises a mobility management entity (MME), which further comprises a special flag bit checking module, used to check the special flag bit and decide whether the MME needs to generate and forward the mapped security parameters;
the SGSN also comprises a special flag bit setting module, used to set the special flag bit and thereby notify the MME whether it needs to generate and forward the mapped security parameters;
when the security context selection decision module decides to select the cached security context, it instructs the special flag bit setting module to set the special flag bit to notify the MME that it does not need to generate or forward the mapped security parameters.
The present invention also proposes a method for negotiating and initiating a security context, in which user equipment moves from the evolved universal terrestrial radio access network (EUTRAN) to the universal terrestrial radio access network (UTRAN) or the GSM/EDGE radio access network (GERAN), comprising:
The user equipment sends a routing area update request message or an attach request message to the serving GPRS support node; the message either carries or does not carry a key identifier;
After the serving GPRS support node (SGSN) receives the routing area update request or attach message, if the message carries a key identifier and the SGSN holds the cached key corresponding to that key identifier, the SGSN decides to enable the cached security context; if the message carries no key identifier, the SGSN decides to enable the mapped security context.
Further, the method may also have the following feature: the user equipment decides whether to carry a key identifier in the update request message or attach request message as follows:
The UE checks whether a usable cached key exists:
If a usable cached key exists, the UE does not generate the mapped security parameters, carries the key identifier of the cached key in the routing area update request message or attach request message, and integrity-protects all or part of the routing area update request or attach request message with the cached security context;
If no usable cached key exists, the UE uses the EUTRAN security parameters to generate the mapped security parameters, carries no key identifier in the routing area update request message, and integrity-protects all or part of the routing area update request or attach request message with the mapped security context.
Further, the method may also have the following feature: after the SGSN receives the routing area update request message or attach request message, if the message carries a key identifier, it also performs the following steps:
It first uses the received key identifier to check whether it holds the same cached key as the UE; if so, the SGSN notifies the source MME not to generate or forward the mapped security parameters, or directly deletes the mapped security parameters received from the source MME; if not, the SGSN notifies the UE that the security context negotiation failed and AKA is run again.
Further, the method may also have the following feature: the SGSN notifies the source MME not to generate or forward the mapped security parameters by means of a specific flag bit in the context request or identification request message.
Further, the method may also have the following feature: the method also comprises:
The SGSN sends the key identifier corresponding to the enabled security context to the UE in a routing area update accept or attach accept message;
After receiving it, the UE checks whether the key identifiers selected by the two sides are consistent; if so, the UE sends a routing area update complete or attach complete to the SGSN; if not, the UE notifies the SGSN that the security context negotiation failed and AKA is run again.
The present invention also proposes a system for negotiating and initiating a security context, comprising user equipment (UE) and a serving GPRS support node, wherein:
The UE further comprises:
a key identifier presence decision module, used to notify the target SGSN which security context the UE expects to use;
a key identifier consistency checking module, used to check whether the security context selected by the SGSN is consistent with that of the UE.
The SGSN further comprises:
a security context enabling decision module, used to decide whether to use the cached security context or the mapped security context;
a selected security context enabling module, used to enable the security context decided by the security context enabling decision module and to send the key identifier corresponding to the enabled security context to the user equipment.
Further, the system may also have the following feature: the key identifier presence decision module is also used to carry or not carry a key identifier in the routing area update request message or attach request message according to whether a cached key exists locally: if a cached key exists, the key identifier of the cached key is carried in the message; if not, no key identifier is carried; and the message is sent to the serving GPRS support node (SGSN);
the key identifier consistency checking module is also used to receive the routing area update accept or attach accept message sent by the SGSN and to check whether the key identifier carried in the message is consistent with the key identifier selected by the UE;
the security context enabling decision module is also used to receive the routing area update request message or attach request message sent by the user equipment and to decide, according to whether the message carries a key identifier, whether to select the cached security context or the mapped security context;
the selected security context enabling module is also used to enable the security context selected by the security context enabling decision module and to put the key identifier corresponding to the enabled security context into the routing area update accept or attach accept message sent to the user equipment.
Further, the system may also have the following feature: the system also comprises an MME, which comprises a module for deciding whether the mapped security parameters need to be provided; it checks the special flag bit in the context request/attach request message sent by the SGSN and thereby decides whether to provide the mapped security parameters;
the SGSN also comprises a special flag bit setting module, used to notify the MME through the context request message/attach request message whether it needs to generate or forward the mapped security parameters;
when the security context enabling decision module decides to select the cached security context, it instructs the special flag bit setting module to notify the MME that it does not need to generate or forward the mapped security parameters.
The method and system for negotiating and selecting a security context proposed by the present invention define a security context type indicator and a key identifier; the UE and the target SGSN negotiate the selection of the security context through the security context type indicator and the key identifier, or through the presence or absence of a key identifier. This guarantees that the UE and the SGSN never hold a mapped security context and a cached security context at the same time, and solves the problem of the UE's security context being out of step with that of the network side when the UE moves from EUTRAN to UTRAN/GERAN.
Description of drawings
The accompanying drawings described here are provided for a further understanding of the present invention and form part of this application; the illustrative embodiments of the present invention and their description serve to explain the present invention and do not unduly limit it. In the drawings:
Fig. 1 is a schematic diagram of the security context type indicator and the corresponding key identifier field in the first embodiment of the invention.
Fig. 2 is a flow chart of the method for negotiating and initiating a security context when the UE moves from EUTRAN in idle mode to UTRAN/GERAN in the first embodiment of the invention.
Fig. 3 is a signaling flow diagram of negotiating and initiating a security context when the UE performs a routing area update from EUTRAN to UTRAN/GERAN in the first embodiment of the invention.
Fig. 4 is a signaling flow diagram of negotiating and initiating a security context when the UE attaches to UTRAN/GERAN from EUTRAN in the first embodiment of the invention.
Fig. 5 is a schematic diagram of the structure of the system for negotiating and initiating a security context when the UE moves from EUTRAN in idle mode to UTRAN/GERAN in the first embodiment of the invention.
Fig. 6 is a schematic diagram of another system structure for the negotiated selection of a ciphering key in the first embodiment of the invention.
Fig. 7 is a flow chart of the method for negotiating and initiating a security context when the UE moves from EUTRAN in idle mode to UTRAN/GERAN in the second embodiment of the invention.
Fig. 8 is a signaling flow diagram of negotiating and initiating a security context when the UE moves from EUTRAN in idle mode to UTRAN/GERAN in the second embodiment of the invention.
Fig. 9 is a schematic diagram of the system structure for the method of negotiating and initiating a security context when the UE moves from EUTRAN in idle mode to UTRAN/GERAN in the second embodiment of the invention.
Fig. 10 is a schematic diagram of another system structure for the method of negotiating and initiating a security context in the second embodiment of the invention.
Embodiment
Below with reference to the accompanying drawings and in conjunction with the embodiments, describe the present invention in detail.
The main thought of negotiation safe context method of the present invention is, when subscriber equipment sends the Routing Area Update request message or adheres to message, context type designator safe to carry and key identifier in message, the safe context type that equipment for indicating user is selected, after SGSN receives, judge the safe context type that subscriber equipment is selected according to designator, select safe context.
Fig. 1 illustrates safe context type indicator (Security Context Type Indicator, referred to as designator) and the corresponding relation figure of key identifier, what wherein indicator field was used for the selection of expression subscriber equipment is buffer memory context or mapping context, be that the key identifier field belongs to buffer memory key identifier or mapping key identifier, in the present invention in order to express easily, indicator field is defined as 1 bit, what represent the subscriber equipment selection during for " 1 " is the buffer memory context, represents the mapping context that subscriber equipment is selected during for " 0 ".Also can indicator field be defined as several bits according to the needs of system, represent respectively buffer memory context and mapping context with other different values, the present invention is not construed as limiting this.The key identifier part is according to the value of safe context type indicator, take up the key identifier (designator is " 0 ") of mapping key or the key identifier (designator is " 1 ") of buffer memory key, when when designator is " 0 ", representing the mapping safe context, also can according to requirement of system design, the key identifier field be set to " sky ".
Above-mentioned relation figure represents the in logic bundle relation of key identifier and safe context type indicator, do not represent that designator and key identifier field are must be continuous or adjacent fields, can be defined in positions different in the signaling message with safe context type indicator and key identifier according to requirement of system design.
Fig. 2 shows the method flow for negotiating and enabling a security context when a UE in the EUTRAN idle state moves to UTRAN or GERAN. It comprises the following steps:
Step S201, the UE decides on idle mobility (Idle mobility) to UTRAN or GERAN;
Before sending the Routing Area Update Request or Attach Request message, the UE first fills the security context type indicator and the corresponding key identifier field in the request message. The specific method comprises steps S202 to S204:
Step S202, the UE checks whether an available cached key exists; if so, go to step S203, otherwise go to step S204;
Step S203, if an available cached key exists, the security context type indicator field is set to "1", the key identifier of the cached key is put into the key identifier field, and the Routing Area Update Request or Attach Request is integrity protected with the cached security context; at the same time the UE does not generate a mapped key or its key identifier. Go to step S205;
Step S204, if no available cached key exists, the UE uses the EUTRAN security parameters to generate the mapped security parameters, which comprise the mapped key and its key identifier. The security context type indicator is set to "0", and either the key identifier of the mapped key forwarded from EUTRAN is put into the key identifier field, or the key identifier field is set to empty;
Step S205, the UE sends the security context type indicator and the key identifier to the target SGSN in the Routing Area Update Request/Attach Request message.
Before sending the SGSN response message (such as the Routing Area Update Accept/Attach Accept message) to the UE, the target SGSN first determines which set of keys to enable. The specific steps comprise steps S206 to S209:
Step S206, after the SGSN receives the Routing Area Update Request/Attach Request message, it checks the value of the security context type indicator in the message; if the security context type indicator is "1", go to step S207; if it is "0", go to step S209;
Step S207, if the indicator is "1", the SGSN verifies the integrity of the Routing Area Update Request or Attach Request message with the cached security context, and further compares whether the key identifier in the received request message is consistent with its own cached key identifier; if inconsistent, go to step S213, notify the UE that the routing area update/attach is unsuccessful and re-run AKA; if consistent, go to step S208;
Step S208, if consistent, the SGSN and the UE hold the same cached key; the SGSN deletes the mapped security parameters (comprising the mapped key and its key identifier, etc.) sent over by the source MME, or notifies the source MME by means of a specific flag bit in the Context Request/Identification Request message not to generate or transmit the mapped security parameters; it decides to enable the cached security context and goes to step S210;
Step S209, if the security context type indicator is "0", the SGSN decides to enable the mapped security context, enabling and saving the mapped security parameters sent by the source MME, which comprise the mapped key and its key identifier, etc.;
Step S210, the SGSN sends the type of the selected security context and the corresponding key identifier back to the UE in the Routing Area Update Accept/Attach Accept message, or in another signaling message of the security mode command kind. The type of the selected security context is put into the security context type indicator and the corresponding key identifier into the key identifier field, and the message is integrity protected under the selected security context;
Step S211, the UE checks and confirms whether the security context selected by both sides is consistent, that is, whether the key identifier and the security context type indicator are consistent with its own; if consistent, go to step S212; if inconsistent, go to step S213;
Step S212, the UE sends Routing Area Update Complete/Attach Complete.
Step S213, the peer is notified that the routing area update/attach is unsuccessful, and AKA is run again.
Alternatively, if the cached security context is enabled, the key identifier and the security context type indicator need not be sent back to the UE, depending on system design requirements; the UE then need not re-check the security context type indicator and the key identifier.
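The Fig. 1 encoding and the Fig. 2 flow above, modelled end to end as an added example (this is not the patent's own code and not a ZTE implementation). It assumes an HMAC over the message fields as a stand-in for the integrity protection the page leaves unspecified, and it constructs the cached key, the key identifier (KSI) values and the mapped-key derivation from the EUTRAN key; the real derivation and KSI assignment are not given on the page. The SGSN side uses the "delete the mapped parameters from the source MME" option of step S208.

```python
# Added example (not the patent's code): a toy model of the Fig. 1 field encoding
# and the Fig. 2 negotiation between the UE and the target SGSN.
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple

CACHED, MAPPED = 1, 0          # 1-bit security context type indicator (Fig. 1)
NEGOTIATION_FAILED = "FAIL"    # outcome of step S213: notify peer, re-run AKA


def integrity_tag(key: bytes, payload: bytes) -> str:
    """Stand-in for integrity protection under a security context (assumed HMAC)."""
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def derive_mapped_context(eutran_key: bytes) -> Tuple[int, bytes]:
    """Constructed mapped context: KSI 0 and a key derived from the EUTRAN key.
    The real derivation and KSI assignment are not specified on the page."""
    return 0, hashlib.sha256(b"mapped|" + eutran_key).digest()


@dataclass
class Message:
    kind: str                  # "RAU_REQUEST" or "RAU_ACCEPT"
    indicator: int             # security context type indicator
    ksi: Optional[int]         # key identifier field; None models "empty"
    mac: Optional[str] = None  # None: message not integrity protected

    def payload(self) -> bytes:
        return f"{self.kind}|{self.indicator}|{self.ksi}".encode()


def ue_build_request(ue_cached: Optional[Tuple[int, bytes]], eutran_key: bytes):
    """Steps S202-S205: fill the indicator and key identifier fields."""
    if ue_cached is not None:                            # S203
        ksi, key = ue_cached
        req = Message("RAU_REQUEST", CACHED, ksi)
        req.mac = integrity_tag(key, req.payload())      # protected under cached ctx
        return req, (CACHED, ksi, key)                   # no mapped key is derived
    ksi, key = derive_mapped_context(eutran_key)         # S204, unprotected request
    return Message("RAU_REQUEST", MAPPED, ksi), (MAPPED, ksi, key)


def sgsn_handle_request(req: Message, sgsn_cached, mapped_from_mme):
    """Steps S206-S210. Returns (accept_message, chosen_context) or NEGOTIATION_FAILED.
    mapped_from_mme is the (ksi, key) pair the source MME forwarded, or None."""
    if req.indicator == CACHED:                          # S207
        if sgsn_cached is None:
            return NEGOTIATION_FAILED
        ksi, key = sgsn_cached
        if req.mac is None or not hmac.compare_digest(req.mac, integrity_tag(key, req.payload())):
            return NEGOTIATION_FAILED                    # integrity check failed
        if req.ksi != ksi:
            return NEGOTIATION_FAILED                    # S213: KSI mismatch
        mapped_from_mme = None                           # S208: drop mapped parameters
        chosen = (CACHED, ksi, key)
    else:                                                # S209
        if mapped_from_mme is None:
            return NEGOTIATION_FAILED
        chosen = (MAPPED,) + mapped_from_mme
    acc = Message("RAU_ACCEPT", chosen[0], chosen[1])    # S210
    acc.mac = integrity_tag(chosen[2], acc.payload())
    return acc, chosen


def ue_check_accept(acc: Message, ue_ctx) -> bool:
    """Step S211: the accept must name the UE's own context type and KSI."""
    ctx_type, ksi, key = ue_ctx
    if acc.indicator != ctx_type or acc.ksi != ksi:
        return False
    return hmac.compare_digest(acc.mac, integrity_tag(key, acc.payload()))


def negotiate(ue_cached, sgsn_cached, eutran_key: bytes) -> str:
    """Whole Fig. 2 flow; returns "cached", "mapped" or NEGOTIATION_FAILED."""
    req, ue_ctx = ue_build_request(ue_cached, eutran_key)
    mapped_from_mme = derive_mapped_context(eutran_key)  # what the source MME forwards
    result = sgsn_handle_request(req, sgsn_cached, mapped_from_mme)
    if result == NEGOTIATION_FAILED:
        return NEGOTIATION_FAILED
    acc, chosen = result
    if not ue_check_accept(acc, ue_ctx):                 # S213
        return NEGOTIATION_FAILED
    return "cached" if chosen[0] == CACHED else "mapped"
```

Running `negotiate((3, key), (3, key), eutran_key)` ends in the cached context, `negotiate(None, ...)` in the mapped one, and a KSI or key mismatch between UE and SGSN ends in the failure branch that the page resolves by re-running AKA. The check in step S211 matters because the SGSN's choice is only safe when the message naming it is verified under the very context the UE selected.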
Fig. 3 shows the signaling flow for negotiating and selecting a security context when the UE performs a routing area update from EUTRAN to UTRAN/GERAN, comprising the following:
Step S301, when preparing to send the Routing Area Update Request, the UE fills the key identifier and security context type indicator fields according to whether it holds an available cached key;
Step S302, the UE sends the Routing Area Update Request message to the target SGSN, delivering the key identifier and the security context type indicator to the SGSN;
Step S303, after receiving the Routing Area Update Request message, the target SGSN checks the security context type indicator and the key identifier and determines whether to enable the mapped security context or the cached security context. If it determines to enable the cached security context, the SGSN deletes the mapped security parameters sent by the MME, or uses the special flag bit in the Context Request message to notify the source MME not to generate or transmit the mapped security parameters;
Step S304, the SGSN sends a Context Request to the source MME;
Step S305, the source MME sends a Context Response to the SGSN;
Step S306, the SGSN enables the selected security context, puts the key identifier corresponding to the enabled security context and the security context type indicator into the Routing Area Update Accept message, and integrity protects the Routing Area Update Accept message with the selected security context;
Step S307, the SGSN sends the Routing Area Update Accept message to the UE;
Step S308, the UE checks whether the key identifier and security context type indicator sent by the SGSN are correct, that is, consistent with the key identifier and security context type indicator the user equipment selected;
Step S309, if the key identifier and security context type indicator are correct, the UE sends Routing Area Update Complete; otherwise it notifies the SGSN that the security context negotiation failed and AKA must be run again.
Alternatively, depending on system design requirements, if the SGSN selects to enable the cached context, the security context type indicator and key identifier need not be sent back to the UE in the Routing Area Update Accept message, and the UE need not re-check them.
Fig. 4 shows the signaling flow for negotiating and selecting a security context when the UE attaches from EUTRAN to UTRAN/GERAN, comprising the following:
Step S401, when preparing to send the Attach Request message, the UE fills the key identifier and security context type indicator fields according to whether it holds an available cached key;
Step S402, the UE sends the Attach Request message to the target SGSN, delivering the key identifier and the security context type indicator to the SGSN;
Step S403, after receiving the Attach Request message, the target SGSN checks the security context type indicator and the key identifier and determines whether to use the mapped security context or the cached security context. If the cached security context is used, the SGSN directly deletes the mapped security parameters sent by the MME, or uses the special flag bit in the Identification Request message to notify the source MME not to generate or transmit the mapped security parameters;
Step S404, the SGSN sends an Identification Request to the source MME;
Step S405, the source MME sends an Identification Response to the SGSN;
Step S406, the SGSN enables the selected security context and puts its corresponding key identifier and the security context type indicator into the Attach Accept message;
Step S407, the SGSN sends the Attach Accept message to the UE; the message is integrity protected under the selected security context;
Step S408, the UE checks whether the key identifier and security context type indicator in the Attach Accept message sent by the SGSN are consistent with its own selected key identifier and security context type indicator;
Step S409, if the key identifier is consistent, the UE sends Attach Complete to the SGSN; otherwise it notifies that the security context negotiation failed and AKA must be run again.
Alternatively, depending on system design requirements, if the SGSN selects to enable the cached security context, the security context type indicator and key identifier need not be sent back to the UE in the Attach Accept message, and the UE need not re-check them.
In an embodiment of the present invention, a system for negotiating and selecting a key when a UE moves in idle mode from EUTRAN to UTRAN/GERAN is provided, as shown in Fig. 5, comprising the following units:
The UE comprises:
a key identifier and indicator filling module, used to notify the target SGSN of the security context the UE expects to use;
the key identifier and indicator filling module is further used to fill the security context type indicator and key identifier fields of the Routing Area Update Request message or Attach Request message and to send the message to the Serving GPRS Support Node SGSN, the security context type indicator indicating whether the security context selected by the user equipment is the mapped security context or the cached security context;
a context consistency checking module, used to check whether the security context selected by the SGSN is consistent with the UE's. The context consistency checking module is further used to receive the Routing Area Update Accept or Attach Accept message sent by the SGSN and to check whether the security context type and key identifier carried in the message are consistent with the security context type and key identifier selected by the UE;
The SGSN comprises:
a security context selection determination module, used to determine whether to use the cached security context or the mapped security context; the security context selection determination module is further used to receive the Routing Area Update Request message or Attach Request message sent by the user equipment and to determine, according to the security context type indicator carried in the message, whether to select the cached security context or the mapped security context;
a selected security context enabling module, used to enable the security context determined by the security context selection determination module and to send information about the enabled security context to the user equipment. The selected security context enabling module is further used to enable the security context selected by the security context selection determination module and to put the type of the enabled security context and its corresponding key identifier into the Routing Area Update Accept or Attach Accept message sent to the user equipment.
The present invention also provides another system for negotiating and selecting a key when a UE moves in idle mode from EUTRAN to UTRAN/GERAN, as shown in Fig. 6, comprising the following units:
The UE comprises a key identifier and indicator filling module and a context consistency checking module; the SGSN comprises a security context selection determination module and a selected security context enabling module.
The functions of these units are the same as those of the units shown in Fig. 5.
The system further comprises a mobility management entity MME, which further comprises a special flag bit checking module, used to check the special flag bit and determine whether the MME needs to generate and transmit the mapped security parameters;
The SGSN further comprises a special flag bit setting module, used to set the special flag bit and notify the MME whether it needs to generate and transmit the mapped security parameters;
When the security context selection determination module determines that the cached security context is selected, it instructs the special flag bit setting module to set the special flag bit, notifying the MME that it does not need to generate and transmit the mapped security parameters.
In the method and system for negotiating and selecting a key of the above embodiments, a security context type indicator and a key identifier are defined, and the UE and the target SGSN negotiate and select the security context by means of them. This guarantees that the UE and the SGSN cannot hold a mapped security context and a cached security context at the same time, and solves the problem of the UE's security context being out of synchronization with the network side's when the UE moves from EUTRAN to UTRAN/GERAN.
The present invention also proposes another method of negotiating a security context in which no security context type indicator is used and the security context the user equipment expects to enable is indicated by the key identifier alone: when the Routing Area Update Request message or Attach Request message carries a key identifier, the user equipment is enabling the cached security context; when it carries no key identifier, the user equipment is enabling the mapped security context. The SGSN negotiates the security context with the user equipment on the basis of this information.
Fig. 7 shows the flow for negotiating and enabling a security context when moving from the EUTRAN idle state to UTRAN or GERAN, comprising the following steps:
Step S701, the UE decides to perform a routing area update (RAU, Routing Area Update) or to attach to UTRAN or GERAN;
Before sending the Routing Area Update Request message or Attach Request message, the UE first decides whether the Routing Area Update Request/Attach Request message will carry a key identifier. The specific method comprises steps S702 to S704:
Step S702, the UE checks whether an available cached key exists; if so, go to step S703; if not, go to step S704;
Step S703, if an available cached key exists, the key identifier of the cached key is put into the Routing Area Update Request message/Attach Request message and the message is integrity protected with the cached security context; at the same time the UE does not generate the mapped security parameters (comprising the mapped key and its key identifier, etc.). Go to step S705;
Step S704, if no available cached key exists, the UE uses the EUTRAN security parameters to generate the mapped security parameters and integrity protects the Routing Area Update Request message/Attach Request message with the mapped security context; the Routing Area Update Request message/Attach Request message carries no key identifier;
Step S705, the UE sends the Routing Area Update Request message/Attach Request message to the target SGSN; part or all of the message is integrity protected;
Before sending the Routing Area Update Accept message/Attach Accept message to the UE, the target SGSN first determines which security context to enable. The specific steps comprise steps S706 to S709:
Step S706, after the SGSN receives the Routing Area Update Request message/Attach Request message, it checks whether the message carries a key identifier; if so, go to step S707; if not, go to step S709;
Step S707, if the Routing Area Update Request message/Attach Request message carries a key identifier, the SGSN checks by means of the received key identifier whether it holds the same cached key as the UE; if so, go to step S708; if not, go to step S713;
Step S708, if the SGSN holds the same cached key as the UE, the SGSN deletes the mapped security parameters received from the source MME, which comprise the mapped key and its key identifier, etc.; or the SGSN notifies the source MME by means of a specific flag bit in the Context Request or Identification Request message not to generate or transmit the mapped security parameters. The SGSN determines to enable the cached security context and goes to step S710;
Step S709, if there is no key identifier in the Routing Area Update Request message/Attach Request message, the SGSN determines to enable the mapped security context, enabling and saving the mapped security parameters sent by the source MME.
Step S710, the SGSN sends the key identifier corresponding to the selected security context to the UE in the Routing Area Update Accept message/Attach Accept message;
Step S711, the UE checks whether the key identifiers selected by both sides are consistent; if so, go to step S712; if not, go to step S713;
Step S712, the UE sends Routing Area Update Complete/Attach Complete.
Step S713, the peer is notified that the security context negotiation is unsuccessful.
Fig. 8 shows the signaling flow for negotiating and enabling a security context when the UE moves from the EUTRAN idle state to UTRAN/GERAN, comprising the following:
Step S801, when preparing to send the Routing Area Update/Attach Request, the UE decides whether the Routing Area Update/Attach Request message will carry a key identifier, according to whether it holds an available cached key;
Step S802, the UE sends the Routing Area Update/Attach Request message to the target SGSN; the key identifier portion of the message, or the whole message, is integrity protected;
Step S803, after receiving the Routing Area Update/Attach Request message, the target SGSN determines whether to use the mapped security context or the cached security context. If the cached security context is used, the SGSN directly deletes the mapped security parameters sent over by the source MME (comprising the mapped key and its key identifier, etc.), or notifies the source MME by means of the special flag bit in the Context Request message not to generate or transmit the mapped security parameters;
Step S804, the SGSN sends a Context/Identification Request to the source MME;
Step S805, the source MME sends a Context/Identification Response to the SGSN;
Step S806, the SGSN enables the selected security context and puts its corresponding key identifier into the Routing Area Update/Attach Accept message;
Step S807, the SGSN sends the Routing Area Update/Attach Accept message, which is integrity protected with the selected security context;
Step S808, the UE checks whether the key identifier sent by the SGSN is consistent with its own selection;
Step S809, if the key identifier is consistent, the UE sends Routing Area Update/Attach Complete; otherwise the UE notifies the SGSN that the security context negotiation failed.
In an embodiment of the present invention, a system for negotiating and enabling a security context when a UE moves in idle mode from EUTRAN to UTRAN/GERAN is provided, as shown in Fig. 9, comprising the following units:
The UE comprises:
a key identifier carrying decision module, used to notify the target SGSN of the security context the UE expects to use; the key identifier carrying decision module is further used to carry or not carry a key identifier in the Routing Area Update Request message or Attach Request message according to whether a cached key exists locally: if a cached key exists, the key identifier of the cached key is carried in the message; if no cached key exists, no key identifier is carried; and to send the message to the Serving GPRS Support Node SGSN;
a context consistency checking module, used to check whether the security context selected by the SGSN is consistent with the UE's. The context consistency checking module is further used to receive the Routing Area Update Accept or Attach Accept message sent by the SGSN and to check whether the key identifier carried in the message is consistent with the key identifier selected by the UE.
The SGSN comprises:
a security context determination and enabling module, used to determine whether to use the cached security context or the mapped security context; the security context selection determination module is further used to receive the Routing Area Update Request message or Attach Request message sent by the user equipment and to determine, according to whether the message carries a key identifier, whether to select the cached security context or the mapped security context;
a selected security context enabling module, used to enable the security context determined by the security context determination and enabling module and to send its corresponding key identifier to the user equipment; the selected security context enabling module is further used to enable the security context selected by the security context selection determination module and to put the key identifier corresponding to the enabled security context into the Routing Area Update Accept or Attach Accept message sent to the user equipment.
The present invention also provides a system for negotiating and enabling a security context when a UE moves in idle mode from EUTRAN to UTRAN/GERAN, as shown in Fig. 10, comprising the following units:
The UE comprises:
a key identifier carrying decision module, used to notify the target SGSN of the security context the UE expects to use;
a context consistency checking module, used to check whether the security context selected by the SGSN is consistent with the UE's.
The SGSN comprises:
a security context determination and enabling module, used to determine whether to use the cached security context or the mapped security context;
a selected security context enabling module, used to enable the security context determined by the security context determination and enabling module and to send its corresponding key identifier to the user equipment;
The functions of these units are the same as those of the units described for Fig. 9.
The SGSN further comprises a special flag bit setting module, used to notify the MME, via the Context Request message/Attach Request message, whether it needs to generate or transmit the mapped security parameters.
The MME comprises a mapped security parameter provision decision module, used to check the special flag bit of the Context Request/Attach Request message sent by the SGSN and thereby decide whether to provide the mapped security parameters.
When the security context selection determination module determines that the cached security context is selected, it instructs the special flag bit setting module to notify the MME that it does not need to generate or transmit the mapped security parameters.
In the method and system for negotiating and enabling a security context of the above embodiments, the UE notifies the target SGSN of the security context it expects to use by whether or not the routing area update request message carries a key identifier; the target SGSN decides whether the mapped key and its identifier are needed by examining the key identifier in the Routing Area Update Request message. This guarantees that the UE and the SGSN cannot hold a mapped key and a cached key at the same time, and solves the problem of the UE's security context being out of synchronization with the network side's when the UE moves from EUTRAN to UTRAN/GERAN.
Obviously, those skilled in the art should understand that the modules or steps of the present invention described above may be implemented with general-purpose computing devices; they may be concentrated on a single computing device or distributed over a network formed by a plurality of computing devices; optionally, they may be implemented as program code executable by a computing device, so that they may be stored in a storage device and executed by a computing device; or they may be made into individual integrated circuit modules, or a plurality of the modules or steps may be made into a single integrated circuit module. Thus the present invention is not restricted to any specific combination of hardware and software.
The above are only the preferred embodiments of the present invention and do not limit it; for those skilled in the art, the present invention may have various modifications and variations. Any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.

Claims (23)

1. the method for a negotiating and initiating safety context, subscriber equipment is transferred to universal land radio access web UTRAN or global system for mobile communications enhanced data rates for gsm evolution entity wireless access network GERAN from the land radio access web EUTRAN of evolution, it is characterized in that, comprise:
User equipment (UE) transmission Routing Area Update request message or Attach Request message are to Serving GPRS Support Node SGSN, context type designator safe to carry and key identifier in the message, the safe context that described safe context type indicator equipment for indicating user is selected are mapping safe context or buffer memory safe context.
2. the method for claim 1, it is characterized in that, when described safe context type indicator equipment for indicating user select be the buffer memory safe context time, the key identifier that carries in the described message is the key identifier of buffer memory key, when described safe context type indicator equipment for indicating user is selected to be the mapping safe context, the key identifier that carries in the described message is the key identifier of mapping key, perhaps is set to sky.
3. method as claimed in claim 2 is characterized in that, described user equipment (UE) arranges safe context type indicator and key identifier field in the described request message before sending Routing Area Update request message or Attach Request message, specifically comprises:
UE checks whether there is available buffer memory key:
If there is available buffer memory key, then do not produce the mapping security parameter, what the value of safe context type indicator was set to that equipment for indicating user selects is the buffer memory safe context, and put the key identifier of buffer memory key into the key identifier field, use the buffer memory safe context to the route update request or adhere to request and carry out integrity protection;
If there is not available buffer memory key; what the value of safe context type indicator was set to that equipment for indicating user selects is the mapping safe context; the key identifier of the mapping key that EUTRAN is forwarded is put the key identifier field into; perhaps the key identifier field directly is set to " sky ", Routing Area Update request or Attach Request message are not subject to integrity protection.
4. method as claimed in claim 3 is characterized in that, after described SGSN receives described Routing Area Update request or Attach Request message, checks the safe context type indicator in this message; If the selected safe context of safe context type indicator equipment for indicating user is the buffer memory safe context, then SGSN uses the integrality of buffer memory safe context checking Routing Area Update or Attach Request message.
5. method as claimed in claim 4 is characterized in that, if when the safe context that described safe context type indicator equipment for indicating user is selected was the buffer memory safe context, described SGSN also must carry out following steps:
Whether the described SGSN relatively key identifier in routing update request or the Attach Request message is consistent with the key identifier in self the buffer memory safe context, if inconsistent, notice UE safety context negotiation is unsuccessful, re-starts Authentication and Key Agreement AKA; If consistent, described SGSN notification source mobile management unit MME does not generate or transmits the mapping security parameter, perhaps directly deletes the mapping security parameter that source MME sends.
6. method as claimed in claim 5 is characterized in that, described SGSN is by context request or differentiate that specific flag bit notification source MME does not generate or transmit the mapping security parameter in the request message.
7. method as claimed in claim 5; it is characterized in that; described SGSN is when relatively the key identifier in routing update request or the Attach Request message is consistent with the key identifier in self the buffer memory safe context; described SGSN determines to enable the buffer memory safe context; type and the key identifier of the safe context enabled are put into respectively safe context type indicator and key identifier field; beam back UE by the SGSN response message; UE checks whether it is correct, and described SGSN response message is among the integrity protection of buffer memory safe context.
8. method as claimed in claim 4 is characterized in that, if the safe context that described safe context type indicator equipment for indicating user is selected is the mapping safe context, described SGSN enables the mapping safe context that is sent by source MME; Type and the key identification of the safe context enabled are put into respectively safe context type indicator and key identifier field; send to UE by the SGSN response message; UE checks whether it is correct, and this SGSN response message is among the integrity protection of mapping safe context.
9. such as claim 7 or 8 described methods, it is characterized in that described SGSN response message is Routing Area Update acceptance or adheres to and accept message that perhaps other are with the message of safe mode command.
10. such as claim 7 or 8 described methods, it is characterized in that after described UE receives described SGSN response message, check whether key identifier and safe context type indicator be correct, if correct, then UE sends out Routing Area Update or adheres to and finish to SGSN; Otherwise UE notice SGSN safety context negotiation is unsuccessful, again Authentication and Key Agreement AKA.
11. the system of a negotiating and initiating safety context comprises user equipment (UE) and Serving GPRS Support Node SGSN, it is characterized in that:
Described subscriber equipment comprises:
Key identifier and designator fill module, are used for notification target SGSN, the safe context that the UE expectation is used;
Check context consistency module, for checking whether the safe context that SGSN enables is consistent with UE;
Described SGSN comprises:
Safe context is selected determination module, and the safe context that the UE expectation that is used for sending according to subscriber equipment is used judges that enabling the buffer memory safe context still shines upon safe context;
Enable selected safe context module, be used for enabling the safe context that safe context selects determination module to judge, and the information of the safe context enabled is sent to subscriber equipment.
12. system as claimed in claim 11 is characterized in that,
Described key identifier and designator fill module and also are used for: the safe context type indicator and the key identifier field that fill Routing Area Update request message or Attach Request message, and described message sent to Serving GPRS Support Node SGSN, the safe context that described safe context type indicator equipment for indicating user is selected is mapping safe context or buffer memory safe context;
Described inspection context consistency module also is used for: receive the Routing Area Update that SGSN sends or adhere to and accept message, check whether the safe context type of carrying in the message is consistent with key identifier with the selected safe context type of UE with key identifier;
Described safe context selects determination module also to be used for, receive Routing Area Update request message or Attach Request message that subscriber equipment sends, judge according to the safe context type indicator that carries in the message and select the buffer memory safe context still to shine upon safe context;
Describedly enable selected safe context module and also be used for, enable the safe context that safe context selects determination module to select, and the type of the safe context enabled and counterpart keys identifier thereof put into Routing Area Update or adhere to and accept message and send to subscriber equipment.
13. The system according to claim 12, characterized in that the key identifier and indicator filling module checks whether an available cached key exists; if an available cached key exists, it sets the value of the security context type indicator to indicate that the user equipment selects the cached security context, puts the key identifier of the cached key into the key identifier field, and uses the cached security context to integrity-protect the Routing Area Update request or Attach request; if no available cached key exists, it sets the value of the security context type indicator to indicate that the user equipment selects the mapped security context, and either puts the key identifier of the mapped key into the key identifier field or sets the key identifier field directly to "null".
14. The system according to claim 12 or 13, characterized in that, when the security context selection decision module determines that the security context indicated by the security context type indicator as selected by the user equipment is the cached security context and the key identifier is consistent with the key identifier in the SGSN's own cached security context, the security context selection decision module decides to select the cached security context; when it determines that the security context indicated by the security context type indicator as selected by the user equipment is the mapped security context, the security context selection decision module decides to select the mapped security context.
15. The system according to claim 11 or 12, characterized in that:
the system further comprises a Mobility Management Entity MME, and the MME further comprises a special flag bit checking module configured to check the special flag bit and determine whether the MME needs to generate and transfer the mapped security parameters;
the SGSN further comprises a special flag bit setting module configured to set the special flag bit to notify the MME whether it needs to generate and transfer the mapped security parameters;
when the security context selection decision module decides to select the cached security context, it instructs the special flag bit setting module to set the special flag bit to notify the MME that it does not need to generate or transfer the mapped security parameters.
16. A method for negotiating and enabling a security context when user equipment moves from an Evolved Universal Terrestrial Radio Access Network EUTRAN to a Universal Terrestrial Radio Access Network UTRAN or a GSM/EDGE Radio Access Network GERAN, characterized by comprising:
the user equipment sends a Routing Area Update request message or an Attach Request message to the Serving GPRS Support Node, carrying or not carrying a key identifier in the message;
after the Serving GPRS Support Node SGSN receives the Routing Area Update request or Attach request message, if the message carries a key identifier and the SGSN holds a cached key corresponding to that key identifier, the SGSN decides to enable the cached security context; if the message carries no key identifier, the SGSN decides to enable the mapped security context.
17. The method according to claim 16, characterized in that the user equipment determines whether to carry a key identifier in the Routing Area Update request message or Attach Request message as follows:
the UE checks whether an available cached key exists:
if an available cached key exists, it does not generate the mapped security parameters, carries the key identifier of the cached key in the Routing Area Update request message or Attach Request message, and uses the cached security context to integrity-protect all or part of the Routing Area Update request or Attach Request message;
if no available cached key exists, it uses the EUTRAN security parameters to generate the mapped security parameters, carries no key identifier in the Routing Area Update request message, and uses the mapped security context to integrity-protect all or part of the Routing Area Update request or Attach Request message.
18. The method according to claim 16, characterized in that, after the SGSN receives the Routing Area Update request message or Attach Request message, if the message carries a key identifier, the following steps are further performed:
the SGSN first checks, by the received key identifier, whether it holds the same cached key as the UE; if so, the SGSN notifies the source MME not to generate or transfer the mapped security parameters, or directly deletes the mapped security parameters received from the source MME; if not, the SGSN notifies the UE that the security context negotiation has failed and AKA is performed again.
19. The method according to claim 18, characterized in that the SGSN notifies the source MME not to generate or transfer the mapped security parameters by means of a specific flag bit in a Context Request or Identification Request message.
20. The method according to claim 16, characterized in that the method further comprises:
the SGSN sends the key identifier corresponding to the enabled security context to the UE in a Routing Area Update Accept or Attach Accept message;
after receiving it, the UE checks whether the key identifiers selected by the two sides are consistent; if they are consistent, the UE sends Routing Area Update Complete or Attach Complete to the SGSN; if they are inconsistent, the UE notifies the SGSN that the security context negotiation has failed and AKA is performed again.
21. A system for negotiating and enabling a security context, comprising user equipment UE and a Serving GPRS Support Node SGSN, characterized in that:
the UE comprises:
a key identifier carrying decision module, configured to notify the target SGSN of the security context the UE expects to use;
a key identifier consistency checking module, configured to check whether the security context selected by the SGSN is consistent with that of the UE;
the SGSN comprises:
a security context decision and enabling module, configured to decide whether to use the cached security context or the mapped security context;
a selected security context enabling module, configured to enable the security context decided by the security context decision and enabling module, and to send the key identifier corresponding to the enabled security context to the user equipment.
22. The system according to claim 21, characterized in that:
the key identifier carrying decision module is further configured to: carry or not carry a key identifier in the Routing Area Update request message or Attach Request message according to whether a cached key exists locally, carrying the key identifier of the cached key in the message if a cached key exists and carrying no key identifier if no cached key exists, and send the message to the Serving GPRS Support Node SGSN;
the context consistency checking module is further configured to: receive the Routing Area Update Accept or Attach Accept message sent by the SGSN and check whether the key identifier carried in the message is consistent with the key identifier selected by the UE;
the security context selection decision module is further configured to: receive the Routing Area Update request message or Attach Request message sent by the user equipment and decide, according to whether the message carries a key identifier, whether to select the cached security context or the mapped security context;
the selected security context enabling module is further configured to: enable the security context selected by the security context selection decision module, and put the key identifier corresponding to the enabled security context into the Routing Area Update Accept or Attach Accept message sent to the user equipment.
23. The system according to claim 22, characterized in that:
the system further comprises an MME, which comprises a module for determining whether the mapped security parameters need to be provided; this module checks the special flag bit in the Context Request/Attach Request message sent by the SGSN to determine whether the mapped security parameters are to be provided;
the SGSN further comprises a special flag bit setting module, configured to notify the MME via the Context Request message/Attach Request message whether the mapped security parameters need to be generated or transferred;
when the security context selection decision module decides to select the cached security context, it instructs the special flag bit setting module to notify the MME that the mapped security parameters do not need to be generated or transferred.
Priority Applications (1)

Application Number | Priority Date | Filing Date | Title | Status
CN200810160865.9A | 2008-09-12 | 2008-09-12 | Method and system for negotiating and initiating safety context | Active

Publications (2)

Publication Number | Publication Date
CN101355809A (en) | 2009-01-28
CN101355809B (en) | 2013-03-20

Family

ID=40308332

Country Status (1)

Country | Link
CN (1) | CN101355809B (en)

Families Citing this family (10)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
US8526617B2 (en) * | 2008-12-29 | 2013-09-03 | Htc Corporation | Method of handling security configuration in wireless communications system and related communication device
CN102348201B (en) * | 2010-08-05 | 2014-02-19 | 华为技术有限公司 | Method and device for acquiring security context
US9147062B2 (en) | 2011-06-29 | 2015-09-29 | International Business Machines Corporation | Renewal of user identification information
CN107113606B (en) * | 2014-12-22 | 2020-09-29 | 瑞典爱立信有限公司 | Method, apparatus and storage medium for communicating with a GPRS network
CN106412948B (en) * | 2015-07-31 | 2019-09-20 | 联芯科技有限公司 | A transmission method and transmission terminal involving NAS signaling messages
US10432399B2 (en) * | 2016-07-12 | 2019-10-01 | Huawei Technologies Co., Ltd. | Method and apparatus for storing context information in a mobile device
CN108347416B (en) | 2017-01-24 | 2021-06-29 | 华为技术有限公司 | Security protection negotiation method and network element
US20220124566A1 (en) * | 2019-02-14 | 2022-04-21 | Telefonaktiebolaget Lm Ericsson (Publ) | Network Node, UE and Method for Handling Handover with Parameter for Deriving Security Context
CN112087297B (en) * | 2019-06-14 | 2022-05-24 | 华为技术有限公司 | Method, system and equipment for obtaining security context
CN111045605B (en) * | 2019-12-12 | 2023-10-20 | 海光信息技术股份有限公司 | Technical scheme for improving system security by utilizing processor cache and security processor

Citations (2)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN1937487A (en) * | 2005-09-22 | 2007-03-28 | 北京三星通信技术研究有限公司 | LTE authentication and encryption method
CN101060712A (en) * | 2006-04-20 | 2007-10-24 | 华为技术有限公司 | Wireless connecting establishment method

Also Published As

Publication number | Publication date
CN101355809A (en) | 2009-01-28

Legal Events

Code | Title
C06 | Publication
PB01 | Publication
C10 | Entry into substantive examination
SE01 | Entry into force of request for substantive examination
C14 | Grant of patent or utility model
GR01 | Patent grant