CN101848464B - Method, device and system for implementing network security - Google Patents


Info

Publication number: CN101848464B
Authority: CN (China)
Prior art keywords: access network, general access, algorithm, message, nas
Legal status: Expired - Fee Related
Application number: CN2009101305491A
Other languages: Chinese (zh)
Other versions: CN101848464A
Inventors: 刘清顺, 王晓飞
Current assignee: Huawei Technologies Co Ltd
Original assignee: Huawei Technologies Co Ltd

Landscapes: Mobile Radio Communication Systems (AREA)

Abstract

Embodiments of the invention disclose a method, a device and a system for implementing network security. The method comprises: receiving, from a mobility management entity, a registration response message that comprises authentication result information; if the authentication result information comprises a generic access network service integrity key and user equipment security capability information, and the user equipment security capability information comprises the algorithms supported by the user equipment, determining an algorithm jointly supported with the user equipment as the integrity algorithm according to the supported-algorithm information; and sending to the user equipment a registration accept message carrying the identifier of the integrity algorithm, where the registration accept message is integrity protected (rendered as "consistency protection" in the original translation) with the generic access network service integrity key and the integrity algorithm. The embodiments require no additional equipment, and UE authentication is completed by the MME, which lowers the complexity of integrity protection.

Description

Method, device and system for implementing network security
Technical field
Embodiments of the invention relate to the field of communication technology, and in particular to a method, device and system for implementing network security in a generic access network.
Background technology
A Long Term Evolution (LTE) system can provide users with data services and voice services. Voice services are implemented through a Generic Access Network Controller (GANC).
In the scheme that implements voice services through the GANC, an IP-layer security mechanism (IP Security, IPSec) is used to guarantee the security of the service signalling transmitted between the User Equipment (UE) and the GANC.
This IPSec method mainly comprises: establishing an Internet Key Exchange Security Association (IKE SA) between the UE and the GANC in the Internet Key Exchange phase 1 (IKE PHASE1) procedure; in this IKE PHASE1 procedure, an Authentication, Authorization and Accounting (AAA) server must be introduced to complete Extensible Authentication Protocol-Authentication and Key Agreement (EAP-AKA) authentication of the UE by the network; and the establishment of the target protocol secure link between the UE and the GANC must also be completed in the Internet Key Exchange phase 2 (IKE PHASE2) procedure.
In the course of making the invention, the inventors found at least the following problems in the prior art: the EAP-AKA authentication method is complex and difficult to implement, and an additional AAA server must be introduced when deploying the network to complete the authentication of the UE, so the cost is also high; as a result, the method is expensive to implement.
Summary of the invention
Embodiments of the invention provide a method, device and system for implementing network security, in order to reduce the complexity of applying integrity protection to service signalling.
To achieve the above object, embodiments of the invention adopt the following technical solutions:
A method for implementing network security comprises:
receiving a registration response message comprising authentication result information sent from a mobility management entity;
if the authentication result information comprises a generic access network service integrity key and UE security capability information, and the UE security capability information comprises information on the algorithms supported by the UE, determining, according to the supported-algorithm information, an algorithm jointly supported with the UE as the integrity algorithm;
sending to the UE a registration accept message carrying the identifier of the integrity algorithm, the registration accept message being integrity protected with the generic access network service integrity key and the integrity algorithm.
A method for implementing network security comprises:
receiving a registration request message carrying a user-side Non-Access Stratum token sent from a generic access network controller;
obtaining a network-side Non-Access Stratum token;
sending to the generic access network controller a registration response message carrying the generic access network service integrity key and UE security capability information, the UE security capability information comprising information on the algorithms supported by the UE.
A user equipment comprises:
an acquisition module, used to obtain the generic access network service integrity key;
a receiving module, used to receive the integrity-protected registration accept message sent from the generic access network controller, the registration accept message carrying the identifier of the integrity algorithm;
a verification module, used to verify the registration accept message with the generic access network service integrity key and the algorithm corresponding to the identifier.
A network device comprises:
a receiving module, used to receive the registration response message comprising authentication result information from the mobility management entity;
a determination module, used, when the authentication result information comprises the generic access network service integrity key and UE security capability information and the UE security capability information comprises information on the algorithms supported by the UE, to determine, according to the supported-algorithm information, an algorithm jointly supported with the UE as the integrity algorithm;
a sending module, used to send to the UE a registration accept message carrying the identifier of the integrity algorithm, the registration accept message being integrity protected with the generic access network service integrity key and the integrity algorithm.
A network device comprises:
a key acquisition module, used to obtain the generic access network service integrity key;
a sending module, used to send to the generic access network controller a registration response message carrying the generic access network service integrity key and UE security capability information, the UE security capability information comprising information on the algorithms supported by the UE.
A system for implementing network security comprises:
a mobility management entity, used to obtain the generic access network service integrity key and to send to the generic access network controller a registration response message carrying the generic access network service integrity key and UE security capability information, the UE security capability information comprising information on the algorithms supported by the UE;
a generic access network controller, which receives the registration response message comprising authentication result information from the mobility management entity; when the authentication result information comprises the generic access network service integrity key and UE security capability information and the UE security capability information comprises information on the algorithms supported by the UE, selects, according to the supported-algorithm information, an algorithm jointly supported with the UE as the integrity algorithm; and sends to the UE a registration accept message carrying the identifier of the integrity algorithm, the registration accept message being integrity protected with the generic access network service integrity key and the integrity algorithm;
a user equipment, used to obtain the generic access network service integrity key, to receive the integrity-protected registration accept message from the generic access network controller, which carries the identifier of the integrity algorithm, and to verify the registration accept message with the generic access network service integrity key and the algorithm corresponding to the identifier.
The method, device and system for implementing network security provided by the embodiments of the invention use the Mobility Management Entity (MME) to authenticate the UE on the network side and apply integrity protection to the service signalling after authentication. This overcomes the prior-art need to introduce an additional AAA server before the network side can perform EAP-AKA authentication of the UE, and the high complexity of that authentication method; it thereby reduces the complexity of integrity protection of service signalling and makes implementation simpler.
Description of drawings
To describe the technical solutions of the embodiments of the invention or of the prior art more clearly, the drawings needed in the description of the embodiments or of the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of the method for implementing network security of embodiment 1 of the invention;
Fig. 2 is a flow chart of the method for implementing network security of embodiment 2 of the invention;
Fig. 3 is a flow chart of the method for implementing network security of embodiment 3 of the invention;
Fig. 4 is a flow chart of the method for implementing network security of embodiment 4 of the invention;
Fig. 5 is a block diagram of the UE device for implementing network security of embodiment 5 of the invention;
Fig. 6 is a block diagram of the GANC device for implementing network security of embodiment 5 of the invention;
Fig. 7 is a block diagram of the MME device for implementing network security of embodiment 5 of the invention;
Fig. 8 is a block diagram of the system for implementing network security of embodiment 6 of the invention.
Embodiment
The technical solutions in the embodiments of the invention are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments obtained by those of ordinary skill in the art from the embodiments of the invention without creative effort fall within the scope of protection of the invention.
The embodiments of the invention are applied to Long Term Evolution (LTE) but are not limited to that system; they can also be applied to other network systems, including: Worldwide Interoperability for Microwave Access (WiMAX), Global System for Mobile Communications (GSM), Wideband Code Division Multiple Access (WCDMA), Time Division-Synchronized Code Division Multiple Access (TD-SCDMA), Code Division Multiple Access (CDMA), Wireless Local Area Network (WLAN), fixed networks, and so on.
Embodiment 1
This embodiment discloses a method for implementing network security that is suited to deployment on the UE. As shown in Fig. 1, the method comprises:
After the UE has completed security authentication for access to the LTE system through the Evolved Packet System (EPS), the UE and the MME each hold an access security management entity key (Key of Access Security Management Entity, K_ASME), and the K_ASME of the UE and of the MME are identical.
11. Using the EPS authentication result K_ASME, the UE can obtain the generic access network service integrity key (Integrity Key of Generic Access Network, IK_GAN).
12. The UE receives the integrity-protected generic access resource control layer registration accept (GA-RC REGISTER ACCEPT) message sent from the GANC; this GA-RC REGISTER ACCEPT message carries the identifier of the integrity algorithm.
That the GA-RC REGISTER ACCEPT message in 12 is integrity protected means that a message authentication code (MAC-I) used for service signalling integrity protection is appended to the GA-RC REGISTER ACCEPT message.
13. According to the identifier of the integrity algorithm, the UE finds the UE-side algorithm corresponding to the identifier.
14. Using the IK_GAN from 11 and the algorithm found by the UE, the UE verifies the received GA-RC REGISTER ACCEPT message.
The verification in 14 proceeds as follows: the UE feeds the following input parameters into the algorithm it found (the integrity algorithm): IK_GAN, the integrity sequence number, the protected GA-RC REGISTER ACCEPT message and the direction (uplink or downlink; uplink in this embodiment); it computes an expected message authentication code (XMAC-I) with the integrity algorithm and compares this XMAC-I with the MAC-I appended to the received message. If the two match, the integrity check passes; otherwise it fails.
Here the integrity sequence number is already known in this embodiment, and the integrity algorithm, IK_GAN, the protected GA-RC REGISTER ACCEPT message and the direction are likewise known in this embodiment.
The method for implementing network security provided by this embodiment generates the key used for integrity protection from the EPS authentication result K_ASME. This solves the prior-art problem that, when integrity protection of service signalling is provided through IPSec, the UE must additionally support the IPSec feature, which makes implementation complex; it thereby reduces the complexity of integrity protection of service signalling.
Embodiment 2
This embodiment discloses a method for implementing network security that is suited to deployment on the GANC. As shown in Fig. 2, the method comprises:
21. The GANC receives a Forward Register Response message comprising authentication result information sent by the MME.
22. If the authentication result information in the Forward Register Response message comprises IK_GAN and UE security capability information, and the UE security capability information contains information on the algorithms supported by the UE side, the GANC selects, according to that supported-algorithm information, an algorithm supported by both the GANC side and the UE as the integrity algorithm for integrity protection.
23. The GANC sends to the UE a generic access resource control layer registration accept (GA-RC REGISTER ACCEPT) message carrying the identifier of the integrity algorithm; the GA-RC REGISTER ACCEPT message is integrity protected with IK_GAN and the integrity algorithm.
The integrity protection in 23 is specifically: the GANC feeds the following input parameters into the integrity algorithm: IK_GAN, the integrity sequence number, the GA-RC REGISTER ACCEPT message to be protected and the direction (uplink or downlink; downlink in this embodiment); it computes a MAC-I with the integrity algorithm and appends the MAC-I to the GA-RC REGISTER ACCEPT message.
Here the integrity sequence number is already known in this embodiment, and the integrity algorithm, IK_GAN, the GA-RC REGISTER ACCEPT message to be protected and the direction are likewise known in this embodiment.
The method for implementing network security provided by this embodiment has the following benefits: the GANC obtains the integrity key used for integrity protection through the MME and need not compute it itself; and, having obtained information on the algorithms supported by the UE side through the MME, the GANC obtains the integrity algorithm by selecting an algorithm supported by both the GANC side and the UE side, which is a simple, low-complexity process.
Embodiment 3
This embodiment discloses a method for implementing network security that is suited to deployment on the MME. As shown in Fig. 3, the method comprises:
After the UE has completed security authentication for access to the LTE system through EPS, the UE and the MME each hold a K_ASME, and the K_ASME of the UE and of the MME are identical.
31. Using the EPS authentication result K_ASME, the MME can obtain IK_GAN.
32. The MME sends to the GANC a Forward Register Response message carrying the above IK_GAN and UE security capability information; the UE security capability information comprises information on the algorithms supported by the UE side.
The method applicable to the MME provided by this embodiment has the following benefits: the MME in the network architecture is used to authenticate the UE; compared with the prior art, which needs an additional AAA server in the network architecture, this lowers operating cost, is easier to implement, and reduces the complexity of implementing integrity protection of service signalling.
Embodiment 4
This embodiment provides a specific method for implementing network security. As shown in Fig. 4, the method comprises: after the UE has completed security authentication for access to the LTE system through EPS, the UE and the MME each hold a K_ASME, and the K_ASME of the UE and of the MME are identical.
101. Before initiating a registration request message to the GANC, the UE feeds the input parameters FC (0x17), P0 (uplink Non-Access Stratum sequence number) and L0 (length of the uplink Non-Access Stratum sequence number) into the Key Derivation Function (KDF) algorithm, computes on K_ASME and obtains a 256-bit NAS-token1. At the same time, the UE also feeds FC (0x1B), P0 (downlink Non-Access Stratum sequence number) and L0 (length of the downlink Non-Access Stratum sequence number) into the KDF algorithm, computes on K_ASME and obtains a 128-bit IK_GAN and a 128-bit generic access network service cipher key (Cipher Key of Generic Access Network, CK_GAN). The UE selects the 128-bit IK_GAN as the integrity protection key for service signalling.
In 101, the UE may use the 128-bit IK_GAN as the key for service signalling integrity protection, or may use the 256-bit IK_GAN formed by combining the 128-bit IK_GAN and the 128-bit CK_GAN as the key for service signalling integrity protection.
102. The UE sends a GA-RC REGISTER message to the GANC. This GA-RC REGISTER message carries the UE's registration information, the NAS-token1 computed in 101 and a Non-Access Stratum sequence number (NAS Sequence Number), which takes the least significant 8 bits of the uplink Non-Access Stratum sequence number.
103. The GANC receives the GA-RC REGISTER message and obtains the UE's registration information, the NAS-token1 and the NAS Sequence Number carried in it. The GANC forwards the obtained registration information, NAS-token1 and NAS Sequence Number to the MME by sending a Forward Register Request message.
104. After receiving the Forward Register Request message, the MME computes the Non-Access Stratum sequence number from the received NAS Sequence Number and the MME-side Non-Access Stratum overflow count of the uplink Non-Access Stratum sequence number. Using the same KDF algorithm and input parameters as the UE in 101 (namely FC (0x17), P0 (uplink Non-Access Stratum sequence number) and L0 (length of the uplink Non-Access Stratum sequence number)), the MME computes on K_ASME and obtains NAS-token2. The MME compares the NAS-token2 it computed with the NAS-token1 carried in the Forward Register Request message. If the two match, the UE has passed network-side authentication, and the MME likewise uses the same KDF algorithm and input parameters as the UE in 101 (namely FC (0x1B), P0 (downlink Non-Access Stratum sequence number) and L0 (length of the downlink Non-Access Stratum sequence number)) to compute on K_ASME and obtain a 128-bit IK_GAN and a 128-bit CK_GAN; corresponding to the IK_GAN in 101, the MME also selects the 128-bit IK_GAN as the integrity protection key for service signalling in this step. If the comparison shows that the two differ, proceed to 1051.
Likewise, in 104 the MME may use the 128-bit IK_GAN as the key for service signalling integrity protection, or the 256-bit IK_GAN formed by combining the 128-bit IK_GAN and the 128-bit CK_GAN, corresponding to the selection made in 101: if the combined 256-bit IK_GAN was selected in 101, the combined 256-bit IK_GAN is correspondingly selected in 104.
105. The MME replies to the GANC with a Forward Register Response message carrying the IK_GAN computed above and the UE security capability information; the UE security capability information contains information on the algorithms supported by the UE side.
1051. The MME replies to the GANC with a Forward Register Response message carrying the authentication failure cause value, and proceeds directly to 1071.
106. After receiving the Forward Register Response message, the GANC obtains the IK_GAN and the UE-supported algorithm information carried in it; at the same time, the GANC sets the local downlink generic access network counter (DOWNLINK GAN COUNT) to 0, and selects, according to the UE-side supported-algorithm information carried in the Forward Register Response message and the GANC's own supported-algorithm information, an algorithm supported by both ends as the integrity algorithm. This integrity algorithm is used to apply integrity protection to the service information transmitted between the UE and the GANC.
107. The GANC replies to the UE with a GA-RC REGISTER ACCEPT message carrying the identifier of the above integrity algorithm; this GA-RC REGISTER ACCEPT message is integrity protected.
The integrity protection in 107 is specifically: the GANC feeds the input parameters IK_GAN, the integrity sequence number, the GA-RC REGISTER ACCEPT message to be protected and the direction (uplink or downlink; downlink in this embodiment) into the integrity algorithm, computes a MAC-I with the integrity algorithm, and appends the MAC-I to the GA-RC REGISTER ACCEPT message.
1071. The GANC sends the UE a generic access resource control layer registration reject (GA-RC REGISTER REJECT) message carrying the reject cause value (Register Reject Cause), and the procedure ends directly.
108. After receiving the integrity-protected GA-RC REGISTER ACCEPT message, the UE selects the algorithm corresponding to the integrity algorithm identifier carried in the message as the UE-side integrity algorithm, sets the UE-side UPLINK GAN COUNT to 0, and performs the integrity check on the GA-RC REGISTER ACCEPT message.
The integrity check in 108 proceeds as follows: the UE feeds the input parameters IK_GAN, the integrity sequence number, the protected GA-RC REGISTER ACCEPT message and the direction (uplink or downlink; uplink in this embodiment) into the integrity algorithm, computes an expected message authentication code (XMAC-I) with the integrity algorithm, and compares this XMAC-I with the MAC-I appended to the received message. If the two match, the integrity check passes; otherwise it fails, and the UE does not execute the instructions in the GA-RC REGISTER ACCEPT message and ends the procedure directly.
109. The UE sends a generic access resource control layer registration complete (GA-RC REGISTER COMPLETE) message to the GANC; this GA-RC REGISTER COMPLETE message is integrity protected.
The integrity protection in 109 is implemented in the same way as the integrity protection in 107, and all service signalling transmitted between the UE and the GANC thereafter is integrity protected in the same way.
The method for implementing network security provided by this embodiment has at least the following benefits: when the UE initiates GANC service registration, the MME is used to authenticate it, so the network side need not introduce an AAA server, which reduces implementation cost; integrity protection between the UE and the GANC need not be implemented through IPSec, which reduces the complexity of service signalling integrity protection; and the key K_ASME shared by the UE and the MME is fully used to derive the GANC integrity key IK_GAN for integrity protection of the service between the UE and the GANC, which reduces the complexity of implementing service signalling integrity protection between the UE and the GANC.
Embodiment 5
Present embodiment provides a kind of user equipment (UE), and is as shown in Figure 5, and this UE comprises: acquisition module 51, receiver module 52, authentication module 53, secret signal acquisition module 54, sending module 55.
Acquisition module 51 is used to obtain IK GANReceiver module 52 be used to receive from GANC send by the GA-RC REGISTER ACCEPT message of consistency protection, the sign of carrying consistency algorithm in this GA-RC REGISTER ACCEPT message; Authentication module 53 is used to utilize said IK GANWith said sign corresponding algorithm said GA-RC REGISTER ACCEPT message is verified.
Wherein, acquisition module 51 usefulness KDF algorithms are to K ASMECalculate and obtain IK GAN, and the IK that obtains of acquisition module 51 GANComprise: the IK of 128bit GANCK with 128bit GAN, correspondingly, the IK that authentication module 53 utilizes in proof procedure GANComprise: the IK of 128bit GAN, perhaps by the IK of 128bit GANCK with 128bit GANCombine the IK of 256bit GAN
Secret signal acquisition module 54 in the present embodiment is used for the KDF algorithm K ASMEThe NAS-token of UE side is obtained in calculating; Sending module 55 is used to send the GA-RCREGISTER message of the NAS-token that carries said UE side to GANC.
Present embodiment provides a kind of GANC, and is as shown in Figure 6, and this GANC comprises: receiver module 61, determination module 62, sending module 63, secret signal receiver module 64, secret signal sending module 65.
Receiver module 61 is used for MME and sends the Forward Register Response message that comprises authentication result information; Determination module 62 is used for comprising IK when said authentication result information GANDuring with UE security capabilities information, comprise in the said UE security capabilities information that UE supports the information of algorithm, according to the information of said support algorithm select with the common algorithm of supporting of UE as consistency algorithm; Sending module 63 is used to send the GA-RC REGISTER ACCEPT message of the sign of carrying said consistency algorithm to UE, and said GA-RCREGISTER ACCEPT message is through said IK GANObtain consistency protection with said consistency algorithm.
Wherein, sending module 63 also is used for when said authentication result information comprises the ForwardRegister Response message of failure reason value, sends the GA-RC REGISTER REJECT message of carrying the Reason For Denial value and arrives UE.
Secret signal receiver module 64 in the present embodiment is used to receive the GA-RC REGISTER message of the NAS-token that carries the UE side that sends from UE; Secret signal sending module 65 is used to send the Forward Register Request of the NAS-token that carries said UE side to MME.
Each unit of the embodiment of the invention can be integrated in one, and also can separate deployment.Said units can be merged into a unit, also can further split into a plurality of subelements.
The user equipment (UE) of present embodiment can be mobile phone or notebook computer etc.
The scheme that present embodiment provides is through adopting the key sent according to MME and the algorithm information of UE side support; Make the GANC acquisition be used for the technical scheme of the key and the algorithm of consistency protection; Solved in the prior art; GANC need support the technical problem of ipsec capability at key that obtains consistency protection and algorithm, and then has obtained and reduced the complexity that realizes in the consistency protection process, reduces the technique effect of realizing the consistency protection cost.
This embodiment provides an MME, shown in Figure 7, which comprises key acquisition module 73 and sending module 74.
Key acquisition module 73 is configured to obtain IK_GAN; sending module 74 is configured to send a Forward Register Response message carrying IK_GAN and the UE security capability information to the GANC, the UE security capability information containing the information on the algorithms the UE supports.
Further, the MME of this embodiment also comprises receiver module 71 and token acquisition module 72.
Receiver module 71 is configured to receive the Forward Register Request message carrying the UE-side NAS-token sent by the GANC; token acquisition module 72 is configured to obtain the MME-side NAS-token.
Specifically, key acquisition module 73 is configured to obtain IK_GAN when the UE-side NAS-token and the MME-side NAS-token are identical. Correspondingly, sending module 74 is further configured to send a Forward Register Response message carrying a failure cause value to the GANC when the UE-side NAS-token and the MME-side NAS-token differ. Token acquisition module 72 computes the UE-side NAS-token from K_ASME with a KDF algorithm; key acquisition module 73 computes the MME-side NAS-token from K_ASME with a KDF algorithm.
The units of this embodiment of the invention may be integrated together or deployed separately. The above units may be merged into one unit or further split into several sub-units.
The scheme provided by this embodiment uses the MME to authenticate the user. This solves the problem in the prior art that an additional AAA server has to be introduced to authenticate the user, which makes implementation expensive and costly, and thereby reduces the complexity of applying integrity protection to service signalling.
Embodiment 6
This embodiment discloses a system for implementing network security, shown in Figure 8, comprising MME 81, GANC 82 and UE 83.
MME 81 is configured to obtain IK_GAN and to send a Forward Register Response message carrying IK_GAN and the security capability information of UE 83 to GANC 82, the security capability information of UE 83 containing the information on the algorithms UE 83 supports.
GANC 82 is configured to receive the Forward Register Response message containing the authentication result information from MME 81; when the authentication result information contains IK_GAN and the security capabilities of UE 83, the security capabilities of UE 83 containing the information on the algorithms UE 83 supports, to select, according to that information, an algorithm supported jointly with UE 83 as the integrity algorithm; and to send a GA-RC REGISTER ACCEPT message carrying the identifier of the integrity algorithm to UE 83, the GA-RC REGISTER ACCEPT message being integrity protected with IK_GAN and the integrity algorithm.
UE 83 is configured to obtain IK_GAN, to receive the integrity-protected GA-RC REGISTER ACCEPT message from GANC 82, which carries the identifier of the integrity algorithm, and to verify the GA-RC REGISTER ACCEPT message with IK_GAN and the algorithm corresponding to that identifier.
In this embodiment UE 83 is further configured to compute the UE 83-side NAS-token from K_ASME with a KDF algorithm and to send a GA-RC REGISTER message carrying the UE 83-side NAS-token to GANC 82. Correspondingly, GANC 82 is further configured to receive the GA-RC REGISTER message carrying the UE 83-side NAS-token from UE 83 and to send a GA-RC REGISTER message carrying the UE 83-side NAS-token to MME 81. Correspondingly, MME 81 is further configured, after receiving the Forward Register Request message carrying the UE 83-side NAS-token from GANC 82, to obtain the MME 81-side NAS-token and, when the UE 83-side NAS-token and the MME 81-side NAS-token are identical, to obtain IK_GAN.
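The registration exchange of this embodiment, simulated end to end as an added example that is not part of the patent or of any Huawei implementation. The patent names only "a KDF over K_ASME" and an algorithm identifier, so the following are assumptions made here: the KDF is HMAC-SHA256 over a per-purpose label, the integrity algorithm identifiers IA-SHA256 and IA-SHA1 are constructed names (not 3GPP values), and the MAC is a truncated HMAC. The three parties (UE, GANC, MME) are plain classes; the GANC never holds K_ASME, only the IK_GAN the MME hands it after the NAS-token check succeeds.

```python
import hashlib
import hmac


def kdf(k_asme: bytes, label: bytes) -> bytes:
    """Assumed KDF: the patent only says 'a KDF over K_ASME', so HMAC-SHA256 keyed
    with K_ASME over a per-purpose label stands in for it here."""
    return hmac.new(k_asme, label, hashlib.sha256).digest()


def derive_nas_token(k_asme: bytes) -> bytes:
    """NAS-token; the UE side and the MME side each compute this from their own K_ASME."""
    return kdf(k_asme, b"NAS-token")[:16]


def derive_ik_gan(k_asme: bytes) -> bytes:
    """IK_GAN; derived by the MME once the tokens match, and independently by the UE."""
    return kdf(k_asme, b"IK_GAN")


# Constructed integrity-algorithm identifiers (not 3GPP values): id -> hash for the MAC.
INTEGRITY_ALGS = {"IA-SHA256": hashlib.sha256, "IA-SHA1": hashlib.sha1}


def integrity_mac(alg: str, ik_gan: bytes, message: bytes) -> bytes:
    return hmac.new(ik_gan, message, INTEGRITY_ALGS[alg]).digest()[:8]


class MME:
    """Holds K_ASME from EPS authentication and the UE security capabilities."""

    def __init__(self, k_asme: bytes, ue_algs: list):
        self.k_asme, self.ue_algs = k_asme, list(ue_algs)

    def forward_register_response(self, ue_nas_token: bytes) -> dict:
        # Token check: only a UE holding the same K_ASME can produce this value.
        if not hmac.compare_digest(ue_nas_token, derive_nas_token(self.k_asme)):
            return {"failure_cause": "NAS-token mismatch"}
        return {"ik_gan": derive_ik_gan(self.k_asme), "ue_algs": self.ue_algs}


class GANC:
    def __init__(self, supported_algs: list):
        self.supported_algs = list(supported_algs)  # in order of preference

    def handle_register(self, register_msg: dict, mme: MME) -> dict:
        resp = mme.forward_register_response(register_msg["nas_token"])
        if "failure_cause" in resp:
            return {"type": "GA-RC REGISTER REJECT", "cause": resp["failure_cause"]}
        # Select from the capabilities the MME delivered, not from anything the
        # unauthenticated GA-RC REGISTER message itself might claim.
        common = [a for a in self.supported_algs if a in resp["ue_algs"]]
        if not common:
            return {"type": "GA-RC REGISTER REJECT", "cause": "no common integrity algorithm"}
        alg = common[0]
        body = b"GA-RC REGISTER ACCEPT|alg=" + alg.encode()
        return {"type": "GA-RC REGISTER ACCEPT", "alg": alg, "body": body,
                "mac": integrity_mac(alg, resp["ik_gan"], body)}


class UE:
    def __init__(self, k_asme: bytes, supported_algs: list):
        self.k_asme, self.supported_algs = k_asme, list(supported_algs)

    def ga_rc_register(self) -> dict:
        return {"nas_token": derive_nas_token(self.k_asme)}

    def verify_accept(self, msg: dict) -> bool:
        if msg.get("type") != "GA-RC REGISTER ACCEPT" or msg["alg"] not in self.supported_algs:
            return False
        expected = integrity_mac(msg["alg"], derive_ik_gan(self.k_asme), msg["body"])
        return hmac.compare_digest(expected, msg["mac"])


def run_registration(ue_k_asme, mme_k_asme, ue_algs, ganc_algs):
    """Run one registration; returns (message type, chosen algorithm, UE verification result)."""
    ue, ganc, mme = UE(ue_k_asme, ue_algs), GANC(ganc_algs), MME(mme_k_asme, ue_algs)
    result = ganc.handle_register(ue.ga_rc_register(), mme)
    return result["type"], result.get("alg"), ue.verify_accept(result)


if __name__ == "__main__":
    K_ASME = bytes(range(32))  # constructed key shared by UE and MME after EPS AKA
    print(run_registration(K_ASME, K_ASME, ["IA-SHA1", "IA-SHA256"], ["IA-SHA256", "IA-SHA1"]))
```

Two points the simulation makes visible: a UE whose K_ASME differs from the MME's never receives IK_GAN material, only a REJECT carrying the failure cause, and the GANC's algorithm choice is driven by the capability list delivered over the MME interface rather than by the unprotected GA-RC REGISTER message, so the accepted algorithm and its MAC can be checked by the UE against its own IK_GAN.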
The units of the system of this embodiment of the invention may be integrated in one device or distributed across several devices. The above units may be merged into one unit or further split into several sub-units.
The user equipment (UE) of this embodiment may be a mobile phone, a notebook computer, or the like.
The technical scheme of this embodiment has at least the following beneficial effects: by using the MME already present in the network architecture to authenticate the UE side, no additional AAA server needs to be introduced, so operating cost is low and expense is small; by deriving the integrity-protection key from the EPS authentication result K_ASME, the amount of computation needed to obtain the integrity-protection key is reduced, the method is simple, and the complexity of integrity protection is reduced.
The embodiments of the invention apply mainly to the field of communications technology and provide integrity protection for the service signalling exchanged between the UE and the network side. With the development of internet technology they may be applied to other scenarios in this field, and may also be migrated to similar or related technical fields.
The method, apparatus and system for implementing network security provided by the embodiments of the invention have the network side authenticate the UE by means of the Mobility Management Entity (MME) and integrity protect the service signalling after authentication. This overcomes the problems of the prior art, in which the EAP-AKA authentication of the UE by the network side can only be realized by introducing an additional AAA server and the authentication method is highly complex, and thereby reduces the complexity of integrity protecting service signalling and simplifies implementation.
From the description of the above embodiments, a person skilled in the art will clearly understand that the present invention may be implemented by software plus a necessary general-purpose hardware platform, and certainly also by hardware, although the former is the better implementation in many cases. On this understanding, the technical scheme of the invention, or the part of it that contributes to the prior art, may be embodied in the form of a software product stored on a readable storage medium such as a computer floppy disk, hard disk or optical disc, containing instructions that cause a controller or a network device to perform the method described in each embodiment of the invention.
The above are merely embodiments of the invention, but the scope of protection of the invention is not limited thereto. Any change or substitution that a person familiar with the technical field could readily conceive within the technical scope disclosed by the invention shall fall within its scope of protection. Therefore, the scope of protection of the invention shall be defined by the scope of protection of the claims.

Claims (16)

1. A method for implementing network security, characterized by comprising:
receiving, from a mobility management entity, a registration response message containing authentication result information;
if the authentication result information contains a general access network service integrity key and user equipment security capability information, the user equipment security capability information containing information on the algorithms the user equipment supports, determining, according to the information on the supported algorithms, an algorithm supported jointly with the user equipment as the integrity algorithm;
sending to the user equipment a registration accept message carrying an identifier of the integrity algorithm, the registration accept message being integrity protected by the general access network service integrity key and the integrity algorithm.
2. The method for implementing network security according to claim 1, characterized in that the method further comprises:
if the authentication result information is a registration response message containing a failure cause value, sending a registration reject message carrying a reject cause value to the user equipment.
3. The method for implementing network security according to claim 1, characterized in that, before receiving the registration response message containing authentication result information from the mobility management entity, the method further comprises:
receiving, from the user equipment, a registration message carrying NAS-token1;
sending a registration request message carrying NAS-token1 to the mobility management entity.
4. A method for implementing network security, characterized by comprising:
receiving, from a general access network controller, a registration request message carrying NAS-token1;
obtaining NAS-token2;
obtaining a general access network service integrity key, wherein obtaining the general access network service integrity key comprises: if NAS-token1 is identical to NAS-token2, obtaining the general access network service integrity key;
sending to the general access network controller a registration response message carrying the general access network service integrity key and user equipment security capability information, the user equipment security capability information containing information on the algorithms the user equipment supports.
5. The method for implementing network security according to claim 4, characterized in that the method further comprises:
if NAS-token1 differs from NAS-token2, sending a registration response message carrying a failure cause value to the general access network controller.
6. The method for implementing network security according to claim 4 or 5, characterized in that
obtaining NAS-token2 comprises: computing NAS-token2 from the access security management entity key with a key derivation function algorithm;
obtaining the general access network service integrity key comprises: computing the general access network service integrity key from the access security management entity key with a key derivation function algorithm.
7. A user equipment, characterized by comprising:
an acquisition module, configured to obtain a general access network service integrity key;
a receiver module, configured to receive an integrity-protected registration accept message sent by a general access network controller, the registration accept message carrying an identifier of an integrity algorithm;
a verification module, configured to verify the registration accept message with the general access network service integrity key and the algorithm corresponding to the identifier.
8. The user equipment according to claim 7, characterized in that the equipment further comprises:
a token acquisition module, configured to compute NAS-token1 from the access security management entity key with a key derivation function algorithm;
a sending module, configured to send a registration request message carrying NAS-token1 to the general access network controller.
9. The user equipment according to claim 7 or 8, characterized in that
the general access network service integrity key obtained by the acquisition module comprises a general access network service sub-integrity key and a general access network service encryption key;
and the general access network service integrity key used by the verification module in the verification procedure comprises the general access network service sub-integrity key, or the general access network service integrity key, the general access network service integrity key comprising the general access network service sub-integrity key and the general access network service encryption key.
10. A general access network controller, characterized by comprising:
a receiver module, configured to receive, from a mobility management entity, a registration response message containing authentication result information;
a determination module, configured to, when the authentication result information contains a general access network service integrity key and user equipment security capability information, the user equipment security capability information containing information on the algorithms the user equipment supports, determine, according to the information on the supported algorithms, an algorithm supported jointly with the user equipment as the integrity algorithm;
a sending module, configured to send to the user equipment a registration accept message carrying an identifier of the integrity algorithm, the registration accept message being integrity protected by the general access network service integrity key and the integrity algorithm.
11. The general access network controller according to claim 10, characterized in that
the sending module is further configured to send a registration reject message carrying a reject cause value to the user equipment when the authentication result information is a registration response message containing a failure cause value.
12. The general access network controller according to claim 10 or 11, characterized in that the device further comprises:
a token receiver module, configured to receive, from the user equipment, a registration message carrying NAS-token1;
a token sending module, configured to send a registration request message carrying NAS-token1 to the mobility management entity.
13. A mobility management entity, characterized by comprising:
a receiver module, configured to receive, from a general access network controller, a registration request message carrying NAS-token1;
a token acquisition module, configured to obtain NAS-token2;
a key acquisition module, configured to obtain a general access network service integrity key, the key acquisition module obtaining the general access network service integrity key when NAS-token1 is identical to NAS-token2;
a sending module, configured to send to the general access network controller a registration response message carrying the general access network service integrity key and user equipment security capability information, the user equipment security capability information containing information on the algorithms the user equipment supports.
14. The mobility management entity according to claim 13, characterized in that
the sending module is further configured to send a registration response message carrying a failure cause value to the general access network controller when NAS-token1 differs from NAS-token2.
15. A system for implementing network security, characterized by comprising:
a mobility management entity, configured to obtain a general access network service integrity key and to send to a general access network controller a registration response message carrying the general access network service integrity key and user equipment security capability information, the user equipment security capability information containing information on the algorithms the user equipment supports;
a general access network controller, configured to receive, from the mobility management entity, a registration response message containing authentication result information; when the authentication result information contains the general access network service integrity key and the user equipment security capability information, the user equipment security capability information containing information on the algorithms the user equipment supports, to select, according to the information on the supported algorithms, an algorithm supported jointly with the user equipment as the integrity algorithm; and to send to the user equipment a registration accept message carrying an identifier of the integrity algorithm, the registration accept message being integrity protected by the general access network service integrity key and the integrity algorithm;
a user equipment, configured to obtain the general access network service integrity key, to receive the integrity-protected registration accept message from the general access network controller, the registration accept message carrying the identifier of the integrity algorithm, and to verify the registration accept message with the general access network service integrity key and the algorithm corresponding to the identifier.
16. The system for implementing network security according to claim 15, characterized in that
the user equipment is further configured to compute NAS-token1 from the access security management entity key with a key derivation function algorithm and to send a registration request message carrying NAS-token1 to the general access network controller;
the general access network controller is further configured to receive, from the user equipment, the registration message carrying NAS-token1 and to send a registration request message carrying NAS-token1 to the mobility management entity;
the mobility management entity is further configured, after receiving the registration request message from the general access network controller, to obtain NAS-token2 and, when NAS-token1 is identical to NAS-token2, to obtain the general access network service integrity key.
CN2009101305491A 2009-03-28 2009-03-28 Method, device and system for implementing network security Expired - Fee Related CN101848464B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2009101305491A CN101848464B (en) 2009-03-28 2009-03-28 Method, device and system for implementing network security

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2009101305491A CN101848464B (en) 2009-03-28 2009-03-28 Method, device and system for implementing network security

Publications (2)

Publication Number Publication Date
CN101848464A CN101848464A (en) 2010-09-29
CN101848464B true CN101848464B (en) 2012-11-21

Family

ID=42772892

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2009101305491A Expired - Fee Related CN101848464B (en) 2009-03-28 2009-03-28 Method, device and system for implementing network security

Country Status (1)

Country Link
CN (1) CN101848464B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US12003533B2 (en) 2023-07-20 2024-06-04 Huawei Technologies Co., Ltd. Mobile communication method, apparatus, and device

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102036237B (en) * 2010-12-20 2012-12-12 广州杰赛科技股份有限公司 Security access method for wireless metropolitan area network
CN106664195B (en) * 2014-08-01 2020-05-15 广州小熊信息科技有限公司 Data processing method, device and system
BR112018013812A2 (en) 2016-01-05 2018-12-11 Huawei Technologies Co., Ltd. Mobile communication method, device and device
CN115280803B (en) * 2020-04-24 2023-10-13 Oppo广东移动通信有限公司 Multimedia broadcast multicast service authentication method, device, equipment and medium

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101199163A (en) * 2005-06-17 2008-06-11 诺基亚公司 Unlicensed mobile access support in mobile networks of the third generation
CN101385374A (en) * 2006-02-24 2009-03-11 艾利森电话股份有限公司 Charging and position indication in general access network

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Huawei. New Architecture Alternative for CS services over EPS. 3GPP TSG SA WG2 Meeting #69, TD S2-087631, 2008. *

Also Published As

Publication number Publication date
CN101848464A (en) 2010-09-29

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20121121

CF01 Termination of patent right due to non-payment of annual fee