CN102196427A

CN102196427A - Air interface key updating method and system

Info

Publication number: CN102196427A
Application number: CN2010101434654A
Authority: CN
Inventors: 冯成燕; 谢峰; 刘扬; 陈玉芹; 陈琳; 江辉; 甘露
Original assignee: ZTE Corp
Current assignee: ZTE Corp
Priority date: 2010-03-05
Filing date: 2010-03-05
Publication date: 2011-09-21

Abstract

The invention discloses an air interface key updating method and system. The method comprises the following steps of: generating a deformed and authorized key AK* according to an authorized key AK by a terminal and a target base station when a terminal is about to be switched to equipment which adopts an advanced air interface; updating an air interface key according to the AK*; and updating the air interface key according to the authorized key AK by the terminal and the target base station when the terminal is about to be switched to equipment which adopts a traditional air interface, wherein the air interface key comprises message integrity protection keys (CMAC KEYs). In the invention, as the air interface key is updated in a terminal switching process, the safety of a system is improved.

Description

Air interface key method for updating and system

Technical field

The present invention relates to the communications field, in particular to a kind of air interface key method for updating and system.

Background technology

(the Institute of Electrical and Electronic Engineers of electronic motor engineering association, abbreviation IEEE) 802.16 standards systems are primarily aimed at metropolitan area network, its main target is wireless access system air interface physical layer (PHY) and medium access control layer (the Media Access Control of development in 2～66GHz (GHz) frequency band, be called for short MAC) standard, also relate to the coexistence standard between uniformity test relevant and the different radio connecting system simultaneously with air interface protocol.

According to whether supporting mobility, IEEE 802.16 standards can be divided into fixed broadband wireless and insert air-interface standard and mobile broadband wireless access air-interface standard, wherein 802.16d belongs to the fixed wireless access air-interface standard, pass in IEEE 802 committees, with the title issue of IEEE 802.16-2004 in June, 2004; And 802.16e belongs to mobile broadband wireless access air-interface standard, passes in IEEE 802 committees in November, 2005, with the title issue of IEEE802.16-2005.Inserting of microwave whole world interoperability authentication (the WorldwideInteroperability for Microwave Access of alliance, be called for short WiMAX) based on IEEE 802.16 air interface specification, become the wireless access wide band technology of influence power maximum in the world at present.

IEEE is working out the 802.16m standard at present, this standard is in order to study next step evolution path of WiMAX, target is to become the next generation mobile communication technical standard, and finally to (the International Telecommunication Unit of International Telecommunications Union, abbreviation ITU) senior international mobile telecommunication (International Mobile Telecommunications Advanced, abbreviation IMTAdvanced) one of standard, this standard is with the existing 802.16e standard of compatibility.

At present, advanced base station (Advanced Base Station has appearred, abbreviate ABS as, promptly support the base station of 802.16m agreement), advanced base station can compatible conventional terminal (Yardstick Mobile Station, abbreviate YMS as), similarly, advanced terminals (Advanced Mobile Station is designated hereinafter simply as AMS or terminal) also should be able to insert traditional base station (Yardstick Base Station, abbreviate YBS as, only support the base station of 802.16e agreement).The time zone (Time Zone) of advanced base station can be divided into two zones, promptly, the first area (is also referred to as first recessed region, 16m Zone, communicate with terminal, abbreviate MZone as with 802.16m function) and second area (be also referred to as traditional area, Legacy Zone, communicate with terminal, abbreviate LZone as) with 802.16e function.LZone is the continuous subframes of a positive integer, and wherein ABS communicates with the terminal with 802.16e function; MZone is the continuous subframes of a positive integer, and wherein ABS communicates with the terminal with 802.16m function.

Because terminal can adopt advanced communication protocol or conventional communication protocols, therefore, advanced terminals just can be operated in MZone or LZone.

In general, when the base station in the system when the traditional base station evolves to advanced base station, the network that the base station was positioned at (is also referred to as access service network, Access Service Network, be called for short ASN, comprise base station and gateway Gateway) also can evolve to advanced networks from legacy network accordingly.But, in the system of reality, because the development speed of base station and gateway is not necessarily synchronous, perhaps, market development requires using advance technology as early as possible, and the base station will occur is advanced base station, and the gateway in the access service network is a conventional gateway, be that access service network is the situation of legacy network, this access service network is called traditional ASN network.

After introducing this network model of traditional ASN network, in order to support this model, corresponding change need be done in the communication security aspect, so that do not support traditional access service network of 802.16m safety function can use the associated safety function of 802.16m definition.

The air interface key that defines in IEEE 802.16m system comprises: master session key (MasterSession Key; abbreviate MSK as); pairwise master key (Pairwise Master Key; abbreviate PMK as); authorization key (Authorization Key; abbreviate AK as); message integrity protection key (CMAC KEYs; comprise CMAC_KEY_U and CMAC_KEY_D; wherein CMAC_KEY_U is used for the up link administrative messag is carried out integrity protection; CMAC_KEY_D is used for downlink management message is carried out integrity protection); Business Stream encryption key (Traffic Encryption Key is called for short TEK).

Following mask body is introduced the generation method of each key in the 802.16m standard security scheme that has IEEE 802.16e standard now and propose at traditional ASN network:

MSK is the root key of all other keys of IEEE 802.16 definition, be terminal and authentication and authorization charging server (Authentication Authorization Accounting Server, abbreviate AAA Server as) at extendible authentication protocol (Extensible Authentication Protocol, abbreviate EAP as) produce separately in the authentication and authorization process, be used to derive other key such as PMK.

PMK is derived by MSK and goes out, and is used to derive AK.

PMK＝Truncate(MSK，160)；

Wherein, (x, described in definition y) such as the IEEE 802.16-2005: only as y≤x, Z is the last y position of x to Z=Truncate.Content in the quotation marks is represented character string.

AK is an authorization key, is derived and is gone out by PMK.It is used to derive the message integrity protection key.

The computational methods of AK are in the IEEE 802.16e standard:

AK＝Dot16KDF(PMK，MSID|BSID|“AK”，160)

The computational methods at the AK of IEEE 802.16m standard that propose in the existing scheme are:

AK＝Dot16KDF(PMK，MSID( ^*)|BSID|“AK”，160)

Wherein, Dot16KDF is the security algorithm of IEEE802.16 definition, and concrete definition can be with reference to 802.16-2005.BSID is the abbreviation of Base Station Identification.MSID ( ^*) represent MSID or MSID ^*, when advanced base station is connected to traditional access service network gateway (ASN-GW), use MSID to derive, when advanced base station is connected to advanced ASN-GW, use MSID ^*Derive, wherein, MSID ^*It is the Hash operation value of MSID.MSID is the abbreviation of (Mobile Station identifier is called for short MSID, is generally the terminal MAC Address) of terminal iidentification among the IEEE 802.16e.MSID ^*Be in order to protect terminal iidentification (MSID), thereby threaten the privacy of terminal and in 802.16m, introduce to avoid the assailant can obtain this address in the plaintext transmission of eating dishes without rice or wine.MSID ^*Computational methods as follows:

MSID ^*=Dot16KDF (MSID|80-bit zero padding, NONCE_MS, 48) wherein, when NONCE_MS was initial network entry, the random number that terminal generates, this random number can send to the base station by terminal in three-way handshake process after a while.

AK ^*Be the distortion of AK, its computational methods are as follows:

AK ^*＝Dot16KDF(AK，AK_COUNT|”AK ^*”，160)

Wherein, AK_COUNT and following CMAC_KEY_COUNT are counters, and the former is used for the 16m system, and the latter is used for the 16e system.The two effect is basic identical, is used to guarantee that same BS-MS is to generating different keys when switching or network re-entry or position renewal.After successfully finishing re-authentication, this counter zero setting.

CMAC KEYs is derived from by AK, is used for the integrity protection of administrative messag.

The computational methods of CMAC KEYs are in the IEEE 802.16e standard:

CMAC_KEY_U＝AES _{CMAC_PREKEY_U}(CMAC_KEY_COUNT)；

CMAC_KEY_D＝AES _{CMAC_PREKEY_D}(CMAC_KEY_COUNT)；

Wherein, CMAC_PREKEY_U|CMAC_PREKEY_D|KEK＜=Dot16KDF (AK, MSID|BSID| " CMAC_KEYS+KEK ", 384);

Wherein, KEK is key-encrypting key (Key Encryption Key), only is used to encrypt TEK in 16e, with the transmission of protecting TEK eating dishes without rice or wine.CMAC_KEY_COUNT is the network re-entry counter that uses among the 802.16e, acts on identical with the AK_COUNT among the 802.16m.

The computational methods of CMAC KEYs are in the IEEE 802.16m standard:

CMAC_KEY_U|CMAC_KEY_D＝Dot16KDF(AK ^*，“CMAC_KEYS”，256)；

TEK is used for user data is encrypted, to protect the confidentiality of the data of transmitting between terminal and base station.In 16e, TEK is the random number that the base station generates, and encrypt TEK with KEK the base station, sends to terminal then.In IEEE 802.16m standard, TEK is that terminal and base station generate respectively, is calculated as follows:

TEKi＝Dot16KDF(AK ^*，SAID|COUNTER_TEK＝i|”TEK”，128)；

Wherein, SAID is the Security Association sign of this TEK association.COUNTER_TEK is a counter, is used to derive belong to the TEK of same Security Association, and when deriving a new AK, COUNTER_TEK is changed to 0, after this, new TEK of every generation, this counter increases progressively 1.

The inventor finds: when introducing traditional ASN network, and after the key derivation of 802.16m has been done corresponding modify, if terminal is switched between the base station of legacy network and/or advanced networks, do not provide in the relevant criterion and how to carry out the renewal of air interface key, use original air interface key if still prolong, will there be certain potential safety hazard in system.And, effective solution is not proposed as yet at present at this security hidden trouble.

Summary of the invention

Main purpose of the present invention is to provide a kind of air interface key method for updating and system, to address the above problem at least.

According to an aspect of the present invention, provide a kind of air interface key method for updating, may further comprise the steps: when terminal will switch to when using advanced equipment of eating dishes without rice or wine, terminal and target BS generate distortion authorization key AK according to authorization key AK ^*According to AK ^*Upgrade air interface key; When terminal will switch to when using the equipment that tradition eats dishes without rice or wine, terminal and target BS upgrade air interface key according to authorization key AK; Air interface key comprises message integrity protection ciphering key MAC KEYs.

According to a further aspect in the invention, the system that provides a kind of air interface key to upgrade comprises terminal and target BS, and the first distortion authorization key generation module is used for generating distortion authorization key AK according to authorization key AK ^*The first air interface key update module is used for according to AK ^*Upgrade air interface key, air interface key comprises message integrity protection ciphering key MACKEYs; And target BS comprises: the second distortion authorization key generation module is used for generating distortion authorization key AK according to authorization key AK ^*The second air interface key update module is used for according to AK ^*Upgrade air interface key, air interface key comprises message integrity protection ciphering key MAC KEYs.

In accordance with a further aspect of the present invention, the system that provides a kind of air interface key to upgrade, comprise terminal and target BS, target BS is the traditional base station, or target BS is the advanced base station of mixed mode, and terminal will switch to the traditional area of advanced base station, and terminal and target BS are used for upgrading air interface key according to authorization key AK; Air interface key comprises message integrity protection ciphering key MAC KEYs.

By the present invention, when adopting terminal between legacy network and/or advanced networks, to switch, air interface key is upgraded, strengthened the fail safe of system.

Description of drawings

Accompanying drawing described herein is used to provide further understanding of the present invention, constitutes the application's a part, and illustrative examples of the present invention and explanation thereof are used to explain the present invention, do not constitute improper qualification of the present invention.In the accompanying drawings:

Fig. 1 is the system architecture diagram that upgrades according to the air interface key that the embodiment of the invention provides;

Fig. 2 is the air interface key method for updating flow chart that provides according to the embodiment of the invention;

Fig. 3 is the air interface key method for updating flow chart that provides according to the embodiment of the invention one;

Fig. 4 is the air interface key method for updating flow chart that provides according to the embodiment of the invention two;

Fig. 5 is the air interface key method for updating flow chart that provides according to the embodiment of the invention three;

Fig. 6 is the air interface key method for updating flow chart that provides according to the embodiment of the invention four;

Fig. 7 is the air interface key method for updating flow chart that provides according to the embodiment of the invention five;

Fig. 8 is the air interface key method for updating flow chart that provides according to the embodiment of the invention six;

Fig. 9 is the air interface key method for updating flow chart that provides according to the embodiment of the invention seven;

Figure 10 is the air interface key method for updating flow chart that provides according to the embodiment of the invention eight;

Figure 11 is the air interface key method for updating flow chart that provides according to the embodiment of the invention nine;

Figure 12 is the air interface key method for updating flow chart that provides according to the embodiment of the invention ten;

Figure 13 is the air interface key method for updating flow chart that provides according to the embodiment of the invention 11;

Figure 14 is the air interface key method for updating flow chart that provides according to the embodiment of the invention 12; And

Figure 15 is the air interface key method for updating flow chart that provides according to the embodiment of the invention 13.

Embodiment

Hereinafter will describe the present invention with reference to the accompanying drawings and in conjunction with the embodiments in detail.Need to prove that under the situation of not conflicting, embodiment and the feature among the embodiment among the application can make up mutually.

The system that the embodiment of the invention provides a kind of air interface key to upgrade, referring to Fig. 1, the system architecture diagram that the air interface key that provides for present embodiment upgrades, this system comprises terminal, serving BS and target BS.Wherein, this terminal comprises:

The first distortion authorization key generation module 10 is used for generating distortion authorization key AK according to authorization key AK ^*

The first air interface key update module 12 is used for according to AK ^*Upgrade air interface key, this air interface key comprises message integrity protection ciphering key MAC KEYs;

This target BS comprises: the second distortion authorization key generation module 20 is used for generating distortion authorization key AK according to authorization key AK ^*

The second air interface key update module 22 is used for according to AK ^*Upgrade air interface key, this air interface key comprises message integrity protection ciphering key MAC KEYs.

Above-mentioned target BS is advanced base station, or this target BS is the advanced base station of mixed mode, and at this moment, above-mentioned terminal will switch to the first recessed region of this advanced person base station.

The system that the embodiment of the invention also provides a kind of air interface key to upgrade, this system comprises terminal, serving BS and target BS.This target BS is the traditional base station, or target BS is the advanced base station of mixed mode, and this terminal will switch to the traditional area of this advanced person base station, and at this moment, this terminal and this target BS are used for upgrading air interface key according to authorization key AK; Wherein, air interface key comprises message integrity protection ciphering key MAC KEYs.

Base station in the embodiment of the invention can think that perhaps the gateway behind the base station is transparent to terminal corresponding to the access service network ASN (comprising base station and access service network gateway) of WiMAX Forum network work group definition, the visible just base station of terminal.Owing in ieee standard, only relate to and eat dishes without rice or wine, thereby the gateway among the access service network ASN can be called network entity.The function of describing in the function of terminal and target BS and the following method is corresponding.

The terminal of present embodiment and target BS are according to AK ^*Upgrade air interface key, strengthened the fail safe of system, and then made system have more practicality.

In embodiments of the present invention, corresponding to said system, present embodiment provides a kind of air interface key method for updating, referring to Fig. 2, is air interface key method for updating flow chart, and this method may further comprise the steps:

Step 30, when terminal will switch to when using advanced equipment of eating dishes without rice or wine, this terminal and target BS generate distortion authorization key AK according to authorization key AK ^*According to AK ^*Upgrade air interface key; Perhaps

Step 32, when terminal will switch to when using the equipment that tradition eats dishes without rice or wine, this terminal and target BS upgrade air interface key according to authorization key AK;

Wherein, the advanced base station of using advanced equipment of eating dishes without rice or wine to comprise advanced base station or use the mixed mode of first recessed region; The equipment that uses tradition to eat dishes without rice or wine comprises traditional base station or the advanced base station of using the mixed mode of traditional area;

Above-mentioned air interface key comprises message integrity protection ciphering key MAC KEYs.

The trigger condition that above-mentioned terminal and target BS carry out the air interface key renewal comprises one of following switching: terminal is switched between traditional access service network ASN and advanced ASN network; The ASN network that the serving BS of terminal is connected with target BS all is traditional ASN network; The ASN network that the serving BS of terminal is connected with target BS all is advanced ASN network; Terminal is switched between the first recessed region MZone of advanced networks and traditional area LZone.

The formula that the embodiment of the invention generates each key use can no longer describe in detail here with reference to the formula in the correlation technique.

Terminal in the said method and target BS are according to AK or AK ^*Upgrade air interface key, strengthened the fail safe of communicating by letter between terminal and the target BS, and then made its corresponding system have more practicality.

Below by specific embodiment the technical scheme that the embodiment of the invention provides is described in detail.

Embodiment one

Present embodiment provides a kind of air interface key method for updating, this method is applied in the wireless communication system, terminal is switched between traditional ASN network and advanced ASN network, and this method is applicable to that equally also the ASN network that the serving BS of terminal is connected with target BS all is traditional ASN network; The ASN network that the serving BS of terminal is connected with target BS all is advanced ASN network; In the present embodiment, target BS is advanced base station, and the AK that uses when terminal switches to target BS does not need to upgrade, and directly uses the AK of former service network.On the basis of AK, derivation AK ^*Use AK ^*Message integrity protection ciphering key MAC KEYs and Business Stream encryption key TEK derive.

Referring to Fig. 3, be the air interface key method for updating flow chart that present embodiment provides, this method comprises the steps:

Step 101, when switching was initiated by terminal, terminal sent handoff request message (AAI_HO-REQ) to serving BS, and request is switched.When this step is only applicable to switch and is initiated by terminal.

Step 102, when switching when being initiated by serving BS, or after serving BS receives the handoff request message that terminal sends, serving BS is to target BS (this target BS may for a plurality of) transmission handoff request message.This message is carried the contextual information of this terminal of part, comprising: AK and AK context thereof, network re-entry counter AK_COUNT or CMAC_KEY_COUNT.

This message may need the forwarding through gateway in the access service network, because traditional gateway can only be discerned CMAC_KEY_COUNT, so, need carry out following processing according to serving BS and the residing concrete network environment of target BS:

1) all is positioned at traditional ASN network for serving BS and target BS, be that serving BS all links to each other with conventional gateway with target BS, serving BS sends CMAC_KEY_COUNT to target ASN network, target BS need be changed back AK_COUNT once more with the CMAC_KEY_COUNT that receives, and uses again;

2) all be positioned at advanced ASN network for serving BS and target BS, promptly serving BS all links to each other with advanced gateway with target BS, directly transmits AK_COUNT between serving BS and the target BS, need not change;

3) be positioned at traditional ASN network for serving BS, target BS is positioned at advanced ASN network, and promptly serving BS links to each other with conventional gateway, and target BS links to each other with advanced gateway, then serving BS sends CMAC_KEY_COUNT to target BS, and target BS is converted into AK_COUNT;

4) be positioned at advanced ASN network for serving BS, target BS is positioned at traditional ASN network, and promptly serving BS links to each other with advanced gateway, and target BS links to each other with conventional gateway, then serving BS needs earlier AK_COUNT to be converted to CMAC_KEY_COUNT, sends to target ASN network again; Target BS need be changed back AK_COUNT once more with the CMAC_KEY_COUNT that receives, and uses again.

Step 103, target BS sends switching response message to serving BS, and it is wherein optional that to carry to terminal indicating target base station be the advanced ASN network or the indication information of traditional ASN network.

Step 104, serving BS sends switching command message (AAI_HO-CMD) to terminal, wherein portability is connected to the advanced ASN gateway or the indication information of traditional ASN gateway to terminal indicating target base station, and perhaps to be to use terminal (addressing) sign of compatible advanced ASN still be terminal (addressing) sign of compatible traditional ASN in the indicating target base station.

Step 105, terminal sends switch indicating information (AAI_HO-IND) to serving BS, the advanced Base Station Identification of the target that affirmation will be switched.This step is optional.

Step 106, serving BS and target BS carry out switch acknowledgment message reciprocal process.This step is optional.

May trigger grappling authenticator redirection process in the above-mentioned steps.In this redirection process, former grappling authenticator is transmitted to the safe context of this terminal the grappling authenticator of target.

Step 107, terminal increase progressively the value of network re-entry counter AK_COUNT, calculate AK according to AK and AK_COUNT ^*, according to AK ^*Calculate CMAC KEYs and TEK; Target BS calculates AK according to AK that receives and AK_COUNT ^*, according to AK ^*Calculate CMAC KEYs and TEK.

Wherein, the operation of target BS also can be carried out after step 102 or step 103 or step 108 in the step 107.

Step 108, terminal sends distance measurement request message (AAI_RNG-REQ) to target BS, wherein carries: the summary CMAC of this message that is calculated by the CMAC KEY that generates.

Step 109, target BS verifies to the summary CMAC in the distance measurement request message that receives that with the CMAC KEY that generates if be proved to be successful, then target BS sends ranging response message (AAI_RNG-RSP) to terminal.This message both can be done integrity protection (this moment, this message was carried the summary CMAC of this message that the CMACKEY that generated by the advanced base station of target calculates) with CMACKEY, also can encrypt and integrity protection this message with TEK.

Also can comprise the operation of target BS synchronous terminal side and base station side AK_COUNT value in this step.This operation is with the definition among the agreement 802.16m, slightly different is, if the authenticator that target BS connects is traditional ASN gateway, then target BS need be converted to the CMAC_KEY_COUNT value AK_COUNT value from authenticator reception network re-entry Counter Value the time; And target BS need be converted to the AK_COUNT value CMAC_KEY_COUNT value when authenticator sends the network re-entry Counter Value.Other operations are constant, repeat no more herein.

The ranging response message that end-on is received is done checking, or does deciphering and checking.If be proved to be successful, the then key updating of terminal and target ABS success continues following switching flow.

When the terminal in the present embodiment is switched, carry out the renewal of air interface key between traditional ASN network and advanced ASN network, increased the fail safe of communication.

Embodiment two

Present embodiment provides a kind of air interface key method for updating, this method is applied in the wireless communication system, terminal is switched between traditional ASN network and advanced ASN network, serving BS in the present embodiment and target BS all are advanced base stations, serving BS links to each other with conventional gateway, and target BS links to each other with advanced gateway; The difference of this embodiment and embodiment one is: terminal switches to the AK that uses behind the target BS among this embodiment needs to upgrade, and AK derives on the basis of the AK after the renewal ^*Use AK ^*CMAC KEYs and TEK derive.

Referring to Fig. 4, be the air interface key method for updating flow chart that present embodiment provides, this method comprises the steps:

Step 201-206 is with the step 101-106 among the embodiment 1.

Step 207, terminal generate first random number, and present embodiment is end side random number N ONCE_AMS, and according to end side random number N ONCE_AMS, generate the cryptographic Hash AMSID of terminal iidentification ^*This step and step 205,206 do not have strict time order and function order.

Step 208, terminal increase progressively network re-entry counter AK_COUNT, according to AMSID ^*BSID calculates AK with the target BS sign, calculates AK according to AK and the AK_COUNT that increases progressively ^*, according to AK ^*Calculate CMAC KEYs and TEK.Increase progressively network re-entry counter and step 207 in this step and do not have strict time sequencing.

Terminal and/or target BS may need network re-entry counter CMAC_KEY_COUNT value is converted to AK_COUNT in this step.This conversion terminal can be carried out before increasing progressively the network re-entry counter, also can carry out after increasing progressively the network re-entry counter.

Increasing progressively network re-entry counter AK_COUNT and also can replace with and make that the AK_COUNT value is 0 or 1 in the step 208.

Step 209, terminal sends distance measurement request message (AAI_RNG-REQ) to target BS, wherein carries: end side random number N ONCE_AMS, or terminal iidentification cryptographic Hash AMSID ^*, and the summary CMAC of this message that calculates by the CMAC KEY that generates.

Step 210, if terminal sends to target BS is NONCE_AMS, then target BS calculates AMSID according to the NONCE_AMS that receives ^*If that terminal sends to target BS is AMSID ^*, the target BS AMSID that need not derive again then ^*Target BS is according to AMSID ^*And/or target BS sign calculating AK, calculate AK according to AK and AK_COUNT ^*, according to AK ^*Calculate CMAC KEYs and TEK.

The operation of calculating AK herein can occur in network entity, as ASN gateway place.AK ^*Betide place, ASN base station with the derivation of CMAC KEYs and TEK.

Step 211, target BS verifies to the summary CMAC in the distance measurement request message that receives that with the CMAC KEY that generates if be proved to be successful, then target BS sends ranging response message (AAI_RNG-RSP) to terminal.This message both can be done integrity protection (this moment, this message was carried the summary CMAC of this message that the CMAC KEY that generated by the advanced base station of target calculates) with CMAC KEY, also can encrypt and integrity protection this message with TEK.

If the ranging response message that receives of terminal has only been done integrity protection, then the ranging response message received of end-on carries out CMAC with the message integrity protection key that generates and verifies; If the ranging response message that receives has been done encryption and integrity protection simultaneously, then terminal is decrypted with the Business Stream encryption key this message, and verifies the integrality of this message.If be proved to be successful, the then key updating of terminal and target ABS success continues following switching flow.

In this embodiment, the random number N ONCE_AMS that the base station generates also can generate before step 205, and carries to target BS by serving BS in step 205.At this moment, the operation 210 of target BS side also can betide before the step 209.

Embodiment three

Present embodiment provides a kind of air interface key method for updating, this method is applied in the wireless communication system, terminal is switched between traditional ASN network and advanced ASN network, serving BS in the present embodiment and target BS all are advanced base stations, serving BS links to each other with conventional gateway, and target BS links to each other with advanced gateway; The difference of this embodiment and embodiment two is: AMSID in the present embodiment ^*The generation parameter uses is the random number N ONCE_ABS that target BS generates.

Referring to Fig. 5, be the air interface key method for updating flow chart that present embodiment provides, this method comprises the steps:

Step 301-302 is with the step 101-102 among the embodiment 1.

Step 303: the target BS of advanced ASN network generates base station side random number N ONCE_ABS.

Step 304-307 is with the step 103-106 among the embodiment 1.Unique difference is that the message in step 304 and 305 will carry parameter: base station side random number N ONCE_ABS.

Step 308, terminal increase progressively network re-entry counter AK_COUNT.Terminal and target BS generate AMSID respectively according to base station side random number N ONCE_ABS ^*, then according to AMSID ^*Calculate AK.Terminal and target BS calculate AK according to AK and AK_COUNT respectively ^*, according to AK ^*Calculate CMAC KEYs and TEK.

Terminal and/or target BS may need network re-entry counter CMAC_KEY_COUNT value is converted to AK_COUNT in this step.This conversion terminal can be carried out before increasing progressively the network re-entry counter, also can carry out after increasing progressively the network re-entry counter.Increase progressively that network re-entry counter AK_COUNT also can replace with terminal and target BS AK_COUNT is set to 0 or 1 in the step 308.

The processing that target BS in the step 308 carries out also can betide after step 303 or 304 or 309.

Step 309, terminal sends distance measurement request message (AAI_RNG-REQ) to target BS, wherein carries: the summary CMAC of this message that is calculated by the CMAC KEY that generates.

Step 310, this step is with the step 109 among the embodiment one.

Embodiment four

Present embodiment provides a kind of air interface key method for updating, this method is applied in the wireless communication system, when terminal is switched between advanced ASN network and advanced ASN network, carry out air interface key and upgrade, this method equally also is applicable between traditional ASN network and the traditional ASN network.Based on BSID AK is upgraded in the present embodiment.

The difference of this embodiment and embodiment two is: terminal switches to the AK based target Base Station Identification renewal of using behind the target BS among this embodiment, on the basis of the AK after the renewal, and derivation AK ^*Use AK ^*Integrity Key CMAC KEYs and encryption key TEK derive.

As shown in Figure 6, the air interface key method for updating flow chart that provides for present embodiment.Specifically comprise the steps:

Step 3001-3006 is with the step 101-106 among the embodiment 1.

Step 3007, terminal and target BS respectively according to target BS sign ABSID and AMSID ( ^*) new AK derives.When target BS is the advanced base station that is connected to advanced networks, during derivation AK, use AMSID ^*,, during derivation AK, use AMSID when target BS is the advanced base station that is connected to legacy network.Calculate the operation of AK and can for example carry out at the gateway place at network entity at the target BS place.

Step 3008, terminal increase progressively network re-entry counter AK_COUNT (or make the AK_COUNT value is 0 or 1), calculate AK according to AK and the AK_COUNT that increases progressively ^*, according to AK ^*Calculate CMAC KEYs and TEK.

Target BS directly uses AK_COUNT, or makes that the AK_COUNT value is 0 or 1, calculates AK according to AK and AK_COUNT ^*, according to AK ^*Calculate CMAC KEYs and TEK.This operation of target BS side also can betide after the step 3002,3003 or 3009.

Step 3009, terminal sends distance measurement request message (AAI_RNG-REQ) to target BS, wherein carries: the summary CMAC of this message that is calculated by the CMAC KEYs that generates.

Step 3010, target BS verifies to the summary CMAC in the distance measurement request message that receives that with the CMAC KEYs that generates if be proved to be successful, then target BS sends ranging response message (AAI_RNG-RSP) to terminal.This message both can be done integrity protection (this moment, this message was carried the summary CMAC of this message that the CMAC KEYs that generated by the advanced base station of target calculates) with CMACKEYs, also can encrypt and integrity protection this message with TEK.

When the terminal in the present embodiment is switched, carry out the renewal of air interface key between advanced ASN network and advanced ASN network, increased the fail safe of communication.

Embodiment five

Present embodiment provides a kind of air interface key method for updating, this method is applied in the wireless communication system, terminal is switched between traditional ASN network and advanced ASN network, serving BS in the present embodiment and target BS all are advanced base stations, serving BS links to each other with advanced gateway, and target BS links to each other with conventional gateway; Upgrade AK according to the terminal MAC Address in the present embodiment.

Referring to Fig. 7, be the air interface key method for updating flow chart that present embodiment provides, this method comprises the steps:

Step 401-406 is with the step 101-106 among the embodiment 1.

Step 407, terminal increase progressively the value of network re-entry counter AK_COUNT, and target BS directly uses the AK_COUNT value that receives or change.Terminal recomputates AK according to terminal MACADDRESS (MAC Address), calculates AK according to AK and AK_COUNT again ^*, according to AK ^*Calculate CMAC KEYs and TEK; Target BS calculates AK according to terminal MAC ADDRESS, calculates AK according to AK and AK_COUNT again ^*, according to AK ^*Calculate CMAC KEYs and TEK.

The operation of target BS herein also can be carried out after step 402 or step 403 or step 408.

Increase progressively that network re-entry counter AK_COUNT also can replace with terminal and target BS AK_COUNT is set to 0 or 1 in the step 407.

Step 408-409 is with the step 108-109 among the embodiment one.

Whether the gateway type that the gateway that the key updating mode of above embodiment one to four can be connected to according to Current Serving BTS and target BS are connected to consistent selects and makes up, if Current Serving BTS and one of target BS are connected to traditional gateway, another is connected to advanced gateway, then needs to upgrade AK (promptly using the scheme of embodiment two or embodiment three or embodiment four).Especially, the terminal gateway type that can be connected to according to target BS indicated in the AAI_HO-CMD message carries out correspondingly key updating and handles.

Embodiment six

Present embodiment provides a kind of air interface key method for updating, and the terminal in this method switches to the LZone of target ABS according to legacy protocol from service YBS, finishes just to begin the zone after the network insertion and change (Zone Switch).More than two steps be referred to as handover.The LZone of service YBS and target ABS can be connected to same access service network gateway, also can be connected to different gateways.But the service network gateway that the LZone of service YBS and target ABS is connected all is a gateway of supporting legacy protocol.The service network gateway that the MZone of target ABS connects can be a gateway of supporting legacy protocol, also can be the gateway of supporting advanced agreement.

In zone conversion, terminal can disconnect earlier and being connected of the LZone of target ABS, and the MZone with target ABS connects (Break Before Establishment is abbreviated as BBE) again, shown in embodiment six; Also can keep and being connected up to regional EOC (Establish Before Break is abbreviated as EBB) shown in embodiment five of the LZone of target ABS.No longer relate to the difference of this dual mode in the following description, only describe identical place:

Referring to Fig. 8, the air interface key method for updating flow chart that provides for present embodiment.The AK that uses when terminal is changed from LZone to MZone among this embodiment does not need to upgrade, and directly uses the AK of LZone.On the basis of AK, derivation AK ^*Use AK ^*Message integrity protection ciphering key MAC KEYs and Business Stream encryption key TEK derive.This method comprises the steps:

Step 501, the LZone of terminal, service YBS and target ABS carries out the message interaction process of handoff preparation phase.This process is identical with the switching set-up procedure of 802.16e, repeats no more herein.

Step 502, terminal sends distance measurement request message (RNG-REQ) to the LZone of target ABS.

Step 503, target ABS sends ranging response message (RNG-RSP) at LZone to terminal.

Step 504, the LZone of terminal and target ABS sets up data channel.

Step 505, terminal sends distance measurement request message (RNG-REQ) to the LZone of target ABS, carrier area conversion request wherein, this step is optional.

Step 506, target ABS sends ranging response message (RNG-RSP) at LZone to terminal, wherein carrier area conversion command message (Zone Switch TLV).Wherein optional carrying to the MZone of terminal indicating target ABS is connected to the advanced ASN network or the indication information of traditional ASN network, and perhaps to be to use terminal (addressing) sign of compatible advanced ASN still be terminal (addressing) sign of compatible traditional ASN to the MZone of indicating target ABS.

Concrete, LZone and MZone can belong to same Access Service Network Gateway, also can belong to different Access Service Network Gateway.When LZone and MZone belonged to same Access Service Network Gateway, this gateway was for supporting the gateway of legacy protocol; When LZone and MZone belonged to different Access Service Network Gateway, LZone belonged to the gateway of supporting legacy protocol, and MZone belongs to the gateway of supporting advanced agreement or the gateway of supporting legacy protocol.

Step 507, terminal increase progressively the value (AK_COUNT=AK_COUNT+1) of network re-entry counter AK_COUNT.Terminal and target ABS calculate AK according to AK and AK_COUNT ^*, according to AK ^*Calculate CMAC KEYs and TEK.

Increase progressively that network re-entry counter AK_COUNT also can replace with terminal and target BS AK_COUNT is set to 0 or 1 in the step 507.

The calculating of above-mentioned terminal and target ABS is independent mutually.CMAC KEYs herein and the derivation formula of TEK are consistent with the definition among the 16m.

Step 508, the MZone of terminal and target ABS sets up down-going synchronous;

Step 509, terminal sends distance measurement request message (AAI_RNG-REQ) to MZone, wherein carries: the summary CMAC of this message that is calculated by the CMAC KEYs that generates.

Step 510, target ABS verifies that with the CMAC KEYs that generates if be proved to be successful, then target ABS sends ranging response message (AAI_RNG-RSP) at MZone to terminal at MZone to the summary CMAC in the distance measurement request message that receives.This message both can be done integrity protection (this moment, this message was carried the summary CMAC of this message that the CMAC KEYs that generated by target ABS calculates) with CMAC KEYs, also can encrypt and integrity protection this message with TEK.

Also can comprise the operation of target ABS synchronous terminal side and base station side AK_COUNT value in this step.Except the name translation that may have AK_COUNT and CMAC_KEY_COUNT, this is operated with the definition among the agreement 802.16m, repeats no more herein.

Step 511, terminal are set up data with the MZone of target ABS and are connected.

Embodiment seven

In the present embodiment, terminal switches to the LZone of target ABS according to legacy protocol from service YBS, just begins zone conversion (Zone Switch) after also not finishing network insertion.More than two steps be referred to as handover.The LZone of service YBS and target ABS can be connected to same access service network gateway, also can be connected to different gateways.But the service network gateway that the LZone of service YBS and target ABS is connected all is a gateway of supporting legacy protocol.The service network gateway that the MZone of target ABS connects can be a gateway of supporting legacy protocol, also can be the gateway of supporting advanced agreement.

The AK that uses when terminal is changed from LZone to MZone in the present embodiment does not need to upgrade, and directly uses the AK of LZone.On the basis of AK, derivation AK ^*Use AK ^*Message integrity protection ciphering key MAC KEYS and Business Stream encryption key TEK derive.

Referring to Fig. 9, be the air interface key method for updating flow chart that present embodiment provides, this method comprises the steps:

Step 601, the LZone of terminal, service YBS and target ABS carries out the message interaction process of handoff preparation phase.This process is identical with the switching set-up procedure of 802.16e, repeats no more herein.

Step 602, terminal sends distance measurement request message (RNG-REQ) to the LZone of target ABS.

Step 603, target ABS sends ranging response message (RNG-RSP) at LZone to terminal, wherein carrier area conversion command information (Zone Switch TLV).Wherein optional carrying to the MZone of terminal indicating target ABS is connected to the advanced ASN network or the indication information of traditional ASN network, and perhaps to be to use terminal (addressing) sign of compatible advanced ASN still be terminal (addressing) sign of compatible traditional ASN to the MZone of indicating target ABS.

Step 604, terminal increase progressively the value (AK_COUNT=AK_COUNT+1) of network re-entry counter AK_COUNT.Terminal and target ABS calculate AK according to AK and AK_COUNT ^*, according to AK ^*Calculate CMAC KEYs and TEK.

Terminal in the step 604 increases progressively the value of network re-entry counter AK_COUNT, and replaceable the value of AK_COUNT is 0 or 1 for terminal and target ABS make respectively.Base station side is after more the operation of new key also can betide step 606.

The calculating of above-mentioned terminal and target ABS is independent mutually.CMAC KEYs herein and the derivation formula of TEK are consistent with the definition among the 16m, no longer describe in detail here.

Step 605, the MZone of terminal and target ABS sets up down-going synchronous.

Step 606, terminal sends distance measurement request message (AAI_RNG-REQ) to Mzone, wherein carries: the summary CMAC of this message that is calculated by the CMAC KEYs that generates.

Step 607, advanced base station verifies that with the CMAC KEYs that generates if be proved to be successful, then advanced base station sends ranging response message (AAI_RNG-RSP) at MZone to terminal at MZone to the summary CMAC in the distance measurement request message that receives.This message both can be done message integrity protection (this moment, this message was carried the summary CMAC of this message that the CMAC KEYs that generated by advanced base station calculates) with CMAC KEYs, also can encrypt and integrity protection this message with TEK.

Step 608, the MZone of terminal and target ABS sets up data channel.

Embodiment eight

Terminal in the present embodiment switches to the LZone of target ABS according to legacy protocol from service YBS, finishes just to begin the zone after the network insertion and change (Zone Switch).More than two steps be referred to as handover.The LZone of service YBS and target ABS can be connected to same access service network gateway, also can be connected to different gateways.But the service network gateway that the LZone of service YBS and target ABS is connected all is a gateway of supporting legacy protocol.The service network gateway that the MZone of target ABS connects is a gateway of supporting advanced agreement.

In the present embodiment, the AK that uses when terminal is changed from LZone to MZone needs to derive again.And on the basis of AK, derivation AK ^*Use AK ^*Message integrity protection ciphering key MAC KEYs and Business Stream encryption key TEK derive.

Referring to Figure 10, be the air interface key method for updating flow chart that present embodiment provides, this method comprises the steps:

Step 701-706, with the step 501 among the embodiment five to 506.

Step 707, terminal generate end side random number N ONCE_AMS, and according to NONCE_AMS derivation terminal iidentification cryptographic Hash AMSID ^*This step is carried out when terminal switches to the advanced base station of advanced ASN network from the traditional base station.

Step 708, terminal increase progressively the value (AK_COUNT=AK_COUNT+1) of network re-entry counter AK_COUNT, terminal according to AMSID ( ^*) AK that derives again, calculate AK according to AK and AK_COUNT then ^*, according to AK ^*Calculate CMACKEYs and TEK;

In this step when terminal be when switching to the advanced base station of traditional ASN network from the traditional base station, AK uses AMSID when deriving; When terminal is when switching to the advanced base station of advanced ASN network from the traditional base station, when deriving, uses AK AMSID ^*

Terminal may need network re-entry counter CMAC_KEY_COUNT value is converted to AK_COUNT in this step.This conversion terminal can be carried out before increasing progressively the network re-entry counter, also can carry out after increasing progressively the network re-entry counter.

It is 0 or 1 that the value that terminal in the step 708 increases progressively network re-entry counter AK_COUNT also can replace with the value that terminal makes AK_COUNT.AMSID herein ^*, AK, AK ^*, the derivation formula of CMAC KEYs and TEK can adopt the formula of correlation technique, no longer describes in detail here.

Step 709, the MZone of terminal and target ABS sets up down-going synchronous.

Step 710, terminal sends distance measurement request message (AAI_RNG-REQ) to Mzone, wherein carries: the summary CMAC of this message that is calculated by the CMAC KEY that generates, and/or terminal random number N ONCE_AMS, and/or terminal iidentification cryptographic Hash AMSID ^*

Step 711, target ABS is after MZone receives distance measurement request message, if terminal has sent NONCE_AMS to target ABS, then target ABS generates AMSID according to the end side random number N ONCE_AMS that carries in the message ^*This step is optional.

Step 712, target ABS according to AMSID ( ^*) and/or the target BS sign AK that derives again, and calculate AK according to AK and AK_COUNT ^*, according to AK ^*Calculate CMAC KEYs and TEK.

Target ABS is upgrading AK herein ^*Before, can increase progressively the value (AK_COUNT=AK_COUNT+1) of network re-entry counter AK_COUNT.

Target ABS verifies to the summary CMAC in the distance measurement request message that receives that with the CMAC KEYs that generates if be proved to be successful, then execution in step 712, otherwise regional convert failed, target ABS sends ranging response message indication refusal and inserts.

Step 713, target ABS sends ranging response message (AAI_RNG-RSP) at MZone to terminal.This message both can be done integrity protection (this moment, this message was carried the summary CMAC of this message that the CMAC KEYs that generated by target ABS calculates) with CMAC KEYs, also can encrypt and integrity protection this message with TEK.

Step 714, the MZone of terminal and target ABS sets up data channel.

Embodiment nine

In the present embodiment, terminal switches to the LZone of target ABS according to legacy protocol from service YBS, just begins zone conversion (Zone Switch) after also not finishing network insertion.More than two steps be referred to as handover.The LZone of service YBS and target ABS can be connected to same access service network gateway, also can be connected to different gateways.But the service network gateway that the LZone of service YBS and target ABS is connected all is a gateway of supporting legacy protocol.The service network gateway that the MZone of target ABS connects is a gateway of supporting advanced agreement.

Referring to Figure 11, be the air interface key method for updating flow chart that present embodiment provides, this method comprises the steps:

Step 801-803 is with the step 601-603 among the embodiment six.

Step 804, terminal generate end side random number N ONCE_AMS, and according to NONCE_AMS derivation terminal iidentification cryptographic Hash AMSID ^*This step is carried out when terminal switches to the advanced base station of advanced ASN network from the traditional base station.

Step 805, terminal increase progressively the value (AK_COUNT=AK_COUNT+1) of network re-entry counter AK_COUNT, according to AMSID ( ^*) and/or the target ABS sign AK that derives again, calculate AK according to AK and AK_COUNT then ^*, according to AK ^*Calculate CMAC KEYs and TEK;

The value that terminal in the step 805 increases progressively network re-entry counter AK_COUNT also can replace with terminal and target ABS and make that the value of AK_COUNT is 0 or 1.AMSID herein ^*, AK, AK ^*, the derivation formula of CMAC KEYs and TEK can adopt the formula of correlation technique, no longer describes in detail here.

Step 806, the MZone of terminal and target ABS sets up down-going synchronous.

Step 807, terminal sends distance measurement request message (AAI_RNG-REQ) to Mzone, wherein carries: the summary CMAC of this message that is calculated by the CMAC KEYs that generates, and/or end side random number N ONCE_AMS, and/or terminal iidentification cryptographic Hash AMSID ^*

Step 808, target ABS is after MZone receives distance measurement request message, if terminal sends to target ABS is NONCE_AMS, then target ABS generates AMSID according to the end side random number N ONCE_AMS that carries in the message ^*This step is optional.

Step 809, target ABS according to AMSID ( ^*) and/or the target BS sign AK that derives again, and calculate AK according to AK and AK_COUNT ^*, according to AK ^*Calculate CMACKEYs and TEK.

Target ABS verifies to the summary CMAC in the distance measurement request message that receives that with the CMAC KEY that generates if be proved to be successful, then execution in step 809, inserts otherwise advanced base station sends ranging response message (AAI_RNG-REQ) indication refusal.

Step 810, target ABS sends ranging response message (AAI_RNG-RSP) at MZone to terminal.This message both can be done integrity protection (this moment, this message was carried the summary CMAC of this message that the CMAC KEYs that generated by target ABS calculates) with CMAC KEYs, also can encrypt and integrity protection this message with TEK.

Step 811, the MZone of terminal and target ABS sets up data channel.

Embodiment ten

Present embodiment provides a kind of air interface key method for updating, this method is applied in terminal when advanced base station switches to the traditional base station, advanced base station may be the base station of 16m-only, it also may be the base station that contains the mixed-mode mixed mode of LZone and MZone, the base station of 16m-only is connected to advanced gateway, the LZone of the base station of mixed mode is connected to traditional gateway, and MZone may be connected to the gateway of supporting legacy protocol, also may be connected to the gateway of supporting advanced agreement.

Referring to Figure 12, be the air interface key method for updating flow chart that present embodiment provides, this method comprises the steps:

Step 901-906 is identical with the step 101-106 of embodiment one, no longer describes in detail here.

Step 907, terminal increase progressively the value of network re-entry counter CMAC_KEY_COUNT, according to the AK calculating CMAC KEYs and/or the KEK of CMAC_KEY_COUNT and storage; Target BS calculates CMAC KEYs and/or KEK according to AK.This operation at target BS place also can be carried out after step 902 or step 903 or step 908.

Terminal and/or target BS may need network re-entry counter AK_COUNT value is converted to CMAC_KEY_COUNT in this step.This conversion terminal can be carried out before increasing progressively the network re-entry counter, also can carry out after increasing progressively the network re-entry counter.

Step 908, terminal sends distance measurement request message (RNG-REQ) to target BS, wherein carries: the summary CMAC of this message that is calculated by the CMAC KEY that generates.

Step 909, target BS verifies to the summary CMAC in the distance measurement request message that receives that with the CMAC KEYs that generates if be proved to be successful, then target BS sends ranging response message (RNG-RSP) to terminal.This message is done integrity protection (this moment, this message was carried the summary CMAC of this message that the CMAC KEYs that generated by the advanced base station of target calculates) with CMAC KEYs.

Also can comprise the operation of target BS synchronous terminal side and base station side CMACKEY_COUNT value in this step.This operation repeats no more with the definition among the agreement 802.16e herein.

The ranging response message that end-on is received is done checking.If be proved to be successful, the then key updating of terminal and target BS success continues following switching flow.

When the terminal in the present embodiment switches to the traditional base station in advanced base station, carry out the renewal of air interface key, increased the fail safe of communication.

Embodiment 11

Present embodiment provides a kind of air interface key method for updating, and the target BS in the present embodiment is advanced base station, and the terminal of this method is carried out air interface key and upgraded when the MZone of advanced base station is transformed into LZone.The MZone of this advanced person base station may be connected to the gateway of supporting legacy protocol, also may be connected to the gateway of supporting advanced agreement.

Referring to Figure 13, be the air interface key method for updating flow chart that present embodiment provides, this method comprises the steps:

Step 1001, terminal sends handoff request message (AAI_HO-REQ) to the MZone of advanced base station, and indication is transformed into LZone this base station under from the MZone of advanced base station, and promptly (zone switch) changed in the zone from MZone to LZone, and this step is optional.

Step 1002, advanced base station send switching command message (AAI_HO-CMD) on one's own initiative or based on the handoff request of terminal.

Step 1003, terminal sends switch indicating information to the MZone of advanced base station, and indication is transformed into LZone this base station under from the MZone of advanced base station, and promptly (zone switch) changed in the zone from MZone to LZone, and this step is optional.

Step 1004, terminal increase progressively the value of network re-entry counter CMAC_KEY_COUNT, calculate CMAC KEYs and/or KEK according to CMAC_KEY_COUNT and AK; CMAC KEYs and/or KEK are calculated according to AK in advanced base station.This operation at place, base station also can be carried out after step 1002 or step 1003 or step 1005.

Step 1005, terminal sends distance measurement request message (RNG-REQ) to the LZone of advanced base station, wherein carries: the summary CMAC of this message that is calculated by the CMAC KEYs that generates.

Step 1006, advanced base station verifies to the summary CMAC in the distance measurement request message that receives at LZone that with the CMAC KEYs that generates if be proved to be successful, then advanced base station sends ranging response message (RNG-RSP) to terminal.This message is done integrity protection (this moment, this message was carried the summary CMAC of this message that the CMAC KEYs that generated by the base station calculates) with CMACKEYs.

Also can comprise the operation of advanced base station synchronization end side and base station side CMACKEY_COUNT value in this step.This operation repeats no more with the definition among the agreement 802.16e herein.

The ranging response message that end-on is received is done checking.If be proved to be successful, the then key updating of terminal and BS success continues following switching flow.

When the first recessed region of the terminal in the present embodiment in advanced base station switches to traditional area, carry out the renewal of air interface key, increased the fail safe of communication.

Embodiment 12

Present embodiment provides a kind of air interface key method for updating, and the target BS in the present embodiment is the traditional base station, and serving BS is advanced base station, when the terminal of this method switches to the traditional base station from advanced base station, carries out air interface key and upgrades.Advanced base station may be the base station of 16m-only, it also may be the base station that contains the mixed-mode mixed mode of LZone and MZone, the base station of 16m-only is connected to advanced gateway, and the LZone of the base station of mixed mode is connected to traditional gateway, and MZone is connected to the gateway of supporting advanced agreement.

Referring to Figure 14, be the air interface key method for updating flow chart that present embodiment provides, this method comprises the steps:

Step 1101-1106 is with the step 101-106 of embodiment one.

Step 1107, terminal increase progressively the value of network re-entry counter CMAC_KEY_COUNT.Terminal recomputates AK according to MAC ADDRESS (MAC Address), and calculates CMAC KEYs and/or KEK according to CMAC_KEY_COUNT and AK; Target BS calculates AK according to the MAC ADDRESS and the PMK of terminal, and calculates CMAC KEYs and/or KEK according to AK and network re-entry counter CMAC_KEY_COUNT.

The operation of target BS also can be carried out after step 1102 or step 1103 or step 1108 in this step.

It is 0 or 1 that the value that terminal in the step 1107 increases progressively network re-entry counter AK_COUNT also can replace with the value that terminal and target BS make AK_COUNT.AK herein, the derivation formula of CMAC KEYs and KEK can adopt the formula of correlation technique, no longer describes in detail here.

Step 1108, terminal sends distance measurement request message (RNG-REQ) to target BS, wherein carries: the summary CMAC of this message that is calculated by the CMAC KEYs that generates.

Step 1109, target BS verifies to the summary CMAC in the distance measurement request message that receives that with the CMAC KEYs that generates if be proved to be successful, then target BS sends ranging response message (RNG-RSP) to terminal.This message is done integrity protection (this moment, this message was carried the summary CMAC of this message that the CMAC KEYs that generated by the advanced base station of target calculates) with CMAC KEYs.

When the terminal in the present embodiment switches to the traditional base station by advanced base station, carry out the renewal of air interface key, increased the fail safe of communication.

Embodiment 13

Present embodiment provides a kind of air interface key method for updating, and the target BS in the present embodiment is advanced base station, and the terminal of this method has been carried out the air interface key renewal when the MZone of advanced base station is transformed into LZone.The MZone of this advanced person base station in the present embodiment is connected to the gateway of supporting advanced agreement.

Referring to Figure 15, be the air interface key method for updating flow chart that present embodiment provides, this method comprises the steps:

Step 1201, terminal sends handoff request message (AAI_HO-REQ) to the MZone of target BS, and indication is transformed into LZone under this base station from the MZone of target BS, i.e. zone switch from MZone to LZone, this step is optional.

Step 1202, target BS send switching command message (AAI_HO-CMD) on one's own initiative or based on the handoff request of terminal.

Step 1203, terminal sends switch indicating information to the MZone of target BS, and indication is transformed into LZone under this base station from the MZone of target BS, i.e. zone switch from MZone to LZone, this step is optional.

Step 1204, terminal increase progressively the value of network re-entry counter CMAC_KEY_COUNT, and terminal is calculated AK according to MAC ADDRESS, calculate CMAC KEYs and/or KEK according to CMAC_KEY_COUNT and AK then; Target BS calculates AK according to terminal MACADDRESS, calculates CMAC KEYs and/or KEK according to AK and network re-entry counter CMAC_KEY_COUNT value then.

The operation of target BS also can be carried out after step 1202 or step 1203 or step 1205 in this step.

It is 0 or 1 that the value that terminal in the step 1204 increases progressively network re-entry counter AK_COUNT also can replace with the value that terminal and target BS make AK_COUNT.AK herein, the derivation formula of CMAC KEYs and KEK can adopt the formula of correlation technique, no longer describes in detail here.

Step 1205, terminal sends distance measurement request message (RNG-REQ) to the LZone of target BS, wherein carries: the summary CMAC of this message that is calculated by the CMAC KEY that generates.

Step 1206, target BS verifies to the summary CMAC in the distance measurement request message that receives at LZone that with the CMAC KEY that generates if be proved to be successful, then target BS sends ranging response message (RNG-RSP) to terminal.This message is done integrity protection (this moment, this message was carried the summary CMAC of this message that the CMAC KEY that generated by the base station calculates) with CMAC KEY.

The above only is the preferred embodiments of the present invention.The present invention program is not limited to IEEE 802.16 systems, its associative mode can be applied in other wireless communication system.

As can be seen from the above description, the present invention has realized following technique effect: when the terminal in the present embodiment is switched, carried out the renewal of air interface key between advanced networks and/or legacy network, increased the fail safe of communication.

Obviously, those skilled in the art should be understood that, above-mentioned each module of the present invention or each step can realize with the general calculation device, they can concentrate on the single calculation element, perhaps be distributed on the network that a plurality of calculation element forms, alternatively, they can be realized with the executable program code of calculation element, thereby, they can be stored in the storage device and carry out by calculation element, and in some cases, can carry out step shown or that describe with the order that is different from herein, perhaps they are made into each integrated circuit modules respectively, perhaps a plurality of modules in them or step are made into the single integrated circuit module and realize.Like this, the present invention is not restricted to any specific hardware and software combination.

The above is the preferred embodiments of the present invention only, is not limited to the present invention, and for a person skilled in the art, the present invention can have various changes and variation.Within the spirit and principles in the present invention all, any modification of being done, be equal to replacement, improvement etc., all should be included within protection scope of the present invention.

Claims

1. an air interface key method for updating is characterized in that, may further comprise the steps:

When terminal will switch to when using advanced equipment of eating dishes without rice or wine, described terminal and target BS generate distortion authorization key AK according to authorization key AK ^*According to AK ^*Upgrade air interface key;

When terminal will switch to when using the equipment that tradition eats dishes without rice or wine, described terminal and target BS upgrade air interface key according to authorization key AK;

Described air interface key comprises message integrity protection ciphering key MAC KEYs.

2. method according to claim 1 is characterized in that, described advanced base station of using advanced equipment of eating dishes without rice or wine to comprise advanced base station or use the mixed mode of first recessed region; The described equipment that uses tradition to eat dishes without rice or wine comprises traditional base station or the advanced base station of using the mixed mode of traditional area.

3. method according to claim 1 is characterized in that, the trigger condition that described air interface key upgrades comprises one of following switching:

Terminal is switched between traditional access service network ASN and advanced ASN network;

The ASN network that the serving BS of terminal is connected with target BS all is traditional ASN network;

The ASN network that the serving BS of terminal is connected with target BS all is advanced ASN network;

Terminal is switched between the first recessed region MZone of advanced networks and traditional area LZone.

4. method according to claim 1 is characterized in that, terminal and target BS generate distortion authorization key AK according to authorization key AK ^*Comprise:

Described terminal increases progressively AK_COUNT, generates distortion authorization key AK according to AK_COUNT that increases progressively and AK ^*

Described target BS generates distortion authorization key AK according to AK and AK_COUNT ^*

5. method according to claim 1 is characterized in that, terminal and target BS generate distortion authorization key AK according to authorization key AK ^*Comprise:

Described terminal and target BS AK_COUNT are set to 0 or be set to 1, generate distortion authorization key AK according to AK_COUNT after being provided with and AK ^*

6. method according to claim 1 is characterized in that, terminal and target BS generate distortion authorization key AK according to authorization key AK ^*Comprise:

Described terminal increases progressively CMAC_KEY_COUNT, and the value of the CMAC_KEY_COUNT after will increasing progressively is composed to AK_COUNT, generates distortion authorization key AK according to AK_COUNT after being provided with and AK ^*

7. according to the described method of the arbitrary claim of claim 1, it is characterized in that when terminal will switch to when using advanced equipment of eating dishes without rice or wine, described air interface key also comprises Business Stream encryption key TEK.

8. according to the described method of the arbitrary claim of claim 1-7, it is characterized in that described terminal and target BS generate distortion authorization key AK according to authorization key AK ^*Step before also comprise:

Described terminal and described target BS upgrade authorization key AK;

Correspondingly, described terminal and target BS generate distortion authorization key AK according to authorization key AK ^*Step in AK be the AK after upgrading.

9. method according to claim 8 is characterized in that, described terminal and described target BS upgrade authorization key AK and comprise:

Described terminal and described target BS are according to the sign cryptographic Hash of described terminal, and/or described target BS sign generates authorization key AK.

10. method according to claim 9, it is characterized in that, the sign cryptographic Hash of described terminal generates according to the sign and the random number of described terminal, and described random number comprises first random number of described terminal generation and/or second random number that described target BS generates.

11. method according to claim 10, it is characterized in that described first random number is generated by described terminal, the implementation phase switching, described terminal is carried described first random number to the distance measurement request message that described target BS sends in the described distance measurement request message;

Described second random number is generated by described target BS, and in handoff preparation phase, described target BS sends switching response message to serving BS, and described switching response message is carried described second random number; Described serving BS is transmitted to described terminal by switching command message or switching response message with described second random number.

12. method according to claim 8 is characterized in that, described terminal and described target BS upgrade authorization key AK and comprise:

Described terminal and described target BS generate authorization key AK according to the sign of described terminal and/or the sign of described target BS.

13. method according to claim 1 is characterized in that, when terminal will switch to when using the equipment that tradition eats dishes without rice or wine, described air interface key also comprises key-encrypting key KEK.

14. the system that air interface key upgrades is characterized in that comprise terminal and target BS, described terminal comprises:

The first distortion authorization key generation module is used for generating distortion authorization key AK according to authorization key AK ^*

The first air interface key update module is used for according to AK ^*Upgrade air interface key, described air interface key comprises message integrity protection ciphering key MAC KEYs; And

Described target BS comprises:

The second distortion authorization key generation module is used for generating distortion authorization key AK according to authorization key AK ^*

The second air interface key update module is used for according to AK ^*Upgrade air interface key, described air interface key comprises message integrity protection ciphering key MAC KEYs.

15. system according to claim 14 is characterized in that, described target BS is advanced base station, or described target BS is the advanced base station of mixed mode, and described terminal will switch to the first recessed region of described advanced base station.

16. system that air interface key upgrades, it is characterized in that, comprise terminal and target BS, described target BS is the traditional base station, or described target BS is the advanced base station of mixed mode, and described terminal will switch to the traditional area of described advanced base station, and described terminal and described target BS are used for upgrading air interface key according to authorization key AK; Described air interface key comprises message integrity protection ciphering key MAC KEYs.