CN105027495B - Method for verifying a key, base station, user equipment and core network element - Google Patents
- Publication number: CN105027495B (application CN201480000891.9A)
- Authority: CN (China)
- Prior art keywords: secondary base station, user equipment, key, base station, derived
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Active
Classifications
- H—ELECTRICITY > H04—ELECTRIC COMMUNICATION TECHNIQUE > H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols > H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords > H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H—ELECTRICITY > H04—ELECTRIC COMMUNICATION TECHNIQUE > H04W—WIRELESS COMMUNICATION NETWORKS > H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity > H04W12/06—Authentication
- H—ELECTRICITY > H04—ELECTRIC COMMUNICATION TECHNIQUE > H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00 > H04L2209/80—Wireless
- H—ELECTRICITY > H04—ELECTRIC COMMUNICATION TECHNIQUE > H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L2463/00—Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00 > H04L2463/061—Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00 applying further key derivation, e.g. deriving traffic keys from a pair-wise master key
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Mobile Radio Communication Systems (AREA)
Abstract
Embodiments of the present invention provide a method for verifying a key, a base station, a user equipment and a core network element, which can verify whether the key between a user equipment and a secondary base station is correct, and so avoid data errors or even service interruption between the user equipment and the secondary base station caused by an incorrect key or algorithm. The specific solution is as follows. The user equipment sends check information to a base station, the check information being obtained after the user equipment protects preset data, known to both the user equipment and the base station, using a key derived by the user equipment and a preset algorithm, where the preset algorithm includes at least one of an encryption algorithm and an integrity protection algorithm. After receiving the check information, the base station obtains target data according to the same preset algorithm, the key derived by the secondary base station and the check information, and judges, according to the preset data, the check information and the target data, whether the key derived by the user equipment is the same as the key derived by the base station. The present invention is used for verifying the key between a user equipment and a base station.
Description
Technical field
The present invention relates to the communications field, and in particular to a method for verifying a key, a base station, a user equipment and a core network element.
Background
Carrier aggregation in a Long Term Evolution (LTE) system can be broadly divided into intra-base-station cell aggregation and inter-base-station cell aggregation. Intra-base-station cell aggregation is controlled by a single evolved Node B (eNB) and is comparatively simple. Inter-base-station carrier aggregation addresses, for example, how base stations connected by a non-ideal backhaul link realize dual connectivity, that is, how the resources of two base stations are used to transmit data to a terminal in connected state in order to improve terminal throughput.
In an inter-base-station carrier aggregation scheme, the master base station needs to establish bearers of the user equipment (UE) on the secondary base station. However, neither the master base station nor the secondary base station can know whether the secondary-base-station key derived by the UE is correct, and when that key is incorrect the service between the UE and the secondary base station is interrupted.
Summary of the invention
Embodiments of the present invention provide a method for verifying a key, a base station, a user equipment and a core network element, which can verify whether the key between a user equipment and a secondary base station is correct, and so avoid service interruption between the user equipment and the secondary base station caused by an incorrect key or algorithm.
To achieve the above objective, the embodiments of the present invention adopt the following technical solutions.
According to a first aspect, an embodiment of the present invention provides a base station, the base station including:
a receiving unit, configured to receive check information sent by a user equipment, where the check information is obtained after the user equipment protects preset data using a key derived by the user equipment and a preset algorithm, the preset algorithm including at least one of an encryption algorithm and an integrity protection algorithm;
an obtaining unit, configured to obtain target data according to a key derived by the base station, the preset algorithm, the preset data and the check information; and
a judging unit, configured to judge, according to the preset data, the check information and the target data, whether the key derived by the user equipment is the same as the key derived by the base station.
With reference to the first aspect, in a first possible implementation, the base station further includes:
a reset unit, configured to, if the key derived by the user equipment and the key derived by the base station are not the same, make the user equipment derive the key again or make the user equipment delete the base station.
With reference to the first aspect, in a second possible implementation, the receiving unit is specifically configured to:
receive, from a master base station over the X2 interface, a base station addition complete message, the base station addition complete message carrying the check information; or
receive a medium access control message sent by the user equipment, the medium access control message carrying the check information; or
receive packet data convergence protocol data sent by the user equipment, the packet data convergence protocol data carrying the check information.
With reference to the first aspect, in a third possible implementation, the preset data includes at least one of the following:
a cell identity under the secondary base station, a physical cell identity under the secondary base station, a cell radio network temporary identifier under the secondary base station, a cell identity under the master base station, a physical cell identity under the master base station, a cell radio network temporary identifier under the master base station, identification data stored by both the secondary base station and the user equipment, data transmitted by the master base station or the secondary base station to the user equipment, or a fixed number.
With reference to the first aspect, in a fourth possible implementation, the base station is a secondary base station.
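The check that the first aspect describes, as an added example (not code from the patent): the UE protects preset data both sides already know with the key it derived, the base station recomputes with its own derived key, and the two sides agree only if the keys agree. HMAC-SHA256 stands in for the LTE integrity algorithm and an HMAC-based counter-mode keystream for the LTE encryption algorithm; the 16-byte keys, the PCI/C-RNTI preset data and the CHECK_NONCE value are all constructed for the example. The same bs_verify runs unchanged at a master base station verifying on the secondary base station's behalf (second aspect) if it is given the secondary base station's derived key.

```python
import hashlib
import hmac

MAC_LEN = 4  # 32-bit tag, the length of the LTE PDCP MAC-I


def mac_i(key: bytes, data: bytes) -> bytes:
    """Integrity protection of `data` under `key`. HMAC-SHA256 truncated to
    MAC_LEN stands in for the LTE integrity algorithm (assumption)."""
    return hmac.new(key, data, hashlib.sha256).digest()[:MAC_LEN]


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream built from HMAC-SHA256, standing in for the LTE
    encryption algorithm (assumption). `nonce` plays the role of the
    COUNT/bearer/direction input, so this keystream is not shared with traffic."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt: XOR with the keystream is its own inverse."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


CHECK_NONCE = b"key-check"  # assumed: a value never used for a user-plane PDU


def ue_check_info(ue_key: bytes, preset: bytes, algorithm: str) -> bytes:
    """UE side: protect the preset data with the key the UE derived."""
    if algorithm == "integrity":
        return mac_i(ue_key, preset)
    if algorithm == "encryption":
        return stream_xor(ue_key, CHECK_NONCE, preset)
    raise ValueError("unknown preset algorithm: %s" % algorithm)


def bs_verify(bs_key: bytes, preset: bytes, check_info: bytes, algorithm: str) -> bool:
    """Base station side: compute the target data with its own derived key and
    compare. Integrity variant: target = MAC(bs_key, preset), keys match iff
    target == check_info. Encryption variant: target = decrypt(bs_key,
    check_info), keys match iff target == preset."""
    if algorithm == "integrity":
        target = mac_i(bs_key, preset)
        return hmac.compare_digest(target, check_info)
    if algorithm == "encryption":
        target = stream_xor(bs_key, CHECK_NONCE, check_info)
        return hmac.compare_digest(target, preset)
    raise ValueError("unknown preset algorithm: %s" % algorithm)


def run_key_check(ue_key: bytes, bs_key: bytes, preset: bytes, algorithm: str):
    """The whole exchange. Returns (keys_match, action); on mismatch the action
    is the one the patent prescribes: the UE derives the key again or deletes
    the secondary base station."""
    check_info = ue_check_info(ue_key, preset, algorithm)   # sent UE -> base station
    match = bs_verify(bs_key, preset, check_info, algorithm)
    return match, ("keep" if match else "ue_rederive_key_or_delete_senb")


# Constructed sample inputs (not from the patent).
# Preset data both sides know: PCI 123 and C-RNTI 0x5A3C under the SeNB.
PRESET = (123).to_bytes(2, "big") + (0x5A3C).to_bytes(2, "big")
K_UE = bytes.fromhex("000102030405060708090a0b0c0d0e0f")        # what the UE derived
K_SENB_OK = K_UE                                                 # SeNB derived the same key
K_SENB_BAD = bytes.fromhex("0f0e0d0c0b0a09080706050403020100")  # SeNB derived a different key

if __name__ == "__main__":
    for alg in ("integrity", "encryption"):
        print(alg, run_key_check(K_UE, K_SENB_OK, PRESET, alg))
        print(alg, run_key_check(K_UE, K_SENB_BAD, PRESET, alg))
```

Two points a reviewer would check. With the integrity variant the check information is a 32-bit tag, so a wrong key is accepted with probability 2^-32, adequate for detecting a derivation mismatch but not a substitute for authentication. With the encryption variant the preset data is public, so the check information reveals as many keystream bytes as it is long; the keystream input used for the check (CHECK_NONCE here, a COUNT/bearer/direction value in LTE) must never be reused for a user-plane PDU, or those bytes of that PDU are exposed. Comparisons use hmac.compare_digest so the verdict does not leak through timing.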
According to a second aspect, an embodiment of the present invention provides another base station, the base station including:
a receiving unit, configured to receive check information sent by a user equipment, where the check information is obtained after the user equipment protects preset data using a key derived by the user equipment and a preset algorithm, the preset algorithm including at least one of an encryption algorithm and an integrity protection algorithm;
an obtaining unit, configured to obtain target data according to a key derived by a secondary base station, the preset algorithm, the preset data and the check information;
a judging unit, configured to judge, according to the preset data, the check information and the target data, whether the key derived by the user equipment is the same as the key derived by the secondary base station, and obtain a judging result; and
a sending unit, configured to send the judging result to the secondary base station.
With reference to the second aspect, in a first possible implementation, the base station further includes:
a reset unit, configured to, if the key derived by the user equipment and the key derived by the secondary base station are not the same, make the user equipment delete the secondary base station or make the user equipment derive the key again.
With reference to the second aspect, in a second possible implementation, the receiving unit is specifically configured to:
receive a radio resource control message sent by the user equipment, the radio resource control message carrying the check information.
With reference to the second aspect, in a third possible implementation, the preset data includes at least one of the following:
a cell identity under the secondary base station, a physical cell identity under the secondary base station, a cell radio network temporary identifier under the secondary base station, a cell identity under the master base station, a physical cell identity under the master base station, a cell radio network temporary identifier under the master base station, identification data stored by both the secondary base station and the user equipment, data transmitted by the master base station or the secondary base station to the user equipment, or a fixed number.
According to a third aspect, an embodiment of the present invention provides a user equipment, the user equipment including:
a decryption unit, configured to decrypt received downlink data according to a key derived by the user equipment and a preset algorithm;
a judging unit, configured to judge, according to the decrypted data, whether the key derived by the user equipment is the same as a key derived by a secondary base station, including:
obtaining the Internet Protocol address and port number of the decrypted data packet;
if the Internet Protocol address and the port number can be identified, determining that the key derived by the user equipment is the same as the key derived by the secondary base station; or,
if the Internet Protocol address and/or the port number cannot be identified, determining that the key derived by the user equipment and the key derived by the secondary base station are not the same; and
a sending unit, configured to send the judging result to the secondary base station.
With reference to the third aspect, in a first possible implementation, the user equipment further includes:
a notification unit, configured to, if the key derived by the user equipment and the key derived by the secondary base station are not the same, notify a master base station to delete the secondary base station; or notify the master base station to add the secondary base station again; or notify the secondary base station, via the master base station, to re-trigger a reconfiguration procedure; or notify the secondary base station, via the master base station, to delete the secondary base station.
According to a fourth aspect, an embodiment of the present invention provides a core network element, the core network element including:
a receiving unit, configured to receive data obtained after a secondary base station decrypts uplink data sent by a user equipment using a key derived by the secondary base station and a preset algorithm;
a judging unit, configured to judge, according to the decrypted data, whether the key derived by the user equipment is the same as the key derived by the secondary base station, including:
obtaining the Internet Protocol address and port number of the decrypted data packet;
if the Internet Protocol address and the port number can be identified, determining that the key derived by the user equipment is the same as the key derived by the secondary base station; or,
if the Internet Protocol address and/or the port number cannot be identified, determining that the key derived by the user equipment and the key derived by the secondary base station are not the same; and
a sending unit, configured to send the result of the judgment to the secondary base station.
With reference to the fourth aspect, in a first possible implementation, the core network element further includes:
a notification unit, configured to, if the key derived by the user equipment and the key derived by the secondary base station are not the same, notify a master base station to delete the secondary base station; or notify the master base station to add the secondary base station again; or notify the secondary base station, via the master base station, to re-trigger a reconfiguration procedure; or notify the secondary base station, via the master base station, to delete the secondary base station.
With reference to the first possible implementation of the fourth aspect, in a second possible implementation, the notification unit is specifically configured to:
send a key-different message to a mobility management entity, the mobility management entity forwarding the key-different message to the master base station, so that the master base station, after receiving the key-different message, deletes the secondary base station or adds the secondary base station again; or notifies the secondary base station to re-trigger a reconfiguration procedure; or notifies the secondary base station to delete the secondary base station.
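An added example, not part of the patent, covering the test shared by the third aspect (the user equipment decrypting downlink data) and the fourth aspect (the core network element examining uplink data decrypted by the secondary base station): both sides decide that the keys match if the Internet Protocol address and port number can be identified in the plaintext. The patent does not say what identifying them means, so the concrete checks below (IPv4 version, header length, total length, header checksum, TCP/UDP protocol field, port fields) are this example's assumption; the sample packet and the wrong-key output are constructed.

```python
import struct


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of 16-bit words.
    Computed over a header whose checksum field is filled in, the result is 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def build_ipv4_udp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed plaintext: a minimal IPv4/UDP packet as it appears after
    decryption with the correct key (UDP checksum left at 0, i.e. absent)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0x4000,
                         64, 17, 0, ip_to_bytes(src), ip_to_bytes(dst))
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return header + udp


def identify_ip_and_port(plaintext: bytes):
    """The patent's test made concrete: return (src_ip, dst_ip, src_port,
    dst_port) if an IPv4 header and a TCP/UDP port pair can be identified in
    the decrypted data, else None. Version, IHL, total length, header checksum
    and protocol are all checked before the addresses are believed, so the
    random-looking output of a wrong key is rejected."""
    if len(plaintext) < 28:                       # 20-byte header plus the port pair
        return None
    version, ihl = plaintext[0] >> 4, (plaintext[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or ihl + 4 > len(plaintext):
        return None
    total_len = struct.unpack("!H", plaintext[2:4])[0]
    if total_len != len(plaintext):
        return None
    if ipv4_checksum(plaintext[:ihl]) != 0:
        return None
    if plaintext[9] not in (6, 17):               # TCP or UDP only
        return None
    sport, dport = struct.unpack("!HH", plaintext[ihl:ihl + 4])
    src = ".".join(str(b) for b in plaintext[12:16])
    dst = ".".join(str(b) for b in plaintext[16:20])
    return src, dst, sport, dport


def keys_match(decrypted: bytes) -> bool:
    """UE (downlink) or core network element (uplink): the keys are judged the
    same iff the IP address and port can be identified."""
    return identify_ip_and_port(decrypted) is not None


# Constructed samples (not from the patent).
GOOD = build_ipv4_udp("10.0.0.2", "203.0.113.5", 40000, 53,
                      b"\x12\x34\x01\x00" + b"\x00" * 8)
# What decryption with the wrong key yields: the plaintext XORed with the
# difference between the two keystreams, modelled here by a fixed mask.
WRONG = bytes(b ^ ((i * 37 + 11) & 0xFF) for i, b in enumerate(GOOD))

if __name__ == "__main__":
    print("correct key:", identify_ip_and_port(GOOD), keys_match(GOOD))
    print("wrong key  :", identify_ip_and_port(WRONG), keys_match(WRONG))
```

With these checks a wrong key is accepted only if its random-looking output happens to pass the version, length, protocol and checksum tests, about a 2^-16 chance for the checksum alone times the other filters, so one packet is a strong but not absolute signal and a receiver can require a few consecutive packets to pass before reporting a match. Two practical caveats: the test presumes the decrypted PDCP SDU is a plain IP packet, so on a bearer using ROHC header compression it must run after decompression; and the core network element only ever sees the result of the secondary base station's decryption, which is why the patent has it report the verdict back to the secondary base station rather than act on the key itself.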
According to a fifth aspect, an embodiment of the present invention provides a method for verifying a key, the method including:
receiving, by a secondary base station, check information sent by a user equipment, where the check information is obtained after the user equipment protects preset data using a key derived by the user equipment and a preset algorithm, the preset algorithm including at least one of an encryption algorithm and an integrity protection algorithm;
obtaining, by the secondary base station, target data according to a key derived by the secondary base station, the preset algorithm, the preset data and the check information; and
judging, by the secondary base station according to the preset data, the check information and the target data, whether the key derived by the user equipment is the same as the key derived by the secondary base station.
With reference to the fifth aspect, in a first possible implementation, the method further includes:
if the key derived by the user equipment and the key derived by the secondary base station are not the same, making the user equipment derive the key again or making the user equipment delete the secondary base station.
With reference to the fifth aspect, in a second possible implementation, receiving the check information sent by the user equipment includes:
receiving, from a master base station over the X2 interface, a base station addition complete message, the base station addition complete message carrying the check information; or
receiving a medium access control message sent by the user equipment, the medium access control message carrying the check information; or
receiving packet data convergence protocol data sent by the user equipment, the packet data convergence protocol data carrying the check information.
With reference to the fifth aspect, in a third possible implementation, the preset data includes at least one of the following:
a cell identity under the secondary base station, a physical cell identity under the secondary base station, a cell radio network temporary identifier under the secondary base station, a cell identity under the master base station, a physical cell identity under the master base station, a cell radio network temporary identifier under the master base station, identification data stored by both the secondary base station and the user equipment, data transmitted by the master base station or the secondary base station to the user equipment, or a fixed number.
According to a sixth aspect, an embodiment of the present invention provides a method for verifying a key, the method including:
receiving, by a master base station, check information sent by a user equipment, where the check information is obtained after the user equipment protects preset data using a key derived by the user equipment and a preset algorithm, the preset algorithm including at least one of an encryption algorithm and an integrity protection algorithm;
obtaining, by the master base station, target data according to a key derived by a secondary base station, the preset algorithm, the preset data and the check information;
judging, by the master base station according to the preset data, the check information and the target data, whether the key derived by the user equipment is the same as the key derived by the secondary base station, and obtaining a judging result; and
sending, by the master base station, the judging result to the secondary base station.
With reference to the sixth aspect, in a first possible implementation, the method further includes:
if the key derived by the user equipment and the key derived by the secondary base station are not the same, making the user equipment delete the secondary base station or making the user equipment derive the key again.
With reference to the sixth aspect, in a second possible implementation, receiving the check information sent by the user equipment includes:
receiving a radio resource control message sent by the user equipment, the radio resource control message carrying the check information.
With reference to the sixth aspect, in a third possible implementation, the preset data includes at least one of the following:
a cell identity under the secondary base station, a physical cell identity under the secondary base station, a cell radio network temporary identifier under the secondary base station, a cell identity under the master base station, a physical cell identity under the master base station, a cell radio network temporary identifier under the master base station, identification data stored by both the secondary base station and the user equipment, data transmitted by the master base station or the secondary base station to the user equipment, or a fixed number.
According to a seventh aspect, an embodiment of the present invention provides a method for verifying a key, the method including:
decrypting, by a user equipment, received downlink data according to a key derived by the user equipment and a preset algorithm;
judging, by the user equipment according to the decrypted data, whether the key derived by the user equipment is the same as a key derived by a secondary base station; and
sending, by the user equipment, the judging result to the secondary base station;
where judging, by the user equipment according to the decrypted data, whether the key derived by the user equipment is the same as the key derived by the secondary base station includes:
obtaining, by the user equipment, the Internet Protocol address and port number of the decrypted data packet;
if the Internet Protocol address and the port number can be identified, determining that the key derived by the user equipment is the same as the key derived by the secondary base station; or,
if the Internet Protocol address and/or the port number cannot be identified, determining that the key derived by the user equipment and the key derived by the secondary base station are not the same.
With reference to the seventh aspect, in a first possible implementation, if the key derived by the user equipment and the key derived by the secondary base station are not the same, the method further includes:
notifying a master base station to delete the secondary base station; or
notifying the master base station to add the secondary base station again; or
notifying the secondary base station, via the master base station, to re-trigger a reconfiguration procedure; or
notifying the secondary base station, via the master base station, to delete the secondary base station.
According to an eighth aspect, an embodiment of the present invention provides a method for verifying a key, the method including:
receiving, by a core network element, data obtained after a secondary base station decrypts uplink data sent by a user equipment using a key derived by the secondary base station and a preset algorithm;
judging, by the core network element according to the decrypted data, whether the key derived by the user equipment is the same as the key derived by the secondary base station; and
sending, by the core network element, the result of the judgment to the secondary base station;
where judging, by the core network element according to the decrypted data, whether the key derived by the user equipment is the same as the key derived by the secondary base station includes:
obtaining the Internet Protocol address and port number of the decrypted data packet;
if the Internet Protocol address and the port number can be identified, determining that the key derived by the user equipment is the same as the key derived by the secondary base station; or,
if the Internet Protocol address and/or the port number cannot be identified, determining that the key derived by the user equipment and the key derived by the secondary base station are not the same.
With reference to the eighth aspect, in a first possible implementation, if the key derived by the user equipment and the key derived by the secondary base station are not the same, the method further includes:
notifying a master base station to delete the secondary base station; or
notifying the master base station to add the secondary base station again; or
notifying the secondary base station, via the master base station, to re-trigger a reconfiguration procedure; or
notifying the secondary base station, via the master base station, to delete the secondary base station.
With reference to the first possible implementation of the eighth aspect, in a second possible implementation, notifying the master base station to delete the secondary base station or notifying the master base station to add the secondary base station again includes:
sending a key-different message to a mobility management entity, the mobility management entity forwarding the key-different message to the master base station, so that the master base station, after receiving the key-different message, deletes the secondary base station or adds the secondary base station again.
According to a ninth aspect, a base station is provided, the base station including a communication interface, a memory and a processor, where the communication interface is configured to communicate with network elements, the memory is configured to store computer code, and the processor executes the computer code to:
receive check information sent by a user equipment, where the check information is obtained after the user equipment protects preset data using a key derived by the user equipment and a preset algorithm, the preset algorithm including at least one of an encryption algorithm and an integrity protection algorithm;
obtain target data according to a key derived by the base station, the preset algorithm, the preset data and the check information; and
judge, according to the preset data, the check information and the target data, whether the key derived by the user equipment is the same as the key derived by the base station.
With reference to the ninth aspect, in a first possible implementation, the processor further executes the computer code to:
if the key derived by the user equipment and the key derived by the base station are not the same, make the user equipment derive the key again or make the user equipment delete the base station.
With reference to the ninth aspect, in a second possible implementation, the processor further executes the computer code to:
receive, from a master base station over the X2 interface, a base station addition complete message, the base station addition complete message carrying the check information; or
receive a medium access control message sent by the user equipment, the medium access control message carrying the check information; or
receive packet data convergence protocol data sent by the user equipment, the packet data convergence protocol data carrying the check information.
With reference to the ninth aspect, in a third possible implementation, the preset data includes at least one of the following:
a cell identity under the secondary base station, a physical cell identity under the secondary base station, a cell radio network temporary identifier under the secondary base station, a cell identity under the master base station, a physical cell identity under the master base station, a cell radio network temporary identifier under the master base station, identification data stored by both the secondary base station and the user equipment, data transmitted by the master base station or the secondary base station to the user equipment, or a fixed number.
With reference to the ninth aspect, in a fourth possible implementation, the base station is a secondary base station.
According to a tenth aspect, a base station is provided, the base station including a communication interface, a memory and a processor, where the communication interface is configured to communicate with network elements, the memory is configured to store computer code, and the processor executes the computer code to:
receive check information sent by a user equipment, where the check information is obtained after the user equipment protects preset data using a key derived by the user equipment and a preset algorithm, the preset algorithm including at least one of an encryption algorithm and an integrity protection algorithm;
obtain target data according to a key derived by a secondary base station, the preset algorithm, the preset data and the check information;
judge, according to the preset data, the check information and the target data, whether the key derived by the user equipment is the same as the key derived by the secondary base station, and obtain a judging result; and
send the judging result to the secondary base station.
With reference to the tenth aspect, in a first possible implementation, the processor further executes the computer code to:
if the key derived by the user equipment and the key derived by the secondary base station are not the same, make the user equipment delete the secondary base station or make the user equipment derive the key again.
With reference to the tenth aspect, in a second possible implementation, the processor further executes the computer code to:
receive a radio resource control message sent by the user equipment, the radio resource control message carrying the check information.
With reference to the tenth aspect, in a third possible implementation, the preset data includes at least one of the following:
a cell identity under the secondary base station, a physical cell identity under the secondary base station, a cell radio network temporary identifier under the secondary base station, a cell identity under the master base station, a physical cell identity under the master base station, a cell radio network temporary identifier under the master base station, identification data stored by both the secondary base station and the user equipment, data transmitted by the master base station or the secondary base station to the user equipment, or a fixed number.
According to an eleventh aspect, a user equipment is provided, the user equipment including a communication interface, a memory and a processor, where the communication interface is configured to communicate with network elements, the memory is configured to store computer code, and the processor executes the computer code to:
decrypt received downlink data according to a key derived by the user equipment and a preset algorithm;
judge, according to the decrypted data, whether the key derived by the user equipment is the same as a key derived by a secondary base station; and
send the judging result to the secondary base station;
where judging, according to the decrypted data, whether the key derived by the user equipment is the same as the key derived by the secondary base station includes:
obtaining the Internet Protocol address and port number of the decrypted data packet;
if the Internet Protocol address and the port number can be identified, determining that the key derived by the user equipment is the same as the key derived by the secondary base station; or,
if the Internet Protocol address and/or the port number cannot be identified, determining that the key derived by the user equipment and the key derived by the secondary base station are not the same.
With reference to the eleventh aspect, in a first possible implementation, the processor further executes the computer code to:
if the key derived by the user equipment and the key derived by the secondary base station are not the same, notify a master base station to delete the secondary base station; or notify the master base station to add the secondary base station again; or notify the secondary base station, via the master base station, to re-trigger a reconfiguration procedure; or notify the secondary base station, via the master base station, to delete the secondary base station.
A twelfth aspect provides a core network element. The core network element includes a communication interface, a memory and a processor; the communication interface is used for communicating with network elements, the memory is used for storing computer code, and the processor executes the computer code so as to:
receive the data obtained by the secondary base station after decrypting the uplink data sent by the user equipment according to the key derived by the secondary base station and the preset algorithm;
judge, according to the decrypted data, whether the key derived by the user equipment and the key derived by the secondary base station are identical; and
send the result of the judgement to the secondary base station;
where judging, according to the decrypted data, whether the key derived by the user equipment and the key derived by the secondary base station are identical includes:
obtaining the Internet Protocol address and port number of the decrypted data packet;
if the Internet Protocol address and the port number can be identified, determining that the key derived by the user equipment and the key derived by the secondary base station are identical; or
if the Internet Protocol address and/or the port number cannot be identified, determining that the key derived by the user equipment and the key derived by the secondary base station are not identical.
With reference to the twelfth aspect, in a first possible implementation, the processor executes the computer code and is further configured to:
if the key derived by the user equipment and the key derived by the secondary base station are not identical, notify the master base station to delete the secondary base station; or notify the master base station to add the secondary base station again; or notify, via the master base station, the secondary base station to re-trigger the reconfiguration procedure; or notify, via the master base station, the secondary base station to delete the secondary base station.
With reference to the first possible implementation of the twelfth aspect, in a second possible implementation, the processor executes the computer code and is further configured to:
send a key-mismatch message to the Mobility Management Entity, which forwards the key-mismatch message to the master base station, so that the master base station, after receiving the key-mismatch message, deletes the secondary base station or adds the secondary base station again.
Embodiments of the present invention provide a method of checking a key, together with a base station, a user equipment and a core network element. The user equipment sends check information to the base station; the check information is obtained by the user equipment by protecting preset data, known to both the user equipment and the base station, with the key derived by the user equipment and a preset algorithm, where the preset algorithm includes at least one of an encryption algorithm and an integrity protection algorithm. After receiving the check information, the base station obtains target data from the same preset algorithm, the key derived by the secondary base station and the check information, and judges from the preset data, the check information and the target data whether the key derived by the user equipment and the key derived by the base station are identical. Alternatively, after a connection has been established between the user equipment and the secondary base station, the user equipment, on receiving a downlink data packet, decrypts it with the key it derived in relation to the secondary base station and the corresponding security algorithm, and judges from whether the decrypted packet is correct whether its key related to the secondary base station is identical to the key derived by the secondary base station. Alternatively, after the connection has been established, the core network element receives the data obtained by the base station after decrypting the uplink data sent by the user equipment with the key derived by the base station and the preset algorithm, and judges from whether the decrypted packet is correct whether the key the user equipment derived in relation to the secondary base station is identical to the key derived by the secondary base station. In this way it can be verified whether the key between the user equipment and the secondary base station is correct, avoiding the data errors or even service interruption that an incorrect key or algorithm between the user equipment and the secondary base station would cause.
Brief description of the drawings
To explain the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are introduced briefly below. Evidently, the drawings described below show only some embodiments of the present invention, and a person of ordinary skill in the art may obtain other drawings from them without creative effort.
Fig. 1 is a first schematic structural diagram of a base station provided by an embodiment of the present invention;
Fig. 2 is a schematic flow diagram of key derivation in an LTE system;
Fig. 3 is a second schematic structural diagram of a base station provided by an embodiment of the present invention;
Fig. 4 is a first schematic structural diagram of another base station provided by an embodiment of the present invention;
Fig. 5 is a second schematic structural diagram of another base station provided by an embodiment of the present invention;
Fig. 6 is a first schematic structural diagram of a user equipment provided by an embodiment of the present invention;
Fig. 7 is a second schematic structural diagram of a user equipment provided by an embodiment of the present invention;
Fig. 8 is a first schematic structural diagram of a core network element provided by an embodiment of the present invention;
Fig. 9 is a second schematic structural diagram of a core network element provided by an embodiment of the present invention;
Fig. 10 is a first schematic flow diagram of a method of checking a key provided by an embodiment of the present invention;
Fig. 11 is a second schematic flow diagram of a method of checking a key provided by an embodiment of the present invention;
Fig. 12 is a third schematic flow diagram of a method of checking a key provided by an embodiment of the present invention;
Fig. 13 is a fourth schematic flow diagram of a method of checking a key provided by an embodiment of the present invention;
Fig. 14 is a fifth schematic flow diagram of a method of checking a key provided by an embodiment of the present invention;
Fig. 15 is a sixth schematic flow diagram of a method of checking a key provided by an embodiment of the present invention;
Fig. 16 is a seventh schematic flow diagram of a method of checking a key provided by an embodiment of the present invention;
Fig. 17 is an eighth schematic flow diagram of a method of checking a key provided by an embodiment of the present invention;
Fig. 18 is a schematic structural diagram of another base station provided by an embodiment of the present invention;
Fig. 19 is a schematic structural diagram of another base station provided by an embodiment of the present invention;
Fig. 20 is a schematic structural diagram of another user equipment provided by an embodiment of the present invention;
Fig. 21 is a schematic structural diagram of another core network element provided by an embodiment of the present invention.
Detailed description of embodiments
The technical solutions in the embodiments of the present invention are described below clearly and completely with reference to the drawings of those embodiments. Evidently, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments that a person of ordinary skill in the art obtains from the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
An embodiment of the present invention provides a base station 20 that can serve as a secondary base station. As shown in Fig. 1, the secondary base station 20 includes a receiving unit 21, an acquiring unit 22 and a judging unit 23.
The receiving unit 21 is configured to receive check information sent by the user equipment. The check information is obtained by the user equipment by protecting preset data with the key derived by the user equipment and a preset algorithm, where the preset algorithm includes at least one of an encryption algorithm and an integrity protection algorithm.
The preset data may be at least one of the following:
the cell identity under the secondary base station, the Physical Cell Identifier under the secondary base station, the Cell Radio Network Temporary Identifier under the secondary base station, the cell identity under the master base station, the Physical Cell Identifier under the master base station, the Cell Radio Network Temporary Identifier under the master base station, identification data stored by both the secondary base station and the user equipment, data that the master base station or the secondary base station has transmitted to the user equipment, or a fixed number.
For ease of description, the hierarchy of security keys in an LTE system is briefly described below. In LTE the keys on the UE side and on the Evolved Packet System (EPS) side are independent of each other, but the key derivation process on both sides is identical: every key is derived step by step with a Key Derivation Function (KDF), as shown in Fig. 2.
K is the permanent key stored inside the Universal Subscriber Identity Module (USIM) and the Authentication Center (AuC); it is the root on which the generation of all other keys is based.
CK is the encryption key derived from K, and IK is the integrity key derived from K. Both CK and IK are held in the UE and in the Home Subscriber Server (HSS).
K_ASME is a key derived by the UE and the HSS from CK and IK.
K_eNB is derived from K_ASME, or derived by the UE and the eNB, and is used to derive the various Access Stratum (AS) keys.
Next Hop (NH) is a key that the UE and the Mobility Management Entity (MME) derive from K_ASME; it is one kind of eNB key.
Keys for user plane traffic:
K_UPenc is derived by the UE and the eNB from K_eNB and the encryption algorithm, and is used to protect user plane data;
K_UPint is derived by the UE and the eNB from K_eNB and the integrity protection algorithm, and is used to protect user data between a Relay Node (RN) and its Donor eNB (DeNB).
Keys related to Radio Resource Control (RRC):
K_RRCint is derived by the UE and the eNB from K_eNB and the integrity protection algorithm, and is used to protect RRC messages;
K_RRCenc is derived by the UE and the eNB from K_eNB and the encryption algorithm, and is used to protect RRC messages.
K_NASenc is a key derived by the UE and the MME from K_ASME, used to protect the Non-Access Stratum (NAS) flow with the encryption algorithm.
K_NASint is a key derived by the UE and the MME from K_ASME, used to protect the NAS flow with the integrity protection algorithm.
Specifically, the keys derived by the user equipment in relation to the secondary base station may include at least one of K_eNB, K_UPenc, K_UPint, K_RRCint and K_RRCenc.
For example, the user equipment protects the cell identity under the secondary base station with the encryption algorithm and K_UPenc to obtain the check information.
Optionally, the receiving unit 21 may be specifically configured to:
receive a base station addition complete message from the master base station over the X2 interface, the base station addition complete message carrying the check information; or
receive a Medium Access Control message sent by the user equipment, the Medium Access Control message carrying the check information; or
receive Packet Data Convergence Protocol data sent by the user equipment, the Packet Data Convergence Protocol data carrying the check information.
For example, the check information may be carried in the RRC Connection Reconfiguration Complete Message that the UE sends to the master base station; after receiving the check information, the master base station carries it in the base station addition complete message it sends to the secondary base station.
Specifically, carrying the check information in the RRC Connection Reconfiguration Complete message can be realized by adding a security confirmation information element (securityConfirmation). For example, this can be realized by the following code:
where securityConfirmation may take the form of a byte stream (OCTET STRING), a bit string (BIT STRING (SIZE (xx))), or the like.
For example, selecting the preset data that goes into securityConfirmation can be realized by the following code:
--ASN1STOP
The UE generates securityConfirmation, which may be the integrity protection result computed over securityConfirmationInput with the integrity protection algorithm and the key of that algorithm; or the encryption result computed over securityConfirmationInput with the encryption algorithm and the key of that algorithm; or a combination of the two.
Assume that securityConfirmation is the result computed by the UE with the encryption algorithm and the derived K_UPenc related to the secondary base station. The master base station sends a base station addition complete message to the secondary base station over the X2 interface, the message carries securityConfirmation, and the secondary base station receives securityConfirmation.
Alternatively, for example, if the check information is included in a Medium Access Control (MAC) message sent by the user equipment, this can be realized specifically by adding securityConfirmation to the MAC message.
For example, a new Logical Channel Identifier (LCID) value, such as 01011, can be introduced specifically to indicate securityConfirmation, where L indicates the length of securityConfirmation; if securityConfirmation has a fixed length, L can be omitted and securityConfirmation placed directly. An existing LCID value can also be reused, with securityConfirmation added to an existing MAC message; or the UE can transmit securityConfirmation directly as data, or transmit it through the physical layer.
For example, selecting the preset data that goes into securityConfirmation can be realized by the following code:
The UE generates securityConfirmation, which may be the integrity protection result computed over securityConfirmationInput with the integrity protection algorithm and the key of that algorithm; or the encryption result computed over securityConfirmationInput with the encryption algorithm and the key of that algorithm; or a combination of the two.
Assume that securityConfirmation is the result computed by the UE with the integrity protection algorithm and the derived K_UPint or K_RRCint related to the secondary base station. securityConfirmation is added to the MAC message that the UE sends to the secondary base station, and the secondary base station receives securityConfirmation.
Alternatively, the check information may be included in Packet Data Convergence Protocol (PDCP) data sent by the user equipment.
For example, the check information may be securityConfirmation and the preset data may be securityConfirmationInput. The UE generates securityConfirmation, which may be the integrity protection result computed over securityConfirmationInput with the integrity protection algorithm and the key of that algorithm; or the encryption result computed over securityConfirmationInput with the encryption algorithm and the key of that algorithm; or a combination of the two.
For example, selecting the preset data that goes into securityConfirmation can be realized by the following code:
Assume that securityConfirmation is the result computed by the UE with the encryption algorithm and the derived K_UPenc related to the secondary base station. The master base station sends a base station addition complete message to the secondary base station over the X2 interface, the message carries securityConfirmation, and the secondary base station receives securityConfirmation.
The acquiring unit 22 is configured to obtain target data according to the key derived by the base station, the preset algorithm, the preset data and the check information.
For example, assume that the check information is securityConfirmation and the preset data is securityConfirmationInput, and that the check information is the result computed by the UE over securityConfirmationInput with the encryption algorithm and the derived K_UPenc related to the secondary base station. securityConfirmation is added to the base station addition complete message that the master base station sends to the secondary base station; after receiving securityConfirmation, the secondary base station decrypts it with the encryption algorithm and its own derived K_UPenc to compute a new securityConfirmationInput.
Alternatively, for example, assume that the check information is securityConfirmation and the preset data is securityConfirmationInput, and that the check information is the result computed by the UE over securityConfirmationInput with the integrity protection algorithm and the derived K_UPint or K_RRCint related to the secondary base station. securityConfirmation is added to the MAC message that the UE sends to the secondary base station; after receiving securityConfirmation, the secondary base station integrity-protects the securityConfirmationInput it has stored with the integrity protection algorithm and its own derived K_UPint or K_RRCint to compute a new securityConfirmation.
Alternatively, for example, assume that the check information is securityConfirmation and the preset data is securityConfirmationInput, and that the check information is the result computed by the UE over securityConfirmationInput with the encryption algorithm and the derived K_UPenc related to the secondary base station. securityConfirmation is added to the PDCP data that the UE sends to the secondary base station; after receiving securityConfirmation, the secondary base station decrypts the check information with the encryption algorithm and its own derived K_UPenc to compute a new securityConfirmationInput.
The judging unit 23 is configured to judge, according to the preset data, the check information and the target data, whether the key derived by the user equipment and the key derived by the base station are identical.
For example, assume that the check information is securityConfirmation and the preset data is securityConfirmationInput, that the check information is the result computed by the UE over securityConfirmationInput with the integrity protection algorithm and the derived K_UPint related to the secondary base station, and that securityConfirmationInput is the cell identification data under the secondary base station stored by both the UE and the secondary base station. After receiving securityConfirmation, the secondary base station computes a new securityConfirmation by integrity-protecting securityConfirmationInput with the integrity protection algorithm and its own derived K_UPint, and judges whether the new securityConfirmation and the received securityConfirmation are identical. If they are identical, the K_UPint derived by the UE in relation to the secondary base station and the K_UPint derived by the secondary base station itself are identical; otherwise they are not identical.
Alternatively, for example, assume that the check information is securityConfirmation and the preset data is securityConfirmationInput, that the check information is the result computed by the UE over securityConfirmationInput with the integrity protection algorithm and the derived K_RRCint related to the secondary base station, and that securityConfirmationInput is the cell identification data under the secondary base station stored by both the UE and the secondary base station. After receiving securityConfirmation, the secondary base station computes a new securityConfirmation by integrity-protecting securityConfirmationInput with the integrity protection algorithm and its own derived K_RRCint, and judges whether the new securityConfirmation and the received securityConfirmation are identical. If they are identical, the K_RRCint derived by the UE in relation to the secondary base station and the K_RRCint derived by the secondary base station itself are identical; otherwise they are not identical.
Alternatively, for example, assume that the check information is securityConfirmation and the preset data is securityConfirmationInput, and that the UE first integrity-protects securityConfirmationInput with the integrity protection algorithm and the derived K_UPint related to the secondary base station to obtain an intermediate variable securityConfirmationTemp, and then encrypts securityConfirmationTemp with the encryption algorithm and the derived K_UPenc related to the secondary base station to obtain securityConfirmation. After receiving securityConfirmation, the secondary base station first decrypts securityConfirmation with the encryption algorithm and its own derived K_UPenc to obtain securityConfirmationTemp; it then integrity-protects the securityConfirmationInput it has stored with the integrity protection algorithm and its derived K_UPint to obtain a new securityConfirmationTemp, and judges whether the new securityConfirmationTemp and the securityConfirmationTemp obtained by decrypting the received securityConfirmation are identical. If they are identical, the K_UPenc and K_UPint derived by the UE in relation to the secondary base station and the K_UPenc and K_UPint derived by the secondary base station itself are correspondingly identical; otherwise they are not identical.
Optionally, as shown in Fig. 3, the secondary base station 20 further includes:
a resetting unit 24, configured to make the user equipment derive the key again, or make the user equipment delete the base station, if the key derived by the user equipment and the key derived by the base station are not identical.
For example, if the result judged by the judging unit 23 is that the new securityConfirmation obtained after integrity protection differs from the received securityConfirmation, then the K_UPint derived by the UE in relation to the secondary base station and the K_UPint derived by the secondary base station itself are not identical, and the secondary base station may notify the UE to delete the secondary base station or make the UE derive the key related to the secondary base station again.
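The following Python program is an added illustration of the secondary base station check described above; it is not code from the patent or from any 3GPP implementation. It assumes an HMAC-SHA-256 stand-in for the key derivation function, a truncated HMAC tag as the stand-in integrity protection algorithm and an HMAC-derived XOR keystream as the stand-in encryption algorithm (none of these are the real EEA/EIA or TS 33.220 algorithms); the algorithm identifiers, K_eNB values and cell identity used as securityConfirmationInput are constructed. It runs all three variants (encryption only, integrity only, integrity then encryption) once with both sides holding the same K_eNB and once with the secondary base station holding a different key, which is the mismatch that would make the resetting unit 24 act.

```python
import hmac
import hashlib

# Constructed algorithm identifiers fed to the KDF (assumed values, not 3GPP's).
ALG_UP_ENC = b"\x03\x01"
ALG_UP_INT = b"\x04\x01"


def kdf(key: bytes, *params: bytes) -> bytes:
    """Stand-in KDF: HMAC-SHA-256 over the concatenated parameters."""
    return hmac.new(key, b"".join(params), hashlib.sha256).digest()


def derive_sec_keys(k_enb: bytes) -> dict:
    """Both the UE and the SeNB derive K_UPenc and K_UPint from K_eNB."""
    return {"K_UPenc": kdf(k_enb, ALG_UP_ENC), "K_UPint": kdf(k_enb, ALG_UP_INT)}


def integrity(key: bytes, data: bytes) -> bytes:
    """Stand-in integrity protection: 64-bit truncated HMAC tag."""
    return hmac.new(key, data, hashlib.sha256).digest()[:8]


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher: XOR with an HMAC-derived keystream.
    The same function encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        ks = hmac.new(key, offset.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], ks))
    return bytes(out)


def ue_security_confirmation(keys: dict, sc_input: bytes, mode: str) -> bytes:
    """UE side: protect securityConfirmationInput to get securityConfirmation."""
    if mode == "enc":                       # encrypt the preset data
        return keystream_xor(keys["K_UPenc"], sc_input)
    if mode == "int":                       # integrity-protect the preset data
        return integrity(keys["K_UPint"], sc_input)
    if mode == "int+enc":                   # MAC first, then encrypt the tag
        temp = integrity(keys["K_UPint"], sc_input)
        return keystream_xor(keys["K_UPenc"], temp)
    raise ValueError(mode)


def senb_keys_match(keys: dict, sc_input: bytes, sc: bytes, mode: str) -> bool:
    """SeNB side: recompute with its own keys and compare (constant time)."""
    if mode == "enc":
        # decrypt, then compare the recovered input with the stored preset data
        return hmac.compare_digest(keystream_xor(keys["K_UPenc"], sc), sc_input)
    if mode == "int":
        return hmac.compare_digest(integrity(keys["K_UPint"], sc_input), sc)
    if mode == "int+enc":
        temp = keystream_xor(keys["K_UPenc"], sc)
        return hmac.compare_digest(integrity(keys["K_UPint"], sc_input), temp)
    raise ValueError(mode)


def run_check(mode: str, ue_k_enb: bytes, senb_k_enb: bytes) -> bool:
    """One full exchange; True means the SeNB concludes the keys are identical."""
    sc_input = b"SCell-ID:0x1A2B3C"         # constructed preset data known to both
    ue_keys = derive_sec_keys(ue_k_enb)
    senb_keys = derive_sec_keys(senb_k_enb)
    sc = ue_security_confirmation(ue_keys, sc_input, mode)
    return senb_keys_match(senb_keys, sc_input, sc, mode)


def demo() -> dict:
    """Returns {mode: (matching keys result, mismatched keys result)}."""
    shared = bytes.fromhex("00" * 31 + "01")   # constructed K_eNB held by both sides
    stale = bytes.fromhex("ff" * 32)            # constructed wrong key on the SeNB
    return {mode: (run_check(mode, shared, shared), run_check(mode, shared, stale))
            for mode in ("enc", "int", "int+enc")}


if __name__ == "__main__":
    for mode, (ok, bad) in demo().items():
        print(f"{mode:8s} same K_eNB -> {ok}, stale K_eNB -> {bad}")
```

The comparison uses hmac.compare_digest rather than == so that a verifier on the base station side does not leak, through timing, how many bytes of a forged securityConfirmation were correct; the "enc" variant returns False when the decrypted bytes do not equal the stored preset data, which is the "new securityConfirmationInput differs" outcome the text describes.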
An embodiment of the present invention provides a base station that receives check information sent by the user equipment, where the check information is obtained by the user equipment by protecting preset data with the key derived by the user equipment and a preset algorithm, the preset algorithm including at least one of an encryption algorithm and an integrity protection algorithm; obtains target data according to the key derived by the base station, the preset algorithm, the preset data and the check information; and judges, according to the preset data, the check information and the target data, whether the key derived by the user equipment and the key derived by the base station are identical. In this way it can be verified whether the key between the user equipment and the secondary base station is correct, avoiding the service interruption between the user equipment and the secondary base station that an incorrect key or algorithm would cause.
An embodiment of the present invention also provides a base station 30 that can serve as a master base station. As shown in Fig. 4, the master base station 30 includes a receiving unit 31, an acquiring unit 32, a judging unit 33 and a sending unit 34.
The receiving unit 31 is configured to receive check information sent by the user equipment. The check information is obtained by the user equipment by protecting preset data with the key derived by the user equipment and a preset algorithm, where the preset algorithm includes at least one of an encryption algorithm and an integrity protection algorithm.
Specifically, the master base station receives a radio resource control message sent by the UE that contains the check information. For example, the radio resource control message may be the RRC Connection Reconfiguration Complete Message, which contains the check information.
Optionally, the preset data includes at least one of the following:
the cell identity under the secondary base station, the Physical Cell Identifier under the secondary base station, the Cell Radio Network Temporary Identifier under the secondary base station, the cell identity under the master base station, the Physical Cell Identifier under the master base station, the Cell Radio Network Temporary Identifier under the master base station, identification data stored by both the secondary base station and the user equipment, data that the master base station or the secondary base station has transmitted to the user equipment, or a fixed number.
The acquiring unit 32 is configured to obtain target data according to the key derived by the secondary base station, the preset algorithm, the preset data and the check information.
For example, the master base station decrypts the check information received from the receiving unit 31 with the encryption algorithm and the K_UPenc derived by the secondary base station (here the K_UPenc is obtained by the master base station through the same key derivation process as the secondary base station) to obtain the target data.
The judging unit 33 is configured to judge, according to the preset data, the check information and the target data, whether the key derived by the user equipment and the key derived by the secondary base station are identical, and to obtain a judgement result.
For example, assume that the check information is the data obtained by the UE by protecting the preset data with the K_UPenc derived by the user equipment and the encryption algorithm, and that the target data is the data obtained by the master base station by decrypting the check information received from the receiving unit 31 with the encryption algorithm and the K_UPenc derived by the secondary base station (here the K_UPenc is obtained by the master base station through the same key derivation process as the secondary base station). The master base station judges whether the target data and the preset data are identical and obtains the judgement result.
The sending unit 34 is configured to send the judgement result to the secondary base station.
For example, the master base station notifies the secondary base station of the judgement result over the X2 interface.
Optionally, as shown in Fig. 5, the master base station 30 further includes:
a resetting unit 35, configured to make the user equipment delete the secondary base station, or make the user equipment derive the key again, if the key derived by the user equipment and the key derived by the secondary base station are not identical.
An embodiment of the present invention provides a base station that receives check information sent by the user equipment, where the check information is obtained by the user equipment by protecting preset data with the key derived by the user equipment and a preset algorithm, the preset algorithm including at least one of an encryption algorithm and an integrity protection algorithm; obtains target data according to the key derived by the secondary base station, the preset algorithm, the preset data and the check information; judges, according to the preset data, the check information and the target data, whether the key derived by the user equipment and the key derived by the secondary base station are identical, and obtains a judgement result; and sends the judgement result to the secondary base station. In this way it can be verified whether the key between the user equipment and the secondary base station is correct, avoiding the service interruption between the user equipment and the secondary base station that an incorrect key or algorithm would cause.
An embodiment of the present invention also provides a user equipment 40. As shown in Fig. 6, the user equipment 40 includes a decryption unit 41, a judging unit 42 and a sending unit 43.
The decryption unit 41 is configured to decrypt the received downlink data according to the key derived by the user equipment and the preset algorithm.
For example, the preset algorithm may be the encryption algorithm. A connection has already been established between the UE and the secondary base station; the UE decrypts the encrypted downlink data received from the network side with the key it derived and the encryption algorithm, and so obtains an Internet Protocol (IP) packet.
The judging unit 42 is configured to judge, according to the decrypted data, whether the key derived by the user equipment and the key derived by the secondary base station are identical.
Specifically, the judging unit 42 is configured to:
obtain the Internet Protocol address and port number of the decrypted data packet;
identify the Internet Protocol address and port number of the data packet;
if the Internet Protocol address and the port number can be identified, determine that the key derived by the user equipment and the key derived by the secondary base station are identical; or
if the Internet Protocol address and/or the port number cannot be identified, determine that the key derived by the user equipment and the key derived by the secondary base station are not identical.
For example, the judging unit 42 receives the IP packet from the decryption unit 41 and obtains the IP address and port number of the IP packet. If the IP address and port number can be identified, the IP packet is delivered to the corresponding application, and this also shows that the key the UE derived in relation to the secondary base station and the related key derived by the secondary base station are identical. If the IP address and/or the port number cannot be identified, the IP packet is an erroneous packet, and this also shows that the key the UE derived in relation to the secondary base station and the related key derived by the secondary base station are not identical.
The sending unit 43 is configured to send the judgement result to the secondary base station.
For example, the UE sends the judgement result obtained by the judging unit 42 to the secondary base station via the master base station.
Optionally, as shown in Fig. 7, the user equipment 40 further includes:
a notification unit 44, configured to, if the key derived by the user equipment and the key derived by the secondary base station are not identical, notify the master base station to delete the secondary base station; or notify the master base station to add the secondary base station again; or notify, via the master base station, the secondary base station to re-trigger the reconfiguration procedure; or notify, via the master base station, the secondary base station to delete the secondary base station.
For example, if the key the UE derived in relation to the secondary base station and the related key derived by the secondary base station are not identical, the user equipment 40 may notify the master base station that the added secondary base station is problematic, and may at the same time indicate which bearer of the secondary base station has the problem, i.e. carry a bearer identity in the indication; after determining that the secondary base station is problematic, the master base station deletes the secondary base station or adds it again. Alternatively, the user equipment 40 may notify, via the master base station, the secondary base station to re-trigger reconfiguration of its connection with the UE; or the user equipment 40 may notify, via the master base station, the secondary base station to delete the secondary base station.
An embodiment of the present invention provides a user equipment that decrypts the received downlink data according to the key derived by the user equipment and the preset algorithm; judges, according to the decrypted data, whether the key derived by the user equipment and the key derived by the secondary base station are identical; and sends the judgement result to the secondary base station. In this way it can be verified whether the key between the user equipment and the secondary base station is correct, avoiding the service interruption between the user equipment and the secondary base station that an incorrect key or algorithm would cause.
An embodiment of the present invention provides a core network element 50. As shown in Fig. 8, the core network element 50 includes a receiving unit 51, a judging unit 52 and a sending unit 53.
The receiving unit 51 is configured to receive the data obtained by the secondary base station after decrypting the uplink data sent by the user equipment according to the key derived by the secondary base station and the preset algorithm.
For example, the preset algorithm may be the encryption algorithm. A connection has already been established between the UE and the secondary base station; the secondary base station decrypts the encrypted uplink data received from the UE with the key it derived and the encryption algorithm to obtain an Internet Protocol (IP) packet, and sends the IP packet to the core network element, which then receives the IP packet.
Judging unit 52, for according to the data after decryption judge key derived from user equipment with it is close derived from prothetic group station
Whether key is identical.
Specifically, the judging unit 52 is configured to:
obtain the Internet protocol address and port numbers of the decrypted data packet;
identify the Internet protocol address and port numbers of the data packet;
determine that the key derived by the user equipment and the key derived by the secondary base station are identical if the Internet protocol address and port numbers can be identified; or
determine that the key derived by the user equipment and the key derived by the secondary base station are not identical if the Internet protocol address and/or port numbers cannot be identified.
For example, the judging unit 52 receives the IP packet from the receiving unit 51 and obtains the IP address and port numbers of the IP packet. If the IP address and port numbers can be identified, the IP packet is correct, which also shows that the secondary-base-station-related key derived by the UE and the key derived by the secondary base station are identical; or, if the IP address and/or port numbers cannot be identified, the IP packet is an erroneous packet, which also shows that the secondary-base-station-related key derived by the UE and the key derived by the secondary base station are not identical.
Optionally, as shown in Figure 9, the core network element 50 further includes a notification unit 54, configured to, if the key derived by the user equipment and the key derived by the secondary base station are not identical, notify the master base station to delete the secondary base station; or notify the master base station to add the secondary base station again; or notify the secondary base station, via the master base station, to re-trigger the reconfiguration procedure; or notify the secondary base station, via the master base station, to delete the secondary base station.
Optionally, the notification unit 54 can specifically be configured to send a key-mismatch message to the mobility management entity, which forwards the key-mismatch message to the master base station, so that the master base station, after receiving the key-mismatch message, deletes the secondary base station or adds the secondary base station again; or notifies the secondary base station, via the master base station, to re-trigger the reconfiguration procedure; or notifies the secondary base station, via the master base station, to delete the secondary base station.
For example, if the secondary-base-station-related key derived by the UE and the key derived by the secondary base station are not identical, the core network element 50 can notify the master base station via the MME, or notify the master base station directly, that the added secondary base station is faulty, and can at the same time indicate which bearer of the secondary base station is faulty, i.e. the indication carries a bearer identity; after determining that the secondary base station is faulty, the master base station deletes the secondary base station or adds it again. Alternatively, the core network element 50 can notify the secondary base station to re-trigger reconfiguration of its connection with the UE; or the core network element 50 notifies the secondary base station, via the master base station, to delete the secondary base station.
The embodiment of the present invention provides a core network element which receives the data obtained after the secondary base station decrypts, with the key derived by the secondary base station and a preset algorithm, the uplink data sent by the user equipment; judges from the decrypted data whether the key derived by the user equipment and the key derived by the secondary base station are identical; and sends the judging result to the secondary base station. Whether the key shared between the user equipment and the secondary base station is correct can thus be verified, and a service interruption between the user equipment and the secondary base station caused by an incorrect key or algorithm can be avoided.
The embodiment of the present invention provides a method of checking a key, performed at the secondary base station. As shown in Figure 10, the method includes:
S101. The secondary base station receives check information sent by the user equipment.
The check information is the information obtained after the user equipment protects preset data with the key derived by the user equipment and a preset algorithm, where the preset algorithm includes at least one of an encryption algorithm and an integrity protection algorithm.
S102. The secondary base station obtains target data according to the key derived by the secondary base station itself, the preset algorithm, the preset data and the check information.
S103. The secondary base station judges, according to the preset data, the check information and the target data, whether the key derived by the user equipment and the key derived by the secondary base station are identical.
The embodiment of the present invention provides a method of checking a key: the secondary base station receives check information sent by the user equipment, the check information being the information obtained after the user equipment protects preset data with the key derived by the user equipment and a preset algorithm, where the preset algorithm includes at least one of an encryption algorithm and an integrity protection algorithm; the secondary base station obtains target data according to the key derived by the secondary base station itself, the preset algorithm, the preset data and the check information; and the secondary base station judges, according to the preset data, the check information and the target data, whether the key derived by the user equipment and the key derived by the secondary base station itself are identical. Whether the key shared between the user equipment and the secondary base station is correct can thus be verified, and a service interruption between the user equipment and the secondary base station caused by an incorrect key or algorithm can be avoided.
In order that those skilled in the art may understand the technical solution provided by the embodiment of the present invention more clearly, the method of checking a key at the secondary base station provided by the embodiment of the present invention is described in detail below through a specific embodiment. As shown in Figure 11, the method includes:
S201. The secondary base station receives check information sent by the user equipment.
The check information is the information obtained after the user equipment protects preset data with the key derived by the user equipment and an encryption algorithm and/or an integrity protection algorithm.
The preset data includes at least one of the following: a cell identity under the secondary base station, a physical cell identity under the secondary base station, a cell radio network temporary identity under the secondary base station, a cell identity under the master base station, a physical cell identity under the master base station, a cell radio network temporary identity under the master base station, identity data stored by both the secondary base station and the user equipment, data transmitted to the user equipment by the master base station or the secondary base station, and a specific number.
Specifically, the secondary base station receives from the master base station, over the X2 interface, a base station addition complete message that carries the check information; or
the secondary base station receives a medium access control message sent by the user equipment that carries the check information; or
the secondary base station receives packet data convergence protocol data sent by the user equipment that carries the check information.
For example, the check information may be included in the RRC Connection Reconfiguration Complete Message that the UE sends to the master base station; after receiving the check information, the master base station carries it in the base station addition complete message it sends to the secondary base station.
Specifically, carrying the check information in the radio resource control connection reconfiguration complete message can be realized by adding a securityConfirmation field. For example, it can be realized by the following code:
Here securityConfirmation can take the form of an OCTET STRING or a BIT STRING (SIZE (xx)), among others.
For example, selecting the preset data in securityConfirmation can be realized by the following code:
The UE generates securityConfirmation, which can be the integrity protection result computed over securityConfirmationInput with the integrity protection algorithm and the key of the integrity protection algorithm; or the encryption result computed over securityConfirmationInput with the encryption algorithm and the key of the encryption algorithm; or a combination of the two.
Assume that securityConfirmation is the result computed by the UE with the encryption algorithm and the derived secondary-base-station-related K_UPenc. The master base station sends a base station addition complete message to the secondary base station over the X2 interface, the base station addition complete message carries securityConfirmation, and the secondary base station receives securityConfirmation.
Alternatively, for example, if the check information is included in the MAC message sent by the user equipment, this can specifically be realized by adding securityConfirmation to the MAC message.
For example, a new LCID value can be introduced that specifically indicates securityConfirmation, for example 01011, where L indicates the length of securityConfirmation; if securityConfirmation has a fixed length, L can be omitted and securityConfirmation placed directly. An existing LCID value can also be reused, with securityConfirmation added to an existing MAC message; or the UE can transmit securityConfirmation directly as data, or over the physical layer.
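As an added illustration of the MAC-message option above (my example, not the patent's code), the following Python builds and parses a MAC PDU in which securityConfirmation is carried under its own LCID. The subheader layout (an R|R|E|LCID octet followed, for variable-length SDUs, by an F|L length field) and the rule that every variable-length SDU carries L are assumptions of this example; the LCID value 01011 is the one the text suggests.

```python
"""Added example (not the patent's code): carrying securityConfirmation in a MAC PDU.

Assumptions (mine, not the patent's): an LTE-style MAC subheader octet
R|R|E|LCID (E = 1 when another subheader follows) and, for variable-length
SDUs, an F|L length field (7-bit L when F = 0, 15-bit L when F = 1).  Every
variable-length SDU carries L here, including the last one, so the parser can
reject trailing bytes.  LCID 0b01011 is the example value the text gives.
"""

SEC_CONFIRM_LCID = 0b01011  # example LCID from the text, marking securityConfirmation


def encode_subheader(lcid, length=None, more=False):
    """R|R|E|LCID, followed by F|L unless the SDU length is implicit (length is None)."""
    if not 0 <= lcid < 32:
        raise ValueError("LCID is a 5-bit field")
    first = (int(more) << 5) | lcid
    if length is None:
        return bytes([first])
    if length < 128:
        return bytes([first, length])                               # F = 0, 7-bit L
    if length < 32768:
        return bytes([first, 0x80 | (length >> 8), length & 0xFF])  # F = 1, 15-bit L
    raise ValueError("SDU too long for a 15-bit L field")


def build_mac_pdu(sdus, fixed_len=None):
    """sdus: list of (lcid, payload).  When fixed_len is set, a securityConfirmation
    SDU of exactly that length is sent without an L field, as the text allows."""
    headers, payloads = [], []
    for i, (lcid, payload) in enumerate(sdus):
        more = i < len(sdus) - 1
        implicit = lcid == SEC_CONFIRM_LCID and fixed_len is not None
        if implicit and len(payload) != fixed_len:
            raise ValueError("fixed-length securityConfirmation has the wrong size")
        headers.append(encode_subheader(lcid, None if implicit else len(payload), more))
        payloads.append(payload)
    return b"".join(headers) + b"".join(payloads)


def parse_mac_pdu(pdu, fixed_len=None):
    """Return [(lcid, payload), ...]; raise ValueError on any malformed input."""
    pos, entries = 0, []
    while True:
        if pos >= len(pdu):
            raise ValueError("truncated subheader")
        first = pdu[pos]
        pos += 1
        more, lcid = bool(first & 0x20), first & 0x1F
        if lcid == SEC_CONFIRM_LCID and fixed_len is not None:
            length = fixed_len                      # no L field for a fixed-length field
        elif pos < len(pdu) and not pdu[pos] & 0x80:
            length = pdu[pos] & 0x7F                # F = 0: one-octet L
            pos += 1
        elif pos + 1 < len(pdu):
            length = ((pdu[pos] & 0x7F) << 8) | pdu[pos + 1]   # F = 1: two-octet L
            pos += 2
        else:
            raise ValueError("truncated length field")
        entries.append((lcid, length))
        if not more:
            break
    out = []
    for lcid, length in entries:
        payload = pdu[pos:pos + length]
        if len(payload) != length:
            raise ValueError("truncated payload")
        out.append((lcid, payload))
        pos += length
    if pos != len(pdu):
        raise ValueError("trailing bytes after the last SDU")
    return out


def extract_security_confirmation(pdu, fixed_len=None):
    """Return the securityConfirmation bytes carried in pdu, or None if absent or malformed."""
    try:
        for lcid, payload in parse_mac_pdu(pdu, fixed_len):
            if lcid == SEC_CONFIRM_LCID:
                return payload
    except ValueError:
        return None
    return None
```

The receiver must know in advance whether securityConfirmation is fixed-length (and how long), since that is exactly the case in which no L field is present; a mismatch between sender and receiver on that point is reported as a malformed PDU rather than silently misparsed.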
For example, selecting the preset data in securityConfirmation can be realized by the following code:
The UE generates securityConfirmation, which can be the integrity protection result computed over securityConfirmationInput with the integrity protection algorithm and the key of the integrity protection algorithm; or the encryption result computed over securityConfirmationInput with the encryption algorithm and the key of the encryption algorithm; or a combination of the two.
Assume that securityConfirmation is the result computed by the UE with the integrity protection algorithm and the derived secondary-base-station-related K_UPint or K_RRCint. securityConfirmation is added to the MAC message the UE sends to the secondary base station, and the secondary base station receives securityConfirmation.
Alternatively, the check information is included in the Packet Data Convergence Protocol (PDCP) data sent by the user equipment.
For example, the check information can be securityConfirmation, generated by the UE as the integrity protection result computed over securityConfirmationInput with the integrity protection algorithm and the key of the integrity protection algorithm; or as the encryption result computed over securityConfirmationInput with the encryption algorithm and the key of the encryption algorithm; or as a combination of the two.
For example, selecting the preset data in securityConfirmation can be realized by the following code:
Assume that securityConfirmation is the result computed by the UE with the encryption algorithm and the derived secondary-base-station-related K_UPenc. The master base station sends a base station addition complete message to the secondary base station over the X2 interface, the base station addition complete message carries securityConfirmation, and the secondary base station receives securityConfirmation.
S202. The secondary base station obtains target data according to the key derived by the secondary base station itself, the preset algorithm, the preset data and the check information.
For example, assume that the check information is securityConfirmation and the preset data is securityConfirmationInput, where the check information is the result computed by the UE over securityConfirmationInput with the encryption algorithm and the derived secondary-base-station-related K_UPenc, and securityConfirmation is added to the base station addition complete message that the master base station sends to the secondary base station. After receiving securityConfirmation, the secondary base station decrypts it with the encryption algorithm and its own derived K_UPenc to compute a new securityConfirmationInput.
Alternatively, for example, assume that the check information is securityConfirmation and the preset data is securityConfirmationInput, where the check information is the result computed by the UE over securityConfirmationInput with the integrity protection algorithm and the derived secondary-base-station-related K_UPint or K_RRCint, and securityConfirmation is added to the MAC message the UE sends to the secondary base station. After receiving securityConfirmation, the secondary base station integrity-protects the securityConfirmationInput it has stored with the integrity protection algorithm and its own derived K_UPint or K_RRCint to compute a new securityConfirmation.
Alternatively, for example, assume that the check information is securityConfirmation and the preset data is securityConfirmationInput, where the check information is the result computed by the UE over securityConfirmationInput with the encryption algorithm and the derived secondary-base-station-related K_UPenc, and securityConfirmation is added to the PDCP data the UE sends to the secondary base station. After receiving securityConfirmation, the secondary base station decrypts the check information with the encryption algorithm and its own derived K_UPenc to compute a new securityConfirmationInput.
S203. The secondary base station judges, according to the preset data, the check information and the target data, whether the key derived by the user equipment and the key derived by the secondary base station itself are identical.
For example, assume that the check information is securityConfirmation and the preset data is securityConfirmationInput, where the check information is the result computed by the UE over securityConfirmationInput with the integrity protection algorithm and the derived secondary-base-station-related K_UPint, and securityConfirmationInput is the cell identity data under the secondary base station stored by both the UE and the secondary base station. After receiving securityConfirmation, the secondary base station integrity-protects securityConfirmationInput with the integrity protection algorithm and its own derived K_UPint to compute a new securityConfirmation, and judges whether the new securityConfirmation and the received securityConfirmation are identical. If they are, the secondary-base-station-related K_UPint derived by the UE and the K_UPint derived by the secondary base station itself are identical; otherwise they are not identical.
Alternatively, for example, assume that the check information is securityConfirmation and the preset data is securityConfirmationInput, where the check information is the result computed by the UE over securityConfirmationInput with the integrity protection algorithm and the derived secondary-base-station-related K_RRCint, and securityConfirmationInput is the cell identity data under the secondary base station stored by both the UE and the secondary base station. After receiving securityConfirmation, the secondary base station integrity-protects securityConfirmationInput with the integrity protection algorithm and its own derived K_RRCint to compute a new securityConfirmation, and judges whether the new securityConfirmation and the received securityConfirmation are identical. If they are, the secondary-base-station-related K_RRCint derived by the UE and the K_RRCint derived by the secondary base station itself are identical; otherwise they are not identical.
Alternatively, for example, assume that the check information is securityConfirmation and the preset data is securityConfirmationInput, where the check information is obtained by the UE by first integrity-protecting securityConfirmationInput with the integrity protection algorithm and the derived secondary-base-station-related K_UPint to obtain an intermediate variable securityConfirmationTemp, and then encrypting securityConfirmationTemp with the encryption algorithm and the derived secondary-base-station-related K_UPenc to obtain securityConfirmation. After receiving securityConfirmation, the secondary base station first decrypts securityConfirmation with the encryption algorithm and its own derived K_UPenc to obtain securityConfirmationTemp, then integrity-protects the securityConfirmationInput it has stored with the integrity protection algorithm and the derived K_UPint to obtain a new securityConfirmationTemp, and judges whether the new securityConfirmationTemp and the securityConfirmationTemp obtained by decrypting the received securityConfirmation are identical. If they are, the secondary-base-station-related K_UPenc and K_UPint derived by the UE are respectively identical to the K_UPenc and K_UPint derived by the secondary base station itself; otherwise they are not identical.
S204. If the key derived by the user equipment and the key derived by the secondary base station itself are not identical, the secondary base station makes the user equipment delete the secondary base station or makes the user equipment derive the key again.
For example, assume that the result of the judgement in step S203 is that the new securityConfirmation obtained by integrity protection differs from the received securityConfirmation. This shows that the secondary-base-station-related K_UPint derived by the UE and the K_UPint derived by the secondary base station itself are not identical, so the secondary base station can notify the UE to delete the secondary base station, or make the UE derive the key related to the secondary base station again.
The embodiment of the present invention provides a method of checking a key: the secondary base station receives check information sent by the user equipment, the check information being the information obtained after the user equipment protects preset data with the key derived by the user equipment and a preset algorithm, where the preset algorithm includes at least one of an encryption algorithm and an integrity protection algorithm; the secondary base station obtains target data according to the key derived by the secondary base station itself, the preset algorithm, the preset data and the check information; and the secondary base station judges, according to the preset data, the check information and the target data, whether the key derived by the user equipment and the key derived by the secondary base station itself are identical. Whether the key shared between the user equipment and the secondary base station is correct can thus be verified, and a service interruption between the user equipment and the secondary base station caused by an incorrect key or algorithm can be avoided.
The embodiment of the present invention provides a method of checking a key, performed at the master base station. As shown in Figure 12, the method includes:
S301. The master base station receives check information sent by the user equipment.
The check information is the information obtained after the user equipment protects preset data with the key derived by the user equipment and a preset algorithm, where the preset algorithm includes at least one of an encryption algorithm and an integrity protection algorithm.
S302. The master base station obtains target data according to the key derived by the secondary base station, the preset algorithm, the preset data and the check information.
S303. The master base station judges, according to the preset data, the check information and the target data, whether the key derived by the user equipment and the key derived by the secondary base station are identical, and obtains a judging result.
S304. The master base station sends the judging result to the secondary base station.
The embodiment of the present invention provides a method of checking a key: the master base station receives check information sent by the user equipment, the check information being the information obtained after the user equipment protects preset data with the key derived by the user equipment and a preset algorithm, where the preset algorithm includes at least one of an encryption algorithm and an integrity protection algorithm; the master base station obtains target data according to the key derived by the secondary base station, the preset algorithm, the preset data and the check information; the master base station judges, according to the preset data, the check information and the target data, whether the key derived by the user equipment and the key derived by the secondary base station are identical, and obtains a judging result; and the master base station sends the judging result to the secondary base station. Whether the key shared between the user equipment and the secondary base station is correct can thus be verified, and a data error, or even a service interruption, between the user equipment and the secondary base station caused by an incorrect key or algorithm can be avoided.
In order that those skilled in the art may understand the technical solution provided by the embodiment of the present invention more clearly, the method of checking a key at the master base station provided by the embodiment of the present invention is described in detail below through a specific embodiment. As shown in Figure 13, the method includes:
S401. The master base station receives check information sent by the user equipment.
The check information is the information obtained after the user equipment protects preset data with the key derived by the user equipment and a preset algorithm, where the preset algorithm includes at least one of an encryption algorithm and an integrity protection algorithm.
The preset data includes at least one of the following: a cell identity under the secondary base station, a physical cell identity under the secondary base station, a cell radio network temporary identity under the secondary base station, a cell identity under the master base station, a physical cell identity under the master base station, a cell radio network temporary identity under the master base station, identity data stored by both the secondary base station and the user equipment, data transmitted to the user equipment by the master base station or the secondary base station, and a specific number.
Specifically, the master base station receives radio resource control information sent by the UE that contains the check information. For example, the radio resource control information can be an RRC Connection Reconfiguration Complete Message that includes the check information.
For example, the check information may be included in the RRC Connection Reconfiguration Complete Message that the UE sends to the master base station; after receiving the check information, the master base station carries it in the base station addition complete message it sends to the secondary base station.
Specifically, carrying the check information in the radio resource control connection reconfiguration complete message can be realized by adding a securityConfirmation field.
For example, it can be realized by the following code:
Here securityConfirmation can take the form of an OCTET STRING or a BIT STRING (SIZE (xx)), among others.
For example, selecting the preset data in securityConfirmation can be realized by the following code:
The UE generates securityConfirmation, which can be the integrity protection result computed over securityConfirmationInput with the integrity protection algorithm and the key of the integrity protection algorithm; or the encryption result computed over securityConfirmationInput with the encryption algorithm and the key of the encryption algorithm; or a combination of the two.
Assume that securityConfirmation is the result computed by the UE with the encryption algorithm and the derived secondary-base-station-related K_UPenc. The UE sends an RRC Connection Reconfiguration Complete Message to the master base station, the RRC Connection Reconfiguration Complete Message carries securityConfirmation, and the master base station receives securityConfirmation.
S402. The master base station obtains target data according to the key derived by the secondary base station, the preset algorithm, the preset data and the check information.
For example, assume that the check information is securityConfirmation and the preset data is securityConfirmationInput, where the check information is the result computed by the UE over securityConfirmationInput with the integrity protection algorithm and the derived secondary-base-station-related K_UPint, and securityConfirmation is added to the RRC Connection Reconfiguration Complete Message the UE sends to the master base station. After receiving securityConfirmation, the master base station integrity-protects securityConfirmationInput with the integrity protection algorithm and the K_UPint derived by the secondary base station itself (here K_UPint is obtained by the master base station using the same key derivation procedure as the secondary base station) to obtain a new securityConfirmation.
S403. The master base station judges, according to the preset data, the target data and the check information, whether the key derived by the user equipment and the key derived by the secondary base station are identical, and obtains a judging result.
For example, assume that the check information is securityConfirmation and the preset data is securityConfirmationInput, where the check information is the result computed by the UE over securityConfirmationInput with the integrity protection algorithm and the derived secondary-base-station-related K_UPint, and securityConfirmationInput is the cell identity data under the secondary base station stored by both the UE and the secondary base station. After receiving securityConfirmation, the master base station integrity-protects securityConfirmationInput with the integrity protection algorithm and the K_UPint derived by the secondary base station itself (here K_UPint is obtained by the master base station using the same key derivation procedure as the secondary base station) to compute a new securityConfirmation, and judges whether the new securityConfirmation and the received securityConfirmation are identical. If they are, the secondary-base-station-related K_UPint derived by the UE and the K_UPint derived by the secondary base station itself are identical; otherwise they are not identical.
S404. The master base station sends the judging result to the secondary base station.
For example, the master base station sends the result judged in step S303 to the secondary base station over the X2 interface.
S405. If the key derived by the user equipment and the key derived by the secondary base station are not identical, the user equipment is made to delete the secondary base station or to derive the key again.
For example, assume that the result the master base station sends to the secondary base station is: the secondary-base-station-related K_UPint derived by the UE and the K_UPint derived by the secondary base station itself are not identical. Then the secondary base station can notify the UE to delete the secondary base station, or make the UE derive the key related to the secondary base station again.
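The three ways of forming and checking securityConfirmation in steps S201 to S204 above, and the master-base-station variant in steps S401 to S405, as an added worked example (mine, not the patent's or 3GPP's code). The 3GPP key derivation function, the EIA integrity algorithm and the EEA ciphering algorithm are replaced by HMAC-SHA256 stand-ins (a 32-bit tag and a keystream XOR); the key names K_UPenc, K_UPint and K_RRCint follow the text; the sample secondary-base-station keys and the securityConfirmationInput value are constructed.

```python
"""Added example (not the patent's code): computing and verifying securityConfirmation.

Stand-ins (my assumptions, not the patent's or 3GPP's algorithms): the 3GPP KDF,
the EIA integrity algorithm and the EEA ciphering algorithm are replaced by
HMAC-SHA256, a 32-bit HMAC-SHA256 tag and an HMAC-SHA256 keystream XOR.
Key names follow the text: K_UPenc, K_UPint, K_RRCint, all derived from the
secondary-base-station key.
"""
import hmac
import hashlib

MAC_LEN = 4  # bytes; the text's integrity result is modelled as a 32-bit tag


def derive_senb_keys(k_senb):
    """Derive the per-algorithm keys from the secondary-base-station key.
    Stand-in for the 3GPP KDF: HMAC-SHA256(k_senb, label), truncated to 128 bits."""
    return {name: hmac.new(k_senb, name.encode(), hashlib.sha256).digest()[:16]
            for name in ("K_UPenc", "K_UPint", "K_RRCint")}


def integrity_tag(key, data):
    """Stand-in for EIA: 32-bit truncated HMAC-SHA256 over data."""
    return hmac.new(key, data, hashlib.sha256).digest()[:MAC_LEN]


def cipher(key, data, count=0):
    """Stand-in for EEA: XOR with an HMAC-SHA256 keystream; the same call decrypts."""
    stream = b""
    block = 0
    while len(stream) < len(data):
        stream += hmac.new(key, count.to_bytes(4, "big") + block.to_bytes(4, "big"),
                           hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def ue_security_confirmation(keys, sc_input, mode, int_key="K_UPint"):
    """UE side: protect securityConfirmationInput in one of the three ways the text lists."""
    if mode == "integrity":                       # integrity result with K_UPint or K_RRCint
        return integrity_tag(keys[int_key], sc_input)
    if mode == "encryption":                      # encryption result with K_UPenc
        return cipher(keys["K_UPenc"], sc_input)
    if mode == "combined":                        # integrity first, then encrypt the temp value
        temp = integrity_tag(keys[int_key], sc_input)      # securityConfirmationTemp
        return cipher(keys["K_UPenc"], temp)
    raise ValueError("unknown mode")


def verify_security_confirmation(keys, sc_input, received, mode, int_key="K_UPint"):
    """Base-station side (secondary, or master with the same derivation): recompute
    the target data from the stored securityConfirmationInput and compare."""
    if mode == "integrity":
        expected = integrity_tag(keys[int_key], sc_input)   # new securityConfirmation
        return hmac.compare_digest(expected, received)
    if mode == "encryption":
        recovered = cipher(keys["K_UPenc"], received)       # new securityConfirmationInput
        return hmac.compare_digest(recovered, sc_input)
    if mode == "combined":
        temp = cipher(keys["K_UPenc"], received)            # decrypted securityConfirmationTemp
        expected = integrity_tag(keys[int_key], sc_input)   # freshly computed temp value
        return hmac.compare_digest(expected, temp)
    raise ValueError("unknown mode")


def keys_match(k_senb_ue, k_senb_bs, sc_input, mode, int_key="K_UPint"):
    """End-to-end check: True when the UE's derived keys agree with the base station's."""
    ue_keys = derive_senb_keys(k_senb_ue)
    bs_keys = derive_senb_keys(k_senb_bs)
    sc = ue_security_confirmation(ue_keys, sc_input, mode, int_key)
    return verify_security_confirmation(bs_keys, sc_input, sc, mode, int_key)


# Constructed sample values (not from the patent).
SAMPLE_K_SENB = bytes(range(32))
SAMPLE_K_SENB_WRONG = bytes(range(1, 33))
SAMPLE_SC_INPUT = b"PCI=0x1A2|C-RNTI=0x5A5A"   # cell identity data held by both UE and secondary base station

if __name__ == "__main__":
    for mode in ("integrity", "encryption", "combined"):
        print(mode,
              keys_match(SAMPLE_K_SENB, SAMPLE_K_SENB, SAMPLE_SC_INPUT, mode),
              keys_match(SAMPLE_K_SENB, SAMPLE_K_SENB_WRONG, SAMPLE_SC_INPUT, mode))
```

verify_security_confirmation is the same routine whether the secondary base station runs it or the master base station runs it after deriving the same keys, which is what steps S402 and S403 rely on. The "combined" mode is the integrity-then-encrypt variant of step S203: the decrypted securityConfirmationTemp is compared with a freshly computed tag, so a mismatch in either K_UPenc or K_UPint makes the check fail. The comparison uses a constant-time compare so that the check itself does not leak how many bytes of the tag were correct.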
The embodiment of the present invention provides a method of checking a key in which check information sent by the user equipment is received, the check information being the information obtained after the user equipment protects preset data with the key derived by the user equipment and a preset algorithm, where the preset algorithm includes at least one of an encryption algorithm and an integrity protection algorithm; target data is obtained according to the key derived by the secondary base station, the preset algorithm, the preset data and the check information; whether the key derived by the user equipment and the key derived by the secondary base station are identical is judged according to the preset data, the check information and the target data, and a judging result is obtained; and the judging result is sent to the secondary base station. Whether the key shared between the user equipment and the secondary base station is correct can thus be verified, and a data error, or even a service interruption, between the user equipment and the secondary base station caused by an incorrect key or algorithm can be avoided.
The embodiment of the present invention provides a method of checking a key, performed at the UE. As shown in Figure 14, the method includes:
S501. The user equipment decrypts the received downlink data with the key derived by the user equipment and a preset algorithm.
S502. The user equipment judges, according to the decrypted data, whether the key derived by the user equipment and the key derived by the secondary base station are identical.
Specifically, judging by the user equipment, according to the decrypted data, whether the key derived by the user equipment and the key derived by the secondary base station are identical includes:
the user equipment obtains the Internet protocol address and port numbers of the decrypted data packet;
if the Internet protocol address and port numbers can be identified, it determines that the key derived by the user equipment and the key derived by the secondary base station are identical; or,
if the Internet protocol address and/or port numbers cannot be identified, it determines that the key derived by the user equipment and the key derived by the secondary base station are not identical.
S503. The user equipment sends the judging result to the secondary base station.
The embodiment of the present invention provides a method of checking a key: the user equipment decrypts the received downlink data with the key derived by the user equipment and a preset algorithm; the user equipment judges, according to the decrypted data, whether the key derived by the user equipment and the key derived by the secondary base station are identical; and the user equipment sends the judging result to the secondary base station. Whether the key shared between the user equipment and the secondary base station is correct can thus be verified, and a data error, or even a service interruption, between the user equipment and the secondary base station caused by an incorrect key or algorithm can be avoided.
To enable those skilled in the art to understand the technical solution provided in the embodiments of the present invention more clearly, the UE-based key verification method provided in the embodiments of the present invention is described in detail below through a specific embodiment. As shown in Figure 15, the method includes:
S601: The user equipment decrypts the received downlink data according to the key derived by the user equipment and a preset algorithm.
For example, the preset algorithm may be an encryption algorithm. A connection has already been established between the UE and the secondary base station; the UE decrypts the encrypted downlink data received from the network side according to the key it derived itself and the encryption algorithm, and thereby obtains an IP packet.
S602: The user equipment obtains the Internet protocol address and port number of the decrypted data packet.
For example, the UE parses the IP packet obtained after decryption and obtains the IP address and port number of the packet.
S603: The user equipment determines, according to the Internet protocol address and port number of the data packet, whether the key derived by the user equipment is identical to the key derived by the secondary base station, and obtains a determination result.
For example, the UE determines according to the IP address and port number whether the key derived by the UE and the key derived by the secondary base station are identical. If the IP address and port number can be identified, the IP packet is delivered to the corresponding application, and this also shows that the secondary-base-station-related key derived by the UE and the related key derived by the secondary base station are identical. If the IP address and/or port number cannot be identified, the IP packet is an erroneous packet, and this also shows that the secondary-base-station-related key derived by the UE and the related key derived by the secondary base station are not identical.
S604: The user equipment sends the determination result to the secondary base station.
For example, the UE sends the determination result to the secondary base station through the master base station.
S605: If the key derived by the user equipment and the key derived by the secondary base station are not identical, the user equipment notifies the master base station to delete the secondary base station; or the user equipment notifies the master base station to add the secondary base station again; or the user equipment notifies the secondary base station, through the master base station, to re-trigger the reconfiguration procedure; or the user equipment notifies the secondary base station, through the master base station, to delete the secondary base station.
For example, if the secondary-base-station-related key derived by the UE and the related key derived by the secondary base station are not identical, the UE may notify the master base station that the added secondary base station is faulty, and may at the same time indicate which bearer of the secondary base station is faulty, that is, carry a bearer identifier in the indication. After determining that the secondary base station is faulty, the master base station deletes the secondary base station, or the master base station adds the secondary base station again; or the UE may notify the secondary base station, through the master base station, to re-trigger reconfiguration of its connection with the UE; or the UE notifies the secondary base station, through the master base station, to delete the secondary base station.
This embodiment of the present invention provides a key verification method: the user equipment decrypts the received downlink data according to the key derived by the user equipment and a preset algorithm; the user equipment determines, according to the decrypted data, whether the key derived by the user equipment is identical to the key derived by the secondary base station; and the determination result is sent to the secondary base station. Whether the key shared between the user equipment and the secondary base station is correct can thus be verified, which avoids data errors, or even service interruption, between the user equipment and the secondary base station caused by an incorrect key or a corresponding incorrect algorithm.
An embodiment of the present invention provides a key verification method based on a core network element. As shown in Figure 16, the method includes:
S701: The core network element receives the data obtained after the secondary base station decrypts the uplink data sent by the user equipment according to the key derived by the secondary base station and a preset algorithm.
S702: The core network element determines, according to the decrypted data, whether the key derived by the user equipment is identical to the key derived by the secondary base station.
Specifically, the core network element determining, according to the decrypted data, whether the key derived by the user equipment is identical to the key derived by the secondary base station includes:
obtaining the Internet protocol address and port number of the decrypted data packet;
if the Internet protocol address and the port number can be identified, determining that the key derived by the user equipment is identical to the key derived by the secondary base station; or,
if the Internet protocol address and/or the port number cannot be identified, determining that the key derived by the user equipment is not identical to the key derived by the secondary base station.
S703: The core network element sends the determination result to the secondary base station.
This embodiment of the present invention provides a key verification method: the core network element receives the data obtained after the secondary base station decrypts the uplink data sent by the user equipment according to the key derived by the secondary base station and a preset algorithm; the core network element determines, according to the decrypted data, whether the key derived by the user equipment is identical to the key derived by the secondary base station; and the core network element sends the determination result to the secondary base station. Whether the key shared between the user equipment and the secondary base station is correct can thus be verified, which avoids data errors, or even service interruption, between the user equipment and the secondary base station caused by an incorrect key or a corresponding incorrect algorithm.
To enable those skilled in the art to understand the technical solution provided in the embodiments of the present invention more clearly, the core-network-element-based key verification method provided in the embodiments of the present invention is described in detail below through a specific embodiment. As shown in Figure 17, the method includes:
S801: The core network element receives the data obtained after the secondary base station decrypts the uplink data sent by the user equipment according to the key derived by the secondary base station and a preset algorithm.
For example, the preset algorithm may be an encryption algorithm. A connection has already been established between the UE and the secondary base station; the secondary base station decrypts the encrypted uplink data received from the UE according to the key it derived itself and the encryption algorithm to obtain an IP packet, and sends the IP packet to the core network element, which then receives the IP packet.
S802: The core network element obtains the Internet protocol address and port number of the decrypted data packet.
For example, the core network element parses the received IP packet and obtains the IP address and port number of the packet.
S803: The core network element determines, according to the Internet protocol address and port number of the data packet, whether the key derived by the user equipment is identical to the key derived by the secondary base station, and obtains a determination result.
For example, the core network element determines according to the IP address and port number whether the key derived by the UE and the key derived by the secondary base station are identical. If the IP address and port number can be identified, the IP packet is delivered to the corresponding application, and this also shows that the secondary-base-station-related key derived by the UE and the related key derived by the secondary base station are identical. If the IP address and/or port number cannot be identified, the IP packet is an erroneous packet, and this also shows that the secondary-base-station-related key derived by the UE and the related key derived by the secondary base station are not identical.
S804: The core network element sends the determination result to the secondary base station.
For example, the core network element sends the determination result to the secondary base station.
S805: If the key derived by the user equipment and the key derived by the secondary base station are not identical, the core network element notifies the master base station to delete the secondary base station; or the core network element notifies the master base station to add the secondary base station again; or the core network element notifies the secondary base station, through the master base station, to re-trigger the reconfiguration procedure; or the core network element notifies the secondary base station, through the master base station, to delete the secondary base station.
For example, if the secondary-base-station-related key derived by the UE and the related key derived by the secondary base station are not identical, the core network element may notify the master base station through the MME, or notify the master base station directly, that the added secondary base station is faulty, and may at the same time indicate which bearer of the secondary base station is faulty, that is, carry a bearer identifier in the indication. After determining that the secondary base station is faulty, the master base station deletes the secondary base station, or the master base station adds the secondary base station again; or the core network element notifies the secondary base station, through the master base station, to delete the secondary base station.
This embodiment of the present invention provides a key verification method: the core network element receives the data obtained after the secondary base station decrypts the uplink data sent by the user equipment according to the key derived by the secondary base station and a preset algorithm; the core network element determines, according to the decrypted data, whether the key derived by the user equipment is identical to the key derived by the secondary base station; and the core network element sends the determination result to the secondary base station. Whether the key shared between the user equipment and the secondary base station is correct can thus be verified, which avoids data errors, or even service interruption, between the user equipment and the secondary base station caused by an incorrect key or a corresponding incorrect algorithm.
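The UE-based procedure of Figure 15 and the core-network-based procedure of Figure 17 rest on the same test: data decrypted with a mismatched key does not yield an IP packet whose address and port can be identified. The Python program below is an added example and not code from the patent; it replaces the 3GPP ciphering algorithm with a stand-in HMAC-based keystream, and models "can be identified" as the address and port belonging to a set the checking node knows, both of which are assumptions.

```python
import hashlib
import hmac
import socket
import struct


def keystream(key: bytes, bearer: int, count: int, length: int) -> bytes:
    """Stand-in ciphering keystream (assumption: real nodes use the 3GPP EEA/NEA
    algorithms; HMAC-SHA256 in counter mode is used only so this runs offline)."""
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(key, struct.pack(">BII", bearer, count, block), hashlib.sha256).digest()
        block += 1
    return out[:length]


def cipher(key: bytes, bearer: int, count: int, data: bytes) -> bytes:
    """XOR with the keystream; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, bearer, count, len(data))))


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum; yields 0 when run over a header whose checksum field is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(">%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_udp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed sample packet: IPv4 header (checksum filled in) + UDP header + payload."""
    udp_len = 8 + len(payload)
    hdr = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0x1234, 0x4000, 64, 17, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack(">H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + struct.pack(">HHHH", sport, dport, udp_len, 0) + payload


def parse_ipv4(data: bytes):
    """Addresses, protocol and ports of a plausible IPv4 packet carrying TCP or UDP, else None.
    Data decrypted with a mismatched key is keystream-like noise and fails these checks."""
    if len(data) < 28 or data[0] >> 4 != 4:
        return None
    ihl = (data[0] & 0x0F) * 4
    total_len = struct.unpack(">H", data[2:4])[0]
    proto = data[9]
    if ihl < 20 or total_len < ihl + 8 or total_len > len(data) or proto not in (6, 17):
        return None
    if ipv4_checksum(data[:ihl]) != 0:
        return None
    sport, dport = struct.unpack(">HH", data[ihl:ihl + 4])
    return {"src": socket.inet_ntoa(data[12:16]), "dst": socket.inet_ntoa(data[16:20]),
            "proto": proto, "sport": sport, "dport": dport}


def address_and_port_identified(decrypted: bytes, known_addrs, known_ports,
                                addr_side: str = "dst", port_side: str = "dst") -> bool:
    """S602/S603 and S802/S803: address and port count as 'identified' when the header parses
    and both belong to something the checking node knows (assumption: the UE knows its own
    address and open ports; the core network element knows the addresses it assigned to UEs
    and the service ports it serves). addr_side and port_side select 'src' or 'dst'."""
    pkt = parse_ipv4(decrypted)
    if pkt is None:
        return False
    return pkt[addr_side] in known_addrs and pkt[port_side[0] + "port"] in known_ports


def ue_verify_downlink(ciphertext, k_ue, bearer, count, ue_addr, open_ports):
    """S601-S604 on the UE: decrypt with the UE-derived key and build the determination
    result that is reported to the secondary base station via the master base station."""
    plain = cipher(k_ue, bearer, count, ciphertext)
    same = address_and_port_identified(plain, {ue_addr}, open_ports, "dst", "dst")
    return {"keys_identical": same, "bearer": bearer}


def core_verify_uplink(decrypted_by_senb, ue_addrs, service_ports, bearer):
    """S801-S804 on the core network element: the secondary base station has already
    decrypted the uplink data with its own derived key; the element checks the outcome."""
    same = address_and_port_identified(decrypted_by_senb, ue_addrs, service_ports, "src", "dst")
    return {"keys_identical": same, "bearer": bearer}


# Constructed demo values: the UE's key, a matching and a mismatching secondary-base-station key.
K_UE = bytes.fromhex("00112233445566778899aabbccddeeff")
K_SENB_GOOD = K_UE
K_SENB_BAD = bytes.fromhex("ffeeddccbbaa99887766554433221100")
UE_ADDR, OPEN_PORTS, BEARER, COUNT = "10.0.0.7", {53, 5060}, 3, 42
DOWNLINK = build_ipv4_udp("198.51.100.9", UE_ADDR, 53, 5060, b"constructed payload")

if __name__ == "__main__":
    for k_senb in (K_SENB_GOOD, K_SENB_BAD):
        ct = cipher(k_senb, BEARER, COUNT, DOWNLINK)  # ciphered by the secondary base station
        print(ue_verify_downlink(ct, K_UE, BEARER, COUNT, UE_ADDR, OPEN_PORTS))
```

With the matching key the UE reports keys_identical True; with the mismatching key the decrypted bytes fail the IPv4 header checks and it reports False, which is the S605/S805 trigger.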
An embodiment of the present invention provides a base station 60. As shown in Figure 18, the base station 60 includes a bus 64, and a processor 61, a memory 62 and an interface 63 that are connected to the bus 64, where the interface 63 is configured to communicate, the memory 62 is configured to store computer code, and the processor 61 is configured to execute the computer code in order to:
receive check information sent by the user equipment, where the check information is information obtained after the user equipment protects preset data by using the key derived by the user equipment and a preset algorithm, and the preset algorithm includes at least one of an encryption algorithm and an integrity protection algorithm;
obtain target data according to the key derived by the base station, the preset algorithm, the preset data and the check information; and
determine, according to the preset data, the check information and the target data, whether the key derived by the user equipment is identical to the key derived by the base station.
Optionally, the processor 61 executes the computer code further in order to:
if the key derived by the user equipment and the key derived by the base station are not identical, cause the user equipment to derive the key again, or cause the user equipment to delete the base station.
Optionally, when executing the computer code to receive the check information sent by the user equipment, the processor 61 is specifically configured to:
receive a base station addition complete message from the master base station through the X2 interface, where the base station addition complete message carries the check information; or
receive a medium access control (MAC) message sent by the user equipment, where the MAC message carries the check information; or
receive Packet Data Convergence Protocol (PDCP) data sent by the user equipment, where the PDCP data carries the check information.
Optionally, the preset data includes at least one of the following:
the cell identity of the secondary base station, the physical cell identifier of the secondary base station, the cell radio network temporary identifier of the secondary base station, the cell identity of the master base station, the physical cell identifier of the master base station, the cell radio network temporary identifier of the master base station, identification data stored by both the secondary base station and the user equipment, data transmitted by the master base station or the secondary base station to the user equipment, and a specific number.
Optionally, the base station is a secondary base station.
This embodiment of the present invention provides a base station that receives check information sent by the user equipment, where the check information is information obtained after the user equipment protects preset data by using the key derived by the user equipment and a preset algorithm, and the preset algorithm includes at least one of an encryption algorithm and an integrity protection algorithm; obtains target data according to the key derived by the base station, the preset algorithm, the preset data and the check information; and determines, according to the preset data, the check information and the target data, whether the key derived by the user equipment is identical to the key derived by the base station. Whether the key shared between the user equipment and the base station is correct can thus be verified, which avoids service interruption between the user equipment and the secondary base station caused by an incorrect key or a corresponding incorrect algorithm.
An embodiment of the present invention provides a base station 70. As shown in Figure 19, the base station 70 includes a bus 74, and a processor 71, a memory 72 and an interface 73 that are connected to the bus 74, where the interface 73 is configured to communicate, the memory 72 is configured to store computer code, and the processor 71 is configured to execute the computer code in order to:
receive check information sent by the user equipment, where the check information is information obtained after the user equipment protects preset data by using the key derived by the user equipment and a preset algorithm, and the preset algorithm includes at least one of an encryption algorithm and an integrity protection algorithm;
obtain target data according to the key derived by the secondary base station, the preset algorithm, the preset data and the check information;
determine, according to the preset data, the check information and the target data, whether the key derived by the user equipment is identical to the key derived by the secondary base station, and obtain a determination result; and
send the determination result to the secondary base station.
Optionally, the processor 71 executes the computer code further in order to:
if the key derived by the user equipment and the key derived by the secondary base station are not identical, cause the user equipment to delete the secondary base station, or cause the user equipment to derive the key again.
Optionally, when executing the computer code to receive the check information sent by the user equipment, the processor 71 is specifically configured to:
receive a radio resource control (RRC) message sent by the user equipment, where the RRC message carries the check information.
Optionally, the preset data includes at least one of the following:
the cell identity of the secondary base station, the physical cell identifier of the secondary base station, the cell radio network temporary identifier of the secondary base station, the cell identity of the master base station, the physical cell identifier of the master base station, the cell radio network temporary identifier of the master base station, identification data stored by both the secondary base station and the user equipment, data transmitted by the master base station or the secondary base station to the user equipment, and a specific number.
This embodiment of the present invention provides a base station that receives check information sent by the user equipment, where the check information is information obtained after the user equipment protects preset data by using the key derived by the user equipment and a preset algorithm, and the preset algorithm includes at least one of an encryption algorithm and an integrity protection algorithm; obtains target data according to the key derived by the secondary base station, the preset algorithm, the preset data and the check information; determines, according to the preset data, the check information and the target data, whether the key derived by the user equipment is identical to the key derived by the secondary base station, and obtains a determination result; and sends the determination result to the secondary base station. Whether the key shared between the user equipment and the secondary base station is correct can thus be verified, which avoids data errors, or even service interruption, between the user equipment and the secondary base station caused by an incorrect key or a corresponding incorrect algorithm.
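Both base stations above (the secondary base station 60 and the master base station 70) check the UE's check information the same way: recompute target data from their own derived key and compare it with what the UE sent. The Python program below is an added example and not the patent's code; the integrity and encryption stand-ins, the preset-data encoding, the name k_sbs_at_master (the secondary base station's derived key as held by the master base station; the page does not say how it gets there) and the mismatch policy are all assumptions.

```python
import hashlib
import hmac
import struct


def preset_data(cell_id: int, pci: int, crnti: int) -> bytes:
    """Preset data known to both sides (the page lists cell identity, physical cell
    identifier, C-RNTI and similar values). The packed encoding is an assumption."""
    return struct.pack(">IHH", cell_id, pci, crnti)


def integrity_tag(key: bytes, data: bytes) -> bytes:
    """Stand-in integrity protection (assumption: real nodes use a 3GPP EIA/NIA algorithm
    with a 32-bit MAC-I; truncated HMAC-SHA256 is used so the example runs offline)."""
    return hmac.new(key, data, hashlib.sha256).digest()[:4]


def encrypt_preset(key: bytes, data: bytes) -> bytes:
    """Stand-in encryption of up to 32 bytes: XOR with one keystream block derived from the
    key. XOR is its own inverse, so the same function decrypts."""
    block = hmac.new(key, b"check-info-keystream", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, block))


def ue_check_information(k_ue: bytes, data: bytes, algorithm: str) -> bytes:
    """UE side: protect the preset data with the UE-derived key. The page carries the result
    in a MAC message, PDCP data, an RRC message, or an X2 addition complete message."""
    if algorithm == "integrity":
        return integrity_tag(k_ue, data)
    if algorithm == "encryption":
        return encrypt_preset(k_ue, data)
    raise ValueError("preset algorithm must be 'integrity' or 'encryption'")


def base_station_verify(k_bs: bytes, data: bytes, check_info: bytes, algorithm: str) -> bool:
    """Base station side: obtain target data from its own key, then compare.
    Integrity mode: target = tag over the preset data, compared with the check information.
    Encryption mode: target = check information decrypted with the base station key,
    compared with the preset data. Both comparisons are constant-time."""
    if algorithm == "integrity":
        target = integrity_tag(k_bs, data)
        return hmac.compare_digest(target, check_info)
    if algorithm == "encryption":
        target = encrypt_preset(k_bs, check_info)
        return hmac.compare_digest(target, data)
    raise ValueError("preset algorithm must be 'integrity' or 'encryption'")


def secondary_base_station_handle(k_sbs, data, check_info, algorithm, on_mismatch="rederive"):
    """Base station 60 (secondary): on mismatch, make the UE derive the key again or delete
    the base station. Choosing between the two is a policy assumption, not fixed by the page."""
    if base_station_verify(k_sbs, data, check_info, algorithm):
        return "keys_identical"
    return "ue_rederive_key" if on_mismatch == "rederive" else "ue_delete_base_station"


def master_base_station_handle(k_sbs_at_master, data, check_info, algorithm):
    """Base station 70 (master): checks the RRC-carried check information against the
    secondary base station's derived key and sends the result to the secondary base station."""
    result = base_station_verify(k_sbs_at_master, data, check_info, algorithm)
    return {"to_secondary_base_station": {"keys_identical": result}}


# Constructed demo values.
K_UE = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
K_BS_MATCH, K_BS_MISMATCH = K_UE, bytes.fromhex("deadbeefdeadbeefdeadbeefdeadbeef")
DATA = preset_data(cell_id=0x00ABCDE1, pci=301, crnti=0x3A7F)

if __name__ == "__main__":
    for algo in ("integrity", "encryption"):
        info = ue_check_information(K_UE, DATA, algo)
        print(algo, secondary_base_station_handle(K_BS_MATCH, DATA, info, algo),
              secondary_base_station_handle(K_BS_MISMATCH, DATA, info, algo))
```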
An embodiment of the present invention provides a user equipment 80. As shown in Figure 20, the user equipment 80 includes a bus 84, and a processor 81, a memory 82 and an interface 83 that are connected to the bus 84, where the interface 83 is configured to communicate, the memory 82 is configured to store computer code, and the processor 81 is configured to execute the computer code in order to:
decrypt the received downlink data according to the key derived by the user equipment and a preset algorithm;
determine, according to the decrypted data, whether the key derived by the user equipment is identical to the key derived by the secondary base station; and
send the determination result to the secondary base station;
where determining, according to the decrypted data, whether the key derived by the user equipment is identical to the key derived by the secondary base station includes:
obtaining the Internet protocol address and port number of the decrypted data packet;
if the Internet protocol address and the port number can be identified, determining that the key derived by the user equipment is identical to the key derived by the secondary base station; or,
if the Internet protocol address and/or the port number cannot be identified, determining that the key derived by the user equipment is not identical to the key derived by the secondary base station.
Optionally, the processor 81 executes the computer code further in order to:
if the key derived by the user equipment and the key derived by the secondary base station are not identical, notify the master base station to delete the secondary base station; or notify the master base station to add the secondary base station again; or notify the secondary base station, through the master base station, to re-trigger the reconfiguration procedure; or notify the secondary base station, through the master base station, to delete the secondary base station.
This embodiment of the present invention provides a user equipment that decrypts the received downlink data according to the key derived by the user equipment and a preset algorithm; determines, according to the decrypted data, whether the key derived by the user equipment is identical to the key derived by the secondary base station; and sends the determination result to the secondary base station. Whether the key shared between the user equipment and the secondary base station is correct can thus be verified, which avoids data errors, or even service interruption, between the user equipment and the secondary base station caused by an incorrect key or a corresponding incorrect algorithm.
An embodiment of the present invention provides a core network element 90. As shown in Figure 21, the core network element 90 includes a bus 94, and a processor 91, a memory 92 and an interface 93 that are connected to the bus 94, where the interface 93 is configured to communicate, the memory 92 is configured to store computer code, and the processor 91 is configured to execute the computer code in order to:
receive the data obtained after the secondary base station decrypts the uplink data sent by the user equipment according to the key derived by the secondary base station and a preset algorithm;
determine, according to the decrypted data, whether the key derived by the user equipment is identical to the key derived by the secondary base station; and
send the determination result to the secondary base station;
where determining, according to the decrypted data, whether the key derived by the user equipment is identical to the key derived by the secondary base station includes:
obtaining the Internet protocol address and port number of the decrypted data packet;
if the Internet protocol address and the port number can be identified, determining that the key derived by the user equipment is identical to the key derived by the secondary base station; or,
if the Internet protocol address and/or the port number cannot be identified, determining that the key derived by the user equipment is not identical to the key derived by the secondary base station.
Optionally, the processor 91 executes the computer code further in order to:
if the key derived by the user equipment and the key derived by the secondary base station are not identical, notify the master base station to delete the secondary base station; or notify the master base station to add the secondary base station again; or notify the secondary base station, through the master base station, to re-trigger the reconfiguration procedure; or notify the secondary base station, through the master base station, to delete the secondary base station.
Optionally, when executing the computer code to notify the master base station to delete the secondary base station or to add the secondary base station again, the processor 91 is specifically configured to:
send a key mismatch message to the mobility management entity, which forwards the key mismatch message to the master base station, so that the master base station deletes the secondary base station or adds the secondary base station again after receiving the key mismatch message.
This embodiment of the present invention provides a core network element that receives the data obtained after the secondary base station decrypts the uplink data sent by the user equipment according to the key derived by the secondary base station and a preset algorithm; determines, according to the decrypted data, whether the key derived by the user equipment is identical to the key derived by the secondary base station; and sends the determination result to the secondary base station. Whether the key shared between the user equipment and the secondary base station is correct can thus be verified, which avoids data errors, or even service interruption, between the user equipment and the secondary base station caused by an incorrect key or a corresponding incorrect algorithm.
The term "and/or" in the present invention only describes an association relationship between associated objects and indicates that three relationships may exist; for example, "A and/or B" may indicate that A exists alone, that A and B exist simultaneously, or that B exists alone. In addition, the character "/" herein generally indicates an "or" relationship between the associated objects.
From the above description of the embodiments it is clear to those skilled in the art that, for convenience and brevity of description, the division into the above functional modules is used only as an example; in practical application, the above functions may be allocated to different functional modules as required, that is, the internal structure of the device may be divided into different functional modules to complete all or part of the functions described above. For the specific working process of the system, apparatus and units described above, reference may be made to the corresponding process in the foregoing method embodiments, and details are not described herein again.
In the several embodiments provided in this application, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. For example, the apparatus embodiments described above are merely exemplary: the division into units is only a division by logical function, and there may be another division in actual implementation; for instance, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed. In addition, the mutual coupling, direct coupling or communication connection that is shown or discussed may be implemented through some interfaces, and the indirect coupling or communication connection between apparatuses or units may be electrical, mechanical or of another form.
The units described as separate parts may or may not be physically separate, and parts shown as units may or may not be physical units; they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the objective of the solution of this embodiment.
In addition, the functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist physically on its own, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware, or in the form of hardware plus a software functional unit.
If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention, in essence or in the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product. The software product is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) or a processor to execute all or part of the steps of the methods of the embodiments of the present invention. The foregoing storage medium includes any medium that can store program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM, Read-Only Memory), a random access memory (RAM, Random Access Memory), a magnetic disk or an optical disc.
The foregoing is merely a specific embodiment of the present invention, but the protection scope of the present invention is not limited thereto. Any change or replacement that a person familiar with the art can readily think of within the technical scope disclosed by the present invention shall fall within the protection scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.
Claims (6)
1. A user equipment, comprising:
a decryption unit, configured to decrypt received downlink data according to a key derived by the user equipment and a preset algorithm, where the preset algorithm is an encryption algorithm;
a determining unit, configured to determine, according to the decrypted data, whether the key derived by the user equipment is identical to a key derived by a secondary base station, including:
obtaining the Internet protocol address and port number of the decrypted data packet;
if the Internet protocol address and the port number can be identified, determining that the key derived by the user equipment is identical to the key derived by the secondary base station; or,
if the Internet protocol address and/or the port number cannot be identified, determining that the key derived by the user equipment is not identical to the key derived by the secondary base station; and
a sending unit, configured to send the determination result to the secondary base station.
2. The user equipment according to claim 1, further comprising:
a notification unit, configured to, if the key derived by the user equipment and the key derived by the secondary base station are not identical, notify a master base station to delete the secondary base station; or notify the master base station to add the secondary base station again; or notify the secondary base station, through the master base station, to re-trigger a reconfiguration procedure; or notify the secondary base station, through the master base station, to delete the secondary base station.
3. A key verification method, comprising:
decrypting, by a user equipment, received downlink data according to a key derived by the user equipment and a preset algorithm, where the preset algorithm is an encryption algorithm;
determining, by the user equipment according to the decrypted data, whether the key derived by the user equipment is identical to a key derived by a secondary base station; and
sending, by the user equipment, the determination result to the secondary base station;
where the determining, by the user equipment according to the decrypted data, whether the key derived by the user equipment is identical to the key derived by the secondary base station includes:
obtaining, by the user equipment, the Internet protocol address and port number of the decrypted data packet;
if the Internet protocol address and the port number can be identified, determining that the key derived by the user equipment is identical to the key derived by the secondary base station; or,
if the Internet protocol address and/or the port number cannot be identified, determining that the key derived by the user equipment is not identical to the key derived by the secondary base station.
4. The method according to claim 3, wherein, if the key derived by the user equipment and the key derived by the secondary base station are not identical, the method further comprises:
notifying a master base station to delete the secondary base station; or,
notifying the master base station to add the secondary base station again; or,
notifying the secondary base station, through the master base station, to re-trigger a reconfiguration procedure; or,
notifying the secondary base station, through the master base station, to delete the secondary base station.
5. A user equipment, comprising a communication interface, a memory and a processor, where the communication interface is configured to communicate with a network element, the memory is configured to store computer code, and the processor executes the computer code in order to:
decrypt received downlink data according to a key derived by the user equipment and a preset algorithm, where the preset algorithm is an encryption algorithm;
determine, according to the decrypted data, whether the key derived by the user equipment is identical to a key derived by a secondary base station; and
send the determination result to the secondary base station;
where the determining, according to the decrypted data, whether the key derived by the user equipment is identical to the key derived by the secondary base station includes:
obtaining the Internet protocol address and port number of the decrypted data packet;
if the Internet protocol address and the port number can be identified, determining that the key derived by the user equipment is identical to the key derived by the secondary base station; or,
if the Internet protocol address and/or the port number cannot be identified, determining that the key derived by the user equipment is not identical to the key derived by the secondary base station.
6. The user equipment according to claim 5, wherein the processor executes the computer code further in order to:
if the key derived by the user equipment and the key derived by the secondary base station are not identical, notify a master base station to delete the secondary base station; or notify the master base station to add the secondary base station again; or notify the secondary base station, through the master base station, to re-trigger a reconfiguration procedure; or notify the secondary base station, through the master base station, to delete the secondary base station.
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/CN2014/070607 WO2015106387A1 (en) | 2014-01-14 | 2014-01-14 | Key verification method, base station, user device and core network element |
Publications (2)
Publication Number | Publication Date |
---|---|
CN105027495A CN105027495A (en) | 2015-11-04 |
CN105027495B true CN105027495B (en) | 2018-12-14 |
Family
ID=53542265
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201480000891.9A Active CN105027495B (en) | 2014-01-14 | 2014-01-14 | A kind of method of check key, base station, user equipment and core network element |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN105027495B (en) |
WO (1) | WO2015106387A1 (en) |
2014
- 2014-01-14 WO PCT/CN2014/070607 patent/WO2015106387A1/en active Application Filing
- 2014-01-14 CN CN201480000891.9A patent/CN105027495B/en active Active
Also Published As
Publication number | Publication date |
---|---|
CN105027495A (en) | 2015-11-04 |
WO2015106387A1 (en) | 2015-07-23 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||