CN105027495B - Method for checking a key, base station, user equipment and core network element - Google Patents

Publication number
CN105027495B
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201480000891.9A
Other languages
Chinese (zh)
Other versions
CN105027495A (en)
Inventor
郭轶
戴明增
张宏平
曾清海
蔺波
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd
Publication of CN105027495A
Application granted
Publication of CN105027495B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/80 Wireless
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/061 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00 applying further key derivation, e.g. deriving traffic keys from a pair-wise master key

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The embodiments of the present invention provide a method for checking a key, a base station, user equipment and a core network element, which can verify whether the key between the user equipment and the secondary base station is correct, and can avoid data errors or even service interruption between the user equipment and the secondary base station caused by an incorrect key or corresponding algorithm. The specific scheme is as follows: the user equipment sends check information to the base station, the check information being the information obtained after the user equipment protects preset data, known to both the user equipment and the base station, using the key derived by the user equipment and a preset algorithm, where the preset algorithm includes at least one of an encryption algorithm and an integrity protection algorithm; after receiving the check information, the base station obtains target data according to the same preset algorithm, the key derived by the secondary base station and the check information, and judges, according to the preset data, the check information and the target data, whether the key derived by the user equipment is the same as the key derived by the base station. The present invention is used to check the key between the user equipment and the base station.

Description

Method for checking a key, base station, user equipment and core network element
Technical field
The present invention relates to the communications field, and in particular to a method for checking a key, a base station, user equipment and a core network element.
Background
Carrier aggregation in Long Term Evolution (LTE) systems can be roughly divided into cell aggregation within a base station, cell aggregation between base stations, and so on. Cell aggregation within a base station is comparatively simple because it is controlled by only one evolved base station (Evolution Node B, eNB). The scheme for carrier aggregation between base stations concerns, for example, how different base stations connected by a non-ideal backhaul link can implement dual connectivity, that is, how data is transmitted to a terminal in the connected state using the resources of two base stations, so as to improve terminal throughput.
Based on the scheme for carrier aggregation between base stations, the master base station needs to establish bearers of the user equipment (User Equipment, UE) on the secondary base station. However, neither the master base station nor the secondary base station can know whether the secondary-base-station-related key derived by the UE is correct; when that key is incorrect, service between the UE and the secondary base station is interrupted.
Summary of the invention
The embodiments of the present invention provide a method for checking a key, a base station, user equipment and a core network element, which can verify whether the key between the user equipment and the secondary base station is correct, and can avoid service interruption between the user equipment and the secondary base station caused by an incorrect key or corresponding algorithm.
To achieve the above objectives, the embodiments of the present invention adopt the following technical solutions:
In a first aspect, an embodiment of the present invention provides a base station, the base station including:
A receiving unit, configured to receive check information sent by user equipment, the check information being the information obtained after the user equipment protects preset data using the key derived by the user equipment and a preset algorithm, the preset algorithm including at least one of an encryption algorithm and an integrity protection algorithm;
An acquiring unit, configured to obtain target data according to the key derived by the base station, the preset algorithm, the preset data and the check information;
A judging unit, configured to judge, according to the preset data, the check information and the target data, whether the key derived by the user equipment is the same as the key derived by the base station.
With reference to the first aspect, in a first possible implementation, the base station further includes:
A reset unit, configured to, if the key derived by the user equipment is not the same as the key derived by the base station, make the user equipment re-derive the key or make the user equipment delete the base station.
With reference to the first aspect, in a second possible implementation, the receiving unit is specifically configured to:
Receive a base station addition complete message from the master base station over the X2 interface, the base station addition complete message carrying the check information; or
Receive a medium access control message sent by the user equipment, the medium access control message carrying the check information; or
Receive Packet Data Convergence Protocol data sent by the user equipment, the Packet Data Convergence Protocol data carrying the check information.
With reference to the first aspect, in a third possible implementation, the preset data includes at least one of the following:
The cell identifier under the secondary base station, the physical cell identifier under the secondary base station, the cell radio network temporary identifier under the secondary base station, the cell identifier under the master base station, the physical cell identifier under the master base station, the cell radio network temporary identifier under the master base station, marker data stored by the secondary base station and the user equipment, data transmitted by the master base station or the secondary base station to the user equipment, a specific number.
With reference to the first aspect, in a fourth possible implementation, the base station is a secondary base station.
In a second aspect, an embodiment of the present invention provides another base station, the base station including:
A receiving unit, configured to receive check information sent by user equipment, the check information being the information obtained after the user equipment protects preset data using the key derived by the user equipment and a preset algorithm, the preset algorithm including at least one of an encryption algorithm and an integrity protection algorithm;
An acquiring unit, configured to obtain target data according to the key derived by the secondary base station, the preset algorithm, the preset data and the check information;
A judging unit, configured to judge, according to the preset data, the check information and the target data, whether the key derived by the user equipment is the same as the key derived by the secondary base station, to obtain a judgment result;
A transmission unit, configured to send the judgment result to the secondary base station.
With reference to the second aspect, in a first possible implementation, the base station further includes:
A reset unit, configured to, if the key derived by the user equipment is not the same as the key derived by the secondary base station, make the user equipment delete the secondary base station or make the user equipment re-derive the key.
With reference to the second aspect, in a second possible implementation, the receiving unit is specifically configured to:
Receive a radio resource control message sent by the user equipment, the radio resource control message carrying the check information.
With reference to the second aspect, in a third possible implementation, the preset data includes at least one of the following:
The cell identifier under the secondary base station, the physical cell identifier under the secondary base station, the cell radio network temporary identifier under the secondary base station, the cell identifier under the master base station, the physical cell identifier under the master base station, the cell radio network temporary identifier under the master base station, marker data stored by the secondary base station and the user equipment, data transmitted by the master base station or the secondary base station to the user equipment, a specific number.
In a third aspect, an embodiment of the present invention provides user equipment, the user equipment including:
A decryption unit, configured to decrypt received downlink data according to the key derived by the user equipment and a preset algorithm;
A judging unit, configured to judge, according to the decrypted data, whether the key derived by the user equipment is the same as the key derived by the secondary base station, including:
Obtaining the Internet Protocol address and port number of the decrypted data packet;
If the Internet Protocol address and the port number can be identified, determining that the key derived by the user equipment is the same as the key derived by the secondary base station; or,
If the Internet Protocol address and/or the port number cannot be identified, determining that the key derived by the user equipment is not the same as the key derived by the secondary base station;
A transmission unit, configured to send the judgment result to the secondary base station.
With reference to the third aspect, in a first possible implementation, the user equipment further includes:
A notification unit, configured to, if the key derived by the user equipment is not the same as the key derived by the secondary base station, notify the master base station to delete the secondary base station; or notify the master base station to re-add the secondary base station; or notify, through the master base station, the secondary base station to re-trigger the reconfiguration procedure; or notify, through the master base station, the secondary base station to delete the secondary base station.
In a fourth aspect, an embodiment of the present invention provides a core network element, the core network element including:
A receiving unit, configured to receive the data obtained after the secondary base station decrypts, according to the key derived by the secondary base station and a preset algorithm, the uplink data sent by the user equipment;
A judging unit, configured to judge, according to the decrypted data, whether the key derived by the user equipment is the same as the key derived by the secondary base station, including:
Obtaining the Internet Protocol address and port number of the decrypted data packet;
If the Internet Protocol address and the port number can be identified, determining that the key derived by the user equipment is the same as the key derived by the secondary base station; or,
If the Internet Protocol address and/or the port number cannot be identified, determining that the key derived by the user equipment is not the same as the key derived by the secondary base station;
A transmission unit, configured to send the result of the judgment to the secondary base station.
With reference to the fourth aspect, in a first possible implementation, the core network element further includes:
A notification unit, configured to, if the key derived by the user equipment is not the same as the key derived by the secondary base station, notify the master base station to delete the secondary base station; or notify the master base station to re-add the secondary base station; or notify, through the master base station, the secondary base station to re-trigger the reconfiguration procedure; or notify, through the master base station, the secondary base station to delete the secondary base station.
With reference to the first possible implementation of the fourth aspect, in a second possible implementation, the notification unit is specifically configured to:
Send a key-mismatch message to a mobility management entity, the mobility management entity forwarding the key-mismatch message to the master base station, so that the master base station, after receiving the key-mismatch message, deletes the secondary base station or re-adds the secondary base station; or notify, through the master base station, the secondary base station to re-trigger the reconfiguration procedure; or notify, through the master base station, the secondary base station to delete the secondary base station.
In a fifth aspect, an embodiment of the present invention provides a method for checking a key, the method including:
The secondary base station receives check information sent by user equipment, the check information being the information obtained after the user equipment protects preset data using the key derived by the user equipment and a preset algorithm, the preset algorithm including at least one of an encryption algorithm and an integrity protection algorithm;
The secondary base station obtains target data according to the key derived by the secondary base station, the preset algorithm, the preset data and the check information;
The secondary base station judges, according to the preset data, the check information and the target data, whether the key derived by the user equipment is the same as the key derived by the secondary base station.
With reference to the fifth aspect, in a first possible implementation, the method further includes:
If the key derived by the user equipment is not the same as the key derived by the secondary base station, making the user equipment re-derive the key or making the user equipment delete the secondary base station.
With reference to the fifth aspect, in a second possible implementation, receiving the check information sent by the user equipment includes:
Receiving a base station addition complete message from the master base station over the X2 interface, the base station addition complete message carrying the check information; or
Receiving a medium access control message sent by the user equipment, the medium access control message carrying the check information; or
Receiving Packet Data Convergence Protocol data sent by the user equipment, the Packet Data Convergence Protocol data carrying the check information.
With reference to the fifth aspect, in a third possible implementation, the preset data includes at least one of the following:
The cell identifier under the secondary base station, the physical cell identifier under the secondary base station, the cell radio network temporary identifier under the secondary base station, the cell identifier under the master base station, the physical cell identifier under the master base station, the cell radio network temporary identifier under the master base station, marker data stored by the secondary base station and the user equipment, data transmitted by the master base station or the secondary base station to the user equipment, a specific number.
In a sixth aspect, an embodiment of the present invention provides a method for checking a key, the method including:
The master base station receives check information sent by user equipment, the check information being the information obtained after the user equipment protects preset data using the key derived by the user equipment and a preset algorithm, the preset algorithm including at least one of an encryption algorithm and an integrity protection algorithm;
The master base station obtains target data according to the key derived by the secondary base station, the preset algorithm, the preset data and the check information;
The master base station judges, according to the preset data, the check information and the target data, whether the key derived by the user equipment is the same as the key derived by the secondary base station, to obtain a judgment result;
The master base station sends the judgment result to the secondary base station.
With reference to the sixth aspect, in a first possible implementation, the method further includes:
If the key derived by the user equipment is not the same as the key derived by the secondary base station, making the user equipment delete the secondary base station or making the user equipment re-derive the key.
With reference to the sixth aspect, in a second possible implementation, receiving the check information sent by the user equipment includes:
Receiving a radio resource control message sent by the user equipment, the radio resource control message carrying the check information.
With reference to the sixth aspect, in a third possible implementation, the preset data includes at least one of the following:
The cell identifier under the secondary base station, the physical cell identifier under the secondary base station, the cell radio network temporary identifier under the secondary base station, the cell identifier under the master base station, the physical cell identifier under the master base station, the cell radio network temporary identifier under the master base station, marker data stored by the secondary base station and the user equipment, data transmitted by the master base station or the secondary base station to the user equipment, a specific number.
In a seventh aspect, an embodiment of the present invention provides a method for checking a key, the method including:
The user equipment decrypts received downlink data according to the key derived by the user equipment and a preset algorithm;
The user equipment judges, according to the decrypted data, whether the key derived by the user equipment is the same as the key derived by the secondary base station;
The user equipment sends the judgment result to the secondary base station;
Wherein the user equipment judging, according to the decrypted data, whether the key derived by the user equipment is the same as the key derived by the secondary base station includes:
The user equipment obtains the Internet Protocol address and port number of the decrypted data packet;
If the Internet Protocol address and the port number can be identified, determining that the key derived by the user equipment is the same as the key derived by the secondary base station; or,
If the Internet Protocol address and/or the port number cannot be identified, determining that the key derived by the user equipment is not the same as the key derived by the secondary base station.
With reference to the seventh aspect, in a first possible implementation, if the key derived by the user equipment is not the same as the key derived by the base station, the method further includes:
Notifying the master base station to delete the secondary base station; or
Notifying the master base station to re-add the secondary base station; or
Notifying, through the master base station, the secondary base station to re-trigger the reconfiguration procedure; or
Notifying, through the master base station, the secondary base station to delete the secondary base station.
In an eighth aspect, an embodiment of the present invention provides a method for checking a key, the method including:
The core network element receives the data obtained after the secondary base station decrypts, according to the key derived by the secondary base station and a preset algorithm, the uplink data sent by the user equipment;
The core network element judges, according to the decrypted data, whether the key derived by the user equipment is the same as the key derived by the secondary base station;
The core network element sends the result of the judgment to the secondary base station;
Wherein the core network element judging, according to the decrypted data, whether the key derived by the user equipment is the same as the key derived by the secondary base station includes:
Obtaining the Internet Protocol address and port number of the decrypted data packet;
If the Internet Protocol address and the port number can be identified, determining that the key derived by the user equipment is the same as the key derived by the secondary base station; or,
If the Internet Protocol address and/or the port number cannot be identified, determining that the key derived by the user equipment is not the same as the key derived by the secondary base station.
With reference to the eighth aspect, in a first possible implementation, if the key derived by the user equipment is not the same as the key derived by the secondary base station, the method further includes:
Notifying the master base station to delete the secondary base station; or
Notifying the master base station to re-add the secondary base station; or
Notifying, through the master base station, the secondary base station to re-trigger the reconfiguration procedure; or
Notifying, through the master base station, the secondary base station to delete the secondary base station.
With reference to the first possible implementation of the eighth aspect, in a second possible implementation, notifying the master base station to delete the secondary base station or notifying the master base station to re-add the secondary base station includes:
Sending a key-mismatch message to a mobility management entity, the mobility management entity forwarding the key-mismatch message to the master base station, so that the master base station, after receiving the key-mismatch message, deletes the secondary base station or re-adds the secondary base station.
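Added example, not part of the patent text: a Python illustration of the two judgments described in the aspects above, namely the check-information comparison (integrity and encryption variants) and the IP address/port test on decrypted data. HMAC-SHA256, the SHA-256 keystream, `derive_key` with its counter, the IPv4/UDP framing and the reading of "can be identified" as "addressed to the UE on a known port" are assumptions standing in for algorithms the text leaves unspecified; all sample values are constructed.

```python
import hashlib
import hmac
import ipaddress
import struct


def derive_key(base_key, counter):
    """Stand-in KDF (assumption, not the LTE KDF): 128-bit key from a base key and a counter."""
    return hmac.new(base_key, struct.pack(">H", counter), hashlib.sha256).digest()[:16]


def stream_xor(key, data):
    """Toy stream cipher standing in for the preset encryption algorithm; XOR is its own inverse."""
    stream = b""
    block = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + struct.pack(">I", block)).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def integrity_tag(key, data):
    """HMAC-SHA256 tag standing in for the preset integrity protection algorithm."""
    return hmac.new(key, data, hashlib.sha256).digest()[:16]


def make_check_info(ue_key, preset, algorithm):
    """UE side: protect the preset data with the UE-derived key."""
    if algorithm == "integrity":
        return integrity_tag(ue_key, preset)
    if algorithm == "encryption":
        return stream_xor(ue_key, preset)
    raise ValueError("unknown preset algorithm: %r" % algorithm)


def keys_match(station_key, preset, check_info, algorithm):
    """Base station side: compute the target data and judge whether the keys agree."""
    if algorithm == "integrity":
        # Target data is the tag recomputed locally; compare it with the check information.
        target = integrity_tag(station_key, preset)
        return hmac.compare_digest(target, check_info)
    if algorithm == "encryption":
        # Target data is the decrypted check information; compare it with the preset data.
        target = stream_xor(station_key, check_info)
        return hmac.compare_digest(target, preset)
    raise ValueError("unknown preset algorithm: %r" % algorithm)


def flow_identified(decrypted, ue_addr, known_ports):
    """Decrypted-data test: does the packet parse as IPv4/UDP for a flow the UE knows?"""
    if len(decrypted) < 28 or decrypted[0] >> 4 != 4:
        return False
    ihl = (decrypted[0] & 0x0F) * 4
    if ihl < 20 or len(decrypted) < ihl + 8 or decrypted[9] != 17:
        return False
    dst = ipaddress.IPv4Address(decrypted[16:20])
    dport = struct.unpack(">H", decrypted[ihl + 2:ihl + 4])[0]
    return dst == ipaddress.IPv4Address(ue_addr) and dport in known_ports


def sample_packet(src, dst, sport, dport, payload):
    """Constructed IPv4/UDP packet (checksums left at zero; only header fields are inspected)."""
    udp = struct.pack(">HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return ip + udp


# Constructed sample values.
BASE_KEY = bytes(range(32))
PRESET = struct.pack(">HH", 301, 0x4A3C)  # made-up physical cell identifier and C-RNTI
UE_ADDR = "10.45.0.7"
KNOWN_PORTS = {5060}


def run_case(ue_counter, station_counter):
    """Return the three verdicts for one pair of (hypothetical) derivation counters."""
    ue_key = derive_key(BASE_KEY, ue_counter)
    station_key = derive_key(BASE_KEY, station_counter)
    verdicts = {
        alg: keys_match(station_key, PRESET, make_check_info(ue_key, PRESET, alg), alg)
        for alg in ("integrity", "encryption")
    }
    # Downlink: the station encrypts with its key, the UE decrypts with its own.
    packet = sample_packet("192.0.2.10", UE_ADDR, 40000, 5060, b"hello")
    downlink = stream_xor(station_key, packet)
    verdicts["downlink_flow"] = flow_identified(stream_xor(ue_key, downlink), UE_ADDR, KNOWN_PORTS)
    return verdicts


if __name__ == "__main__":
    print("same counter: ", run_case(1, 1))
    print("stale counter:", run_case(1, 2))
```

The two variants show why the judgment takes the preset data, the check information and the target data as inputs: with integrity protection the target data is compared with the check information, with encryption it is compared with the preset data.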
In a ninth aspect, a base station is provided, the base station including: a communication interface, a memory and a processor; the communication interface is used to communicate with network elements, and the memory is used to store computer code; the processor executes the computer code to:
Receive check information sent by user equipment, the check information being the information obtained after the user equipment protects preset data using the key derived by the user equipment and a preset algorithm, the preset algorithm including at least one of an encryption algorithm and an integrity protection algorithm;
Obtain target data according to the key derived by the base station, the preset algorithm, the preset data and the check information;
Judge, according to the preset data, the check information and the target data, whether the key derived by the user equipment is the same as the key derived by the base station.
With reference to the ninth aspect, in a first possible implementation, the processor executes the computer code further to:
If the key derived by the user equipment is not the same as the key derived by the base station, make the user equipment re-derive the key or make the user equipment delete the base station.
With reference to the ninth aspect, in a second possible implementation, the processor executes the computer code further to:
Receive a base station addition complete message from the master base station over the X2 interface, the base station addition complete message carrying the check information; or
Receive a medium access control message sent by the user equipment, the medium access control message carrying the check information; or
Receive Packet Data Convergence Protocol data sent by the user equipment, the Packet Data Convergence Protocol data carrying the check information.
With reference to the ninth aspect, in a third possible implementation, the preset data includes at least one of the following:
The cell identifier under the secondary base station, the physical cell identifier under the secondary base station, the cell radio network temporary identifier under the secondary base station, the cell identifier under the master base station, the physical cell identifier under the master base station, the cell radio network temporary identifier under the master base station, marker data stored by the secondary base station and the user equipment, data transmitted by the master base station or the secondary base station to the user equipment, a specific number.
With reference to the ninth aspect, in a fourth possible implementation, the base station is a secondary base station.
In a tenth aspect, a base station is provided, the base station including: a communication interface, a memory and a processor; the communication interface is used to communicate with network elements, and the memory is used to store computer code; the processor executes the computer code to:
Receive check information sent by user equipment, the check information being the information obtained after the user equipment protects preset data using the key derived by the user equipment and a preset algorithm, the preset algorithm including at least one of an encryption algorithm and an integrity protection algorithm;
Obtain target data according to the key derived by the secondary base station, the preset algorithm, the preset data and the check information;
Judge, according to the preset data, the check information and the target data, whether the key derived by the user equipment is the same as the key derived by the secondary base station, to obtain a judgment result;
Send the judgment result to the secondary base station.
With reference to the tenth aspect, in a first possible implementation, the processor executes the computer code further to:
If the key derived by the user equipment is not the same as the key derived by the secondary base station, make the user equipment delete the secondary base station or make the user equipment re-derive the key.
With reference to the tenth aspect, in a second possible implementation, the processor executes the computer code further to:
Receive a radio resource control message sent by the user equipment, the radio resource control message carrying the check information.
With reference to the tenth aspect, in a third possible implementation, the preset data includes at least one of the following:
The cell identifier under the secondary base station, the physical cell identifier under the secondary base station, the cell radio network temporary identifier under the secondary base station, the cell identifier under the master base station, the physical cell identifier under the master base station, the cell radio network temporary identifier under the master base station, marker data stored by the secondary base station and the user equipment, data transmitted by the master base station or the secondary base station to the user equipment, a specific number.
In an eleventh aspect, user equipment is provided, the user equipment including: a communication interface, a memory and a processor; the communication interface is used to communicate with network elements, and the memory is used to store computer code; the processor executes the computer code to:
Decrypt received downlink data according to the key derived by the user equipment and a preset algorithm;
Judge, according to the decrypted data, whether the key derived by the user equipment is the same as the key derived by the secondary base station;
Send the judgment result to the secondary base station;
Wherein judging, according to the decrypted data, whether the key derived by the user equipment is the same as the key derived by the secondary base station includes:
Obtaining the Internet Protocol address and port number of the decrypted data packet;
If the Internet Protocol address and the port number can be identified, determining that the key derived by the user equipment is the same as the key derived by the secondary base station; or,
If the Internet Protocol address and/or the port number cannot be identified, determining that the key derived by the user equipment is not the same as the key derived by the secondary base station.
With reference to the eleventh aspect, in a first possible implementation, the processor executes the computer code further to:
If the key derived by the user equipment is not the same as the key derived by the secondary base station, notify the master base station to delete the secondary base station; or notify the master base station to re-add the secondary base station; or notify, through the master base station, the secondary base station to re-trigger the reconfiguration procedure; or notify, through the master base station, the secondary base station to delete the secondary base station.
In a twelfth aspect, a core network element is provided. The core network element includes a communication interface, a memory and a processor; the communication interface is configured to communicate with a network element, the memory is configured to store computer code, and the processor executes the computer code to:
Receive the data obtained after the secondary base station decrypts, according to the key derived by the secondary base station and a preset algorithm, the uplink data sent by the user equipment;
Judge, according to the decrypted data, whether the key derived by the user equipment and the key derived by the secondary base station are identical;
Send the judging result to the secondary base station;
Wherein judging, according to the decrypted data, whether the key derived by the user equipment and the key derived by the secondary base station are identical includes:
Obtaining the Internet Protocol address and port number of the decrypted data packet;
If the Internet Protocol address and the port number can be identified, determining that the key derived by the user equipment is identical to the key derived by the secondary base station; or,
If the Internet Protocol address and/or the port number cannot be identified, determining that the key derived by the user equipment is not identical to the key derived by the secondary base station.
With reference to the twelfth aspect, in a first possible implementation, the processor executes the computer code further to:
If the key derived by the user equipment and the key derived by the secondary base station are not identical, notify the master base station to delete the secondary base station; or notify the master base station to add the secondary base station again; or notify, through the master base station, the secondary base station to retrigger the reconfiguration procedure; or notify, through the master base station, the secondary base station to delete the secondary base station.
With reference to the first possible implementation of the twelfth aspect, in a second possible implementation, the processor executes the computer code further to:
Send a key-mismatch message to the mobility management entity, which forwards the key-mismatch message to the master base station, so that the master base station, after receiving the key-mismatch message, deletes the secondary base station or adds the secondary base station again.
The embodiments of the present invention provide a method for checking a key, a base station, a user equipment and a core network element. The user equipment sends check information to the base station; the check information is the information obtained after the user equipment protects preset data known to both the user equipment and the base station using the key derived by the user equipment and a preset algorithm, where the preset algorithm includes at least one of an encryption algorithm and an integrity protection algorithm. After receiving the check information, the base station obtains target data according to the same preset algorithm, the key derived by the secondary base station and the check information, and judges, according to the preset data, the check information and the target data, whether the key derived by the user equipment and the key derived by the base station are identical. Alternatively, after the user equipment and the secondary base station establish a connection, the user equipment, on receiving a downlink data packet, decrypts it using the key related to the secondary base station derived by the user equipment and the corresponding security algorithm, and judges whether the decrypted data packet is correct in order to judge whether the key related to the secondary base station derived by the user equipment is identical to the key derived by the secondary base station. Alternatively, after the user equipment and the secondary base station establish a connection, the core network element receives the data obtained after the base station decrypts, according to the key derived by the base station and the preset algorithm, the uplink data sent by the user equipment, and judges whether the decrypted data packet is correct in order to judge whether the key related to the secondary base station derived by the user equipment is identical to the key derived by the secondary base station. In this way, whether the key between the user equipment and the secondary base station is correct can be verified, which avoids data errors or even service interruption between the user equipment and the secondary base station caused by an incorrect key or corresponding algorithm.
Brief description of the drawings
To describe the technical solutions in the embodiments of the present invention or in the prior art more clearly, the accompanying drawings needed for describing the embodiments or the prior art are briefly introduced below. Evidently, the accompanying drawings in the following description show only some embodiments of the present invention, and a person of ordinary skill in the art may obtain other drawings from these drawings without creative effort.
Fig. 1 is a first schematic structural diagram of a base station according to an embodiment of the present invention;
Fig. 2 is a schematic flowchart of key derivation in an LTE system;
Fig. 3 is a second schematic structural diagram of a base station according to an embodiment of the present invention;
Fig. 4 is a first schematic structural diagram of another base station according to an embodiment of the present invention;
Fig. 5 is a second schematic structural diagram of another base station according to an embodiment of the present invention;
Fig. 6 is a first schematic structural diagram of a user equipment according to an embodiment of the present invention;
Fig. 7 is a second schematic structural diagram of a user equipment according to an embodiment of the present invention;
Fig. 8 is a first schematic structural diagram of a core network element according to an embodiment of the present invention;
Fig. 9 is a second schematic structural diagram of a core network element according to an embodiment of the present invention;
Fig. 10 is a first schematic flowchart of a method for checking a key according to an embodiment of the present invention;
Fig. 11 is a second schematic flowchart of a method for checking a key according to an embodiment of the present invention;
Fig. 12 is a third schematic flowchart of a method for checking a key according to an embodiment of the present invention;
Fig. 13 is a fourth schematic flowchart of a method for checking a key according to an embodiment of the present invention;
Fig. 14 is a fifth schematic flowchart of a method for checking a key according to an embodiment of the present invention;
Fig. 15 is a sixth schematic flowchart of a method for checking a key according to an embodiment of the present invention;
Fig. 16 is a seventh schematic flowchart of a method for checking a key according to an embodiment of the present invention;
Fig. 17 is an eighth schematic flowchart of a method for checking a key according to an embodiment of the present invention;
Fig. 18 is a schematic structural diagram of another base station according to an embodiment of the present invention;
Fig. 19 is a schematic structural diagram of another base station according to an embodiment of the present invention;
Fig. 20 is a schematic structural diagram of another user equipment according to an embodiment of the present invention;
Fig. 21 is a schematic structural diagram of another core network element according to an embodiment of the present invention.
Detailed description of the embodiments
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings in the embodiments of the present invention. Evidently, the described embodiments are only some rather than all of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort shall fall within the protection scope of the present invention.
An embodiment of the present invention provides a base station 20, which can act as a secondary base station. As shown in Fig. 1, the secondary base station 20 includes a receiving unit 21, an acquiring unit 22 and a judging unit 23.
The receiving unit 21 is configured to receive the check information sent by the user equipment. The check information is the information obtained after the user equipment protects preset data using the key derived by the user equipment and a preset algorithm, where the preset algorithm includes at least one of an encryption algorithm and an integrity protection algorithm.
The preset data may be at least one of the following:
The cell identifier under the secondary base station, the physical cell identifier under the secondary base station, the cell radio network temporary identifier under the secondary base station, the cell identifier under the master base station, the physical cell identifier under the master base station, the cell radio network temporary identifier under the master base station, identification data stored by the secondary base station and the user equipment, data transmitted by the master base station or the secondary base station to the user equipment, or a specific number.
For ease of description, the hierarchy of security keys in an LTE system is briefly described below. In an LTE system the keys on the UE side and on the evolved packet system (Evolved Packet System, EPS) side are mutually independent, the key derivation process on both sides is identical, and keys are derived level by level using key derivation functions (Key Derivation Functions, KDF), as shown in Fig. 2:
K is a key stored in the universal subscriber identity module (Universal Subscriber Identity Module, USIM) and in the authentication center (Authentication Center, AuC); it is a permanently fixed key and the basis of the generation algorithms for all keys.
CK is a key derived from K and used for encryption, and IK is a key derived from K and used for integrity protection. CK and IK are both held in the UE and the home subscriber server (Home Subscriber Server, HSS).
KASME is a key derived from CK and IK by the UE and the HSS.
KeNB is a key derived from KASME, or derived by the UE and the eNB, and is used to derive the various access stratum (Access Stratum, AS) keys.
The next hop (Next Hop, NH) is a key derived by the UE and the mobility management entity (Mobility Management Entity, MME) from KASME, and is one kind of eNB key.
User plane service keys:
KUPenc is derived by the UE and the eNB from KeNB and the encryption algorithm, and is used to protect user plane service data;
KUPint is derived by the UE and the eNB from KeNB and the integrity protection algorithm, and is used to protect user data between a relay node (Relay Node, RN) and a donor base station (Donor eNB, DeNB).
Keys related to radio resource control (Radio Resource Control, RRC):
KRRCint is derived by the UE and the eNB from KeNB and the integrity protection algorithm, and is used to protect RRC messages;
KRRCenc is derived by the UE and the eNB from KeNB and the encryption algorithm, and is used to protect RRC messages.
KNASenc is a key derived by the UE and the MME from KASME, and is used to protect the non-access stratum (Non-Access-Stratum, NAS) stream with the encryption algorithm.
KNASint is a key derived by the UE and the MME from KASME, and is used to protect the NAS stream with the integrity protection algorithm.
Specifically, the key related to the secondary base station derived by the user equipment may include at least one of the following: KeNB, KUPenc, KUPint, KRRCint, KRRCenc.
For example, the user equipment obtains the check information by protecting the cell identifier under the secondary base station using the encryption algorithm and KUPenc.
Optionally, the receiving unit 21 may be specifically configured to:
Receive a base station addition complete message from the master base station over the X2 interface, where the base station addition complete message carries the check information; or
Receive a medium access control message sent by the user equipment, where the medium access control message carries the check information; or
Receive Packet Data Convergence Protocol data sent by the user equipment, where the Packet Data Convergence Protocol data carries the check information.
For example, the check information may be included in the radio resource control connection reconfiguration complete message (RRC Connection Reconfiguration Complete Message) that the UE sends to the master base station; after receiving the check information, the master base station sends the secondary base station a base station addition complete message that carries the check information.
Specifically, the check information can be carried in the RRC connection reconfiguration complete message by adding a security confirmation information element (securityConfirmation). For example, this can be implemented by the following code:
Here securityConfirmation may take the form of a byte stream (OCTET STRING), a bit string (BIT STRING (SIZE (xx))), or the like.
For example, selecting the preset data in securityConfirmation can be implemented by the following code:
--ASN1STOP
The UE generates securityConfirmation, which may be the integrity protection result computed over securityConfirmationInput using the integrity protection algorithm and the key for that algorithm; or the encryption result computed over securityConfirmationInput using the encryption algorithm and the key for that algorithm; or a combination of the two.
Assume that securityConfirmation is the result computed by the UE using the encryption algorithm and the derived KUPenc related to the secondary base station. The master base station sends a base station addition complete message to the secondary base station over the X2 interface, where the base station addition complete message carries securityConfirmation, and the secondary base station receives securityConfirmation.
Alternatively, for example, if the check information is included in a medium access control (Medium Access Control, MAC) message sent by the user equipment, this can be implemented by adding securityConfirmation to the MAC message.
For example, a new logical channel identifier (Logical Channel Identify, LCID) value is introduced specifically to indicate securityConfirmation, for example 01011, where L indicates the length of securityConfirmation; if securityConfirmation has a fixed length, L may be omitted and securityConfirmation placed there directly. An existing LCID value may also be reused, with securityConfirmation added to an existing MAC message; the UE may also transmit securityConfirmation directly as data, or transmit it through the physical layer.
For example, selecting the preset data in securityConfirmation can be implemented by the following code:
The UE generates securityConfirmation, which may be the integrity protection result computed over securityConfirmationInput using the integrity protection algorithm and the key for that algorithm; or the encryption result computed over securityConfirmationInput using the encryption algorithm and the key for that algorithm; or a combination of the two.
Assume that securityConfirmation is the result computed by the UE using the integrity protection algorithm and the derived KUPint or KRRCint related to the secondary base station; securityConfirmation is added to the MAC message that the UE sends to the secondary base station, and the secondary base station receives securityConfirmation.
Alternatively, the check information may also be included in the Packet Data Convergence Protocol (Packet Data Convergence Protocol, PDCP) data sent by the user equipment.
For example, the check information may be securityConfirmation and the preset data securityConfirmationInput. The UE generates securityConfirmation, which may be the integrity protection result computed over securityConfirmationInput using the integrity protection algorithm and the key for that algorithm; or the encryption result computed over securityConfirmationInput using the encryption algorithm and the key for that algorithm; or a combination of the two.
For example, selecting the preset data in securityConfirmation can be implemented by the following code:
Assume that securityConfirmation is the result computed by the UE using the encryption algorithm and the derived KUPenc related to the secondary base station. The master base station sends a base station addition complete message to the secondary base station over the X2 interface, where the base station addition complete message carries securityConfirmation, and the secondary base station receives securityConfirmation.
The acquiring unit 22 is configured to obtain target data according to the key derived by the base station, the preset algorithm, the preset data and the check information.
For example, assume that the check information is securityConfirmation and the preset data is securityConfirmationInput. The check information is the result the UE computes over securityConfirmationInput using the encryption algorithm and the derived KUPenc related to the secondary base station, and securityConfirmation is added to the base station addition complete message that the master base station sends to the secondary base station. After receiving securityConfirmation, the secondary base station decrypts securityConfirmation according to the encryption algorithm and the KUPenc it derived itself, obtaining a new securityConfirmationInput.
Alternatively, for example, assume that the check information is securityConfirmation and the preset data is securityConfirmationInput. The check information is the result the UE computes over securityConfirmationInput using the integrity protection algorithm and the derived KUPint or KRRCint related to the secondary base station, and securityConfirmation is added to the MAC message that the UE sends to the secondary base station. After receiving securityConfirmation, the secondary base station integrity-protects the securityConfirmationInput it has stored according to the integrity protection algorithm and the KUPint or KRRCint it derived itself, obtaining a new securityConfirmation.
Alternatively, for example, assume that the check information is securityConfirmation and the preset data is securityConfirmationInput. The check information is the result the UE computes over securityConfirmationInput using the encryption algorithm and the derived KUPenc related to the secondary base station, and securityConfirmation is added to the PDCP data that the UE sends to the secondary base station. After receiving securityConfirmation, the secondary base station decrypts the check information according to the encryption algorithm and the KUPenc it derived itself, obtaining a new securityConfirmationInput.
The judging unit 23 is configured to judge, according to the preset data, the check information and the target data, whether the key derived by the user equipment and the key derived by the base station are identical.
For example, assume that the check information is securityConfirmation and the preset data is securityConfirmationInput. The check information is the result the UE computes over securityConfirmationInput using the integrity protection algorithm and the derived KUPint related to the secondary base station, and securityConfirmationInput is the cell identification data under the secondary base station stored by both the UE and the secondary base station. After receiving securityConfirmation, the secondary base station integrity-protects securityConfirmationInput according to the integrity protection algorithm and the KUPint it derived itself, obtaining a new securityConfirmation, and judges whether the new securityConfirmation is identical to the received securityConfirmation. If they are identical, the KUPint related to the secondary base station derived by the UE is identical to the KUPint derived by the secondary base station itself; otherwise they are not identical.
Alternatively, for example, assume that the check information is securityConfirmation and the preset data is securityConfirmationInput. The check information is the result the UE computes over securityConfirmationInput using the integrity protection algorithm and the derived KRRCint related to the secondary base station, and securityConfirmationInput is the cell identification data under the secondary base station stored by both the UE and the secondary base station. After receiving securityConfirmation, the secondary base station integrity-protects securityConfirmationInput according to the integrity protection algorithm and the KRRCint it derived itself, obtaining a new securityConfirmation, and judges whether the new securityConfirmation is identical to the received securityConfirmation. If they are identical, the KRRCint related to the secondary base station derived by the UE is identical to the KRRCint derived by the secondary base station itself; otherwise they are not identical.
Alternatively, for example, assume that the check information is securityConfirmation and the preset data is securityConfirmationInput. The UE first integrity-protects securityConfirmationInput using the integrity protection algorithm and the derived KUPint related to the secondary base station to obtain the intermediate variable securityConfirmationTemp, and then encrypts securityConfirmationTemp using the encryption algorithm and the derived KUPenc related to the secondary base station to obtain securityConfirmation. After receiving securityConfirmation, the secondary base station first decrypts securityConfirmation using the encryption algorithm and the KUPenc it derived itself to obtain securityConfirmationTemp; it then integrity-protects the securityConfirmationInput it has stored using the integrity protection algorithm and its derived KUPint to obtain a new securityConfirmationTemp, and judges whether the new securityConfirmationTemp is identical to the securityConfirmationTemp obtained by decrypting the received securityConfirmation. If they are identical, the KUPenc and KUPint related to the secondary base station derived by the UE are respectively identical to the KUPenc and KUPint derived by the secondary base station itself; otherwise they are not identical.
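The integrity-protection comparison described above, as an added example that is not code from the patent: the UE computes securityConfirmation over securityConfirmationInput with its KUPint, and the secondary base station recomputes it with its own KUPint and compares. HMAC-SHA-256 stands in for both the key derivation function and the preset integrity protection algorithm, the label layout in kdf() is a simplification rather than the 3GPP encoding, and all function names, keys and identifiers are constructed for illustration.

```python
import hashlib
import hmac


def kdf(parent_key: bytes, label: bytes) -> bytes:
    """Derive a 128-bit child key (simplified stand-in, not the 3GPP encoding)."""
    return hmac.new(parent_key, label, hashlib.sha256).digest()[16:]


def derive_kupint(k_enb: bytes, integrity_alg_id: int) -> bytes:
    """KUPint depends on KeNB and on the integrity protection algorithm in use."""
    return kdf(k_enb, b"UP-int" + bytes([integrity_alg_id]))


def integrity_protect(key: bytes, data: bytes) -> bytes:
    """Stand-in for the preset integrity protection algorithm (assumption)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def ue_build_confirmation(k_enb_ue: bytes, alg_id: int, confirmation_input: bytes) -> bytes:
    """UE side: securityConfirmation = integrity result over securityConfirmationInput."""
    return integrity_protect(derive_kupint(k_enb_ue, alg_id), confirmation_input)


def senb_keys_match(k_enb_senb: bytes, alg_id: int, stored_input: bytes, received: bytes) -> bool:
    """Secondary base station side: recompute over its stored input and compare."""
    expected = integrity_protect(derive_kupint(k_enb_senb, alg_id), stored_input)
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(expected, received)


def senb_action(match: bool) -> str:
    """Follow-up the text gives for the reset unit when the keys differ."""
    if match:
        return "keep secondary base station"
    return "make UE re-derive the key or delete the secondary base station"


def run_mac_scenarios() -> dict:
    k_enb = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)  # constructed key
    stale = bytes.fromhex("ff" * 32)                                # constructed stale key
    cell_id = b"SeNB-cell-0x1A2B"                                   # constructed preset data
    good = ue_build_confirmation(k_enb, 2, cell_id)
    from_stale = ue_build_confirmation(stale, 2, cell_id)
    return {
        "same key": senb_keys_match(k_enb, 2, cell_id, good),
        "UE used a stale KeNB": senb_keys_match(k_enb, 2, cell_id, from_stale),
        "algorithm id differs": senb_keys_match(k_enb, 1, cell_id, good),
        "preset data differs": senb_keys_match(k_enb, 2, b"SeNB-cell-0x9999", good),
    }


if __name__ == "__main__":
    for name, match in run_mac_scenarios().items():
        print(f"{name}: match={match} -> {senb_action(match)}")
```

A mismatch in the preset data or in the algorithm identifier fails the comparison exactly as a key mismatch does, so the secondary base station cannot tell these causes apart from the check alone.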
Optionally, as shown in Fig. 3, the secondary base station 20 further includes:
A reset unit 24, configured to, if the key derived by the user equipment and the key derived by the base station are not identical, make the user equipment derive the key again or make the user equipment delete the base station.
For example, assume that the judging unit 23 finds that the new securityConfirmation obtained after integrity protection differs from the received securityConfirmation. This shows that the KUPint related to the secondary base station derived by the UE is not identical to the KUPint derived by the secondary base station itself; the secondary base station can then notify the UE to delete the secondary base station, or make the UE derive the key related to the secondary base station again.
An embodiment of the present invention provides a base station that receives the check information sent by the user equipment, where the check information is the information obtained after the user equipment protects preset data using the key derived by the user equipment and a preset algorithm, and the preset algorithm includes at least one of an encryption algorithm and an integrity protection algorithm; obtains target data according to the key derived by the base station, the preset algorithm, the preset data and the check information; and judges, according to the preset data, the check information and the target data, whether the key derived by the user equipment is identical to the key derived by the base station. In this way, whether the key between the user equipment and the secondary base station is correct can be verified, which avoids service interruption between the user equipment and the secondary base station caused by an incorrect key or corresponding algorithm.
An embodiment of the present invention also provides a base station 30, which can act as a master base station. As shown in Fig. 4, the master base station 30 includes a receiving unit 31, an acquiring unit 32, a judging unit 33 and a transmission unit 34.
The receiving unit 31 is configured to receive the check information sent by the user equipment. The check information is the information obtained after the user equipment protects preset data using the key derived by the user equipment and a preset algorithm, where the preset algorithm includes at least one of an encryption algorithm and an integrity protection algorithm.
Specifically, the master base station receives a radio resource control message, sent by the UE, that contains the check information. For example, the radio resource control message may be the RRC Connection Reconfiguration Complete Message, which contains the check information.
Optionally, the preset data includes at least one of the following:
The cell identifier under the secondary base station, the physical cell identifier under the secondary base station, the cell radio network temporary identifier under the secondary base station, the cell identifier under the master base station, the physical cell identifier under the master base station, the cell radio network temporary identifier under the master base station, identification data stored by the secondary base station and the user equipment, data transmitted by the master base station or the secondary base station to the user equipment, or a specific number.
The acquiring unit 32 is configured to obtain target data according to the key derived by the secondary base station, the preset algorithm, the preset data and the check information.
For example, the master base station decrypts the check information received by the receiving unit 31 according to the encryption algorithm and the KUPenc derived by the secondary base station (here KUPenc is obtained by the master base station using the same key derivation process as the secondary base station), obtaining the target data.
The judging unit 33 is configured to judge, according to the preset data, the check information and the target data, whether the key derived by the user equipment is identical to the key derived by the secondary base station, obtaining a judging result.
For example, assume that the target data is the data obtained after the UE protects the preset data using the KUPenc derived by the user equipment and the encryption algorithm; the target data is the data the master base station obtains by decrypting the check information received by the receiving unit 31 according to the encryption algorithm and the KUPenc derived by the secondary base station (here KUPenc is obtained by the master base station using the same key derivation process as the secondary base station). The master base station judges whether the target data and the preset data are identical, obtaining the judging result.
The transmission unit 34 is configured to send the judging result to the secondary base station.
For example, the master base station notifies the secondary base station of the judging result over the X2 interface.
Optionally, as shown in Fig. 5, the master base station 30 further includes:
A reset unit 35, configured to, if the key derived by the user equipment is not identical to the key derived by the secondary base station, make the user equipment delete the secondary base station or make the user equipment derive the key again.
An embodiment of the present invention provides a base station that receives the check information sent by the user equipment, where the check information is the information obtained after the user equipment protects preset data using the key derived by the user equipment and a preset algorithm, and the preset algorithm includes at least one of an encryption algorithm and an integrity protection algorithm; obtains target data according to the key derived by the secondary base station, the preset algorithm, the preset data and the check information; judges, according to the preset data, the check information and the target data, whether the key derived by the user equipment is identical to the key derived by the secondary base station, obtaining a judging result; and sends the judging result to the secondary base station. In this way, whether the key between the user equipment and the secondary base station is correct can be verified, which avoids service interruption between the user equipment and the secondary base station caused by an incorrect key or corresponding algorithm.
An embodiment of the present invention also provides a user equipment 40. As shown in Fig. 6, the user equipment 40 includes a decryption unit 41, a judging unit 42 and a transmission unit 43.
The decryption unit 41 is configured to decrypt received downlink data according to the key derived by the user equipment and a preset algorithm.
For example, the preset algorithm may be an encryption algorithm. A connection has already been established between the UE and the secondary base station; the UE decrypts the encrypted downlink data received from the network side according to the key it derived itself and the encryption algorithm, and obtains an Internet Protocol (Internet Protocol, IP) packet.
The judging unit 42 is configured to judge, according to the decrypted data, whether the key derived by the user equipment and the key derived by the secondary base station are identical.
Specifically, the judging unit 42 is configured to:
Obtain the Internet Protocol address and port number of the decrypted data packet;
Identify the Internet Protocol address and port number of the data packet;
If the Internet Protocol address and port number can be identified, determine that the key derived by the user equipment is identical to the key derived by the secondary base station; or,
If the Internet Protocol address and/or port number cannot be identified, determine that the key derived by the user equipment is not identical to the key derived by the secondary base station.
For example, the judging unit 42 receives the IP packet from the decryption unit 41 and obtains the IP address and port number of the IP packet. If the IP address and port number can be identified, the IP packet is delivered to the corresponding application, which also shows that the key related to the secondary base station derived by the UE is identical to the related key derived by the secondary base station; or,
If the IP address and/or port number cannot be identified, the IP packet is an erroneous packet, which also shows that the key related to the secondary base station derived by the UE is not identical to the related key derived by the secondary base station.
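The decrypt-then-identify judgment described above, as an added example that is not code from the patent: a downlink IPv4/UDP packet is encrypted with the secondary base station's KUPenc, the UE decrypts it with its own KUPenc and checks whether the address and port are recognisable. "Can be identified" is interpreted here as a valid IPv4 header, a destination address equal to the UE's address and a destination port with a listening application; that interpretation, the toy stream cipher standing in for the preset encryption algorithm, and all names, keys and addresses are assumptions constructed for illustration.

```python
import hashlib
import hmac
import socket
import struct


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (HMAC-SHA-256 in counter mode); stand-in for the preset algorithm."""
    stream = bytearray()
    for block in range((len(data) + 31) // 32):
        stream += hmac.new(key, struct.pack(">I", block), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over 16-bit words; 0 for a header with a valid checksum."""
    total = sum(struct.unpack(">%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_udp_packet(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Build a minimal IPv4/UDP packet (UDP checksum left at 0, which IPv4 permits)."""
    udp = struct.pack(">HHHH", sport, dport, 8 + len(payload), 0) + payload
    hdr = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack(">H", ipv4_checksum(hdr)) + hdr[12:] + udp


def is_recognisable(packet: bytes, ue_addr: str, open_ports: set) -> bool:
    """True if the decrypted bytes parse as a packet for an application on this UE."""
    if len(packet) < 28:
        return False
    ver_ihl, _, total_len = struct.unpack(">BBH", packet[:4])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or ihl + 8 > len(packet) or total_len != len(packet):
        return False
    if ipv4_checksum(packet[:ihl]) != 0 or packet[9] not in (6, 17):
        return False
    if packet[16:20] != socket.inet_aton(ue_addr):
        return False
    dport = struct.unpack(">H", packet[ihl + 2:ihl + 4])[0]
    return dport in open_ports


def ue_keys_match(ciphertext: bytes, k_upenc_ue: bytes, ue_addr: str, open_ports: set) -> bool:
    """UE judgment: decrypt with its own key, then try to identify address and port."""
    return is_recognisable(keystream_xor(k_upenc_ue, ciphertext), ue_addr, open_ports)


def run_decrypt_scenarios() -> dict:
    k_senb = hashlib.sha256(b"constructed SeNB KUPenc").digest()[:16]
    k_ue_stale = hashlib.sha256(b"constructed stale UE KUPenc").digest()[:16]
    ue_addr = "192.0.2.10"  # constructed, documentation address range
    packet = build_udp_packet("198.51.100.7", ue_addr, 40000, 5060, b"constructed payload")
    downlink = keystream_xor(k_senb, packet)  # what the secondary base station sends
    return {
        "same key": ue_keys_match(downlink, k_senb, ue_addr, {5060}),
        "different key": ue_keys_match(downlink, k_ue_stale, ue_addr, {5060}),
        "same key, no listener": ue_keys_match(downlink, k_senb, ue_addr, {53}),
    }


if __name__ == "__main__":
    for name, match in run_decrypt_scenarios().items():
        print(f"{name}: keys judged identical = {match}")
```

The third scenario shows the limit of this judgment: with the correct key but no application on the destination port, the packet is still not identified, so a single unrecognised packet is weaker evidence of a key mismatch than a failed securityConfirmation comparison.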
The transmission unit 43 is configured to send the judging result to the secondary base station.
For example, the UE sends the judging result obtained by the judging unit 42 to the secondary base station through the master base station.
Optionally, as shown in Fig. 7, the user equipment 40 further includes:
A notification unit 44, configured to, if the key derived by the user equipment and the key derived by the secondary base station are not identical, notify the master base station to delete the secondary base station; or notify the master base station to add the secondary base station again; or notify, through the master base station, the secondary base station to retrigger the reconfiguration procedure; or notify, through the master base station, the secondary base station to delete the secondary base station.
For example, if the key related to the secondary base station derived by the UE is not identical to the related key derived by the secondary base station, the user equipment 40 may notify the master base station that the added secondary base station has a problem, and may also indicate which bearer of the secondary base station has the problem, that is, carry a bearer identifier in the indication; after determining that the secondary base station has a problem, the master base station deletes the secondary base station or adds the secondary base station again. Alternatively, the user equipment 40 may, through the master base station, notify the secondary base station to retrigger reconfiguration of the connection with the UE; or the user equipment 40 notifies, through the master base station, the secondary base station to delete the secondary base station.
An embodiment of the present invention provides a user equipment that decrypts received downlink data according to the key derived by the user equipment and a preset algorithm; judges, according to the decrypted data, whether the key derived by the user equipment and the key derived by the secondary base station are identical; and sends the judging result to the secondary base station. In this way, whether the key between the user equipment and the secondary base station is correct can be verified, which avoids service interruption between the user equipment and the secondary base station caused by an incorrect key or corresponding algorithm.
The embodiment of the present invention provides a core network element 50. As shown in Fig. 8, the core network element 50 includes:
Receiving unit 51, judging unit 52 and transmission unit 53.
Receiving unit 51, configured to receive the data obtained after the secondary base station decrypts, according to the key derived by the secondary base station and a preset algorithm, the uplink data sent by the user equipment.
For example, the preset algorithm may be an encryption algorithm. A connection has been established between the UE and the secondary base station. The secondary base station decrypts the encrypted uplink data received from the UE according to the key it derived itself and the encryption algorithm, obtains an Internet Protocol (IP) packet, and sends the IP packet to the core network element, which then receives the IP packet.
Judging unit 52, configured to judge, according to the decrypted data, whether the key derived by the user equipment is the same as the key derived by the secondary base station.
Specifically, judging unit 52 is configured to:
obtain the Internet Protocol address and port number of the decrypted data packet;
identify the Internet Protocol address and port number of the data packet;
determine that the key derived by the user equipment is the same as the key derived by the secondary base station if the Internet Protocol address and port number can be identified; or,
determine that the key derived by the user equipment is not the same as the key derived by the secondary base station if the Internet Protocol address and/or port number cannot be identified.
For example, judging unit 52 receives the IP packet from receiving unit 51 and obtains the IP address and port number of the IP packet. If the IP address and port number can be identified, the IP packet is correct, which also shows that the key related to the secondary base station derived by the UE is the same as the related key derived by the secondary base station; or,
if the IP address and/or port number cannot be identified, the IP packet is an erroneous packet, which also shows that the key related to the secondary base station derived by the UE is not the same as the related key derived by the secondary base station.
Optionally, as shown in Fig. 9, the core network element 50 further includes:
Notification unit 54, configured so that, if the key derived by the user equipment is not the same as the key derived by the secondary base station, the core network element notifies the master base station to delete the secondary base station; or the core network element notifies the master base station to add the secondary base station again; or the core network element notifies the secondary base station, through the master base station, to re-trigger the reconfiguration procedure; or the core network element notifies the secondary base station, through the master base station, to delete the secondary base station.
Optionally, notification unit 54 can be specifically configured to:
send a key-mismatch message to the mobility management entity, which forwards the key-mismatch message to the master base station, so that after receiving the key-mismatch message the master base station deletes the secondary base station or adds the secondary base station again; or notify the secondary base station, through the master base station, to re-trigger the reconfiguration procedure; or notify the secondary base station, through the master base station, to delete the secondary base station.
For example, if the key related to the secondary base station derived by the UE is not the same as the related key derived by the secondary base station, core network element 50 can notify the master base station through the MME, or notify the master base station directly, that the secondary base station it added has a problem, and can also indicate which bearer of the secondary base station has the problem, that is, carry a bearer identifier in the indication. After determining that the secondary base station has a problem, the master base station deletes the secondary base station or adds the secondary base station again. Alternatively, core network element 50 can notify the secondary base station to re-trigger reconfiguration of the connection with the UE; or core network element 50 notifies the secondary base station, through the master base station, to delete the secondary base station.
The embodiment of the present invention provides a core network element that receives the data obtained after the base station decrypts, according to the key derived by the base station and a preset algorithm, the uplink data sent by the user equipment; judges, according to the decrypted data, whether the key derived by the user equipment is the same as the key derived by the secondary base station; and sends the judgment result to the secondary base station. This verifies whether the key between the user equipment and the secondary base station is correct, and avoids the service interruption between the user equipment and the secondary base station that an incorrect key or corresponding algorithm would cause.
The embodiment of the present invention provides a key check method based on the secondary base station. As shown in Fig. 10, the method includes:
S101. The secondary base station receives the check information sent by the user equipment.
The check information is the information obtained after the user equipment protects preset data using the key derived by the user equipment and a preset algorithm; the preset algorithm includes at least one of an encryption algorithm and an integrity protection algorithm.
S102. The secondary base station obtains target data according to the key derived by the secondary base station itself, the preset algorithm, the preset data and the check information.
S103. The secondary base station judges, according to the preset data, the check information and the target data, whether the key derived by the user equipment is the same as the key derived by the secondary base station.
The embodiment of the present invention provides a key check method in which the secondary base station receives the check information sent by the user equipment, the check information being the information obtained after the user equipment protects preset data using the key derived by the user equipment and a preset algorithm, and the preset algorithm including at least one of an encryption algorithm and an integrity protection algorithm; the secondary base station obtains target data according to the key derived by the secondary base station itself, the preset algorithm, the preset data and the check information; and the secondary base station judges, according to the preset data, the check information and the target data, whether the key derived by the user equipment is the same as the key derived by the secondary base station itself. This verifies whether the key between the user equipment and the secondary base station is correct, and avoids the service interruption between the user equipment and the secondary base station that an incorrect key or corresponding algorithm would cause.
To help those skilled in the art understand the technical solution provided by the embodiment of the present invention more clearly, the key check method based on the secondary base station is described in detail below through a specific embodiment. As shown in Fig. 11, the method includes:
S201. The secondary base station receives the check information sent by the user equipment.
The check information is the information obtained after the user equipment protects preset data using the key derived by the user equipment and an encryption algorithm and/or an integrity protection algorithm.
The preset data includes at least one of the following:
the cell identifier under the secondary base station, the physical cell identifier under the secondary base station, the cell radio network temporary identifier under the secondary base station, the cell identifier under the master base station, the physical cell identifier under the master base station, the cell radio network temporary identifier under the master base station, identification data stored by the secondary base station and the user equipment, data transmitted by the master base station or the secondary base station to the user equipment, and a specific number.
Specifically, the secondary base station receives a base station addition complete message from the master base station over the X2 interface, the base station addition complete message carrying the check information; or
the secondary base station receives a Medium Access Control message sent by the user equipment, the Medium Access Control message carrying the check information; or
the secondary base station receives Packet Data Convergence Protocol data sent by the user equipment, the Packet Data Convergence Protocol data carrying the check information.
For example, the check information may be included in the RRC Connection Reconfiguration Complete Message that the UE sends to the master base station; after receiving the check information, the master base station carries it in the base station addition complete message that it sends to the secondary base station.
Specifically, carrying the check information in the radio resource connection reconfiguration complete message can be implemented by adding securityConfirmation. For example, it can be implemented by the following code:
Here Security Confirmation may take the form of an OCTET STRING or a BIT STRING (SIZE (xx)), among others.
For example, selecting the preset data in securityConfirmation can be implemented by the following code:
The UE generates securityConfirmation, which may be the integrity protection result computed over securityConfirmationInput using the integrity protection algorithm and the key of the integrity protection algorithm; or the encryption result computed over securityConfirmationInput using the encryption algorithm and the key of the encryption algorithm; or a combination of the two.
Assume securityConfirmation is the result the UE computes using the encryption algorithm and the K_UPenc it derived for the secondary base station. The master base station sends the base station addition complete message, which carries securityConfirmation, to the secondary base station over the X2 interface, and the secondary base station receives securityConfirmation.
Alternatively, for example, if the check information is included in a MAC message sent by the user equipment, this can be implemented by adding securityConfirmation to the MAC message.
For example, a new LCID value, such as 01011, can be introduced specifically to indicate securityConfirmation, where L indicates the length of securityConfirmation; if securityConfirmation has a fixed length, L can be omitted and securityConfirmation placed directly. A current LCID value can also be reused, with securityConfirmation added to an existing MAC message; or the UE can transmit securityConfirmation directly as data, or transmit it through the physical layer.
For example, selecting the preset data in securityConfirmation can be implemented by the following code:
The UE generates securityConfirmation, which may be the integrity protection result computed over securityConfirmationInput using the integrity protection algorithm and the key of the integrity protection algorithm; or the encryption result computed over securityConfirmationInput using the encryption algorithm and the key of the encryption algorithm; or a combination of the two.
Assume securityConfirmation is the result the UE computes using the integrity protection algorithm and the K_UPint or K_RRCint it derived for the secondary base station. securityConfirmation is added to the MAC message that the UE sends to the secondary base station, and the secondary base station receives securityConfirmation.
Alternatively, the check information may also be included in the Packet Data Convergence Protocol (PDCP) data sent by the user equipment.
For example, the check information can be securityConfirmation. The UE generates securityConfirmation, which may be the integrity protection result computed over securityConfirmationInput using the integrity protection algorithm and the key of the integrity protection algorithm; or the encryption result computed over securityConfirmationInput using the encryption algorithm and the key of the encryption algorithm; or a combination of the two.
For example, selecting the preset data in securityConfirmation can be implemented by the following code:
Assume securityConfirmation is the result the UE computes using the encryption algorithm and the K_UPenc it derived for the secondary base station. The master base station sends the base station addition complete message, which carries securityConfirmation, to the secondary base station over the X2 interface, and the secondary base station receives securityConfirmation.
S202. The secondary base station obtains target data according to the key derived by the secondary base station itself, the preset algorithm, the preset data and the check information.
For example, assume the check information is securityConfirmation and the preset data is securityConfirmationInput. The check information is the result the UE computes over securityConfirmationInput using the encryption algorithm and the K_UPenc it derived for the secondary base station, and securityConfirmation is added to the base station addition complete message that the master base station sends to the secondary base station. After receiving securityConfirmation, the secondary base station decrypts it according to the encryption algorithm and the K_UPenc it derived itself, obtaining a new securityConfirmationInput.
Alternatively, for example, assume the check information is securityConfirmation and the preset data is securityConfirmationInput. The check information is the result the UE computes over securityConfirmationInput using the integrity protection algorithm and the K_UPint or K_RRCint it derived for the secondary base station, and securityConfirmation is added to the MAC message that the UE sends to the secondary base station. After receiving securityConfirmation, the secondary base station performs integrity protection on the securityConfirmationInput it has stored, according to the integrity protection algorithm and the K_UPint or K_RRCint it derived itself, obtaining a new securityConfirmation.
Alternatively, for example, assume the check information is securityConfirmation and the preset data is securityConfirmationInput. The check information is the result the UE computes over securityConfirmationInput using the encryption algorithm and the K_UPenc it derived for the secondary base station, and securityConfirmation is added to the PDCP data that the UE sends to the secondary base station. After receiving securityConfirmation, the secondary base station decrypts the check information according to the encryption algorithm and the K_UPenc it derived itself, obtaining a new securityConfirmationInput.
S203. The secondary base station judges, according to the preset data, the check information and the target data, whether the key derived by the user equipment is the same as the key derived by the secondary base station itself.
For example, assume the check information is securityConfirmation and the preset data is securityConfirmationInput. The check information is the result the UE computes over securityConfirmationInput using the integrity protection algorithm and the K_UPint it derived for the secondary base station, and securityConfirmationInput is the identification data of the cell under the secondary base station, stored by both the UE and the secondary base station. After receiving securityConfirmation, the secondary base station performs the integrity protection computation on securityConfirmationInput according to the integrity protection algorithm and the K_UPint it derived itself, obtaining a new securityConfirmation, and judges whether the new securityConfirmation is the same as the received securityConfirmation. If it is, the K_UPint derived by the UE for the secondary base station is the same as the K_UPint derived by the secondary base station itself; otherwise they are not the same.
Alternatively, for example, assume the check information is securityConfirmation and the preset data is securityConfirmationInput. The check information is the result the UE computes over securityConfirmationInput using the integrity protection algorithm and the K_RRCint it derived for the secondary base station, and securityConfirmationInput is the identification data of the cell under the secondary base station, stored by both the UE and the secondary base station. After receiving securityConfirmation, the secondary base station performs integrity protection on securityConfirmationInput according to the integrity protection algorithm and the K_RRCint it derived itself, obtaining a new securityConfirmation, and judges whether the new securityConfirmation is the same as the received securityConfirmation. If they are the same, the K_RRCint derived by the UE for the secondary base station is the same as the K_RRCint derived by the secondary base station itself; otherwise they are not the same.
Alternatively, for example, assume the check information is securityConfirmation and the preset data is securityConfirmationInput. The UE first integrity-protects securityConfirmationInput using the integrity protection algorithm and the K_UPint it derived for the secondary base station, obtaining the intermediate variable securityConfirmationTemp, and then encrypts securityConfirmationTemp using the encryption algorithm and the K_UPenc it derived for the secondary base station, obtaining securityConfirmation. After receiving securityConfirmation, the secondary base station first decrypts securityConfirmation using the encryption algorithm and the K_UPenc it derived itself, obtaining securityConfirmationTemp; it then integrity-protects the securityConfirmationInput it has stored, using the integrity protection algorithm and its derived K_UPint, obtaining a new securityConfirmationTemp. It judges whether the new securityConfirmationTemp is the same as the securityConfirmationTemp obtained by decrypting the received securityConfirmation. If they are the same, the K_UPenc and K_UPint derived by the UE for the secondary base station are respectively the same as the K_UPenc and K_UPint derived by the secondary base station itself; otherwise they are not the same.
S204. If the key derived by the user equipment is not the same as the key derived by the secondary base station itself, the secondary base station causes the user equipment to delete the secondary base station or causes the user equipment to derive the key again.
For example, assume that the result judged in step S203 is that the new securityConfirmation obtained through integrity protection differs from the received securityConfirmation. This shows that the K_UPint derived by the UE for the secondary base station is not the same as the K_UPint derived by the secondary base station itself; the secondary base station can then notify the UE to delete the secondary base station, or cause the UE to derive the key related to the secondary base station again.
The embodiment of the present invention provides a key check method in which the secondary base station receives the check information sent by the user equipment, the check information being the information obtained after the user equipment protects preset data using the key derived by the user equipment and a preset algorithm, and the preset algorithm including at least one of an encryption algorithm and an integrity protection algorithm; the secondary base station obtains target data according to the key derived by the secondary base station itself, the preset algorithm, the preset data and the check information; and the secondary base station judges, according to the preset data, the check information and the target data, whether the key derived by the user equipment is the same as the key derived by the secondary base station itself. This verifies whether the key between the user equipment and the secondary base station is correct, and avoids the service interruption between the user equipment and the secondary base station that an incorrect key or corresponding algorithm would cause.
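The three securityConfirmation variants of steps S201 to S204 (integrity protection only, encryption only, and integrity protection followed by encryption) are sketched below as an added example that is not part of the patent text. It assumes HMAC-SHA256 truncated to 32 bits in place of the negotiated integrity protection algorithm and a SHAKE-256 XOR keystream in place of the negotiated encryption algorithm; the key derivation, key values and cell identity are constructed for illustration.

```python
import hashlib
import hmac

MAC_LEN = 4  # assumed 32-bit integrity tag
MODES = ("integrity", "encryption", "both")

# Constructed sample values (not from the patent).
UE_BASE_KEY = bytes.fromhex("11" * 32)
OTHER_BASE_KEY = bytes.fromhex("22" * 32)      # models a diverged derivation
CONF_INPUT = bytes.fromhex("001a2b3c01f4")     # securityConfirmationInput, e.g. a cell identity


def derive_keys(base_key: bytes):
    """Constructed derivation: returns (K_UPint, K_UPenc) from one base key."""
    k_upint = hmac.new(base_key, b"UP-int", hashlib.sha256).digest()[:16]
    k_upenc = hmac.new(base_key, b"UP-enc", hashlib.sha256).digest()[:16]
    return k_upint, k_upenc


def integrity_protect(k_int: bytes, data: bytes) -> bytes:
    """Stand-in for the negotiated integrity protection algorithm."""
    return hmac.new(k_int, data, hashlib.sha256).digest()[:MAC_LEN]


def cipher(k_enc: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher; XOR keystream, so encrypt and decrypt are identical."""
    keystream = hashlib.shake_256(k_enc).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, keystream))


def ue_build_confirmation(mode, conf_input, k_upint, k_upenc) -> bytes:
    """UE side: protect the preset data to produce securityConfirmation."""
    if mode == "integrity":
        return integrity_protect(k_upint, conf_input)
    if mode == "encryption":
        return cipher(k_upenc, conf_input)
    if mode == "both":
        temp = integrity_protect(k_upint, conf_input)   # securityConfirmationTemp
        return cipher(k_upenc, temp)
    raise ValueError(f"unknown mode: {mode}")


def senb_keys_match(mode, conf_input, confirmation, k_upint, k_upenc) -> bool:
    """Secondary base station side (S202 and S203): derive target data, then compare."""
    if mode == "integrity":
        target = integrity_protect(k_upint, conf_input)   # new securityConfirmation
        return hmac.compare_digest(target, confirmation)
    if mode == "encryption":
        target = cipher(k_upenc, confirmation)            # new securityConfirmationInput
        return hmac.compare_digest(target, conf_input)
    if mode == "both":
        received_temp = cipher(k_upenc, confirmation)
        new_temp = integrity_protect(k_upint, conf_input)
        return hmac.compare_digest(new_temp, received_temp)
    raise ValueError(f"unknown mode: {mode}")


def senb_action(keys_match: bool) -> str:
    """S204: on mismatch the UE is told to release the secondary base station or re-derive."""
    return "keep-connection" if keys_match else "release-or-rederive"


def run_scenarios():
    """Run every mode with matching and with diverged keys on the base station side."""
    ue_keys = derive_keys(UE_BASE_KEY)
    results = {}
    for mode in MODES:
        conf = ue_build_confirmation(mode, CONF_INPUT, *ue_keys)
        for label, base in (("same", UE_BASE_KEY), ("diverged", OTHER_BASE_KEY)):
            ok = senb_keys_match(mode, CONF_INPUT, conf, *derive_keys(base))
            results[(mode, label)] = senb_action(ok)
    return results


if __name__ == "__main__":
    for scenario, action in run_scenarios().items():
        print(scenario, "->", action)
```

Each variant only confirms the keys it actually uses: the integrity-only check passes even when K_UPenc has diverged, so the combined variant is the one that covers both keys in a single exchange.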
The embodiment of the present invention provides a key check method based on the master base station. As shown in Fig. 12, the method includes:
S301. The master base station receives the check information sent by the user equipment.
The check information is the information obtained after the user equipment protects preset data using the key derived by the user equipment and a preset algorithm; the preset algorithm includes at least one of an encryption algorithm and an integrity protection algorithm.
S302. The master base station obtains target data according to the key derived by the secondary base station, the preset algorithm, the preset data and the check information.
S303. The master base station judges, according to the preset data, the check information and the target data, whether the key derived by the user equipment is the same as the key derived by the secondary base station, and obtains a judgment result.
S304. The master base station sends the judgment result to the secondary base station.
The embodiment of the present invention provides a key check method in which the master base station receives the check information sent by the user equipment, the check information being the information obtained after the user equipment protects preset data using the key derived by the user equipment and a preset algorithm, and the preset algorithm including at least one of an encryption algorithm and an integrity protection algorithm; the master base station obtains target data according to the key derived by the secondary base station, the preset algorithm, the preset data and the check information; the master base station judges, according to the preset data, the check information and the target data, whether the key derived by the user equipment is the same as the key derived by the secondary base station, and obtains a judgment result; and the master base station sends the judgment result to the secondary base station. This verifies whether the key between the user equipment and the secondary base station is correct, and avoids the data errors or even service interruption between the user equipment and the secondary base station that an incorrect key or corresponding algorithm would cause.
To help those skilled in the art understand the technical solution provided by the embodiment of the present invention more clearly, the key check method based on the master base station is described in detail below through a specific embodiment. As shown in Fig. 13, the method includes:
S401. The master base station receives the check information sent by the user equipment.
The check information is the information obtained after the user equipment protects preset data using the key derived by the user equipment and a preset algorithm; the preset algorithm includes at least one of an encryption algorithm and an integrity protection algorithm.
The preset data includes at least one of the following:
the cell identifier under the secondary base station, the physical cell identifier under the secondary base station, the cell radio network temporary identifier under the secondary base station, the cell identifier under the master base station, the physical cell identifier under the master base station, the cell radio network temporary identifier under the master base station, identification data stored by the secondary base station and the user equipment, data transmitted by the master base station or the secondary base station to the user equipment, and a specific number.
Specifically, the master base station receives a radio resource control message, sent by the UE, that contains the check information. For example, the radio resource control message can be an RRC Connection Reconfiguration Complete Message, which contains the check information.
For example, the check information may be included in the RRC Connection Reconfiguration Complete Message that the UE sends to the master base station; after receiving the check information, the master base station carries it in the base station addition complete message that it sends to the secondary base station.
Specifically, carrying the check information in the radio resource connection reconfiguration complete message can be implemented by adding securityConfirmation.
For example, it can be implemented by the following code:
Here Security Confirmation may take the form of an OCTET STRING or a BIT STRING (SIZE (xx)), among others.
For example, selecting the preset data in securityConfirmation can be implemented by the following code:
The UE generates securityConfirmation, which may be the integrity protection result computed over securityConfirmationInput using the integrity protection algorithm and the key of the integrity protection algorithm; or the encryption result computed over securityConfirmationInput using the encryption algorithm and the key of the encryption algorithm; or a combination of the two.
Assume securityConfirmation is the result the UE computes using the encryption algorithm and the K_UPenc it derived for the secondary base station. The UE sends the RRC Connection Reconfiguration Complete Message, which carries securityConfirmation, to the master base station, and the master base station receives securityConfirmation.
S402. The master base station obtains target data according to the key derived by the secondary base station, the preset algorithm, the preset data and the check information.
For example, assume the check information is securityConfirmation and the preset data is securityConfirmationInput. The check information is the result the UE computes over securityConfirmationInput using the integrity protection algorithm and the K_UPint it derived for the secondary base station, and securityConfirmation is added to the RRC Connection Reconfiguration Complete Message that the UE sends to the master base station. After receiving securityConfirmation, the master base station performs integrity protection on securityConfirmationInput according to the integrity protection algorithm and the K_UPint derived by the secondary base station itself (the K_UPint here is obtained by the master base station using the same key derivation process as the secondary base station), obtaining a new securityConfirmation.
S403. The master base station judges, according to the preset data, the target data and the check information, whether the key derived by the user equipment is the same as the key derived by the secondary base station, and obtains a judgment result.
For example, assume the check information is securityConfirmation and the preset data is securityConfirmationInput. The check information is the result the UE computes over securityConfirmationInput using the integrity protection algorithm and the K_UPint it derived for the secondary base station, and securityConfirmationInput is the identification data of the cell under the secondary base station, stored by both the UE and the secondary base station. After receiving securityConfirmation, the master base station performs integrity protection on securityConfirmationInput according to the integrity protection algorithm and the K_UPint derived by the secondary base station itself (the K_UPint here is obtained by the master base station using the same key derivation process as the secondary base station), obtaining a new securityConfirmation, and judges whether the new securityConfirmation is the same as the received securityConfirmation. If they are the same, the K_UPint derived by the UE for the secondary base station is the same as the K_UPint derived by the secondary base station itself; otherwise they are not the same.
S404. The master base station sends the judgment result to the secondary base station.
For example, the master base station sends the result judged in step S303 to the secondary base station over the X2 interface.
S405. If the key derived by the user equipment is not the same as the key derived by the secondary base station, the user equipment is caused to delete the secondary base station or to derive the key again.
For example, assume the result that the master base station reports to the secondary base station is that the K_UPint derived by the UE for the secondary base station is not the same as the K_UPint derived by the secondary base station itself. The secondary base station can then notify the UE to delete the secondary base station, or cause the UE to derive the key related to the secondary base station again.
The embodiment of the present invention provides a key check method that receives the check information sent by the user equipment, the check information being the information obtained after the user equipment protects preset data using the key derived by the user equipment and a preset algorithm, and the preset algorithm including at least one of an encryption algorithm and an integrity protection algorithm; obtains target data according to the key derived by the secondary base station, the preset algorithm, the preset data and the check information; judges, according to the preset data, the check information and the target data, whether the key derived by the user equipment is the same as the key derived by the secondary base station, and obtains a judgment result; and sends the judgment result to the secondary base station. This verifies whether the key between the user equipment and the secondary base station is correct, and avoids the data errors or even service interruption between the user equipment and the secondary base station that an incorrect key or corresponding algorithm would cause.
The embodiment of the present invention provides a kind of method of check key, is based on UE, as shown in figure 14, this method comprises:
S501, user equipment key, preset algorithm according to derived from user equipment solve the downlink data received It is close.
S502, user equipment judge key derived from key derived from user equipment and prothetic group station according to the data after decryption It is whether identical.
Specifically, user equipment according to the data after decryption judge key derived from user equipment with it is close derived from prothetic group station Whether key is identical to include:
User equipment obtains the Internet protocol address and port numbers of the data packet after decryption;
If Internet protocol address and port numbers can be identified, determine derived from key derived from user equipment and prothetic group station Key is identical;Or,
If Internet protocol address and/or port numbers can not be identified, determine that key derived from user equipment spreads out with prothetic group station Raw key is not identical.
S503, user equipment send judging result to prothetic group station.
The embodiment of the present invention provides a kind of method of check key, user equipment key according to derived from user equipment, The downlink data received is decrypted in preset algorithm;User equipment judges derived from user equipment according to the data after decryption Whether key is identical as key derived from prothetic group station;User equipment sends judging result to prothetic group station.User equipment can be verified Whether the key between prothetic group station correct, can to avoid due to caused by key and corresponding algorithm are incorrect user set The standby error in data between prothetic group station even service disconnection.
To enable a person skilled in the art to understand the technical solution provided by the embodiments of the present invention more clearly, the UE-based method for verifying a key provided by the embodiment of the present invention is described in detail below through a specific embodiment. As shown in Figure 15, the method includes:
S601. The user equipment decrypts the received downlink data according to the key derived by the user equipment and a preset algorithm.
Illustratively, the preset algorithm may be an encryption algorithm. A connection has been established between the UE and the secondary base station; the UE decrypts the encrypted downlink data received from the network side according to its own derived key and the encryption algorithm, and obtains an IP packet.
S602. The user equipment obtains the Internet Protocol address and port number of the decrypted data packet.
Illustratively, the UE parses the IP packet obtained after decryption and obtains the IP address and port number of the packet.
S603. The user equipment judges, according to the Internet Protocol address and port number of the data packet, whether the key derived by the user equipment is the same as the key derived by the secondary base station, and obtains a judgment result.
Illustratively, the UE judges from the IP address and port number whether the key derived by the UE is the same as the key derived by the secondary base station. If the IP address and port number can be identified, the IP packet is delivered to the corresponding application, which also indicates that the key related to the secondary base station derived by the UE is the same as the related key derived by the secondary base station; if the IP address and/or port number cannot be identified, the IP packet is an erroneous packet, which also indicates that the key related to the secondary base station derived by the UE is not the same as the related key derived by the secondary base station.
S604. The user equipment sends the judgment result to the secondary base station.
Illustratively, the UE sends the judgment result to the secondary base station via the master base station.
S605. If the key derived by the user equipment is not the same as the key derived by the secondary base station, the user equipment notifies the master base station to delete the secondary base station; or the user equipment notifies the master base station to add the secondary base station again; or the user equipment notifies, via the master base station, the secondary base station to re-trigger the reconfiguration procedure; or the user equipment notifies, via the master base station, the secondary base station to delete the secondary base station.
Illustratively, if the key related to the secondary base station derived by the UE is not the same as the related key derived by the secondary base station, the UE may notify the master base station that the added secondary base station has a problem, and may also indicate which bearer of the secondary base station has the problem, that is, carry a bearer identifier in the indication; after determining that the secondary base station has a problem, the master base station deletes the secondary base station or adds the secondary base station again; or the UE may notify, via the master base station, the secondary base station to re-trigger reconfiguration of the connection with the UE; or the UE notifies, via the master base station, the secondary base station to delete the secondary base station.
An embodiment of the present invention provides a method for verifying a key: the user equipment decrypts the received downlink data according to the key derived by the user equipment and a preset algorithm; the user equipment judges, according to the decrypted data, whether the key derived by the user equipment is the same as the key derived by the secondary base station; and the judgment result is sent to the secondary base station. This makes it possible to verify whether the key between the user equipment and the secondary base station is correct, and so avoids data errors or even service interruption between the user equipment and the secondary base station caused by an incorrect key or corresponding algorithm.
An embodiment of the present invention provides a method for verifying a key, based on a core network element. As shown in Figure 16, the method includes:
S701. The core network element receives the data obtained after the secondary base station decrypts the uplink data sent by the user equipment according to the key derived by the secondary base station and a preset algorithm.
S702. The core network element judges, according to the decrypted data, whether the key derived by the user equipment is the same as the key derived by the secondary base station.
Specifically, the core network element judging, according to the decrypted data, whether the key derived by the user equipment is the same as the key derived by the secondary base station includes:
Obtaining the Internet Protocol address and port number of the decrypted data packet;
If the Internet Protocol address and the port number can be identified, it is determined that the key derived by the user equipment is the same as the key derived by the secondary base station; or,
If the Internet Protocol address and/or the port number cannot be identified, it is determined that the key derived by the user equipment is not the same as the key derived by the secondary base station.
S703. The core network element sends the result of the judgment to the secondary base station.
An embodiment of the present invention provides a method for verifying a key: the core network element receives the data obtained after the secondary base station decrypts the uplink data sent by the user equipment according to the key derived by the secondary base station and a preset algorithm; the core network element judges, according to the decrypted data, whether the key derived by the user equipment is the same as the key derived by the secondary base station; and the core network element sends the result of the judgment to the secondary base station. This makes it possible to verify whether the key between the user equipment and the secondary base station is correct, and so avoids data errors or even service interruption between the user equipment and the secondary base station caused by an incorrect key or corresponding algorithm.
To enable a person skilled in the art to understand the technical solution provided by the embodiments of the present invention more clearly, the core-network-element-based method for verifying a key provided by the embodiment of the present invention is described in detail below through a specific embodiment. As shown in Figure 17, the method includes:
S801. The core network element receives the data obtained after the secondary base station decrypts the uplink data sent by the user equipment according to the key derived by the secondary base station and a preset algorithm.
Illustratively, the preset algorithm may be an encryption algorithm. A connection has been established between the UE and the secondary base station; the secondary base station decrypts the encrypted uplink data received from the UE according to its own derived key and the encryption algorithm to obtain an IP packet, and sends the IP packet to the core network element, which then receives the IP packet.
S802. The core network element obtains the Internet Protocol address and port number of the decrypted data packet.
Illustratively, the core network element parses the received IP packet and obtains the IP address and port number of the packet.
S803. The core network element judges, according to the Internet Protocol address and port number of the data packet, whether the key derived by the user equipment is the same as the key derived by the secondary base station, and obtains a judgment result.
Illustratively, the core network element judges from the IP address and port number whether the key derived by the UE is the same as the key derived by the secondary base station. If the IP address and port number can be identified, the IP packet is delivered to the corresponding application, which also indicates that the key related to the secondary base station derived by the UE is the same as the related key derived by the secondary base station; if the IP address and/or port number cannot be identified, the IP packet is an erroneous packet, which also indicates that the key related to the secondary base station derived by the UE is not the same as the related key derived by the secondary base station.
S804. The core network element sends the judgment result to the secondary base station.
Illustratively, the core network element sends the result of the judgment to the secondary base station.
S805. If the key derived by the user equipment is not the same as the key derived by the secondary base station, the core network element notifies the master base station to delete the secondary base station; or the core network element notifies the master base station to add the secondary base station again; or the core network element notifies, via the master base station, the secondary base station to re-trigger the reconfiguration procedure; or the core network element notifies, via the master base station, the secondary base station to delete the secondary base station.
Illustratively, if the key related to the secondary base station derived by the UE is not the same as the related key derived by the secondary base station, the core network element may notify the master base station via the MME, or directly notify the master base station, that the added secondary base station has a problem, and may also indicate which bearer of the secondary base station has the problem, that is, carry a bearer identifier in the indication; after determining that the secondary base station has a problem, the master base station deletes the secondary base station or adds the secondary base station again; or the core network element notifies, via the master base station, the secondary base station to delete the secondary base station.
An embodiment of the present invention provides a method for verifying a key: the core network element receives the data obtained after the secondary base station decrypts the uplink data sent by the user equipment according to the key derived by the secondary base station and a preset algorithm; the core network element judges, according to the decrypted data, whether the key derived by the user equipment is the same as the key derived by the secondary base station; and the core network element sends the result of the judgment to the secondary base station. This makes it possible to verify whether the key between the user equipment and the secondary base station is correct, and so avoids data errors or even service interruption between the user equipment and the secondary base station caused by an incorrect key or corresponding algorithm.
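The decrypt-then-parse judgment of steps S601 to S605 (UE side) and S801 to S805 (core network element side), as an added example that is not code from the patent. It assumes a toy SHA-256 keystream in place of the preset encryption algorithm, models "can be identified" as the destination address and port appearing in a table of known endpoints, and adds a header checksum test; all function names, keys, addresses and the report layout are constructed for illustration.

```python
import hashlib
import ipaddress
import struct

SAME, DIFFERENT = "keys-same", "keys-different"


def keystream_xor(key: bytes, count: int, data: bytes) -> bytes:
    """Toy XOR stream cipher standing in for the preset encryption algorithm
    (assumption: the real algorithm is whatever the bearer is configured with)."""
    stream = bytearray()
    block = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + struct.pack(">II", count, block)).digest()
        block += 1
    return bytes(d ^ s for d, s in zip(data, stream))


def ipv4_checksum(header: bytes) -> int:
    """Ones'-complement header sum; returns 0 when the stored checksum is valid."""
    total = sum(struct.unpack(">%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_udp_packet(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Construct a minimal IPv4/UDP packet (sample input for this example)."""
    udp = struct.pack(">HHHH", sport, dport, 8 + len(payload), 0) + payload
    header = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    header = header[:10] + struct.pack(">H", ipv4_checksum(header)) + header[12:]
    return header + udp


def identify(packet: bytes, known_endpoints: set):
    """Return (dst_ip, dst_port) if the bytes parse as IPv4 TCP/UDP addressed to a
    known endpoint, else None. Output decrypted with a wrong key fails a check."""
    if len(packet) < 24 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl + 4:
        return None
    if ipv4_checksum(packet[:ihl]) != 0 or packet[9] not in (6, 17):
        return None
    if struct.unpack(">H", packet[2:4])[0] != len(packet):
        return None
    dst_ip = str(ipaddress.IPv4Address(packet[16:20]))
    dst_port = struct.unpack(">H", packet[ihl + 2:ihl + 4])[0]
    return (dst_ip, dst_port) if (dst_ip, dst_port) in known_endpoints else None


def judge(decrypted: bytes, known_endpoints: set, bearer_id: int) -> dict:
    """S602-S605 / S802-S805: decide, then build the report that is sent on."""
    if identify(decrypted, known_endpoints):
        return {"result": SAME}
    # Mismatch: name the affected bearer so the master base station can act on it.
    return {"result": DIFFERENT, "bearer_id": bearer_id,
            "request": "delete-or-re-add-secondary-base-station"}


def ue_check(ue_key, count, ciphertext, known_endpoints, bearer_id):
    """S601: the UE decrypts downlink data with its own derived key, then judges."""
    return judge(keystream_xor(ue_key, count, ciphertext), known_endpoints, bearer_id)


def core_check(senb_key, count, ciphertext, known_endpoints, bearer_id):
    """S801: the secondary base station decrypts uplink data with its derived key
    and forwards the result; the core network element judges what it receives."""
    forwarded = keystream_xor(senb_key, count, ciphertext)
    return judge(forwarded, known_endpoints, bearer_id)


def demo() -> dict:
    # Constructed keys: the "stale" one models a UE that derived a different key.
    senb_key = hashlib.sha256(b"constructed secondary key, counter=1").digest()[:16]
    ue_good = senb_key
    ue_stale = hashlib.sha256(b"constructed secondary key, counter=0").digest()[:16]
    ue_apps = {("10.45.0.7", 40000)}      # UE address and a port with a listener
    servers = {("203.0.113.10", 5060)}    # endpoint known to the core network
    down = build_udp_packet("203.0.113.10", "10.45.0.7", 5060, 40000, b"constructed")
    up = build_udp_packet("10.45.0.7", "203.0.113.10", 40000, 5060, b"constructed")
    return {
        "ue_good": ue_check(ue_good, 7, keystream_xor(senb_key, 7, down), ue_apps, 3),
        "ue_stale": ue_check(ue_stale, 7, keystream_xor(senb_key, 7, down), ue_apps, 3),
        "core_good": core_check(senb_key, 9, keystream_xor(ue_good, 9, up), servers, 3),
        "core_stale": core_check(senb_key, 9, keystream_xor(ue_stale, 9, up), servers, 3),
    }


if __name__ == "__main__":
    for name, report in demo().items():
        print(name, report)
```

Under this rule a correctly decrypted packet addressed to a port with no known listener is also reported as a key mismatch, so the contents of the known-endpoint table determine the false-positive rate.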
An embodiment of the present invention provides a base station 60. As shown in Figure 18, the base station includes: a bus 64; and a processor 61, a memory 62 and an interface 63 connected to the bus 64, where the interface 63 is used for communication, the memory 62 is used to store computer code, and the processor 61 is used to execute the computer code to:
Receive the check information sent by the user equipment, where the check information is obtained after the user equipment protects preset data using the key derived by the user equipment and a preset algorithm, and the preset algorithm includes at least one of an encryption algorithm and an integrity protection algorithm;
Obtain target data according to the key derived by the base station, the preset algorithm, the preset data and the check information;
Judge, according to the preset data, the check information and the target data, whether the key derived by the user equipment is the same as the key derived by the base station.
Optionally, the processor 61 executes the computer code and is further used to:
If the key derived by the user equipment is not the same as the key derived by the base station, cause the user equipment to derive the key again or cause the user equipment to delete the base station.
Optionally, the processor 61 executing the computer code to receive the check information sent by the user equipment is specifically used to:
Receive a base station addition complete message from the master base station over the X2 interface, where the base station addition complete message carries the check information; or
Receive a medium access control message sent by the user equipment, where the medium access control message carries the check information; or
Receive Packet Data Convergence Protocol data sent by the user equipment, where the Packet Data Convergence Protocol data carries the check information.
Optionally, the preset data includes at least one of the following:
A cell identifier under the secondary base station, a physical cell identifier under the secondary base station, a cell radio network temporary identifier under the secondary base station, a cell identifier under the master base station, a physical cell identifier under the master base station, a cell radio network temporary identifier under the master base station, identification data stored by the secondary base station and the user equipment, data transmitted by the master base station or the secondary base station to the user equipment, and a specific number.
Optionally, the base station is a secondary base station.
An embodiment of the present invention provides a base station that: receives the check information sent by the user equipment, where the check information is obtained after the user equipment protects preset data using the key derived by the user equipment and a preset algorithm, and the preset algorithm includes at least one of an encryption algorithm and an integrity protection algorithm; obtains target data according to the key derived by the base station, the preset algorithm, the preset data and the check information; and judges, according to the preset data, the check information and the target data, whether the key derived by the user equipment is the same as the key derived by the base station. This makes it possible to verify whether the key between the user equipment and the base station is correct, and so avoids service interruption between the user equipment and the secondary base station caused by an incorrect key or corresponding algorithm.
An embodiment of the present invention provides a base station 70. As shown in Figure 19, the base station includes: a bus 74; and a processor 71, a memory 72 and an interface 73 connected to the bus 74, where the interface 73 is used for communication, the memory 72 is used to store computer code, and the processor 71 is used to execute the computer code to:
Receive the check information sent by the user equipment, where the check information is obtained after the user equipment protects preset data using the key derived by the user equipment and a preset algorithm, and the preset algorithm includes at least one of an encryption algorithm and an integrity protection algorithm;
Obtain target data according to the key derived by the secondary base station, the preset algorithm, the preset data and the check information;
Judge, according to the preset data, the check information and the target data, whether the key derived by the user equipment is the same as the key derived by the secondary base station, and obtain a judgment result;
Send the judgment result to the secondary base station.
Optionally, the processor 71 executes the computer code and is further used to:
If the key derived by the user equipment is not the same as the key derived by the secondary base station, cause the user equipment to delete the secondary base station or cause the user equipment to derive the key again.
Optionally, the processor 71 executing the computer code to receive the check information sent by the user equipment is specifically used to:
Receive a radio resource control message sent by the user equipment, where the radio resource control message carries the check information.
Optionally, the preset data includes at least one of the following:
A cell identifier under the secondary base station, a physical cell identifier under the secondary base station, a cell radio network temporary identifier under the secondary base station, a cell identifier under the master base station, a physical cell identifier under the master base station, a cell radio network temporary identifier under the master base station, identification data stored by the secondary base station and the user equipment, data transmitted by the master base station or the secondary base station to the user equipment, and a specific number.
An embodiment of the present invention provides a base station that: receives the check information sent by the user equipment, where the check information is obtained after the user equipment protects preset data using the key derived by the user equipment and a preset algorithm, and the preset algorithm includes at least one of an encryption algorithm and an integrity protection algorithm; obtains target data according to the key derived by the secondary base station, the preset algorithm, the preset data and the check information; judges, according to the preset data, the check information and the target data, whether the key derived by the user equipment is the same as the key derived by the secondary base station, and obtains a judgment result; and sends the judgment result to the secondary base station. This makes it possible to verify whether the key between the user equipment and the secondary base station is correct, and so avoids data errors or even service interruption between the user equipment and the secondary base station caused by an incorrect key or corresponding algorithm.
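The check-information comparison carried out by base station 60 and base station 70 above, as an added example that is not code from the patent. It covers the integrity-protection case only: HMAC-SHA256 truncated to 4 bytes stands in for the preset integrity protection algorithm, and the field widths, keys, message layout and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

TAG_LEN = 4  # assumption: short tag length; the page does not fix one


def encode_preset(cell_id: int, pci: int, c_rnti: int) -> bytes:
    """Serialise three of the preset-data options listed on the page: cell
    identifier, physical cell identifier, cell radio network temporary identifier.
    The value ranges are assumptions of this example."""
    if not (0 <= cell_id < 1 << 28 and 0 <= pci <= 503 and 0 <= c_rnti <= 0xFFFF):
        raise ValueError("preset data out of range")
    return struct.pack(">IHH", cell_id, pci, c_rnti)


def protect(key: bytes, preset: bytes) -> bytes:
    """Integrity-protect the preset data with a derived key (stand-in algorithm)."""
    return hmac.new(key, preset, hashlib.sha256).digest()[:TAG_LEN]


def ue_build_check_info(ue_key: bytes, preset: bytes) -> bytes:
    """User equipment side: the check information is the protected preset data."""
    return protect(ue_key, preset)


def verify_check_info(bs_key: bytes, preset: bytes, check_info: bytes) -> dict:
    """Base station 60: compute the target data with the base station's own
    derived key and compare it with the received check information."""
    target = protect(bs_key, preset)
    # compare_digest is constant-time and returns False on a length mismatch.
    if hmac.compare_digest(target, check_info):
        return {"same": True}
    return {"same": False, "action": "re-derive-key-or-delete-base-station"}


def master_verify_and_forward(senb_key: bytes, preset: bytes, check_info: bytes) -> dict:
    """Base station 70: run the same judgment with the key derived by the
    secondary base station, then wrap the result for sending to it."""
    return {"to": "secondary-base-station",
            "judgment": verify_check_info(senb_key, preset, check_info)}


def demo() -> dict:
    preset = encode_preset(cell_id=0x00A1B2C, pci=301, c_rnti=0x4F21)  # constructed
    bs_key = hashlib.sha256(b"constructed derived key A").digest()[:16]
    ue_same = bs_key
    ue_other = hashlib.sha256(b"constructed derived key B").digest()[:16]
    return {
        "match": verify_check_info(bs_key, preset, ue_build_check_info(ue_same, preset)),
        "mismatch": verify_check_info(bs_key, preset, ue_build_check_info(ue_other, preset)),
        "truncated": verify_check_info(bs_key, preset, b"\x00\x01"),
        "via_master": master_verify_and_forward(
            bs_key, preset, ue_build_check_info(ue_other, preset)),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```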
An embodiment of the present invention provides a user equipment 80. As shown in Figure 20, the user equipment includes: a bus 84; and a processor 81, a memory 82 and an interface 83 connected to the bus 84, where the interface 83 is used for communication, the memory 82 is used to store computer code, and the processor 81 is used to execute the computer code to:
Decrypt the received downlink data according to the key derived by the user equipment and a preset algorithm;
Judge, according to the decrypted data, whether the key derived by the user equipment is the same as the key derived by the secondary base station;
Send the judgment result to the secondary base station;
Where judging, according to the decrypted data, whether the key derived by the user equipment is the same as the key derived by the secondary base station includes:
Obtaining the Internet Protocol address and port number of the decrypted data packet;
If the Internet Protocol address and the port number can be identified, determining that the key derived by the user equipment is the same as the key derived by the secondary base station; or,
If the Internet Protocol address and/or the port number cannot be identified, determining that the key derived by the user equipment is not the same as the key derived by the secondary base station.
Optionally, the processor 81 executes the computer code and is further used to:
If the key derived by the user equipment is not the same as the key derived by the secondary base station, notify the master base station to delete the secondary base station; or notify the master base station to add the secondary base station again; or notify, via the master base station, the secondary base station to re-trigger the reconfiguration procedure; or notify, via the master base station, the secondary base station to delete the secondary base station.
An embodiment of the present invention provides a user equipment: the user equipment decrypts the received downlink data according to the key derived by the user equipment and a preset algorithm; the user equipment judges, according to the decrypted data, whether the key derived by the user equipment is the same as the key derived by the secondary base station; and the user equipment sends the judgment result to the secondary base station. This makes it possible to verify whether the key between the user equipment and the secondary base station is correct, and so avoids data errors or even service interruption between the user equipment and the secondary base station caused by an incorrect key or corresponding algorithm.
An embodiment of the present invention provides a core network element 90. As shown in Figure 21, the core network element includes: a bus 94; and a processor 91, a memory 92 and an interface 93 connected to the bus 94, where the interface 93 is used for communication, the memory 92 is used to store computer code, and the processor 91 is used to execute the computer code to:
Receive the data obtained after the secondary base station decrypts the uplink data sent by the user equipment according to the key derived by the secondary base station and a preset algorithm;
Judge, according to the decrypted data, whether the key derived by the user equipment is the same as the key derived by the secondary base station;
Send the result of the judgment to the secondary base station;
Where judging, according to the decrypted data, whether the key derived by the user equipment is the same as the key derived by the secondary base station includes:
Obtaining the Internet Protocol address and port number of the decrypted data packet;
If the Internet Protocol address and the port number can be identified, determining that the key derived by the user equipment is the same as the key derived by the secondary base station; or,
If the Internet Protocol address and/or the port number cannot be identified, determining that the key derived by the user equipment is not the same as the key derived by the secondary base station.
Optionally, the processor 91 executes the computer code and is further used to:
If the key derived by the user equipment is not the same as the key derived by the secondary base station, notify the master base station to delete the secondary base station; or notify the master base station to add the secondary base station again; or notify, via the master base station, the secondary base station to re-trigger the reconfiguration procedure; or notify, via the master base station, the secondary base station to delete the secondary base station.
Optionally, the processor 91 executing the computer code to notify the master base station to delete the secondary base station or to notify the master base station to add the secondary base station again is specifically used to:
Send a key-mismatch message to the mobility management entity, which forwards the key-mismatch message to the master base station, so that the master base station deletes the secondary base station or adds the secondary base station again after receiving the key-mismatch message.
An embodiment of the present invention provides a core network element that: receives the data obtained after the secondary base station decrypts the uplink data sent by the user equipment according to the key derived by the secondary base station and a preset algorithm; judges, according to the decrypted data, whether the key derived by the user equipment is the same as the key derived by the secondary base station; and sends the result of the judgment to the secondary base station. This makes it possible to verify whether the key between the user equipment and the secondary base station is correct, and so avoids data errors or even service interruption between the user equipment and the secondary base station caused by an incorrect key or corresponding algorithm.
The term "and/or" in the present invention merely describes an association relationship between associated objects and indicates that three relationships may exist. For example, A and/or B may indicate three cases: A exists alone, both A and B exist, and B exists alone. In addition, the character "/" in this document generally indicates an "or" relationship between the associated objects before and after it.
Through the above description of the embodiments, a person skilled in the art can clearly understand that, for convenience and brevity of description, only the division of the above functional modules is used as an example. In practical applications, the above functions may be allocated to different functional modules as needed, that is, the internal structure of the device is divided into different functional modules to complete all or part of the functions described above. For the specific working process of the system, device and units described above, refer to the corresponding process in the foregoing method embodiments; details are not repeated here.
In the several embodiments provided in this application, it should be understood that the disclosed system, device and method may be implemented in other ways. For example, the device embodiments described above are merely illustrative: the division of the units is only a division by logical function, and there may be other divisions in actual implementation; for example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed may be indirect coupling or communication connection through some interfaces, devices or units, and may be electrical, mechanical or in other forms.
The units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of the present invention may be integrated into one processing unit, each unit may exist physically on its own, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware, or in the form of hardware plus software functional units.
If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention in essence, or the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) or a processor to execute all or part of the steps of the methods of the embodiments of the present invention. The aforementioned storage medium includes various media that can store program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM, Read-Only Memory), a random access memory (RAM, Random Access Memory), a magnetic disk or an optical disc.
The above is merely a specific embodiment of the present invention, but the protection scope of the present invention is not limited thereto. Any change or replacement that a person skilled in the art can readily conceive within the technical scope disclosed by the present invention shall fall within the protection scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (6)

1. A user equipment, characterized by comprising:
A decryption unit, configured to decrypt the received downlink data according to the key derived by the user equipment and a preset algorithm, where the preset algorithm is an encryption algorithm;
A judging unit, configured to judge, according to the decrypted data, whether the key derived by the user equipment is the same as the key derived by the secondary base station, including:
Obtaining the Internet Protocol address and port number of the decrypted data packet;
If the Internet Protocol address and the port number can be identified, determining that the key derived by the user equipment is the same as the key derived by the secondary base station; or,
If the Internet Protocol address and/or the port number cannot be identified, determining that the key derived by the user equipment is not the same as the key derived by the secondary base station;
A sending unit, configured to send the judgment result to the secondary base station.
2. The user equipment according to claim 1, characterized in that the user equipment further comprises:
A notification unit, configured to, if the key derived by the user equipment is not the same as the key derived by the secondary base station, notify the master base station to delete the secondary base station; or notify the master base station to add the secondary base station again; or notify, via the master base station, the secondary base station to re-trigger the reconfiguration procedure; or notify, via the master base station, the secondary base station to delete the secondary base station.
3. A method for verifying a key, characterized by comprising:
The user equipment decrypts the received downlink data according to the key derived by the user equipment and a preset algorithm, where the preset algorithm is an encryption algorithm;
The user equipment judges, according to the decrypted data, whether the key derived by the user equipment is the same as the key derived by the secondary base station;
The user equipment sends the judgment result to the secondary base station;
Where the user equipment judging, according to the decrypted data, whether the key derived by the user equipment is the same as the key derived by the secondary base station includes:
The user equipment obtains the Internet Protocol address and port number of the decrypted data packet;
If the Internet Protocol address and the port number can be identified, it is determined that the key derived by the user equipment is the same as the key derived by the secondary base station; or,
If the Internet Protocol address and/or the port number cannot be identified, it is determined that the key derived by the user equipment is not the same as the key derived by the secondary base station.
4. The method according to claim 3, characterized in that, if the key derived by the user equipment is not the same as the key derived by the secondary base station, the method further comprises:
Notifying the master base station to delete the secondary base station; or,
Notifying the master base station to add the secondary base station again; or,
Notifying, via the master base station, the secondary base station to re-trigger the reconfiguration procedure; or,
Notifying, via the master base station, the secondary base station to delete the secondary base station.
5. A user equipment, characterized in that the user equipment comprises: a communication interface, a memory and a processor; the communication interface is used to communicate with a network element, and the memory is used to store computer code; the processor executes the computer code to:
Decrypt the received downlink data according to the key derived by the user equipment and a preset algorithm, where the preset algorithm is an encryption algorithm;
Judge, according to the decrypted data, whether the key derived by the user equipment is the same as the key derived by the secondary base station;
Send the judgment result to the secondary base station;
Where judging, according to the decrypted data, whether the key derived by the user equipment is the same as the key derived by the secondary base station includes:
Obtaining the Internet Protocol address and port number of the decrypted data packet;
If the Internet Protocol address and the port number can be identified, determining that the key derived by the user equipment is the same as the key derived by the secondary base station; or,
If the Internet Protocol address and/or the port number cannot be identified, determining that the key derived by the user equipment is not the same as the key derived by the secondary base station.
6. The user equipment according to claim 5, characterized in that the processor executes the computer code and is further used to:
If the key derived by the user equipment is not the same as the key derived by the secondary base station, notify the master base station to delete the secondary base station; or notify the master base station to add the secondary base station again; or notify, via the master base station, the secondary base station to re-trigger the reconfiguration procedure; or notify, via the master base station, the secondary base station to delete the secondary base station.
CN201480000891.9A 2014-01-14 2014-01-14 A kind of method of check key, base station, user equipment and core network element Active CN105027495B (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2014/070607 WO2015106387A1 (en) 2014-01-14 2014-01-14 Key verification method, base station, user device and core network element

Publications (2)

Publication Number Publication Date
CN105027495A (en) 2015-11-04
CN105027495B (en) 2018-12-14

Family

ID=53542265

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201480000891.9A Active CN105027495B (en) 2014-01-14 2014-01-14 A kind of method of check key, base station, user equipment and core network element

Country Status (2)

Country Link
CN (1) CN105027495B (en)
WO (1) WO2015106387A1 (en)

Also Published As

Publication number Publication date
CN105027495A (en) 2015-11-04
WO2015106387A1 (en) 2015-07-23

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant