CN105103577B - A kind of device and method of encryption data - Google Patents
Publication number: CN105103577B (application CN201480000843.XA)
Authority: CN (China)
Legal status: Active (as listed by Google Patents; the status is an assumption, not a legal conclusion)
Classifications:
- H04W12/04 — Key management, e.g. using generic bootstrapping architecture [GBA]
- H04W12/03 — Protecting confidentiality, e.g. by encryption
- H04W36/24 — Hand-off or reselection triggered by specific parameters
Abstract
The invention discloses a device and a method for encrypting data, belonging to the field of wireless communication. The method includes: receiving a handover trigger message sent by a first mobility management entity (MME), the handover trigger message carrying an identifier of a user equipment (UE); receiving a handover request message sent by a second MME; keeping the key KeNB shared between the evolved base station (eNB) and the UE unchanged, and encrypting the data communicated between the eNB and the UE according to that KeNB. The device includes a first receiving module, a second receiving module, a keeping module and an encrypting module. In the present invention, the eNB determines from the handover trigger message or the handover request message that the handover cause is a core-network-triggered handover, obtains the KeNB currently shared with the UE, and keeps the KeNB between the eNB and the UE unchanged, so that the KeNB on the eNB side is guaranteed to stay synchronized with the KeNB on the UE side.
Description
Technical field
The present invention relates to the field of wireless communication, and in particular to a device and method for encrypting data.
Background technique
When a UE (User Equipment) performs a specific service, such as an MTC (Machine Type Communication) service, it can occupy a large amount of network resources. To prevent a UE performing a specific service from affecting the general network, the eNB (evolved Node B, evolved base station) can redirect the UE performing the specific service from the general network to a particular network, and encrypt the data communicated between the eNB and the UE.
At present, a method of encrypting data is provided as follows: when the UE is attached to the general network and the first MME (Mobility Management Entity) of the general network learns from the subscription information of the UE that the UE needs to be redirected from the general network to the particular network, the first MME sends a handover trigger message to the eNB, the message containing a handover cause value (core-network-triggered handover); the eNB sends a handover required message to the first MME; the first MME calculates a first NCC (Next Hop Chaining Counter) and a first NH (Next Hop), the first NCC being obtained by adding one to the current second NCC and the first NH being calculated from the current second NH; the first MME sends a forward relocation request message to the second MME of the particular network, the forward relocation request message carrying the first NCC and the first NH; the second MME receives the forward relocation request message sent by the first MME and sends a handover request message to the eNB, the handover request message carrying the first NCC and the first NH; the eNB receives the handover request message sent by the second MME, calculates an updated key KeNB* according to the first NCC and the first NH, and encrypts the data communicated between the eNB and the UE according to KeNB*.
In the process of implementing the present invention, the inventor found that the prior art has at least the following problem:
In the prior art the handover procedure is simplified: the eNB does not send a handover command message to the UE, so the UE cannot obtain the first NCC from a handover command message, and still less can it calculate the updated key KeNB*. As a result, the KeNB on the eNB side and the KeNB on the UE side are out of synchronization.
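The key-synchronization problem described above, as an added illustration that is not part of the patent text: a small Python model of the eNB and UE key state. The HMAC-SHA-256 `kdf` is a simplified stand-in for the 3GPP key derivation function (its input layout is an assumption of this example, not the standardized encoding), the Kasme, PCI and EARFCN values are constructed, and the function names `attach`, `mme_next_pair`, `kenb_star`, `prior_art` and `kept_key` are this example's own. The prior-art flow derives KeNB* at the eNB from the forwarded first {NCC, NH} pair while the UE, which receives no handover command, stays on KeNB; the kept-key flow leaves KeNB unchanged on both sides.

```python
import hmac
import hashlib

# Simplified stand-in for the 3GPP key derivation function (TS 33.401 uses
# HMAC-SHA-256 over a formatted input string); the input layout used here is
# an assumption made for this example, not the standardised encoding.
def kdf(key: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()

# Constructed sample values; none of them come from the patent.
KASME = hashlib.sha256(b"example Kasme shared by UE and MME after AKA").digest()
PCI = (42).to_bytes(2, "big")          # physical cell identity of the serving cell
EARFCN_DL = (1800).to_bytes(2, "big")  # downlink carrier of the same (unchanged) cell

def attach(kasme: bytes) -> dict:
    """Key state right after attach: KeNB plus the current (second) {NCC, NH} pair.
    Following the standard's convention, the NH with NCC = 0 is taken to be KeNB."""
    kenb = kdf(kasme, b"KeNB", (0).to_bytes(4, "big"))  # uplink NAS COUNT 0 assumed
    return {"kenb": kenb, "ncc": 0, "nh": kenb}

def mme_next_pair(kasme: bytes, ncc: int, nh: bytes):
    """First MME: derive the first {NCC, NH} pair from the second (current) pair.
    NCC is incremented by one and NH is chained forward from the previous NH."""
    return ncc + 1, kdf(kasme, b"NH", nh)

def kenb_star(nh: bytes, pci: bytes, earfcn_dl: bytes) -> bytes:
    """Updated key KeNB* as an eNB derives it from a fresh NH and the target cell."""
    return kdf(nh, b"KeNB*", pci, earfcn_dl)

def prior_art(kasme: bytes = KASME):
    """Background-section flow: the eNB receives the first {NCC, NH} pair in the
    handover request message and moves to KeNB*, but no handover command reaches
    the UE, so the UE keeps using KeNB."""
    enb, ue = attach(kasme), attach(kasme)
    first_ncc, first_nh = mme_next_pair(kasme, enb["ncc"], enb["nh"])
    enb_key = kenb_star(first_nh, PCI, EARFCN_DL)   # eNB switches to KeNB*
    ue_key = ue["kenb"]                              # UE never learns the first NCC
    return enb_key, ue_key

def kept_key(kasme: bytes = KASME):
    """Flow claimed by the patent: the handover cause is core-network-triggered,
    so the eNB ignores the forwarded first {NCC, NH} pair and keeps KeNB."""
    enb, ue = attach(kasme), attach(kasme)
    first_ncc, first_nh = mme_next_pair(kasme, enb["ncc"], enb["nh"])
    del first_ncc, first_nh                          # received but deliberately ignored
    enb_key = enb["kenb"]                            # KeNB* := KeNB
    ue_key = ue["kenb"]
    return enb_key, ue_key

def in_sync(flow) -> bool:
    """True when eNB and UE would encrypt with the same key after the handover."""
    enb_key, ue_key = flow()
    return enb_key == ue_key

if __name__ == "__main__":
    print("prior art keys in sync:", in_sync(prior_art))   # False
    print("kept KeNB keys in sync:", in_sync(kept_key))    # True
```

The point the model makes is that key agreement on the radio side depends on both ends performing the same derivation; when the procedure that would carry the new NCC to the UE is omitted, any eNB-side refresh breaks ciphering and integrity checking for that UE, which is why the claimed method leaves KeNB alone for a core-network-only MME change.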
Summary of the invention
In order to solve the problems in the prior art, the present invention provides a device and method for encrypting data. The technical scheme is as follows:
In a first aspect, the present invention provides a device for encrypting data, the device including:
a first receiving module, configured to receive a handover trigger message sent by a first mobility management entity (MME), the handover trigger message carrying an identifier of a user equipment (UE);
a second receiving module, configured to receive a handover request message sent by a second MME;
a keeping module, configured to keep the key KeNB shared between the evolved base station (eNB) and the UE unchanged; and
an encrypting module, configured to encrypt the data communicated between the eNB and the UE according to the KeNB.
With reference to the first aspect, in a first possible implementation of the first aspect, the device further includes:
a determining module, configured to determine, according to the handover trigger message, that the handover cause is a core-network-triggered handover; and
a first sending module, configured to send a handover required message to the first MME, the handover required message carrying the handover cause, so that the first MME sends a forward relocation request message to the second MME, the forward relocation request message carrying the handover cause, so that the second MME sends the handover request message to the eNB.
With reference to the first aspect, in a second possible implementation of the first aspect, the handover request message carries a first next-hop chaining counter (NCC) and a first next hop (NH), where the first NCC is obtained by the first MME by adding one to a second NCC, the first NH is calculated by the first MME from a second NH, the second NCC is the current NCC and the second NH is the current NH; or,
the handover request message carries the second NCC and the second NH, the second NCC being the current NCC and the second NH being the current NH.
With reference to the first possible implementation of the first aspect, in a third possible implementation of the first aspect, the forward relocation request message carries the first next-hop chaining counter (NCC) and the first next hop (NH), where the first NCC is obtained by the first MME by adding one to the second NCC, the first NH is calculated by the first MME from the second NH, the second NCC is the current NCC and the second NH is the current NH; or,
the forward relocation request message carries the second NCC and the second NH, the second NCC being the current NCC and the second NH being the current NH.
With reference to the first aspect, in a fourth possible implementation of the first aspect, the keeping module includes:
a determination unit, configured to determine, according to the handover trigger message or the handover request message, that the handover cause is a core-network-triggered handover; and
a keeping unit, configured to keep the KeNB unchanged.
In a second aspect, the present invention provides a device for encrypting data, the device including:
a second sending module, configured to send a handover trigger message to an evolved base station (eNB), the handover trigger message carrying an identifier of a user equipment (UE), so that the eNB sends a handover required message to a first mobility management entity (MME) according to the handover trigger message;
a third receiving module, configured to receive the handover required message sent by the eNB;
an obtaining module, configured to obtain a second next-hop chaining counter (NCC) and a second next hop (NH), the second NCC being the current NCC and the second NH being the current NH; and
a third sending module, configured to send a forward relocation request message to a second mobility management entity (MME), the forward relocation request message carrying a handover cause, so that the second MME sends a handover request message to the eNB, so that the eNB keeps the key KeNB shared between the eNB and the UE unchanged and encrypts the data communicated between the eNB and the UE according to the KeNB.
With reference to the second aspect, in a first possible implementation of the second aspect, the handover request message carries the first NCC and the first NH, the first NCC being obtained by the first MME by adding one to the second NCC and the first NH being calculated by the first MME from the second NH; or,
the handover request message carries the second NCC and the second NH.
With reference to the second aspect, in a second possible implementation of the second aspect, the forward relocation request message carries the first NCC and the first NH, the first NCC being obtained by the first MME by adding one to the second NCC and the first NH being calculated by the first MME from the second NH; or,
the forward relocation request message carries the second NCC and the second NH.
With reference to the second aspect, in a third possible implementation of the second aspect, the device further includes:
a first carrying module, configured to set the next-hop indicator (NHI) of the forward relocation request message to a preset identifier and to carry the second NCC and the second NH; or,
a second carrying module, configured to set the next-hop indicator NHI_old of the old evolved packet system (EPS) security context in the forward relocation request message to the preset identifier and to carry the second NCC and the second NH.
In a third aspect, the present invention provides a method for encrypting data, the method including:
receiving a handover trigger message sent by a first mobility management entity (MME), the handover trigger message carrying an identifier of a user equipment (UE);
receiving a handover request message sent by a second MME; and
keeping the key KeNB shared between the evolved base station (eNB) and the UE unchanged, and encrypting the data communicated between the eNB and the UE according to the KeNB.
With reference to the third aspect, in a first possible implementation of the third aspect, after receiving the handover trigger message sent by the first mobility management entity (MME), the method further includes:
determining, according to the handover trigger message, that the handover cause is a core-network-triggered handover; and
sending a handover required message to the first MME, the handover required message carrying the handover cause, so that the first MME sends a forward relocation request message to the second MME, the forward relocation request message carrying the handover cause, so that the second MME sends the handover request message to the eNB.
With reference to the first possible implementation of the third aspect, in a second possible implementation of the third aspect, the handover request message carries a first next-hop chaining counter (NCC) and a first next hop (NH), where the first NCC is obtained by the first MME by adding one to a second NCC, the first NH is calculated by the first MME from a second NH, the second NCC is the current NCC and the second NH is the current NH; or,
the handover request message carries the second NCC and the second NH, the second NCC being the current NCC and the second NH being the current NH.
With reference to the first possible implementation of the third aspect, in a third possible implementation of the third aspect, the forward relocation request message carries the first next-hop chaining counter (NCC) and the first next hop (NH), where the first NCC is obtained by the first MME by adding one to the second NCC, the first NH is calculated by the first MME from the second NH, the second NCC is the current NCC and the second NH is the current NH; or,
the forward relocation request message carries the second NCC and the second NH, the second NCC being the current NCC and the second NH being the current NH.
With reference to the third aspect, in a fourth possible implementation of the third aspect, keeping the key KeNB shared between the evolved base station (eNB) and the UE unchanged includes:
determining, according to the handover trigger message or the handover request message, that the handover cause is a core-network-triggered handover, and keeping the KeNB unchanged.
In a fourth aspect, the present invention provides a method for encrypting data, the method including:
sending a handover trigger message to an evolved base station (eNB), the handover trigger message carrying an identifier of a user equipment (UE), so that the eNB sends a handover required message to a first mobility management entity (MME) according to the handover trigger message;
receiving the handover required message sent by the eNB, and obtaining a second next-hop chaining counter (NCC) and a second next hop (NH), the second NCC being the current NCC and the second NH being the current NH; and
sending a forward relocation request message to a second MME, the forward relocation request message carrying a handover cause, so that the second MME sends a handover request message to the eNB, so that the eNB keeps the key KeNB shared between the eNB and the UE unchanged and encrypts the data communicated between the eNB and the UE according to the KeNB.
With reference to the fourth aspect, in a first possible implementation of the fourth aspect, the handover request message carries the first NCC and the first NH, the first NCC being obtained by the first MME by adding one to the second NCC and the first NH being calculated by the first MME from the second NH; or,
the handover request message carries the second NCC and the second NH.
With reference to the fourth aspect, in a second possible implementation of the fourth aspect, the forward relocation request message carries the first NCC and the first NH, the first NCC being obtained by the first MME by adding one to the second NCC and the first NH being calculated by the first MME from the second NH; or,
the forward relocation request message carries the second NCC and the second NH.
With reference to the fourth aspect, in a third possible implementation of the fourth aspect, before sending the forward relocation request message to the second mobility management entity (MME), the method further includes:
setting the next-hop indicator (NHI) of the forward relocation request message to a preset identifier, and carrying the second NCC and the second NH; or,
setting the next-hop indicator NHI_old of the old evolved packet system (EPS) security context in the forward relocation request message to the preset identifier, and carrying the second NCC and the second NH.
In a fifth aspect, the present invention provides a device for encrypting data, the device including a first memory and a first processor, configured to execute the method for encrypting data according to any one of the claims of the third aspect.
In a sixth aspect, the present invention provides a device for encrypting data, the device including a second memory and a second processor, configured to execute the method for encrypting data according to any one of the claims of the fourth aspect.
In the embodiments of the present invention, the eNB receives the handover trigger message sent by the first MME and the handover request message sent by the second MME, determines according to the handover trigger message or the handover request message that the handover cause is a core-network-triggered handover, obtains the KeNB currently shared with the UE, and uses that KeNB as the updated key KeNB* after the MME is switched, that is, keeps the KeNB between the eNB and the UE unchanged, and encrypts the data communicated between the eNB and the UE according to the KeNB or KeNB*, thereby guaranteeing that the KeNB on the eNB side is synchronized with the KeNB on the UE side.
Brief description of the drawings
To describe the technical solutions in the embodiments of the present invention more clearly, the accompanying drawings required for describing the embodiments are briefly introduced below. Obviously, the drawings in the following description are only some embodiments of the present invention, and a person of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
Fig. 1 is a schematic structural diagram of a device for encrypting data provided in Embodiment 1 of the present invention;
Fig. 2 is a schematic structural diagram of a device for encrypting data provided in Embodiment 2 of the present invention;
Fig. 3 is a flowchart of a method for encrypting data provided in Embodiment 3 of the present invention;
Fig. 4 is a flowchart of a method for encrypting data provided in Embodiment 4 of the present invention;
Fig. 5 is a flowchart of a method for encrypting data provided in Embodiment 5 of the present invention;
Fig. 6 is a flowchart of a method for encrypting data provided in Embodiment 6 of the present invention;
Fig. 7 is a schematic structural diagram of a device for encrypting data provided in Embodiment 7 of the present invention;
Fig. 8 is a schematic structural diagram of a device for encrypting data provided in Embodiment 8 of the present invention.
Detailed description of embodiments
To make the objectives, technical solutions and advantages of the present invention clearer, the embodiments of the present invention are described in further detail below with reference to the accompanying drawings.
Embodiment 1
An embodiment of the present invention provides a device for encrypting data. Referring to Fig. 1, the device includes:
a first receiving module 101, configured to receive a handover trigger message sent by the first MME, the handover trigger message carrying an identifier of the user equipment (UE);
where, when the first MME learns from the subscription information of the UE that the UE needs to be handed over from the first MME of the general network to the second MME of the particular network, it obtains the identifier of the UE and sends a handover trigger message to the first receiving module 101, the handover trigger message carrying the identifier of the UE. The eNB receives the handover trigger message sent by the first MME.
The identifier of the UE is any identifier that can identify the UE; the embodiment of the present invention does not specifically limit the identifier of the UE. For example, the identifier of the UE is the MME UE S1AP (Access Point) ID (Identity), that is, the identifier by which the MME uniquely identifies the UE on the S1 interface, or the eNB UE S1AP ID, that is, the identifier by which the eNB uniquely identifies the UE on the S1 interface. The first MME is the MME to which the UE is currently attached.
It should be noted that before the first MME learns from the subscription information of the UE that the UE needs to be handed over from the first MME of the general network to the second MME of the particular network, the UE initiates an attach procedure to the general network and establishes a PDN (Public Data Network) connection with the S-GW (Serving Gateway) or P-GW (PDN Gateway) on the network side.
a second receiving module 102, configured to receive the handover request message sent by the second MME;
where, in order to redirect the UE from the first MME to the second MME, the second MME sends a handover request message to the second receiving module 102, and the second receiving module 102 receives the handover request message sent by the second MME.
Further, when the second receiving module 102 receives the handover request message sent by the second MME, it sends a handover confirmation message to the second MME. The handover confirmation message is used to notify the second MME that this handover can be performed.
a keeping module 103, configured to keep the key KeNB shared between the evolved base station (eNB) and the UE unchanged;
where the keeping module 103 includes:
a determination unit, configured to determine, according to the handover trigger message or the handover request message, that the handover cause is a core-network-triggered handover;
where, since the handover trigger message is sent by the first MME, the determination unit can determine from the handover trigger message sent by the first MME that the cause of this handover is a core-network-triggered handover; or, the handover request message carries a handover cause, and the determination unit can determine from that handover cause that the handover is a core-network-triggered handover.
A core-network-triggered handover only switches the MME to which the UE is attached; the cell and the base station where the UE is located do not change.
a keeping unit, configured to keep the KeNB unchanged;
where the keeping unit obtains the KeNB currently shared between the eNB and the UE and uses that KeNB as the key KeNB* after the MME is switched.
an encrypting module 104, configured to encrypt the data communicated between the eNB and the UE according to the KeNB or KeNB*.
Specifically, the encrypting module 104 calculates a first key and a second key from KeNB*, and uses the first key and the second key to encrypt and integrity-protect the data communicated between the eNB and the UE.
It should be noted that if the handover request message carries a first {NCC, NH} pair, the eNB ignores the first {NCC, NH} pair and keeps the KeNB unchanged.
Further, the device also includes:
a determining module, configured to determine, according to the handover trigger message, that the handover cause is a core-network-triggered handover; and
a first sending module, configured to send a handover required message to the first MME, the handover required message carrying the handover cause, so that the first MME sends a forward relocation request message to the second MME, the forward relocation request message carrying the handover cause, so that the second MME sends the handover request message to the eNB.
Specifically, after the first receiving module 101 receives the handover trigger message sent by the first MME, the determining module determines from the handover trigger message that the handover cause is a core-network-triggered handover, and the first sending module sends a handover required message to the first MME, the handover required message carrying the handover cause; the first MME receives the handover required message sent by the first sending module and sends a forward relocation request message to the second MME, the forward relocation request message carrying the handover cause; the second MME receives the forward relocation request message sent by the first MME and sends a handover request message to the second receiving module 102.
The handover cause carried in the forward relocation request message is used to notify the second MME that this handover is a core-network-triggered handover. The forward relocation request message may also carry Kasme and a KSI (Key Set Identifier); the Kasme and KSI are used to derive the non-access stratum (NAS) keys.
Further, the handover request message may carry no {NCC, NH} pair information at all; or the handover request message may carry a first next-hop chaining counter (NCC) and a first next hop (NH), the first NCC being obtained by the first MME by adding one to the second NCC, the first NH being calculated by the first MME from the second NH, the second NCC being the current NCC and the second NH being the current NH; or the handover request message may carry the second NCC and the second NH, the second NCC being the current NCC and the second NH being the current NH.
When the first MME receives the handover required message, it obtains the second NCC and the second NH. If the first MME calculates the first NCC and the first NH from the second NCC and the second NH, the handover request message carries the first NCC and the first NH; if the first MME does not calculate the first NCC and the first NH from the second NCC and the second NH, the handover request message carries the second NCC and the second NH.
Further, the handover request message may also carry the handover cause.
Here, the forward relocation request message carries the first NCC and the first NH, the first NCC being obtained by the first MME by adding one to the second NCC, the first NH being calculated by the first MME from the second NH, the second NCC being the current NCC and the second NH being the current NH; or, the forward relocation request message carries the second NCC and the second NH, the second NCC being the current NCC and the second NH being the current NH.
Further, after the MME to which the UE is attached has been switched from the first MME to the second MME, the second MME sends a forward relocation response message to the first MME.
Further, when the handover request message carries no {NCC, NH} pair information, then after the eNB has switched the MME to which the UE is attached from the first MME to the second MME, the second MME adds one to the second NCC to obtain the first NCC, calculates the first NH from the second NH, and sends a path switch message to the eNB, the path switch message carrying the first {NCC, NH} pair. The eNB receives the path switch message sent by the second MME and obtains the first {NCC, NH} pair.
In the embodiment of the present invention, the eNB receives the handover trigger message sent by the first MME and the handover request message sent by the second MME, determines according to the handover trigger message or the handover request message that the handover cause is a core-network-triggered handover, obtains the KeNB currently shared with the UE, and uses that KeNB as the updated key KeNB* after the MME is switched, that is, keeps the KeNB between the eNB and the UE unchanged, and encrypts the data communicated between the eNB and the UE according to the KeNB or KeNB*, thereby guaranteeing that the KeNB on the eNB side is synchronized with the KeNB on the UE side.
Embodiment 2
An embodiment of the present invention provides a device for encrypting data. Referring to Fig. 2, the device includes:
a second sending module 201, configured to send a handover trigger message to the evolved base station (eNB), the handover trigger message carrying an identifier of the user equipment (UE), so that the eNB sends a handover required message according to the handover trigger message;
where, when the first MME learns from the subscription information of the UE that the UE needs to be handed over from the first MME of the general network to the second MME of the particular network, it obtains the identifier of the UE, and the second sending module 201 sends a handover trigger message to the first receiving module 101, the handover trigger message carrying the identifier of the UE. The eNB receives the handover trigger message sent by the first MME.
The identifier of the UE is any identifier that can identify the UE; the embodiment of the present invention does not specifically limit the identifier of the UE. For example, the identifier of the UE is the MME UE S1AP ID, that is, the identifier by which the MME uniquely identifies the UE on the S1 interface, or the eNB UE S1AP ID, that is, the identifier by which the eNB uniquely identifies the UE on the S1 interface. The first MME is the MME to which the UE is currently attached.
It should be noted that before the first MME learns from the subscription information of the UE that the UE needs to be handed over from the first MME of the general network to the second MME of the particular network, the UE initiates an attach procedure to the general network and establishes a PDN connection with the S-GW or P-GW on the network side.
a third receiving module 202, configured to receive the handover required message sent by the eNB;
where the eNB sends a handover required message to the third receiving module 202 according to the handover trigger message, and the third receiving module 202 receives the handover required message sent by the eNB.
an obtaining module, configured to obtain the second next-hop chaining counter (NCC) and the second next hop (NH), the second NCC being the current NCC and the second NH being the current NH;
a third sending module 203, configured to send a forward relocation request message to the second mobility management entity (MME), the forward relocation request message carrying the handover cause, so that the second MME sends a handover request message to the eNB, so that the eNB keeps the key KeNB shared between the eNB and the UE unchanged and encrypts the data communicated between the eNB and the UE according to the KeNB.
Further, the handover request message carries the first NCC and the first NH, the first NCC being obtained by the first MME by adding one to the second NCC and the first NH being calculated by the first MME from the second NH; or, the handover request message carries the second NCC and the second NH.
Further, the handover request message may also carry the handover cause.
Here, the third receiving module 202 receives the handover required message sent by the eNB, confirms from the handover cause in the handover required message that the handover is a handover triggered by the core network, obtains the second {NCC, NH} pair, and calculates the first {NCC, NH} pair from the second {NCC, NH} pair, that is, adds one to the second NCC to obtain the first NCC and calculates the first NH from the second NH.
The second {NCC, NH} pair is the current {NCC, NH} pair, or old {NCC, NH} pair, and consists of the second NCC and the second NH; the first {NCC, NH} pair is the fresh {NCC, NH} pair and consists of the first NCC and the first NH.
The second NCC is the current NCC; the second NH is the current NH.
Further, the first MME sends a forward relocation request message to the second MME, the forward relocation request message carrying the handover cause and the first {NCC, NH} pair; or, the forward relocation request message carries the handover cause and the second {NCC, NH} pair. The second MME receives the forward relocation request message sent by the first MME and sends a handover request message to the eNB.
The handover cause carried in the forward relocation request message is used to notify the second MME that this handover is a core-network-triggered handover. The forward relocation request message may also carry Kasme and a KSI; the Kasme and KSI are used to derive the non-access stratum (NAS) keys.
Wherein, the 2nd MME receives the RELOCATION REQUEST message forward that the first MME is sent, according to the re-positioning request forward
Switch reasons determination in message is the switching of core net triggering, and the 2nd MME is sent in the switching request message of eNB and does not carry
Any { NCC, NH } is to information;Alternatively, if first { NCC, NH } clock synchronization, the 2nd MME are carried in RELOCATION REQUEST message forward
The RELOCATION REQUEST message forward of the first MME transmission is received, the 2nd MME is according to the switch reasons in RELOCATION REQUEST message forward
Determination is the switching of core net triggering and first { NCC, NH } of acquisition is right from this forward RELOCATION REQUEST message, the 2nd MME hair
It is right to give first { NCC, NH } of carrying in the switching request message of eNB;Alternatively, if is carried in RELOCATION REQUEST message forward
Two { NCC, NH } clock synchronizations, the 2nd MME receive the locating request message forward that the first MME is sent, and the 2nd MME is according to relocating forward
Switch reasons determination in request message is the switching of core net triggering and obtains second from this forward RELOCATION REQUEST message
{ NCC, NH } is right, and it is right that the 2nd MME is sent to second { NCC, NH } of carrying in the switching request message of eNB.
Wherein, the 2nd MME is that any MME in addition to the first MME does not make to have to the 2nd MME in embodiments of the present invention
Body limits, for example, the 2nd MME is some specific MME.
Further, the eNB receives the Handover Request message sent by the second MME and sends a handover acknowledge message to the second MME; the eNB keeps the key KeNB shared between the eNB and the UE unchanged and encrypts the data communicated between the eNB and the UE with that KeNB.
Specifically, the eNB determines from the handover trigger message or the Handover Request message that the handover cause is a core-network-triggered handover, obtains the KeNB currently shared between the eNB and the UE, and uses that KeNB as the key KeNB* after the MME change; the eNB calculates the first key and the second key from KeNB*, and uses the first key and the second key to encrypt and integrity-protect the data communicated between the eNB and the UE.
The handover acknowledge message notifies the second MME that this handover can proceed.
It should be noted that if the Handover Request message carries the first {NCC, NH} pair, the eNB ignores the first {NCC, NH} pair and keeps KeNB unchanged.
Further, the second MME sends a Forward Relocation Response message to the first MME.
Further, when the Handover Request message carries no {NCC, NH} pair, then after the eNB has switched the MME to which the UE is attached from the first MME to the second MME, the second MME adds one to the second NCC to obtain the first NCC, calculates the first NH from the second NH, and sends a path change message to the eNB; the path change message carries the first {NCC, NH} pair. The eNB receives the path change message sent by the second MME and obtains the first {NCC, NH} pair.
Further, the device also includes:
a first carrying module, for setting the Next Hop Indicator (NHI) of the Forward Relocation Request message to a preset flag and carrying the second NCC and the second NH; or alternatively,
a second carrying module, for setting the Next Hop Indicator for the old Evolved Packet System (EPS) security context (NHI_old) of the Forward Relocation Request message to the preset flag and carrying the second NCC and the second NH.
In the embodiments of the present invention, the eNB receives the handover trigger message sent by the first MME and the Handover Request message sent by the second MME, determines from the handover trigger message or the Handover Request message that the handover cause is a core-network-triggered handover, obtains the KeNB currently shared with the UE, and uses that KeNB as the updated key KeNB* after the MME change, i.e. keeps the KeNB between the eNB and the UE unchanged and encrypts the data communicated between the eNB and the UE with that KeNB (KeNB*), thereby ensuring that the KeNB on the eNB side stays synchronized with the KeNB on the UE side.
Embodiment 3
The embodiment of the present invention provides a method of encrypting data. Referring to Fig. 3, the method includes:
Step 301: receiving the handover trigger message sent by the first MME, the handover trigger message carrying the identifier of the UE;
Step 302: receiving the Handover Request message sent by the second MME;
Step 303: keeping the key KeNB shared between the eNB and the UE unchanged, and encrypting the data communicated between the eNB and the UE with that KeNB.
In the embodiments of the present invention, the eNB receives the handover trigger message sent by the first MME and the Handover Request message sent by the second MME, determines from the handover trigger message or the Handover Request message that the handover cause is a core-network-triggered handover, obtains the KeNB currently shared with the UE, and uses that KeNB as the updated key KeNB* after the MME change, i.e. keeps the KeNB between the eNB and the UE unchanged and encrypts the data communicated between the eNB and the UE with that KeNB (KeNB*), thereby ensuring that the KeNB on the eNB side stays synchronized with the KeNB on the UE side.
Embodiment 4
The embodiment of the present invention provides a method of encrypting data. Referring to Fig. 4, the method includes:
Step 401: the first MME sends a handover trigger message to the eNB, the handover trigger message carrying the identifier of the UE;
Specifically, when the first MME learns from the subscription information of the UE that the UE needs to be handed over from the first MME of the general network to the second MME of the specific network, it obtains the identifier of the UE and sends a handover trigger message carrying that identifier to the eNB.
The identifier of the UE is any identifier that can identify the UE; the embodiments of the present invention do not specifically limit it. For example, the identifier of the UE may be the MME UE S1AP ID, i.e. the identifier by which the MME uniquely identifies the UE on the S1 interface, or the eNB UE S1AP ID, i.e. the identifier by which the eNB uniquely identifies the UE on the S1 interface. The first MME is the MME to which the UE is currently attached.
It should be noted that before step 401 the UE has performed an attach procedure with the general network and has established a PDN connection with the S-GW or P-GW on the network side.
Step 402: the eNB receives the handover trigger message sent by the first MME and determines from the handover trigger message that the handover cause is a core-network-triggered handover;
Because the handover trigger message is sent by the first MME, the eNB can determine from it that this handover is triggered by the core network. A core-network-triggered handover only changes the MME to which the UE is attached; the cell and the base station serving the UE do not change.
Step 403: the eNB sends a Handover Required message to the first MME, the Handover Required message carrying the handover cause;
Step 404: the first MME receives the Handover Required message sent by the eNB and calculates the first NCC and the first NH according to the Handover Required message;
Specifically, the first MME receives the Handover Required message sent by the eNB, confirms from the handover cause in that message that the handover is triggered by the core network, obtains the second {NCC, NH} pair, and calculates the first {NCC, NH} pair from the second pair: the first NCC is the second NCC plus one, and the first NH is calculated from the second NH.
The second {NCC, NH} pair is the current (old) {NCC, NH} pair and consists of the second NCC and the second NH; the first {NCC, NH} pair is the fresh {NCC, NH} pair and consists of the first NCC and the first NH.
The second NCC is the current NCC, and the second NH is the current NH.
Step 405: the first MME sends a Forward Relocation Request message to the second MME, the Forward Relocation Request message carrying the handover cause and the first {NCC, NH} pair;
The handover cause carried in the Forward Relocation Request message notifies the second MME that this handover is triggered by the core network.
Further, the Forward Relocation Request message may also carry Kasme and the KSI (Key Set Identifier); Kasme and the KSI are used to derive the Non-Access Stratum (NAS) keys.
The second MME is any MME other than the first MME; the embodiments of the present invention do not specifically limit the second MME. For example, the second MME may be a particular designated MME.
Step 406: the second MME receives the Forward Relocation Request message sent by the first MME and sends a Handover Request message to the eNB;
Specifically, the second MME receives the Forward Relocation Request message sent by the first MME and determines from the handover cause in that message that the handover is triggered by the core network; the Handover Request message that the second MME sends to the eNB then carries no {NCC, NH} pair. Alternatively, the second MME receives the Forward Relocation Request message sent by the first MME, determines from its handover cause that the handover is triggered by the core network, obtains the first {NCC, NH} pair from the message, and carries the first {NCC, NH} pair in the Handover Request message it sends to the eNB.
Further, the Handover Request message may also carry the handover cause.
Step 407: the eNB receives the Handover Request message sent by the second MME and sends a handover acknowledge message to the second MME;
The handover acknowledge message notifies the second MME that this handover can proceed.
Step 408: the eNB keeps the key KeNB shared between the eNB and the UE unchanged, and encrypts the data communicated between the eNB and the UE with that KeNB (KeNB*);
Specifically, the eNB determines from the handover trigger message or the Handover Request message that the handover cause is a core-network-triggered handover, obtains the KeNB currently shared between the eNB and the UE, and uses that KeNB as the key KeNB* after the MME change; the eNB calculates the first key and the second key from KeNB*, and uses the first key and the second key to encrypt and integrity-protect the data communicated between the eNB and the UE.
It should be noted that if the Handover Request message carries the first {NCC, NH} pair, the eNB ignores the first {NCC, NH} pair and keeps KeNB unchanged.
Step 409: the second MME sends a Forward Relocation Response message to the first MME.
Further, when the Handover Request message does not carry the first {NCC, NH} pair, then after the eNB has switched the MME to which the UE is attached from the first MME to the second MME, the second MME sends a path change message to the eNB, the path change message carrying the first {NCC, NH} pair. The eNB receives the path change message sent by the second MME and obtains the first {NCC, NH} pair.
In the embodiments of the present invention, the eNB receives the handover trigger message sent by the first MME and the Handover Request message sent by the second MME, determines from the handover trigger message or the Handover Request message that the handover cause is a core-network-triggered handover, obtains the KeNB currently shared with the UE, and uses that KeNB as the updated key KeNB* after the MME change, i.e. keeps the KeNB between the eNB and the UE unchanged and encrypts the data communicated between the eNB and the UE with that KeNB (KeNB*), thereby ensuring that the KeNB on the eNB side stays synchronized with the KeNB on the UE side.
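The procedure of Embodiment 4 (and of Embodiment 6, which differs only in which {NCC, NH} pair is carried) modelled on the MME and eNB side, as an added example that is not part of the patent: the eNB keeps KeNB when the MME change is core-network triggered, ignores any carried {NCC, NH} pair, and derives the first and second keys from KeNB*, while the first MME derives the fresh pair by adding one to the NCC and chaining the NH; the KDF, its labels and the vertical-derivation form used for an ordinary handover are assumed stand-ins, and the UE side simply keeps its KeNB because it is not told of the MME change.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


def kdf(key: bytes, label: bytes, *params: bytes) -> bytes:
    """Stand-in key derivation (assumed): HMAC-SHA-256 over a label and parameters.
    The real LTE KDF encoding is not given on the page and is not reproduced here."""
    return hmac.new(key, label + b"".join(params), hashlib.sha256).digest()


@dataclass(frozen=True)
class NccNh:
    """A {NCC, NH} pair as carried between MME and eNB."""
    ncc: int
    nh: bytes


def mme_fresh_pair(kasme: bytes, current: NccNh) -> NccNh:
    """First (fresh) pair from the second (current) pair: NCC + 1, NH chained from the old NH.
    NCC is a 3-bit counter, hence the modulo 8."""
    return NccNh((current.ncc + 1) % 8, kdf(kasme, b"NH", current.nh))


def as_keys(kenb: bytes) -> dict:
    """The 'first key' and 'second key' derived from KeNB*: one for ciphering,
    one for integrity protection (labels are assumed)."""
    return {"enc": kdf(kenb, b"enc"), "int": kdf(kenb, b"int")}


CN_TRIGGERED = "core-network-triggered"


@dataclass
class HandoverRequest:
    cause: Optional[str]       # may be absent; the eNB may rely on the earlier trigger
    pair: Optional[NccNh]      # first pair, second pair, or nothing


class ENB:
    def __init__(self, kenb: bytes, pair: NccNh):
        self.kenb = kenb
        self.pair = pair                 # latest {NCC, NH} pair known for this UE
        self.cn_trigger_seen = False

    def on_handover_trigger(self, ue_id: int) -> dict:
        """Steps 402/403: the trigger came from the MME, so the cause is known locally."""
        self.cn_trigger_seen = True
        return {"msg": "Handover Required", "ue": ue_id, "cause": CN_TRIGGERED}

    def on_handover_request(self, req: HandoverRequest, pci: bytes, earfcn: bytes) -> dict:
        """Steps 407/408: keep KeNB when the MME change was core-network triggered."""
        if self.cn_trigger_seen or req.cause == CN_TRIGGERED:
            kenb_star = self.kenb        # KeNB* = KeNB; any carried pair is ignored
        else:
            # Ordinary handover (assumed form): vertical derivation from the carried NH.
            if req.pair is None:
                raise ValueError("ordinary handover needs a {NCC, NH} pair")
            kenb_star = kdf(req.pair.nh, b"KeNB*", pci, earfcn)
            self.pair = req.pair
        self.kenb = kenb_star
        self.cn_trigger_seen = False
        return as_keys(kenb_star)

    def on_path_change(self, pair: NccNh) -> None:
        """After the MME change, store the fresh pair for later handovers."""
        self.pair = pair


def run_cn_triggered_handover(keep_kenb: bool = True) -> bool:
    """Simulate the procedure; return True iff the eNB and UE keys agree.
    With keep_kenb=False the eNB misclassifies the handover and applies the
    carried pair, which desynchronizes it from the UE."""
    kasme, kenb = b"\x11" * 32, b"\x22" * 32          # constructed sample keys
    second = NccNh(2, b"\x33" * 32)                    # constructed current pair
    enb = ENB(kenb, second)
    ue_keys = as_keys(kenb)                            # UE keeps its KeNB unchanged
    enb.on_handover_trigger(ue_id=7)                   # step 401/402/403
    first = mme_fresh_pair(kasme, second)              # step 404 at the first MME
    req = HandoverRequest(cause=CN_TRIGGERED, pair=first)   # step 405/406
    if not keep_kenb:
        enb.cn_trigger_seen, req.cause = False, None
    enb_keys = enb.on_handover_request(req, pci=b"\x01\x2c", earfcn=b"\x06\x40")
    enb.on_path_change(first)                          # path change after step 409
    return enb_keys == ue_keys and enb.pair == first
```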
Embodiment 5
The embodiment of the present invention provides a method of encrypting data. Referring to Fig. 5, the method includes:
Step 501: sending a handover trigger message to the eNB, the handover trigger message carrying the identifier of the UE, so that the eNB sends a Handover Required message to the first MME according to the handover trigger message;
Step 502: receiving the Handover Required message sent by the eNB, and obtaining the second NCC and the second NH, where the second NCC is the current NCC and the second NH is the current NH;
Step 503: sending a Forward Relocation Request message to the second MME, the Forward Relocation Request message carrying the handover cause, so that the second MME sends a Handover Request message to the eNB, so that the eNB keeps the key KeNB shared between the eNB and the UE unchanged and encrypts the data communicated between the eNB and the UE with that KeNB.
In the embodiments of the present invention, the eNB receives the handover trigger message sent by the first MME and the Handover Request message sent by the second MME, determines from the handover trigger message or the Handover Request message that the handover cause is a core-network-triggered handover, obtains the KeNB currently shared with the UE, and uses that KeNB as the updated key KeNB* after the MME change, i.e. keeps the KeNB between the eNB and the UE unchanged and encrypts the data communicated between the eNB and the UE with that KeNB (KeNB*), thereby ensuring that the KeNB on the eNB side stays synchronized with the KeNB on the UE side.
Embodiment 6
The embodiment of the present invention provides a method of encrypting data. Referring to Fig. 6, the method includes:
Step 601: the first MME sends a handover trigger message to the eNB, the handover trigger message carrying the identifier of the UE;
Specifically, when the first MME learns from the subscription information of the UE that the UE needs to be handed over from the first MME of the general network to the second MME of the specific network, it obtains the identifier of the UE and sends a handover trigger message carrying that identifier to the eNB.
The identifier of the UE is any identifier that can identify the UE; the embodiments of the present invention do not specifically limit it. For example, the identifier of the UE may be the MME UE S1AP ID, i.e. the identifier by which the MME uniquely identifies the UE on the S1 interface, or the eNB UE S1AP ID, i.e. the identifier by which the eNB uniquely identifies the UE on the S1 interface. The first MME is the MME to which the UE is currently attached.
It should be noted that before step 601 the UE has performed an attach procedure with the general network and has established a PDN connection with the S-GW or P-GW on the network side.
Step 602: the eNB receives the handover trigger message sent by the first MME and determines from the handover trigger message that the handover cause is a core-network-triggered handover;
Because the handover trigger message is sent by the first MME, the eNB can determine from it that this handover is triggered by the core network. A core-network-triggered handover only changes the MME to which the UE is attached; the cell and the base station serving the UE do not change.
Step 603: the eNB sends a Handover Required message to the first MME, the Handover Required message carrying the handover cause;
The handover cause indicates that the MME to which the UE is attached is to be changed. The handover cause may be any indication; the embodiments of the present invention do not specifically limit it. For example, the handover cause may be the value "core-network-triggered handover".
Step 604: the first MME receives the Handover Required message sent by the eNB and, according to the Handover Required message, sends a Forward Relocation Request message to the second MME;
Specifically, the first MME receives the Handover Required message sent by the eNB, determines from the handover cause in that message that the handover is triggered by the core network, and sends a Forward Relocation Request message to the second MME, the Forward Relocation Request message carrying the handover cause and the second {NCC, NH} pair;
The second {NCC, NH} pair is the current (old) {NCC, NH} pair and consists of the second NCC and the second NH; the second NCC is the current NCC, and the second NH is the current NH.
The handover cause carried in the Forward Relocation Request message notifies the second MME that this handover is triggered by the core network.
Further, the Forward Relocation Request message may also carry Kasme and the KSI; Kasme and the KSI are used to derive the Non-Access Stratum (NAS) keys.
The second MME is any MME other than the first MME; the embodiments of the present invention do not specifically limit the second MME. For example, the second MME may be a particular designated MME.
Step 605: the second MME receives the Forward Relocation Request message sent by the first MME and sends a Handover Request message to the eNB;
Specifically, the second MME receives the Forward Relocation Request message sent by the first MME and determines from the handover cause in that message that the handover is triggered by the core network; the Handover Request message that the second MME sends to the eNB then carries no {NCC, NH} pair. Alternatively, the second MME receives the Forward Relocation Request message sent by the first MME, determines from its handover cause that the handover is triggered by the core network, obtains the second {NCC, NH} pair from the message, and carries the second {NCC, NH} pair in the Handover Request message it sends to the eNB.
Further, the Handover Request message may also carry the handover cause.
Here, the NHI (Next Hop Indicator) of the Forward Relocation Request message is set to a preset flag and the second NCC and the second NH are carried; or alternatively, the NHI_old (Next Hop Indicator for the old EPS (Evolved Packet System) security context) of the Forward Relocation Request message is set to the preset flag and the second NCC and the second NH are carried.
The preset flag is any value that can mark the NHI or NHI_old; the embodiments of the present invention do not specifically limit it. For example, the preset flag may be 1.
Step 606: the eNB receives the Handover Request message sent by the second MME and sends a handover acknowledge message to the second MME;
The handover acknowledge message notifies the second MME that this handover can proceed.
Step 607: the eNB keeps the key KeNB shared between the eNB and the UE unchanged, and encrypts the data communicated between the eNB and the UE with that KeNB (KeNB*);
Specifically, the eNB determines from the handover trigger message or the Handover Request message that the handover cause is a core-network-triggered handover, obtains the KeNB currently shared between the eNB and the UE, and uses that KeNB as the key KeNB* after the MME change; the eNB calculates the first key and the second key from KeNB*, and uses the first key and the second key to encrypt and integrity-protect the data communicated between the eNB and the UE.
It should be noted that if the Handover Request message carries the second {NCC, NH} pair, the eNB ignores the second {NCC, NH} pair and keeps KeNB unchanged.
Step 608: the second MME sends a Forward Relocation Response message to the first MME.
Further, after the eNB has switched the MME to which the UE is attached from the first MME to the second MME, the second MME calculates the first {NCC, NH} pair from the second {NCC, NH} pair and sends a path change message to the eNB, the path change message carrying the first {NCC, NH} pair. The eNB receives the path change message sent by the second MME and obtains the first {NCC, NH} pair.
Here, the second MME adds one to the second NCC to obtain the first NCC and calculates the first NH from the second NH; the second {NCC, NH} pair is the current {NCC, NH} pair and consists of the second NCC and the second NH; the first {NCC, NH} pair is the fresh {NCC, NH} pair and consists of the first NCC and the first NH.
In the embodiments of the present invention, the eNB receives the handover trigger message sent by the first MME and the Handover Request message sent by the second MME, determines from the handover trigger message or the Handover Request message that the handover cause is a core-network-triggered handover, obtains the KeNB currently shared with the UE, and uses that KeNB as the updated key KeNB* after the MME change, i.e. keeps the KeNB between the eNB and the UE unchanged and encrypts the data communicated between the eNB and the UE with that KeNB (KeNB*), thereby ensuring that the KeNB on the eNB side stays synchronized with the KeNB on the UE side.
Embodiment 7
The embodiment of the present invention provides a device for encrypting data. Referring to Fig. 7, the device includes a first memory 701 and a first processor 702, which execute the following method of encrypting data:
receiving the handover trigger message sent by the first mobility management entity (MME), the handover trigger message carrying the identifier of the user equipment (UE);
receiving the Handover Request message sent by the second MME;
keeping the key KeNB shared between the evolved base station (eNB) and the UE unchanged, and encrypting the data communicated between the eNB and the UE with that KeNB.
Further, after receiving the handover trigger message sent by the first MME, the method also includes:
determining from the handover trigger message that the handover cause is a core-network-triggered handover;
sending a Handover Required message to the first MME, the Handover Required message carrying the handover cause, so that the first MME sends a Forward Relocation Request message to the second MME, the Forward Relocation Request message carrying the handover cause, so that the second MME sends the Handover Request message to the eNB.
Further, the Handover Request message carries a first Next Hop Chaining Counter (NCC) and a first Next Hop (NH), where the first NCC is obtained by the first MME by adding one to the second NCC, the first NH is calculated by the first MME from the second NH, the second NCC is the current NCC, and the second NH is the current NH; or alternatively,
the Handover Request message carries the second Next Hop Chaining Counter (NCC) and the second Next Hop (NH), where the second NCC is the current NCC and the second NH is the current NH.
Further, the Forward Relocation Request message carries the first Next Hop Chaining Counter (NCC) and the first Next Hop (NH), where the first NCC is obtained by the first MME by adding one to the second NCC, the first NH is calculated by the first MME from the second NH, the second NCC is the current NCC, and the second NH is the current NH; or alternatively,
the Forward Relocation Request message carries the second Next Hop Chaining Counter (NCC) and the second Next Hop (NH), where the second NCC is the current NCC and the second NH is the current NH.
Further, keeping the key KeNB shared between the evolved base station (eNB) and the UE unchanged includes:
determining from the handover trigger message or the Handover Request message that the handover cause is a core-network-triggered handover, and keeping the KeNB unchanged.
In the embodiments of the present invention, the eNB receives the handover trigger message sent by the first MME and the Handover Request message sent by the second MME, determines from the handover trigger message or the Handover Request message that the handover cause is a core-network-triggered handover, obtains the KeNB currently shared with the UE, and uses that KeNB as the updated key KeNB* after the MME change, i.e. keeps the KeNB between the eNB and the UE unchanged and encrypts the data communicated between the eNB and the UE with that KeNB (KeNB*), thereby ensuring that the KeNB on the eNB side stays synchronized with the KeNB on the UE side.
Embodiment 8
The embodiment of the present invention provides a device for encrypting data. Referring to Fig. 8, the device includes a second memory 801 and a second processor 802, which execute the following method of encrypting data:
sending a handover trigger message to the evolved base station (eNB), the handover trigger message carrying the identifier of the user equipment (UE), so that the eNB sends a Handover Required message to the first mobility management entity (MME) according to the handover trigger message;
receiving the Handover Required message sent by the eNB, and obtaining the second Next Hop Chaining Counter (NCC) and the second Next Hop (NH), where the second NCC is the current NCC and the second NH is the current NH;
sending a Forward Relocation Request message to the second MME, the Forward Relocation Request message carrying the handover cause, so that the second MME sends a Handover Request message to the eNB, so that the eNB keeps the key KeNB shared between the eNB and the UE unchanged and encrypts the data communicated between the eNB and the UE with that KeNB.
Further, the Handover Request message carries the first NCC and the first NH, where the first NCC is obtained by the first MME by adding one to the second NCC and the first NH is calculated by the first MME from the second NH; or alternatively,
the Handover Request message carries the second NCC and the second NH.
Further, the Forward Relocation Request message carries the first NCC and the first NH, where the first NCC is obtained by the first MME by adding one to the second NCC and the first NH is calculated by the first MME from the second NH; or alternatively,
the Forward Relocation Request message carries the second NCC and the second NH.
Further, before sending the Forward Relocation Request message to the second mobility management entity (MME), the method also includes:
setting the Next Hop Indicator (NHI) of the Forward Relocation Request message to a preset flag and carrying the second NCC and the second NH; or alternatively,
setting the Next Hop Indicator for the old Evolved Packet System (EPS) security context (NHI_old) of the Forward Relocation Request message to the preset flag and carrying the second NCC and the second NH.
In the embodiments of the present invention, the eNB receives the handover trigger message sent by the first MME and the Handover Request message sent by the second MME, determines from the handover trigger message or the Handover Request message that the handover cause is a core-network-triggered handover, obtains the KeNB currently shared with the UE, and uses that KeNB as the updated key KeNB* after the MME change, i.e. keeps the KeNB between the eNB and the UE unchanged and encrypts the data communicated between the eNB and the UE with that KeNB (KeNB*), thereby ensuring that the KeNB on the eNB side stays synchronized with the KeNB on the UE side.
A person of ordinary skill in the art will understand that all or part of the steps of the above embodiments may be implemented by hardware, or by a program instructing the relevant hardware; the program may be stored in a computer-readable storage medium, such as a read-only memory, a magnetic disk or an optical disc.
The foregoing are merely preferred embodiments of the present invention and are not intended to limit it; any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall fall within its scope of protection.
Claims (20)
1. A device for encrypting data, characterized in that the device includes:
a first receiving module, for receiving a handover trigger message sent by a first mobility management entity (MME), the handover trigger message carrying an identifier of a user equipment (UE);
a second receiving module, for receiving a Handover Request message sent by a second MME;
a keeping module, for keeping the key KeNB shared between an evolved base station (eNB) and the UE unchanged;
an encrypting module, for encrypting the data communicated between the eNB and the UE with the KeNB.
2. The device as described in claim 1, characterized in that the device further includes:
a determining module, for determining from the handover trigger message that the handover cause is a core-network-triggered handover;
a first sending module, for sending a Handover Required message to the first MME, the Handover Required message carrying the handover cause, so that the first MME sends a Forward Relocation Request message to the second MME, the Forward Relocation Request message carrying the handover cause, so that the second MME sends the Handover Request message to the eNB.
3. The device as described in claim 1, characterized in that the Handover Request message carries a first Next Hop Chaining Counter (NCC) and a first Next Hop (NH), where the first NCC is obtained by the first MME by adding one to a second NCC, the first NH is calculated by the first MME from a second NH, the second NCC is the current NCC, and the second NH is the current NH; or alternatively,
the Handover Request message carries the second Next Hop Chaining Counter (NCC) and the second Next Hop (NH), where the second NCC is the current NCC and the second NH is the current NH.
4. The device as described in claim 2, characterized in that the Forward Relocation Request message carries a first Next Hop Chaining Counter (NCC) and a first Next Hop (NH), where the first NCC is obtained by the first MME by adding one to a second NCC, the first NH is calculated by the first MME from a second NH, the second NCC is the current NCC, and the second NH is the current NH; or alternatively,
the Forward Relocation Request message carries the second Next Hop Chaining Counter (NCC) and the second Next Hop (NH), where the second NCC is the current NCC and the second NH is the current NH.
5. The device as described in claim 1, characterized in that the keeping module includes:
a determining unit, for determining from the handover trigger message or the Handover Request message that the handover cause is a core-network-triggered handover;
a keeping unit, for keeping the KeNB unchanged.
6. a kind of device of encryption data, which is characterized in that described device includes:
Second sending module gives evolved base station eNB for sending handoff trigger message, and the handoff trigger message carries user
The mark of equipment UE makes the eNB send switching according to the handoff trigger message and message is needed to manage in fact to first movement
Body MME;
Third receiving module needs message for receiving the switching that the eNB is sent;
Module is obtained, is current for obtaining the second next-hop chain counter NCC and the second next-hop NH, the 2nd NCC
NCC, the 2nd NH are current NH;
Third sending module, it is described to weigh forward to the second mobility management entity MME for sending RELOCATION REQUEST message forward
Locating request message carries switch reasons, and the 2nd MME is made to send switching request message to the eNB, so that the eNB is protected
It is constant to hold the key KeNB shared between the eNB and the UE, and is led to according to the KeNB between the eNB and the UE
The data of letter are encrypted.
7. The device according to claim 6, wherein the Handover Request message carries a first NCC and a first NH, the first NCC being obtained by the first MME by adding one to the second NCC, and the first NH being calculated by the first MME from the second NH; or,
the Handover Request message carries the second NCC and the second NH.
8. The device according to claim 6, wherein the Forward Relocation Request message carries a first NCC and a first NH, the first NCC being obtained by the first MME by adding one to the second NCC, and the first NH being calculated by the first MME from the second NH; or,
the Forward Relocation Request message carries the second NCC and the second NH.
9. The device according to claim 6, wherein the device further comprises:
a first carrying module, configured to set the next-hop indicator NHI of the Forward Relocation Request message to a default value and to carry the second NCC and the second NH; or,
a second carrying module, configured to set the next-hop indicator NHI_old of the old evolved packet system EPS security context of the Forward Relocation Request message to the default value and to carry the second NCC and the second NH.
10. A method for encrypting data, wherein the method comprises:
receiving a handover trigger message sent by a first mobility management entity MME, the handover trigger message carrying an identifier of a user equipment UE;
receiving a Handover Request message sent by a second MME; and
keeping the key KeNB shared between an evolved base station eNB and the UE unchanged, and encrypting the data communicated between the eNB and the UE according to the KeNB.
11. The method according to claim 10, wherein after receiving the handover trigger message sent by the first mobility management entity MME, the method further comprises:
determining, according to the handover trigger message, that the handover cause is a core-network-triggered handover; and
sending a Handover Required message to the first MME, the Handover Required message carrying the handover cause, so that the first MME sends a Forward Relocation Request message to the second MME, the Forward Relocation Request message carrying the handover cause, and the second MME sends the Handover Request message to the eNB.
12. The method according to claim 10, wherein the Handover Request message carries a first next-hop chaining counter NCC and a first next-hop NH, the first NCC being obtained by the first MME by adding one to a second NCC, and the first NH being calculated by the first MME from a second NH, where the second NCC is the current NCC and the second NH is the current NH; or,
the Handover Request message carries a second next-hop chaining counter NCC and a second next-hop NH, where the second NCC is the current NCC and the second NH is the current NH.
13. The method according to claim 11, wherein the Forward Relocation Request message carries a first next-hop chaining counter NCC and a first next-hop NH, the first NCC being obtained by the first MME by adding one to a second NCC, and the first NH being calculated by the first MME from a second NH, where the second NCC is the current NCC and the second NH is the current NH; or,
the Forward Relocation Request message carries a second next-hop chaining counter NCC and a second next-hop NH, where the second NCC is the current NCC and the second NH is the current NH.
14. The method according to claim 10, wherein keeping the key KeNB shared between the evolved base station eNB and the UE unchanged comprises:
determining, according to the handover trigger message or the Handover Request message, that the handover cause is a core-network-triggered handover, and keeping the KeNB unchanged.
15. A method for encrypting data, wherein the method comprises:
sending a handover trigger message to an evolved base station eNB, the handover trigger message carrying an identifier of a user equipment UE, so that the eNB sends a Handover Required message to a first mobility management entity MME according to the handover trigger message;
receiving the Handover Required message sent by the eNB, and obtaining a second next-hop chaining counter NCC and a second next-hop NH, where the second NCC is the current NCC and the second NH is the current NH; and
sending a Forward Relocation Request message to a second MME, the Forward Relocation Request message carrying a handover cause, so that the second MME sends a Handover Request message to the eNB, and the eNB keeps the key KeNB shared between the eNB and the UE unchanged and encrypts the data communicated between the eNB and the UE according to the KeNB.
16. The method according to claim 15, wherein the Handover Request message carries a first NCC and a first NH, the first NCC being obtained by the first MME by adding one to the second NCC, and the first NH being calculated by the first MME from the second NH; or,
the Handover Request message carries the second NCC and the second NH.
17. The method according to claim 15, wherein the Forward Relocation Request message carries a first NCC and a first NH, the first NCC being obtained by the first MME by adding one to the second NCC, and the first NH being calculated by the first MME from the second NH; or,
the Forward Relocation Request message carries the second NCC and the second NH.
18. The method according to claim 15, wherein before sending the Forward Relocation Request message to the second mobility management entity MME, the method further comprises:
setting the next-hop indicator NHI of the Forward Relocation Request message to a default value, and carrying the second NCC and the second NH; or,
setting the next-hop indicator NHI_old of the old evolved packet system EPS security context of the Forward Relocation Request message to the default value, and carrying the second NCC and the second NH.
19. A device for encrypting data, wherein the device comprises a first memory and a first processor configured to execute the method for encrypting data according to any one of claims 11 to 14.
20. A device for encrypting data, wherein the device comprises a second memory and a second processor configured to execute the method for encrypting data according to any one of claims 15 to 18.
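The key handling the claims describe, as an added illustration that is not the patent's or any vendor's code: the first MME forwards either the current (NCC, NH) pair or NCC+1 with a freshly derived NH, and the eNB keeps KeNB unchanged because the handover cause is core-network-triggered, instead of the ordinary NH-based key change. The NH and KeNB* derivations follow 3GPP TS 33.401 Annex A as an assumption, since the patent does not specify them.

```python
"""Core-network-triggered handover key handling as claimed. Added illustration;
the NH / KeNB* KDFs are assumed to follow 3GPP TS 33.401 Annex A (not specified
by the patent), and all key material below is constructed test data."""
import hashlib
import hmac

CORE_NET_TRIGGERED = "core-network-triggered"   # handover cause carried in the messages


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic 3GPP KDF (TS 33.220 Annex B): HMAC-SHA-256 over FC||P0||L0||P1||L1..."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def next_nh(kasme: bytes, sync_input: bytes) -> bytes:
    """NH derivation (TS 33.401 A.4, FC=0x12): SYNC-input is KeNB for the first
    hop and the previous NH afterwards. This is the 'NH calculated from the
    second NH' step that the claims attribute to the first MME."""
    return kdf(kasme, 0x12, sync_input)


def kenb_star(nh: bytes, pci: int, earfcn_dl: int) -> bytes:
    """Vertical KeNB* derivation (TS 33.401 A.5, FC=0x13) from a fresh NH; this
    is the key change a radio-triggered handover would apply."""
    return kdf(nh, 0x13, pci.to_bytes(2, "big"), earfcn_dl.to_bytes(3, "big"))


def mme_forward_relocation(kasme: bytes, ncc: int, nh: bytes, increment: bool):
    """First MME builds the {NCC, NH} pair for the Forward Relocation Request:
    the current pair (one claimed alternative) or NCC+1 with a newly derived NH
    (the other). NCC is a 3-bit counter, so it wraps modulo 8."""
    if increment:
        return (ncc + 1) % 8, next_nh(kasme, nh)
    return ncc, nh


def enb_handle_handover_request(kenb: bytes, cause: str, nh: bytes,
                                pci: int, earfcn_dl: int) -> bytes:
    """eNB side of the Handover Request: on a core-network-triggered handover the
    key shared with the UE stays as it is, whichever {NCC, NH} pair arrived;
    any other cause takes the ordinary NH-based key change."""
    if cause == CORE_NET_TRIGGERED:
        return kenb
    return kenb_star(nh, pci, earfcn_dl)
```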
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/CN2014/071651 WO2015113197A1 (en) | 2014-01-28 | 2014-01-28 | Apparatus and method for encrypting data |
Publications (2)
Publication Number | Publication Date |
---|---|
CN105103577A CN105103577A (en) | 2015-11-25 |
CN105103577B (en) | 2019-05-24 |
Family ID: 53756094
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201480000843.XA Active CN105103577B (en) | 2014-01-28 | 2014-01-28 | A kind of device and method of encryption data |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN105103577B (en) |
WO (1) | WO2015113197A1 (en) |
2014
- 2014-01-28 CN CN201480000843.XA patent/CN105103577B/en active Active
- 2014-01-28 WO PCT/CN2014/071651 patent/WO2015113197A1/en active Application Filing
Also Published As
Publication number | Publication date |
---|---|
CN105103577A (en) | 2015-11-25 |
WO2015113197A1 (en) | 2015-08-06 |
Legal Events
Code | Title |
---|---|
C06 | Publication |
PB01 | Publication |
C10 | Entry into substantive examination |
SE01 | Entry into force of request for substantive examination |
GR01 | Patent grant |
GR01 | Patent grant |