CN105103577B - A kind of device and method of encryption data - Google Patents

A kind of device and method of encryption data

Info

Publication number: CN105103577B
Authority: CN (China)
Prior art keywords: ncc, mme, request message, enb, message
Legal status: Active
Application number: CN201480000843.XA
Other languages: Chinese (zh)
Other versions: CN105103577A (en)
Inventors: 张丽佳, 张冬梅
Current Assignee: Huawei Technologies Co Ltd
Original Assignee: Huawei Technologies Co Ltd
Classifications (H Electricity > H04 Electric communication technique > H04W Wireless communication networks)

    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
        • H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
        • H04W12/03 Protecting confidentiality, e.g. by encryption
    • H04W36/00 Hand-off or reselection arrangements
        • H04W36/24 Reselection being triggered by specific parameters

Abstract

The invention discloses a device and method for encrypting data, in the field of wireless communication. The method includes: receiving a handover trigger message sent by a first mobility management entity (MME), the handover trigger message carrying the identifier of a user equipment (UE); receiving a handover request message sent by a second MME; keeping the key KeNB shared between the evolved base station (eNB) and the UE unchanged, and encrypting the data communicated between the eNB and the UE according to that KeNB. The device includes a first receiving module, a second receiving module, a keeping module and an encrypting module. In the present invention the eNB determines, from the handover trigger message or the handover request message, that the handover cause is a core-network-triggered handover, obtains the KeNB currently shared with the UE, and keeps the KeNB between the eNB and the UE unchanged, so that the KeNB on the eNB side stays synchronized with the KeNB on the UE side.

Description

A kind of device and method of encryption data
Technical field
The present invention relates to the field of wireless communication, and in particular to a device and method for encrypting data.
Background technique
When a UE (User Equipment) performs a specific service, such as an MTC (Machine Type Communication) service, it can occupy a large amount of network resources. To prevent a UE performing such a specific service from affecting the general network, the eNB (evolved Node B) can redirect the UE performing the specific service from the general network to a dedicated network, and encrypt the data communicated between the eNB and the UE.
A currently available method of encrypting data is as follows. When the UE is attached to the general network and the first MME (Mobility Management Entity) of the general network learns from the UE's subscription information that the UE needs to be redirected from the general network to a dedicated network, the first MME sends a handover trigger message to the eNB; the message includes a handover cause value (core-network-triggered handover). The eNB sends a Handover Required message to the first MME, and the first MME calculates a first NCC (Next Hop Chaining Counter) and a first NH (Next Hop): the first NCC is obtained by adding one to the current second NCC, and the first NH is calculated from the current second NH. The first MME sends a Forward Relocation Request message to the second MME of the dedicated network; this message carries the first NCC and the first NH. The second MME receives the Forward Relocation Request message sent by the first MME and sends a handover request message to the eNB; this message carries the first NCC and the first NH. The eNB receives the handover request message sent by the second MME, calculates an updated key KeNB* from the first NCC and the first NH, and encrypts the data communicated between the eNB and the UE according to KeNB*.
In the course of implementing the present invention, the inventors found that the prior art has at least the following problem:
In the prior art the handover procedure is simplified: the eNB does not send a handover command message to the UE, so the UE cannot obtain the first NCC from a handover command message, still less calculate the updated key KeNB*. As a result, the KeNB on the eNB side and the KeNB on the UE side are out of sync.
Summary of the invention
To solve the problem in the prior art, the present invention provides a device and method for encrypting data. The technical solution is as follows:
In a first aspect, the present invention provides a device for encrypting data, the device including:
a first receiving module, configured to receive a handover trigger message sent by a first mobility management entity (MME), the handover trigger message carrying the identifier of a user equipment (UE);
a second receiving module, configured to receive a handover request message sent by a second MME;
a keeping module, configured to keep the key KeNB shared between the evolved base station (eNB) and the UE unchanged;
an encrypting module, configured to encrypt the data communicated between the eNB and the UE according to the KeNB.
With reference to the first aspect, in a first possible implementation of the first aspect, the device further includes:
a determining module, configured to determine, according to the handover trigger message, that the handover cause is a core-network-triggered handover;
a first sending module, configured to send a Handover Required message carrying the handover cause to the first MME, so that the first MME sends a Forward Relocation Request message carrying the handover cause to the second MME, so that the second MME sends the handover request message to the eNB.
With reference to the first aspect, in a second possible implementation of the first aspect, the handover request message carries a first next hop chaining counter (NCC) and a first next hop (NH), the first NCC being obtained by the first MME by adding one to a second NCC, the first NH being calculated by the first MME from a second NH, the second NCC being the current NCC and the second NH being the current NH; or,
the handover request message carries the second next hop chaining counter (NCC) and the second next hop (NH), the second NCC being the current NCC and the second NH being the current NH.
With reference to the first possible implementation of the first aspect, in a third possible implementation of the first aspect, the Forward Relocation Request message carries the first next hop chaining counter (NCC) and the first next hop (NH), the first NCC being obtained by the first MME by adding one to the second NCC, the first NH being calculated by the first MME from the second NH, the second NCC being the current NCC and the second NH being the current NH; or,
the Forward Relocation Request message carries the second next hop chaining counter (NCC) and the second next hop (NH), the second NCC being the current NCC and the second NH being the current NH.
With reference to the first aspect, in a fourth possible implementation of the first aspect, the keeping module includes:
a determination unit, configured to determine, according to the handover trigger message or the handover request message, that the handover cause is a core-network-triggered handover;
a holding unit, configured to keep the KeNB unchanged.
In a second aspect, the present invention provides a device for encrypting data, the device including:
a second sending module, configured to send a handover trigger message to an evolved base station (eNB), the handover trigger message carrying the identifier of a user equipment (UE), so that the eNB sends a Handover Required message to a first mobility management entity (MME) according to the handover trigger message;
a third receiving module, configured to receive the Handover Required message sent by the eNB;
an obtaining module, configured to obtain a second next hop chaining counter (NCC) and a second next hop (NH), the second NCC being the current NCC and the second NH being the current NH;
a third sending module, configured to send a Forward Relocation Request message to a second mobility management entity (MME), the Forward Relocation Request message carrying the handover cause, so that the second MME sends a handover request message to the eNB, so that the eNB keeps the key KeNB shared between the eNB and the UE unchanged and encrypts the data communicated between the eNB and the UE according to the KeNB.
With reference to the second aspect, in a first possible implementation of the second aspect, the handover request message carries a first NCC and a first NH, the first NCC being obtained by the first MME by adding one to the second NCC, the first NH being calculated by the first MME from the second NH; or,
the handover request message carries the second NCC and the second NH.
With reference to the second aspect, in a second possible implementation of the second aspect, the Forward Relocation Request message carries the first NCC and the first NH, the first NCC being obtained by the first MME by adding one to the second NCC, the first NH being calculated by the first MME from the second NH; or,
the Forward Relocation Request message carries the second NCC and the second NH.
With reference to the second aspect, in a third possible implementation of the second aspect, the device further includes:
a first carrying module, configured to set the next hop indicator (NHI) of the Forward Relocation Request message to a preset identifier and to carry the second NCC and the second NH; or,
a second carrying module, configured to set the next hop indicator NHI_old of the old evolved packet system (EPS) security context in the Forward Relocation Request message to the preset identifier and to carry the second NCC and the second NH.
In a third aspect, the present invention provides a method of encrypting data, the method including:
receiving a handover trigger message sent by a first mobility management entity (MME), the handover trigger message carrying the identifier of a user equipment (UE);
receiving a handover request message sent by a second MME;
keeping the key KeNB shared between the evolved base station (eNB) and the UE unchanged, and encrypting the data communicated between the eNB and the UE according to the KeNB.
With reference to the third aspect, in a first possible implementation of the third aspect, after receiving the handover trigger message sent by the first mobility management entity MME, the method further includes:
determining, according to the handover trigger message, that the handover cause is a core-network-triggered handover;
sending a Handover Required message carrying the handover cause to the first MME, so that the first MME sends a Forward Relocation Request message carrying the handover cause to the second MME, so that the second MME sends the handover request message to the eNB.
With reference to the first possible implementation of the third aspect, in a second possible implementation of the third aspect, the handover request message carries a first next hop chaining counter (NCC) and a first next hop (NH), the first NCC being obtained by the first MME by adding one to a second NCC, the first NH being calculated by the first MME from a second NH, the second NCC being the current NCC and the second NH being the current NH; or,
the handover request message carries the second next hop chaining counter (NCC) and the second next hop (NH), the second NCC being the current NCC and the second NH being the current NH.
With reference to the first possible implementation of the third aspect, in a third possible implementation of the third aspect, the Forward Relocation Request message carries the first next hop chaining counter (NCC) and the first next hop (NH), the first NCC being obtained by the first MME by adding one to the second NCC, the first NH being calculated by the first MME from the second NH, the second NCC being the current NCC and the second NH being the current NH; or,
the Forward Relocation Request message carries the second next hop chaining counter (NCC) and the second next hop (NH), the second NCC being the current NCC and the second NH being the current NH.
With reference to the third aspect, in a fourth possible implementation of the third aspect, keeping the key KeNB shared between the evolved base station eNB and the UE unchanged includes:
determining, according to the handover trigger message or the handover request message, that the handover cause is a core-network-triggered handover, and keeping the KeNB unchanged.
In a fourth aspect, the present invention provides a method of encrypting data, the method including:
sending a handover trigger message to an evolved base station (eNB), the handover trigger message carrying the identifier of a user equipment (UE), so that the eNB sends a Handover Required message to a first mobility management entity (MME) according to the handover trigger message;
receiving the Handover Required message sent by the eNB, and obtaining a second next hop chaining counter (NCC) and a second next hop (NH), the second NCC being the current NCC and the second NH being the current NH;
sending a Forward Relocation Request message carrying the handover cause to a second MME, so that the second MME sends a handover request message to the eNB, so that the eNB keeps the key KeNB shared between the eNB and the UE unchanged and encrypts the data communicated between the eNB and the UE according to the KeNB.
With reference to the fourth aspect, in a first possible implementation of the fourth aspect, the handover request message carries a first NCC and a first NH, the first NCC being obtained by the first MME by adding one to the second NCC, the first NH being calculated by the first MME from the second NH; or,
the handover request message carries the second NCC and the second NH.
With reference to the fourth aspect, in a second possible implementation of the fourth aspect, the Forward Relocation Request message carries the first NCC and the first NH, the first NCC being obtained by the first MME by adding one to the second NCC, the first NH being calculated by the first MME from the second NH; or,
the Forward Relocation Request message carries the second NCC and the second NH.
With reference to the fourth aspect, in a third possible implementation of the fourth aspect, before sending the Forward Relocation Request message to the second mobility management entity MME, the method further includes:
setting the next hop indicator (NHI) of the Forward Relocation Request message to a preset identifier and carrying the second NCC and the second NH; or,
setting the next hop indicator NHI_old of the old evolved packet system (EPS) security context in the Forward Relocation Request message to the preset identifier and carrying the second NCC and the second NH.
In a fifth aspect, the present invention provides a device for encrypting data, the device including a first memory and a first processor, configured to execute the method of encrypting data according to any claim of the third aspect.
In a sixth aspect, the present invention provides a device for encrypting data, the device including a second memory and a second processor, configured to execute the method of encrypting data according to any claim of the fourth aspect.
In the embodiments of the present invention, the eNB receives the handover trigger message sent by the first MME and the handover request message sent by the second MME, determines from the handover trigger message or the handover request message that the handover cause is a core-network-triggered handover, obtains the KeNB currently shared with the UE, and uses that KeNB as the updated key KeNB* after the MME is switched, i.e. keeps the KeNB between the eNB and the UE unchanged, and encrypts the data communicated between the eNB and the UE according to the KeNB or KeNB*. This guarantees that the KeNB on the eNB side is synchronized with the KeNB on the UE side.
Description of the drawings
To describe the technical solutions in the embodiments of the present invention more clearly, the drawings required for describing the embodiments are briefly introduced below. Clearly, the drawings in the following description are only some embodiments of the present invention, and a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic structural diagram of a device for encrypting data provided by Embodiment 1 of the present invention;
Fig. 2 is a schematic structural diagram of a device for encrypting data provided by Embodiment 2 of the present invention;
Fig. 3 is a flowchart of a method of encrypting data provided by Embodiment 3 of the present invention;
Fig. 4 is a flowchart of a method of encrypting data provided by Embodiment 4 of the present invention;
Fig. 5 is a flowchart of a method of encrypting data provided by Embodiment 5 of the present invention;
Fig. 6 is a flowchart of a method of encrypting data provided by Embodiment 6 of the present invention;
Fig. 7 is a schematic structural diagram of a device for encrypting data provided by Embodiment 7 of the present invention;
Fig. 8 is a schematic structural diagram of a device for encrypting data provided by Embodiment 8 of the present invention.
Specific embodiments
To make the objectives, technical solutions and advantages of the present invention clearer, the embodiments of the present invention are described in further detail below with reference to the drawings.
Embodiment 1
Embodiment 1 of the present invention provides a device for encrypting data. Referring to Fig. 1, the device includes:
a first receiving module 101, configured to receive a handover trigger message sent by the first MME, the handover trigger message carrying the identifier of the user equipment (UE);
When the first MME learns from the UE's subscription information that the UE needs to be handed over from the first MME of the general network to the second MME of the dedicated network, it obtains the identifier of the UE and sends a handover trigger message carrying that identifier to the first receiving module 101. The eNB receives the handover trigger message sent by the first MME.
The identifier of the UE is any identifier that can identify the UE; the embodiments of the present invention do not limit it specifically. For example, the identifier of the UE may be the MME UE S1AP (Access Point) ID (Identity), i.e. the identifier with which the MME uniquely identifies the UE on the S1 interface, or the eNB UE S1AP ID, i.e. the identifier with which the eNB uniquely identifies the UE on the S1 interface. The first MME is the MME to which the UE is currently attached.
It should be noted that before the first MME learns from the UE's subscription information that the UE needs to be handed over from the first MME of the general network to the second MME of the dedicated network, the UE initiates an attach procedure to the general network and establishes a PDN (Public Data Network) connection with the S-GW (Serving Gateway) or P-GW (PDN Gateway) on the network side.
a second receiving module 102, configured to receive a handover request message sent by the second MME.
In order to redirect the UE from the first MME to the second MME, the second MME sends a handover request message to the second receiving module 102, and the second receiving module 102 receives the handover request message sent by the second MME.
Further, when the second receiving module 102 receives the handover request message sent by the second MME, it sends a handover acknowledgement message to the second MME. The handover acknowledgement message notifies the second MME that this handover can be performed.
a keeping module 103, configured to keep the key KeNB shared between the evolved base station (eNB) and the UE unchanged;
The keeping module 103 includes:
a determination unit, configured to determine, according to the handover trigger message or the handover request message, that the handover cause is a core-network-triggered handover;
Since the handover trigger message is sent by the first MME, the determination unit can determine from the handover trigger message sent by the first MME that this handover cause is a core-network-triggered handover; alternatively, the handover request message carries the handover cause, and the determination unit can determine from that handover cause that the handover is a core-network-triggered handover.
A core-network-triggered handover only switches the MME to which the UE is attached; the cell and the base station where the UE is located do not change.
a holding unit, configured to keep the KeNB unchanged.
The holding unit obtains the KeNB currently shared between the eNB and the UE and uses that KeNB as the key KeNB* after the MME is switched.
an encrypting module 104, configured to encrypt the data communicated between the eNB and the UE according to the KeNB or KeNB*.
Specifically, the encrypting module 104 calculates a first key and a second key from KeNB*, and uses the first key and the second key to encrypt and integrity-protect the data communicated between the eNB and the UE.
It should be noted that if the handover request message carries a first {NCC, NH} pair, the eNB ignores the first {NCC, NH} pair and keeps the KeNB unchanged.
Further, the device also includes:
a determining module, configured to determine, according to the handover trigger message, that the handover cause is a core-network-triggered handover;
a first sending module, configured to send a Handover Required message carrying the handover cause to the first MME, so that the first MME sends a Forward Relocation Request message carrying the handover cause to the second MME, so that the second MME sends the handover request message to the eNB.
Specifically, after the first receiving module 101 receives the handover trigger message sent by the first MME, the determining module determines from the handover trigger message that the handover cause is a core-network-triggered handover, and the first sending module sends a Handover Required message carrying the handover cause to the first MME; the first MME receives the Handover Required message sent by the first sending module and sends a Forward Relocation Request message carrying the handover cause to the second MME; the second MME receives the Forward Relocation Request message sent by the first MME and sends a handover request message to the second receiving module 102.
The handover cause carried in the Forward Relocation Request message notifies the second MME that this handover is a core-network-triggered handover. The Forward Relocation Request message may also carry Kasme and a KSI (Key Set Identifier); the Kasme and KSI are used to derive the non-access stratum (NAS) keys.
Further, the handover request message may carry no {NCC, NH} pair at all; it may carry a first next hop chaining counter (NCC) and a first next hop (NH), the first NCC being obtained by the first MME by adding one to the second NCC, the first NH being calculated by the first MME from the second NH, the second NCC being the current NCC and the second NH being the current NH; or it may carry the second next hop chaining counter (NCC) and the second next hop (NH), the second NCC being the current NCC and the second NH being the current NH.
When the first MME receives the Handover Required message, it obtains the second NCC and the second NH. If the first MME calculates the first NCC and the first NH from the second NCC and the second NH, the handover request message carries the first NCC and the first NH; if the first MME does not calculate the first NCC and the first NH from the second NCC and the second NH, the handover request message carries the second NCC and the second NH.
Further, the handover request message may also carry the handover cause.
The Forward Relocation Request message carries the first NCC and the first NH, the first NCC being obtained by the first MME by adding one to the second NCC, the first NH being calculated by the first MME from the second NH, the second NCC being the current NCC and the second NH being the current NH; or the Forward Relocation Request message carries the second NCC and the second NH, the second NCC being the current NCC and the second NH being the current NH.
Further, after the MME to which the UE is attached has been switched from the first MME to the second MME, the second MME sends a Forward Relocation Response message to the first MME.
Further, when the handover request message carries no {NCC, NH} pair, then after the eNB has switched the MME to which the UE is attached from the first MME to the second MME, the second MME adds one to the second NCC to obtain the first NCC, calculates the first NH from the second NH, and sends a path switch message carrying the first {NCC, NH} pair to the eNB. The eNB receives the path switch message sent by the second MME and obtains the first {NCC, NH} pair.
In the embodiments of the present invention, the eNB receives the handover trigger message sent by the first MME and the handover request message sent by the second MME, determines from the handover trigger message or the handover request message that the handover cause is a core-network-triggered handover, obtains the KeNB currently shared with the UE, and uses that KeNB as the updated key KeNB* after the MME is switched, i.e. keeps the KeNB between the eNB and the UE unchanged, and encrypts the data communicated between the eNB and the UE according to the KeNB or KeNB*. This guarantees that the KeNB on the eNB side is synchronized with the KeNB on the UE side.
Embodiment 2
The embodiment of the invention provides a kind of devices of encryption data.Referring to fig. 2, wherein the device includes:
Second sending module 201 gives evolved base station eNB for sending handoff trigger message, which takes Mark with user equipment (UE) makes eNB send switching according to the handoff trigger message and needs message;
Wherein, the first MME know from the signing information of UE need for UE to be switched to from the first MME of general network it is specific When two MME of network, the mark of UE is obtained, the second sending module 201 sends handoff trigger message to the first receiving module 101, which carries the mark of UE.ENB receives the handoff trigger message that the first MME is sent.
Wherein, UE is identified as any mark that can identify UE, in embodiments of the present invention, does not do and has to the mark of UE Body limits.For example, UE's is identified as the i.e. MME of MME UE S1AP the ID mark of unique identification UE or eNB UE on S1 interface The mark etc. of S1AP ID, that is, eNB unique identification UE on S1 interface.First MME is the MME that UE currently adheres to.
Wherein, it should be noted that needed UE from general network is known from the signing information of UE in the first MME One MME is switched to before the 2nd MME of particular network, UE to general network initiate attachment flow, and with the S-GW of network side or Person P-GW establishes PDN connection.
Third receiving module 202, the switching for receiving eNB transmission need message;
Wherein, eNB, which sends to switch according to handoff trigger message, needs message to third receiving module 202, and third receives mould Block 202 receives the switching that eNB is sent and needs message.
An obtaining module, for obtaining the second next-hop chain counter NCC and the second next-hop NH, where the second NCC is the current NCC and the second NH is the current NH;
A third sending module 203, for sending a forward relocation request message to the second mobility management entity MME, the forward relocation request message carrying a handover cause, so that the second MME sends a handover request message to the eNB, and the eNB keeps the key KeNB shared between the eNB and the UE unchanged and encrypts the data communicated between the eNB and the UE according to that KeNB.
Further, the handover request message carries the first NCC and the first NH, where the first NCC is obtained by the first MME by adding one to the second NCC and the first NH is calculated by the first MME from the second NH; alternatively, the handover request message carries the second NCC and the second NH.
Further, the handover request message may also carry the handover cause.
The third receiving module 202 receives the handover required message sent by the eNB, confirms from the handover cause in that message that the handover is triggered by the core network, obtains the second {NCC, NH} pair, and calculates the first {NCC, NH} pair from the second {NCC, NH} pair, i.e. adds one to the second NCC to obtain the first NCC and calculates the first NH from the second NH.
The second {NCC, NH} pair is the current (or old) {NCC, NH} pair and comprises the second NCC and the second NH; the first {NCC, NH} pair is the fresh {NCC, NH} pair and comprises the first NCC and the first NH.
The second NCC is the current NCC; the second NH is the current NH.
Further, the first MME sends a forward relocation request message to the second MME, the forward relocation request message carrying the handover cause and the first {NCC, NH} pair, or alternatively carrying the handover cause and the second {NCC, NH} pair. The second MME receives the forward relocation request message sent by the first MME and sends a handover request message to the eNB.
The handover cause carried in the forward relocation request message notifies the second MME that this handover is a core-network-triggered handover. The forward relocation request message may also carry Kasme and the KSI, which are used to derive the Non-Access Stratum (NAS) keys.
The second MME receives the forward relocation request message sent by the first MME, determines from the handover cause in the forward relocation request message that this is a core-network-triggered handover, and the handover request message the second MME sends to the eNB carries no {NCC, NH} pair information. Alternatively, if the forward relocation request message carries the first {NCC, NH} pair, the second MME receives the forward relocation request message sent by the first MME, determines from the handover cause in it that this is a core-network-triggered handover, obtains the first {NCC, NH} pair from the forward relocation request message, and carries the first {NCC, NH} pair in the handover request message it sends to the eNB. Alternatively, if the forward relocation request message carries the second {NCC, NH} pair, the second MME receives the forward relocation request message sent by the first MME, determines from the handover cause in it that this is a core-network-triggered handover, obtains the second {NCC, NH} pair from the forward relocation request message, and carries the second {NCC, NH} pair in the handover request message it sends to the eNB.
The second MME is any MME other than the first MME; the embodiments of the present invention do not specifically limit the second MME. For example, the second MME is a particular MME.
Further, the eNB receives the handover request message sent by the second MME and sends a handover acknowledge message to the second MME; the eNB keeps the key KeNB shared between the eNB and the UE unchanged and encrypts the data communicated between the eNB and the UE according to that KeNB.
Specifically, the eNB determines, according to the handover trigger message or the handover request message, that the handover cause is a core-network-triggered handover, obtains the KeNB currently shared between the eNB and the UE, and uses that KeNB as the key KeNB* after the MME switch; the eNB calculates a first key and a second key from KeNB*, and uses the first key and the second key to encrypt and integrity-protect the data communicated between the eNB and the UE.
The handover acknowledge message notifies the second MME that this handover can proceed.
Note that if the handover request message carries the first {NCC, NH} pair, the eNB ignores the first {NCC, NH} pair and keeps the KeNB unchanged.
Further, the second MME sends a forward relocation response message to the first MME.
Further, when the handover request message carries no {NCC, NH} pair information, after the eNB has switched the MME to which the UE is attached from the first MME to the second MME, the second MME adds one to the second NCC to obtain the first NCC, calculates the first NH from the second NH, and sends a path change message to the eNB, the path change message carrying the first {NCC, NH} pair. The eNB receives the path change message sent by the second MME and obtains the first {NCC, NH} pair.
Further, the device also includes:
A first carrying module, for setting the next-hop indicator NHI of the forward relocation request message to a preset mark and carrying the second NCC and the second NH; or alternatively,
A second carrying module, for setting the next-hop indicator for the old evolved packet system EPS security context, NHI_old, of the forward relocation request message to the preset mark and carrying the second NCC and the second NH.
In the embodiments of the present invention, the eNB receives the handover trigger message sent by the first MME and the handover request message sent by the second MME, determines from the handover trigger message or the handover request message that the handover cause is a core-network-triggered handover, obtains the KeNB currently shared with the UE, and uses that KeNB as the updated key KeNB* after the MME switch, i.e. keeps the KeNB between the eNB and the UE unchanged, and encrypts the data communicated between the eNB and the UE according to the KeNB or KeNB*, thereby ensuring that the KeNB on the eNB side stays synchronized with the KeNB on the UE side.
Embodiment 3
An embodiment of the present invention provides a method of encrypting data. Referring to Fig. 3, the method comprises:
Step 301: receiving a handover trigger message sent by the first MME, the handover trigger message carrying the identifier of the UE;
Step 302: receiving a handover request message sent by the second MME;
Step 303: keeping the key KeNB shared between the eNB and the UE unchanged, and encrypting the data communicated between the eNB and the UE according to that KeNB.
In the embodiments of the present invention, the eNB receives the handover trigger message sent by the first MME and the handover request message sent by the second MME, determines from the handover trigger message or the handover request message that the handover cause is a core-network-triggered handover, obtains the KeNB currently shared with the UE, and uses that KeNB as the updated key KeNB* after the MME switch, i.e. keeps the KeNB between the eNB and the UE unchanged, and encrypts the data communicated between the eNB and the UE according to the KeNB or KeNB*, thereby ensuring that the KeNB on the eNB side stays synchronized with the KeNB on the UE side.
Embodiment 4
An embodiment of the present invention provides a method of encrypting data. Referring to Fig. 4, the method comprises:
Step 401: the first MME sends a handover trigger message to the eNB, the handover trigger message carrying the identifier of the UE;
Specifically, when the first MME learns from the subscription information of the UE that the UE needs to be switched from the first MME of the general network to the second MME of a specific network, it obtains the identifier of the UE and sends a handover trigger message to the eNB, the handover trigger message carrying the identifier of the UE.
The identifier of the UE is any identifier that can identify the UE; the embodiments of the present invention do not specifically limit the identifier of the UE. For example, the identifier of the UE may be the MME UE S1AP ID, i.e. the identifier by which the MME uniquely identifies the UE on the S1 interface, or the eNB UE S1AP ID, i.e. the identifier by which the eNB uniquely identifies the UE on the S1 interface. The first MME is the MME to which the UE is currently attached.
Note that before step 401, the UE initiates an attach procedure to the general network and establishes a PDN connection with the S-GW or P-GW on the network side.
Step 402: the eNB receives the handover trigger message sent by the first MME and determines, according to the handover trigger message, that the handover cause is a core-network-triggered handover;
Since the handover trigger message is sent by the first MME, the eNB can determine from the handover trigger message sent by the first MME that the cause of this handover is a core-network-triggered handover; a core-network-triggered handover only switches the MME to which the UE is attached, while the cell and base station serving the UE do not change.
Step 403: the eNB sends a handover required message to the first MME, the handover required message carrying the handover cause;
Step 404: the first MME receives the handover required message sent by the eNB and calculates the first NCC and the first NH according to the handover required message;
Specifically, the first MME receives the handover required message sent by the eNB, confirms from the handover required message that the handover cause is a core-network-triggered handover, obtains the second {NCC, NH} pair, and calculates the first {NCC, NH} pair from the second {NCC, NH} pair, i.e. adds one to the second NCC to obtain the first NCC and calculates the first NH from the second NH.
The second {NCC, NH} pair is the current (or old) {NCC, NH} pair and comprises the second NCC and the second NH; the first {NCC, NH} pair is the fresh {NCC, NH} pair and comprises the first NCC and the first NH.
The second NCC is the current NCC; the second NH is the current NH.
Step 405: the first MME sends a forward relocation request message to the second MME, the forward relocation request message carrying the handover cause and the first {NCC, NH} pair;
The handover cause carried in the forward relocation request message notifies the second MME that this handover is a core-network-triggered handover.
Further, the forward relocation request message may also carry Kasme and the KSI (Key Set Identifier), which are used to derive the Non-Access Stratum (NAS) keys.
The second MME is any MME other than the first MME; the embodiments of the present invention do not specifically limit the second MME. For example, the second MME is a particular MME.
Step 406: the second MME receives the forward relocation request message sent by the first MME and sends a handover request message to the eNB;
Specifically, the second MME receives the forward relocation request message sent by the first MME and determines from the handover cause in the forward relocation request message that this is a core-network-triggered handover; the handover request message the second MME sends to the eNB then carries no {NCC, NH} pair information. Alternatively, the second MME receives the forward relocation request message sent by the first MME, determines from the handover cause in the forward relocation request message that this is a core-network-triggered handover, obtains the first {NCC, NH} pair from the forward relocation request message, and carries the first {NCC, NH} pair in the handover request message it sends to the eNB.
Further, the handover request message may also carry the handover cause.
Step 407: the eNB receives the handover request message sent by the second MME and sends a handover acknowledge message to the second MME;
The handover acknowledge message notifies the second MME that this handover can proceed.
Step 408: the eNB keeps the key KeNB shared between the eNB and the UE unchanged, and encrypts the data communicated between the eNB and the UE according to the KeNB or KeNB*;
Specifically, the eNB determines, according to the handover trigger message or the handover request message, that the handover cause is a core-network-triggered handover, obtains the KeNB currently shared between the eNB and the UE, and uses that KeNB as the key KeNB* after the MME switch; the eNB calculates a first key and a second key from KeNB*, and uses the first key and the second key to encrypt and integrity-protect the data communicated between the eNB and the UE.
Note that if the handover request message carries the first {NCC, NH} pair, the eNB ignores the first {NCC, NH} pair and keeps the KeNB unchanged.
Step 409: the second MME sends a forward relocation response message to the first MME.
Further, when the handover request message does not carry the first {NCC, NH} pair, after the eNB has switched the MME to which the UE is attached from the first MME to the second MME, the second MME sends a path change message to the eNB, the path change message carrying the first {NCC, NH} pair. The eNB receives the path change message sent by the second MME and obtains the first {NCC, NH} pair.
In the embodiments of the present invention, the eNB receives the handover trigger message sent by the first MME and the handover request message sent by the second MME, determines from the handover trigger message or the handover request message that the handover cause is a core-network-triggered handover, obtains the KeNB currently shared with the UE, and uses that KeNB as the updated key KeNB* after the MME switch, i.e. keeps the KeNB between the eNB and the UE unchanged, and encrypts the data communicated between the eNB and the UE according to the KeNB or KeNB*, thereby ensuring that the KeNB on the eNB side stays synchronized with the KeNB on the UE side.
Embodiment 5
An embodiment of the present invention provides a method of encrypting data. Referring to Fig. 5, the method comprises:
Step 501: sending a handover trigger message to the eNB, the handover trigger message carrying the identifier of the UE, so that the eNB sends a handover required message to the first MME according to the handover trigger message;
Step 502: receiving the handover required message sent by the eNB, and obtaining the second NCC and the second NH, where the second NCC is the current NCC and the second NH is the current NH;
Step 503: sending a forward relocation request message to the second MME, the forward relocation request message carrying the handover cause, so that the second MME sends a handover request message to the eNB, and the eNB keeps the key KeNB shared between the eNB and the UE unchanged and encrypts the data communicated between the eNB and the UE according to that KeNB.
In the embodiments of the present invention, the eNB receives the handover trigger message sent by the first MME and the handover request message sent by the second MME, determines from the handover trigger message or the handover request message that the handover cause is a core-network-triggered handover, obtains the KeNB currently shared with the UE, and uses that KeNB as the updated key KeNB* after the MME switch, i.e. keeps the KeNB between the eNB and the UE unchanged, and encrypts the data communicated between the eNB and the UE according to the KeNB or KeNB*, thereby ensuring that the KeNB on the eNB side stays synchronized with the KeNB on the UE side.
Embodiment 6
An embodiment of the present invention provides a method of encrypting data. Referring to Fig. 6, the method comprises:
Step 601: the first MME sends a handover trigger message to the eNB, the handover trigger message carrying the identifier of the UE;
Specifically, when the first MME learns from the subscription information of the UE that the UE needs to be switched from the first MME of the general network to the second MME of a specific network, it obtains the identifier of the UE and sends a handover trigger message to the eNB, the handover trigger message carrying the identifier of the UE.
The identifier of the UE is any identifier that can identify the UE; the embodiments of the present invention do not specifically limit the identifier of the UE. For example, the identifier of the UE may be the MME UE S1AP ID, i.e. the identifier by which the MME uniquely identifies the UE on the S1 interface, or the eNB UE S1AP ID, i.e. the identifier by which the eNB uniquely identifies the UE on the S1 interface. The first MME is the MME to which the UE is currently attached.
Note that before step 601, the UE initiates an attach procedure to the general network and establishes a PDN connection with the S-GW or P-GW on the network side.
Step 602: the eNB receives the handover trigger message sent by the first MME and determines, according to the handover trigger message, that the handover cause is a core-network-triggered handover;
Since the handover trigger message is sent by the first MME, the eNB can determine from the handover trigger message sent by the first MME that the cause of this handover is a core-network-triggered handover; a core-network-triggered handover only switches the MME to which the UE is attached, while the cell and base station serving the UE do not change.
Step 603: the eNB sends a handover required message to the first MME, the handover required message carrying the handover cause;
The handover cause indicates that the MME to which the UE is attached is to be switched; the handover cause may be any indication message, and the embodiments of the present invention do not specifically limit the handover cause. For example, the handover cause may be "core-network-triggered handover".
Step 604: the first MME receives the handover required message sent by the eNB and, according to the handover required message, sends a forward relocation request message to the second MME;
Specifically, the first MME receives the handover required message sent by the eNB, determines from the handover cause in the handover required message that this is a handover triggered by the core network, and sends a forward relocation request message to the second MME, the forward relocation request message carrying the handover cause and the second {NCC, NH} pair;
The second {NCC, NH} pair is the current (or old) {NCC, NH} pair and comprises the second NCC and the second NH; the second NCC is the current NCC and the second NH is the current NH.
The handover cause carried in the forward relocation request message notifies the second MME that this handover is a core-network-triggered handover.
Further, the forward relocation request message may also carry Kasme and the KSI, which are used to derive the Non-Access Stratum (NAS) keys.
The second MME is any MME other than the first MME; the embodiments of the present invention do not specifically limit the second MME. For example, the second MME is a particular MME.
Step 605: the second MME receives the forward relocation request message sent by the first MME and sends a handover request message to the eNB;
Specifically, the second MME receives the forward relocation request message sent by the first MME and determines from the handover cause in the forward relocation request message that this is a core-network-triggered handover; the handover request message the second MME sends to the eNB then carries no {NCC, NH} pair information. Alternatively, the second MME receives the forward relocation request message sent by the first MME, determines from the handover cause in the forward relocation request message that this is a core-network-triggered handover, obtains the second {NCC, NH} pair from the forward relocation request message, and carries the second {NCC, NH} pair in the handover request message it sends to the eNB.
Further, the handover request message may also carry the handover cause.
The NHI (Next Hop Indicator) of the forward relocation request message is set to a preset mark and the second NCC and the second NH are carried; alternatively, the NHI_old (Next Hop Indicator for old EPS (Evolved Packet System) Security Context) of the forward relocation request message is set to the preset mark and the second NCC and the second NH are carried.
The preset mark is any mark that can identify the NHI or NHI_old; the embodiments of the present invention do not specifically limit the preset mark. For example, the preset mark is 1.
Step 606: the eNB receives the handover request message sent by the second MME and sends a handover acknowledge message to the second MME;
The handover acknowledge message notifies the second MME that this handover can proceed.
Step 607: the eNB keeps the key KeNB shared between the eNB and the UE unchanged, and encrypts the data communicated between the eNB and the UE according to the KeNB or KeNB*;
Specifically, the eNB determines, according to the handover trigger message or the handover request message, that the handover cause is a core-network-triggered handover, obtains the KeNB currently shared between the eNB and the UE, and uses that KeNB as the key KeNB* after the MME switch; the eNB calculates a first key and a second key from KeNB*, and uses the first key and the second key to encrypt and integrity-protect the data communicated between the eNB and the UE.
Note that if the handover request message carries the second {NCC, NH} pair, the eNB ignores the second {NCC, NH} pair and keeps the KeNB unchanged.
Step 608: the second MME sends a forward relocation response message to the first MME.
Further, after the eNB has switched the MME to which the UE is attached from the first MME to the second MME, the second MME calculates the first {NCC, NH} pair from the second {NCC, NH} pair and sends a path change message to the eNB, the path change message carrying the first {NCC, NH} pair. The eNB receives the path change message sent by the second MME and obtains the first {NCC, NH} pair.
The second MME adds one to the second NCC to obtain the first NCC and calculates the first NH from the second NH; the second {NCC, NH} pair is the current {NCC, NH} pair and comprises the second NCC and the second NH; the first {NCC, NH} pair is the fresh {NCC, NH} pair and comprises the first NCC and the first NH.
In the embodiments of the present invention, the eNB receives the handover trigger message sent by the first MME and the handover request message sent by the second MME, determines from the handover trigger message or the handover request message that the handover cause is a core-network-triggered handover, obtains the KeNB currently shared with the UE, and uses that KeNB as the updated key KeNB* after the MME switch, i.e. keeps the KeNB between the eNB and the UE unchanged, and encrypts the data communicated between the eNB and the UE according to the KeNB or KeNB*, thereby ensuring that the KeNB on the eNB side stays synchronized with the KeNB on the UE side.
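The following Python model is an added example, not code from the patent: it walks through the message exchange of Embodiment 4 (the first MME forwards the fresh first {NCC, NH} pair) and Embodiment 6 (it forwards the current second pair with NHI set), and shows that the eNB keeps KeNB and so ends up with the same first and second keys as the UE, whereas a normal-handover derivation from the forwarded NH would not. The KDF layout, FC values, algorithm distinguishers and all keys and cell parameters are assumptions taken from 3GPP TS 33.401 Annex A or constructed here, not from the page.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Added example, not the patent's code. KDF layout, FC values and algorithm
# distinguishers are assumptions taken from 3GPP TS 33.401 Annex A, not from the page.
CAUSE_CN_TRIGGERED = "core-network-triggered handover"


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """3GPP-style KDF: HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 ...)."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_nh(kasme: bytes, sync_input: bytes) -> bytes:
    """Next-hop parameter NH (FC=0x12); SYNC-input is the previous NH (or the initial KeNB)."""
    return kdf(kasme, 0x12, sync_input)


def derive_kenb_star(nh: bytes, pci: int, earfcn_dl: int) -> bytes:
    """KeNB* of an ordinary handover (FC=0x13): derived from NH, PCI and EARFCN-DL."""
    return kdf(nh, 0x13, pci.to_bytes(2, "big"), earfcn_dl.to_bytes(3, "big"))


def derive_as_keys(kenb: bytes) -> Dict[str, bytes]:
    """First key (ciphering) and second key (integrity) from KeNB (FC=0x15, EEA2/EIA2 = 0x02)."""
    dist = {"rrc_enc": 0x03, "rrc_int": 0x04, "up_enc": 0x05}
    return {n: kdf(kenb, 0x15, bytes([d]), bytes([0x02]))[16:] for n, d in dist.items()}


@dataclass
class ForwardRelocationRequest:
    cause: str
    ncc: int
    nh: bytes
    kasme: bytes       # the page allows Kasme/KSI in this message
    nhi: bool = False  # NHI set to the preset mark: the pair is the current one (Embodiment 6)


@dataclass
class HandoverRequest:
    cause: str
    pair: Optional[Tuple[int, bytes]]  # {NCC, NH} pair, or None when the second MME omits it


def mme1_on_handover_required(kasme: bytes, cur_ncc: int, cur_nh: bytes, fresh: bool):
    """Embodiment 4 (fresh): send the first pair {NCC+1, NH'}; Embodiment 6: send the current pair."""
    if fresh:
        return ForwardRelocationRequest(CAUSE_CN_TRIGGERED, cur_ncc + 1, derive_nh(kasme, cur_nh), kasme)
    return ForwardRelocationRequest(CAUSE_CN_TRIGGERED, cur_ncc, cur_nh, kasme, nhi=True)


def mme2_on_forward_relocation(req: ForwardRelocationRequest, include_pair: bool) -> HandoverRequest:
    """The second MME either omits the pair or passes on what the first MME sent."""
    return HandoverRequest(req.cause, (req.ncc, req.nh) if include_pair else None)


def mme2_path_change_pair(req: ForwardRelocationRequest) -> Tuple[int, bytes]:
    """After the MME change the second MME sends the first (fresh) pair in the path change message."""
    if req.nhi:  # it holds the current pair, so it derives the fresh one itself
        return req.ncc + 1, derive_nh(req.kasme, req.nh)
    return req.ncc, req.nh


def enb_on_handover_request(kenb: bytes, hr: HandoverRequest, pci: int, earfcn_dl: int) -> bytes:
    """Return the KeNB* the eNB uses after the switch."""
    if hr.cause == CAUSE_CN_TRIGGERED:
        # Only the serving MME changes; the cell and the UE's KeNB do not, so the
        # eNB keeps KeNB and ignores any {NCC, NH} pair to stay in sync with the UE.
        return kenb
    _, nh = hr.pair  # ordinary handover with a cell change: not the patent's case
    return derive_kenb_star(nh, pci, earfcn_dl)


def run_mme_change(fresh: bool, include_pair: bool) -> Dict[str, object]:
    """Run one MME change with constructed keys and report what each side ends up using."""
    kasme = hashlib.sha256(b"constructed Kasme").digest()
    kenb = hashlib.sha256(b"constructed KeNB").digest()
    cur_ncc, cur_nh = 2, derive_nh(kasme, kenb)  # current (second) {NCC, NH} pair
    pci, earfcn_dl = 123, 1850                    # constructed cell parameters
    req = mme1_on_handover_required(kasme, cur_ncc, cur_nh, fresh)
    hr = mme2_on_forward_relocation(req, include_pair)
    kenb_star = enb_on_handover_request(kenb, hr, pci, earfcn_dl)
    ps_ncc, _ = mme2_path_change_pair(req)
    return {
        "kenb_unchanged": kenb_star == kenb,
        "enb_keys": derive_as_keys(kenb_star),
        "ue_keys": derive_as_keys(kenb),  # the UE was never told to re-key
        "path_change_ncc": ps_ncc,
        # What a normal-handover derivation from the forwarded NH would have produced:
        "naive_kenb_star": derive_kenb_star(req.nh, pci, earfcn_dl),
        "kenb": kenb,
    }


if __name__ == "__main__":
    for fresh in (True, False):
        for include_pair in (True, False):
            r = run_mme_change(fresh, include_pair)
            print(fresh, include_pair, r["kenb_unchanged"], r["enb_keys"] == r["ue_keys"])
```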
Embodiment 7
An embodiment of the present invention provides a device for encrypting data. Referring to Fig. 7, the device includes a first memory 701 and a first processor 702 for executing the following method of encrypting data:
Receiving a handover trigger message sent by the first mobility management entity MME, the handover trigger message carrying the identifier of the user equipment UE;
Receiving a handover request message sent by the second MME;
Keeping the key KeNB shared between the evolved base station eNB and the UE unchanged, and encrypting the data communicated between the eNB and the UE according to that KeNB.
Further, after receiving the handover trigger message sent by the first mobility management entity MME, the method also includes:
Determining, according to the handover trigger message, that the handover cause is a core-network-triggered handover;
Sending a handover required message to the first MME, the handover required message carrying the handover cause, so that the first MME sends a forward relocation request message to the second MME, the forward relocation request message carrying the handover cause, so that the second MME sends the handover request message to the eNB.
Further, the handover request message carries the first next-hop chain counter NCC and the first next-hop NH, where the first NCC is obtained by the first MME by adding one to the second NCC, the first NH is calculated by the first MME from the second NH, the second NCC is the current NCC and the second NH is the current NH; or alternatively,
The handover request message carries the second next-hop chain counter NCC and the second next-hop NH, where the second NCC is the current NCC and the second NH is the current NH.
Further, the forward relocation request message carries the first next-hop chain counter NCC and the first next-hop NH, where the first NCC is obtained by the first MME by adding one to the second NCC, the first NH is calculated by the first MME from the second NH, the second NCC is the current NCC and the second NH is the current NH; or alternatively,
The forward relocation request message carries the second next-hop chain counter NCC and the second next-hop NH, where the second NCC is the current NCC and the second NH is the current NH.
Further, keeping the key KeNB shared between the evolved base station eNB and the UE unchanged comprises:
Determining, according to the handover trigger message or the handover request message, that the handover cause is a core-network-triggered handover, and keeping the KeNB unchanged.
In the embodiments of the present invention, the eNB receives the handover trigger message sent by the first MME and the handover request message sent by the second MME, determines from the handover trigger message or the handover request message that the handover cause is a core-network-triggered handover, obtains the KeNB currently shared with the UE, and uses that KeNB as the updated key KeNB* after the MME switch, i.e. keeps the KeNB between the eNB and the UE unchanged, and encrypts the data communicated between the eNB and the UE according to the KeNB or KeNB*, thereby ensuring that the KeNB on the eNB side stays synchronized with the KeNB on the UE side.
Embodiment 8
An embodiment of the present invention provides a device for encrypting data. Referring to Fig. 8, the device includes a second memory 801 and a second processor 802 for executing the following method of encrypting data:
Sending a handover trigger message to the evolved base station eNB, the handover trigger message carrying the identifier of the user equipment (UE), so that the eNB sends a handover required message to the first mobility management entity MME according to the handover trigger message;
Receiving the handover required message sent by the eNB, and obtaining the second next-hop chain counter NCC and the second next-hop NH, where the second NCC is the current NCC and the second NH is the current NH;
Sending a forward relocation request message to the second MME, the forward relocation request message carrying the handover cause, so that the second MME sends a handover request message to the eNB, and the eNB keeps the key KeNB shared between the eNB and the UE unchanged and encrypts the data communicated between the eNB and the UE according to that KeNB.
Further, the handover request message carries the first NCC and the first NH, where the first NCC is obtained by the first MME by adding one to the second NCC and the first NH is calculated by the first MME from the second NH; or alternatively,
The handover request message carries the second NCC and the second NH.
Further, the forward relocation request message carries the first NCC and the first NH, where the first NCC is obtained by the first MME by adding one to the second NCC and the first NH is calculated by the first MME from the second NH; or alternatively,
The forward relocation request message carries the second NCC and the second NH.
Further, before sending the forward relocation request message to the second mobility management entity MME, the method also includes:
Setting the next-hop indicator NHI of the forward relocation request message to a preset mark, and carrying the second NCC and the second NH; or alternatively,
Setting the next-hop indicator for the old evolved packet system EPS security context, NHI_old, of the forward relocation request message to the preset mark, and carrying the second NCC and the second NH.
In the embodiments of the present invention, the eNB receives the handover trigger message sent by the first MME and the handover request message sent by the second MME, determines from the handover trigger message or the handover request message that the handover cause is a core-network-triggered handover, obtains the KeNB currently shared with the UE, and uses that KeNB as the updated key KeNB* after the MME switch, i.e. keeps the KeNB between the eNB and the UE unchanged, and encrypts the data communicated between the eNB and the UE according to the KeNB or KeNB*, thereby ensuring that the KeNB on the eNB side stays synchronized with the KeNB on the UE side.
A person of ordinary skill in the art will understand that all or part of the steps of the above embodiments can be implemented by hardware, or by a program instructing the relevant hardware; the program can be stored in a computer-readable storage medium, and the storage medium may be a read-only memory, a magnetic disk, an optical disc or the like.
The foregoing are merely preferred embodiments of the present invention and are not intended to limit the invention; any modification, equivalent replacement, improvement or the like made within the spirit and principles of the present invention shall be included in the scope of protection of the present invention.

Claims (20)

1. A device for encrypting data, characterized in that the device includes:
A first receiving module, for receiving a handover trigger message sent by a first mobility management entity MME, the handover trigger message carrying the identifier of a user equipment (UE);
A second receiving module, for receiving a handover request message sent by a second MME;
A keeping module, for keeping the key KeNB shared between an evolved base station eNB and the UE unchanged;
An encrypting module, for encrypting the data communicated between the eNB and the UE according to the KeNB.
2. The device according to claim 1, characterized in that the device further includes:
A determining module, for determining, according to the handover trigger message, that the handover cause is a core-network-triggered handover;
A first sending module, for sending a handover required message to the first MME, the handover required message carrying the handover cause, so that the first MME sends a forward relocation request message to the second MME, the forward relocation request message carrying the handover cause, so that the second MME sends the handover request message to the eNB.
3. The device according to claim 1, characterized in that the handover request message carries a first next-hop chain counter NCC and a first next-hop NH, the first NCC being obtained by the first MME by adding one to a second NCC, the first NH being calculated by the first MME from a second NH, the second NCC being the current NCC and the second NH being the current NH; or alternatively,
The handover request message carries a second next-hop chain counter NCC and a second next-hop NH, the second NCC being the current NCC and the second NH being the current NH.
4. The device according to claim 2, characterized in that the forward relocation request message carries a first next-hop chain counter NCC and a first next-hop NH, the first NCC being obtained by the first MME by adding one to a second NCC, the first NH being calculated by the first MME from a second NH, the second NCC being the current NCC and the second NH being the current NH; or alternatively,
The forward relocation request message carries a second next-hop chain counter NCC and a second next-hop NH, the second NCC being the current NCC and the second NH being the current NH.
5. The device according to claim 1, characterized in that the keeping module comprises:
A determining unit, for determining, according to the handover trigger message or the handover request message, that the handover cause is a core-network-triggered handover;
A keeping unit, for keeping the KeNB unchanged.
6. a kind of device of encryption data, which is characterized in that described device includes:
Second sending module gives evolved base station eNB for sending handoff trigger message, and the handoff trigger message carries user The mark of equipment UE makes the eNB send switching according to the handoff trigger message and message is needed to manage in fact to first movement Body MME;
Third receiving module needs message for receiving the switching that the eNB is sent;
Module is obtained, is current for obtaining the second next-hop chain counter NCC and the second next-hop NH, the 2nd NCC NCC, the 2nd NH are current NH;
Third sending module, it is described to weigh forward to the second mobility management entity MME for sending RELOCATION REQUEST message forward Locating request message carries switch reasons, and the 2nd MME is made to send switching request message to the eNB, so that the eNB is protected It is constant to hold the key KeNB shared between the eNB and the UE, and is led to according to the KeNB between the eNB and the UE The data of letter are encrypted.
7. The device according to claim 6, characterized in that the Handover Request message carries a first NCC and a first NH, where the first NCC is obtained by the first MME by adding one to the second NCC and the first NH is calculated by the first MME from the second NH; or,
the Handover Request message carries the second NCC and the second NH.
8. The device according to claim 6, characterized in that the Forward Relocation Request message carries a first NCC and a first NH, where the first NCC is obtained by the first MME by adding one to the second NCC and the first NH is calculated by the first MME from the second NH; or,
the Forward Relocation Request message carries the second NCC and the second NH.
9. The device according to claim 6, characterized in that the device further comprises:
a first carrying module, configured to set the Next Hop Indicator (NHI) of the Forward Relocation Request message to a default value and to carry the second NCC and the second NH; or,
a second carrying module, configured to set the Next Hop Indicator of the old evolved packet system (EPS) security context (NHI_old) of the Forward Relocation Request message to the default value and to carry the second NCC and the second NH.
10. A method for encrypting data, characterized in that the method comprises:
receiving a handover trigger message sent by a first mobility management entity (MME), the handover trigger message carrying the identifier of a user equipment (UE);
receiving a Handover Request message sent by a second MME;
keeping the key KeNB shared between an evolved NodeB (eNB) and the UE unchanged, and encrypting the data communicated between the eNB and the UE according to the KeNB.
11. The method according to claim 10, wherein, after receiving the handover trigger message sent by the first MME, the method further comprises:
determining from the handover trigger message that the handover cause is a core-network-triggered handover;
sending a Handover Required message to the first MME, the Handover Required message carrying the handover cause, so that the first MME sends a Forward Relocation Request message carrying the handover cause to the second MME, and the second MME in turn sends the Handover Request message to the eNB.
12. The method according to claim 10, characterized in that the Handover Request message carries a first Next hop Chaining Counter (NCC) and a first Next Hop (NH), where the first NCC is obtained by the first MME by adding one to a second NCC and the first NH is calculated by the first MME from a second NH, the second NCC being the current NCC and the second NH being the current NH; or,
the Handover Request message carries the second NCC and the second NH, where the second NCC is the current NCC and the second NH is the current NH.
13. The method according to claim 11, characterized in that the Forward Relocation Request message carries a first Next hop Chaining Counter (NCC) and a first Next Hop (NH), where the first NCC is obtained by the first MME by adding one to a second NCC and the first NH is calculated by the first MME from a second NH, the second NCC being the current NCC and the second NH being the current NH; or,
the Forward Relocation Request message carries the second NCC and the second NH, where the second NCC is the current NCC and the second NH is the current NH.
14. The method according to claim 10, characterized in that keeping the key KeNB shared between the eNB and the UE unchanged comprises:
determining from the handover trigger message or the Handover Request message that the handover cause is a core-network-triggered handover, and keeping the KeNB unchanged.
15. A method for encrypting data, characterized in that the method comprises:
sending a handover trigger message to an evolved NodeB (eNB), the handover trigger message carrying the identifier of a user equipment (UE), so that the eNB sends a Handover Required message to a first mobility management entity (MME) according to the handover trigger message;
receiving the Handover Required message sent by the eNB, and obtaining a second Next hop Chaining Counter (NCC) and a second Next Hop (NH), the second NCC being the current NCC and the second NH being the current NH;
sending a Forward Relocation Request message to a second MME, the Forward Relocation Request message carrying the handover cause, so that the second MME sends a Handover Request message to the eNB, whereupon the eNB keeps the key KeNB shared between the eNB and the UE unchanged and encrypts the data communicated between the eNB and the UE according to the KeNB.
16. The method according to claim 15, characterized in that the Handover Request message carries a first NCC and a first NH, where the first NCC is obtained by the first MME by adding one to the second NCC and the first NH is calculated by the first MME from the second NH; or,
the Handover Request message carries the second NCC and the second NH.
17. The method according to claim 15, characterized in that the Forward Relocation Request message carries a first NCC and a first NH, where the first NCC is obtained by the first MME by adding one to the second NCC and the first NH is calculated by the first MME from the second NH; or,
the Forward Relocation Request message carries the second NCC and the second NH.
18. The method according to claim 15, characterized in that, before sending the Forward Relocation Request message to the second mobility management entity (MME), the method further comprises:
setting the Next Hop Indicator (NHI) of the Forward Relocation Request message to a default value and carrying the second NCC and the second NH; or,
setting the Next Hop Indicator of the old evolved packet system (EPS) security context (NHI_old) of the Forward Relocation Request message to the default value and carrying the second NCC and the second NH.
19. A device for encrypting data, characterized in that the device comprises a first memory and a first processor configured to execute the method for encrypting data according to any one of claims 11 to 14.
20. A device for encrypting data, characterized in that the device comprises a second memory and a second processor configured to execute the method for encrypting data according to any one of claims 15 to 18.
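The claims describe an MME-relocation handover in which the serving eNB does not change: the first MME triggers it, the eNB answers with Handover Required, the first MME forwards a Forward Relocation Request (optionally with an advanced {NH, NCC} pair, or the current pair with NHI set to a default value) to the second MME, which sends Handover Request back to the same eNB, and the eNB keeps KeNB instead of deriving KeNB*. The Python model below is an added example written for this page; it is not code from the patent or from Huawei. The FC values (0x11 KeNB, 0x12 NH, 0x13 KeNB*, 0x15 algorithm keys) and the HMAC-SHA-256 KDF follow TS 33.401 Annex A as far as the author recalls them; the message dictionaries, cause labels, the NHI default value of 0, and all key material are constructed for illustration and are not the patent's encoding.

```python
"""Model of the core-network-triggered MME relocation handover in the claims.

Added example, not the patent's code. KDF constants follow TS 33.401 Annex A;
message layout, cause labels and key material are constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass, field

FC_KENB = 0x11         # initial KeNB from KASME and uplink NAS COUNT (A.3)
FC_NH = 0x12           # NH derivation (A.4)
FC_KENB_STAR = 0x13    # KeNB* derivation (A.5)
FC_ALG_KEY = 0x15      # algorithm key derivation (A.7)
UP_ENC_ALG = 0x05      # algorithm type distinguisher for UP-enc-alg (A.7)
CAUSE_CORE_NETWORK = "core-network-triggered"   # constructed label, e.g. MME load rebalancing
CAUSE_RADIO = "radio-triggered"                 # constructed label


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """TS 33.220 generic KDF: HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 ...)."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_nh(kasme: bytes, sync_input: bytes) -> bytes:
    """Next NH in the chain; SYNC-input is KeNB for the first NH, else the previous NH."""
    return kdf(kasme, FC_NH, sync_input)


def derive_kenb_star(key: bytes, pci: int, earfcn_dl: int) -> bytes:
    """KeNB* from NH (vertical) or KeNB (horizontal) plus target cell PCI and EARFCN-DL."""
    return kdf(key, FC_KENB_STAR, pci.to_bytes(2, "big"), earfcn_dl.to_bytes(2, "big"))


def derive_kupenc(kenb: bytes, alg_id: int) -> bytes:
    """128-bit user-plane ciphering key: the low 128 bits of the 256-bit KDF output."""
    return kdf(kenb, FC_ALG_KEY, bytes([UP_ENC_ALG]), bytes([alg_id]))[16:]


@dataclass
class Mme:
    kasme: bytes
    nh: bytes
    ncc: int

    def forward_relocation_request(self, cause: str, fresh_pair: bool) -> dict:
        """First MME: advance the chain (first NCC/NH, claims 4/8/13/17) or forward the
        current pair (second NCC/NH) with NHI set to a default value (claims 9/18)."""
        if fresh_pair:
            ncc, nh = self.ncc + 1, derive_nh(self.kasme, self.nh)
        else:
            ncc, nh = self.ncc, self.nh
        return {"cause": cause, "ncc": ncc, "nh": nh, "nhi": 0}  # NHI default: constructed value

    def handover_request(self, fwd_reloc: dict) -> dict:
        """Second MME: relay the cause and the {NH, NCC} pair to the eNB (claims 7/12/16)."""
        return {"cause": fwd_reloc["cause"], "ncc": fwd_reloc["ncc"], "nh": fwd_reloc["nh"]}


@dataclass
class Enb:
    kenb: bytes
    pci: int
    earfcn_dl: int
    log: list = field(default_factory=list)

    def on_handover_request(self, req: dict) -> bytes:
        """Claims 5/14: a core-network-triggered cause keeps KeNB; otherwise the standard
        S1 handover behaviour, a vertical KeNB* derivation from the NH in the request."""
        if req["cause"] == CAUSE_CORE_NETWORK:
            self.log.append("core-network handover: KeNB kept")
        else:
            self.kenb = derive_kenb_star(req["nh"], self.pci, self.earfcn_dl)
            self.log.append(f"KeNB* derived from NH (NCC={req['ncc']})")
        return self.kenb


def run_handover(cause: str, fresh_pair: bool) -> tuple:
    """Run one relocation; returns (KeNB before, KeNB after, KUPenc after, NCC in Handover Request)."""
    kasme = hashlib.sha256(b"constructed KASME").digest()            # constructed key material
    kenb0 = kdf(kasme, FC_KENB, (0).to_bytes(4, "big"))              # uplink NAS COUNT 0
    nh1 = derive_nh(kasme, kenb0)                                     # first NH, NCC = 1
    source_mme, target_mme = Mme(kasme, nh1, 1), Mme(kasme, nh1, 1)
    enb = Enb(kenb0, pci=42, earfcn_dl=1300)
    fwd = source_mme.forward_relocation_request(cause, fresh_pair)
    req = target_mme.handover_request(fwd)
    kenb_after = enb.on_handover_request(req)
    return kenb0, kenb_after, derive_kupenc(kenb_after, alg_id=2), req["ncc"]


if __name__ == "__main__":
    for cause in (CAUSE_CORE_NETWORK, CAUSE_RADIO):
        before, after, _, ncc = run_handover(cause, fresh_pair=True)
        print(f"{cause}: KeNB unchanged={before == after}, NCC in Handover Request={ncc}")
```

The model makes the claimed trade-off visible: with the core-network cause the eNB's KeNB, and therefore KUPenc, is identical before and after the relocation, so no RRC reconfiguration with a new key is needed, while the {NH, NCC} pair carried between the MMEs may still advance. With any other cause the same code path performs the ordinary vertical derivation and the user-plane key changes.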
CN201480000843.XA 2014-01-28 2014-01-28 A kind of device and method of encryption data Active CN105103577B (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2014/071651 WO2015113197A1 (en) 2014-01-28 2014-01-28 Apparatus and method for encrypting data

Publications (2)

Publication Number Publication Date
CN105103577A CN105103577A (en) 2015-11-25
CN105103577B true CN105103577B (en) 2019-05-24

Family

ID=53756094

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201480000843.XA Active CN105103577B (en) 2014-01-28 2014-01-28 A kind of device and method of encryption data

Country Status (2)

Country Link
CN (1) CN105103577B (en)
WO (1) WO2015113197A1 (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10455414B2 (en) 2014-10-29 2019-10-22 Qualcomm Incorporated User-plane security for next generation cellular networks
RU2719772C1 (en) 2017-01-30 2020-04-23 Телефонактиеболагет Лм Эрикссон (Пабл) Operating security context in 5g in connected mode
EP3709601B1 (en) 2017-03-17 2022-02-16 Telefonaktiebolaget LM Ericsson (publ) Network node for use in a communication network, a communication device and methods of operating the same
US10542428B2 (en) 2017-11-20 2020-01-21 Telefonaktiebolaget Lm Ericsson (Publ) Security context handling in 5G during handover
CN111031486B (en) * 2018-10-10 2021-05-11 电信科学技术研究院有限公司 Positioning service key distribution method and device

Citations (3)

Publication number Priority date Publication date Assignee Title
CN101325483A (en) * 2008-07-28 2008-12-17 中国电信股份有限公司 Method and apparatus for updating symmetrical cryptographic key, symmetrical ciphering method and symmetrical deciphering method
CN101500271A (en) * 2008-02-01 2009-08-05 华为技术有限公司 Method and equipment for implementing core network equipment load balance
CN101552983A (en) * 2008-04-01 2009-10-07 华为技术有限公司 Key generating method, key generating device, mobile management entity and user equipment

Family Cites Families (3)

Publication number Priority date Publication date Assignee Title
CN101400059B (en) * 2007-09-28 2010-12-08 华为技术有限公司 Cipher key updating method and device under active state
CN101291536B (en) * 2008-05-30 2011-12-28 中兴通讯股份有限公司 Switching method for load rebalance of mobility management entity
CN103139771B (en) * 2011-11-25 2018-03-30 中兴通讯股份有限公司 Key generation method and system in handoff procedure


Also Published As

Publication number Publication date
CN105103577A (en) 2015-11-25
WO2015113197A1 (en) 2015-08-06


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant