CN107005410A - Internet protocol security tunnel establishing method, user equipment and base station - Google Patents

Internet protocol security tunnel establishing method, user equipment and base station Download PDF

Info

Publication number: CN107005410A
Authority: CN (China)
Prior art keywords: user equipment, base station, security, parameter, ipsec tunnel
Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN201580035366.5A
Other languages: Chinese (zh)
Other versions: CN107005410B (en)
Inventors: 陈璟, 李�赫
Current assignee: GRABLAN (BEIJING) SOFTWARE ENGINEERING Co., Ltd. (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Huawei Technologies Co Ltd
Priority date: (the priority date is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed)
Events: application filed by Huawei Technologies Co Ltd; publication of CN107005410A; application granted; publication of CN107005410B; legal status: active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials


Abstract

Embodiments of the invention disclose an Internet Protocol Security (IPsec) tunnel establishing method, a user equipment and a base station. When the user equipment requests access to the core network through a WLAN, the base station negotiates anti-replay parameters and IPsec tunnel establishment parameters with the user equipment, establishes an IPsec tunnel, and transmits data in the IPsec tunnel according to the IPsec tunnel transmission parameters included in the tunnel establishment parameters, so that the user equipment accesses the core network securely through the WLAN and the security of data transmission is ensured.

Description

Internet Protocol Security tunnel establishing method, user equipment and base station
Technical field
The present invention relates to the field of communication technology, and in particular to an Internet Protocol Security (IPsec) tunnel establishing method, a user equipment and a base station.
Background
Long Term Evolution-Wireless Local Area Network aggregation (LWA) is a new data offloading technique in which the Long Term Evolution (LTE) system uses the high data-transmission efficiency of the Wireless Local Area Network (WLAN) to transmit downlink data. Its architecture is defined as shown in Fig. 1. The Mobility Management Entity (MME) and Serving Gateway (S-GW) are core-network-side nodes and represent the core-network side in the architecture; the LTE base station (Evolved Node B, eNB) is connected to the core-network side through the S1 interface, and the eNB is connected to the WLAN Terminal (WT) through the Xw interface. Under this architecture the WT and the eNB are deployed separately. To the core-network side the WT is transparent and invisible, i.e. the core-network side is unaware of the WT's existence. One WT can connect multiple WLAN access points (APs), and the user equipment (UE) accesses the network through a connection to an AP. When downlink data arrives, the eNB forwards it to the UE through the WT, achieving WLAN offloading.
Fig. 1 shows LWA under the new architecture, and the new architecture is required to be compatible with existing WLAN technologies. The existing WLAN access mode uses the architecture of Fig. 2, in which access is through the S2a and S2b interfaces.
The S2a access mode is the interface used when the UE accesses a trusted WLAN. A trusted WLAN is one deployed by the operator. In the S2a access mode, once the UE has completed authentication to access the WLAN, it can connect directly to the Packet Data Network Gateway (P-GW) on the core-network side and thereby use the WLAN for internet access and data offloading.
The S2b interface is the interface between the ePDG and the P-GW. The UE uses this interface when accessing an untrusted WLAN. An untrusted WLAN is a WLAN node not deployed by the operator. When a user accesses through such an untrusted WLAN, the Evolved Packet Data Gateway (ePDG) must assist. The ePDG is a network element deployed by the operator and is therefore trusted by the operator; this ensures that the untrusted WLAN has no way to see or modify the user data transmitted between the UE and the core-network side, so that the WLAN is used only to carry the data and provides no other service.
The new requirement of compatibility with existing WLAN refers to compatibility with the untrusted WLAN access mode under the S2b access mode. From the architecture of Fig. 1 it can be seen that no ePDG is deployed between the WT and the eNB, so the security of the user's data under an untrusted WLAN cannot be guaranteed.
Summary of the invention
Embodiments of the invention provide an IPsec tunnel establishing method, a user equipment and a base station, so as to establish an IPsec tunnel between the user equipment and the base station, ensure that the user equipment accesses the core network securely, and ensure the security of data transmission.
In a first aspect, an Internet Protocol Security (IPsec) tunnel establishing method is provided, including:
the base station sending a first anti-replay parameter to the user equipment;
the base station determining a second anti-replay parameter of the user equipment, where the first anti-replay parameter and the second anti-replay parameter are respectively used to prevent the key generated by the base station and by the user equipment from being identical each time;
the base station generating a first pre-shared key Kipsec according to the air interface key KeNB and the first anti-replay parameter, and generating first authentication information AUTH according to the first Kipsec;
the base station determining IPsec tunnel establishment parameters, where the IPsec tunnel establishment parameters include a second AUTH, the user equipment generates a second Kipsec according to the KeNB and the second anti-replay parameter, and generates the second AUTH according to the second Kipsec;
the base station verifying the first AUTH, the second AUTH and the identity of the user equipment.
When the user equipment requests access to the core network through a WLAN, the base station negotiates anti-replay parameters and IPsec tunnel establishment parameters with the user equipment and establishes the IPsec tunnel, so that the user equipment accesses the core network securely through the WLAN and the security of data transmission is ensured.
In a first possible implementation of the first aspect, the method further includes:
the base station sending the Internet Protocol (IP) address of the base station to the user equipment;
the base station receiving the IP address, sent by the user equipment, of the WLAN to which the user equipment is connected.
With reference to the first aspect or the first possible implementation of the first aspect, in a second possible implementation, the IPsec tunnel establishment parameters further include IPsec tunnel transmission parameters; the IPsec tunnel transmission parameters include a first security parameter and a traffic selector TS identifying the in/out ports of the data flow protected by IPsec; and the first security parameter includes a security algorithm and the first Kipsec or the second Kipsec.
With reference to the second possible implementation of the first aspect, in a third possible implementation of the first aspect, the base station determining IPsec tunnel establishment parameters includes:
the base station receiving a first Internet Key Exchange version 2 (IKEv2) message sent by the user equipment, the first IKEv2 message including a second security parameter;
the base station sending a response message to the first IKEv2 message to the user equipment;
the base station receiving a second IKEv2 message that the user equipment has encrypted according to the second security parameter, the second IKEv2 message including the IPsec tunnel establishment parameters;
the base station sending a response message to the second IKEv2 message to the user equipment;
where the IPsec tunnel establishment parameters further include the identity of the user equipment and an Internet Key Exchange header HDR, the HDR includes an identifier SPI used to identify the IPsec tunnel establishment flow, and the security algorithm is a security algorithm that has been assigned a security algorithm rank.
In this implementation, the base station and the user equipment negotiate the IPsec tunnel establishment parameters through IP packets, specifically IKEv2 messages.
With reference to the third possible implementation of the first aspect, in a fourth possible implementation, the base station verifying the identity of the user equipment includes:
the base station verifying whether the identity of the user equipment is consistent with the identity of the user equipment obtained from the core-network side.
With reference to the third possible implementation of the first aspect, in a fifth possible implementation, the base station obtaining the IPsec tunnel establishment parameters after negotiation with the user equipment includes:
the base station receiving at least one Radio Resource Control (RRC) message sent by the user equipment;
where the at least one RRC message encapsulates the first IKEv2 message, the response message to the first IKEv2 message, the second IKEv2 message, and the response message to the second IKEv2 message.
In this implementation, the user equipment sends the IPsec tunnel establishment parameters to the base station in RRC messages and the base station receives them; all of the IKEv2 messages used to establish the IPsec tunnel are encapsulated in RRC messages for transmission, and RRC messages guarantee that the sending and receiving peers have already been authenticated.
With reference to the first aspect, in a sixth possible implementation of the first aspect, the base station determining IPsec tunnel establishment parameters includes:
the base station receiving, through an RRC message sent by the user equipment, the second AUTH and the list of security algorithms supported by the user equipment;
the base station determining the rank of the security algorithm of the first security parameter according to its own security algorithm level list and the list of security algorithms supported by the user equipment, where the security algorithm level list includes multiple security algorithms and their corresponding security algorithm ranks;
the base station sending the IPsec tunnel establishment parameters to the user equipment.
In this implementation, the parameters needed to establish the IPsec tunnel are transmitted through RRC messages, without encapsulating complete IKEv2 messages.
With reference to the first aspect, in a seventh possible implementation of the first aspect, the base station determining IPsec tunnel establishment parameters includes:
the base station sending the second AUTH and the base station's security algorithm level list to the user equipment through an RRC message, so that the user equipment determines the rank of the security algorithm of the first security parameter according to the list of security algorithms it supports and the security algorithm level list of the base station, where the security algorithm level list includes multiple security algorithms and their corresponding security algorithm ranks;
the base station receiving the IPsec tunnel establishment parameters sent by the user equipment.
In this implementation, the parameters needed to establish the IPsec tunnel are transmitted through RRC messages, without encapsulating complete IKEv2 messages.
In a second aspect, an IPsec tunnel establishing method is provided, including:
the user equipment receiving a first anti-replay parameter sent by the base station;
the user equipment determining a second anti-replay parameter of the user equipment, where the first anti-replay parameter and the second anti-replay parameter are respectively used to prevent the key generated by the base station and by the user equipment from being identical each time;
the user equipment generating a second pre-shared key Kipsec according to the air interface key KeNB and the second anti-replay parameter, generating second authentication information AUTH according to the second Kipsec, and sending the second AUTH to the base station;
the user equipment receiving the IPsec tunnel establishment parameters sent by the base station, the IPsec tunnel establishment parameters including a first AUTH, where the base station generates a first Kipsec according to the KeNB and the first anti-replay parameter, and generates the first AUTH according to the first Kipsec;
the user equipment verifying the first AUTH and the second AUTH.
With reference to the first aspect, in a first possible implementation, the method further includes:
the user equipment receiving the Internet Protocol (IP) address of the base station sent by the base station;
the user equipment sending, to the base station, the IP address of the WLAN to which the user equipment is connected.
With reference to the second aspect or the first possible implementation of the second aspect, in a second possible implementation, the method further includes:
the user equipment sending a first IKEv2 message to the base station, the first IKEv2 message including a second security parameter;
the user equipment receiving a response message to the first IKEv2 message sent by the base station;
the user equipment encrypting a second IKEv2 message according to the second security parameter and sending the encrypted second IKEv2 message to the base station, where the second IKEv2 message includes the IPsec tunnel establishment parameters; the IPsec tunnel establishment parameters further include IPsec tunnel transmission parameters, the identity of the user equipment, and an Internet Key Exchange header HDR; the HDR includes an identifier SPI used to identify the IPsec tunnel establishment flow; the IPsec tunnel transmission parameters include a first security parameter and a traffic selector TS identifying the in/out ports of the data flow protected by IPsec; the first security parameter includes a security algorithm and the first Kipsec or the second Kipsec; and the security algorithm is a security algorithm that has been assigned a security algorithm rank;
the user equipment receiving a response message to the second IKEv2 message sent by the base station.
With reference to the second possible implementation of the second aspect, in a third possible implementation, the method further includes:
the user equipment sending at least one RRC message to the base station;
where the at least one RRC message encapsulates the first IKEv2 message, the response message to the first IKEv2 message, the second IKEv2 message, and the response message to the second IKEv2 message.
With reference to the second aspect, in a fourth possible implementation, the method further includes:
the user equipment sending the list of security algorithms supported by the user equipment to the base station through an RRC message, so that the base station determines the rank of the security algorithm of the first security parameter according to its own security algorithm level list and the list of security algorithms supported by the user equipment, where the security algorithm level list includes multiple security algorithms and their corresponding security algorithm ranks;
the user equipment receiving the IPsec tunnel establishment parameters sent by the base station, where the IPsec tunnel establishment parameters further include IPsec tunnel transmission parameters and an Internet Key Exchange header HDR, the HDR includes an identifier SPI used to identify the IPsec tunnel establishment flow, the IPsec tunnel transmission parameters include a first security parameter and a TS, and the first security parameter includes the security algorithm of the determined rank and the first Kipsec or the second Kipsec.
With reference to the second aspect, in a fifth possible implementation, the method further includes:
the user equipment receiving the base station's security algorithm level list sent by the base station through an RRC message, where the security algorithm level list includes multiple security algorithms and their corresponding security algorithm ranks;
the user equipment determining the rank of the security algorithm of the first security parameter according to the list of security algorithms it supports and the base station's security algorithm level list;
the user equipment sending the IPsec tunnel establishment parameters to the base station, where the IPsec tunnel establishment parameters further include IPsec tunnel transmission parameters and an Internet Key Exchange header HDR, the HDR includes an identifier SPI used to identify the IPsec tunnel establishment flow, the IPsec tunnel transmission parameters include a first security parameter and a TS, and the first security parameter includes the security algorithm of the determined rank and the first Kipsec or the second Kipsec.
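The rank-based algorithm selection described in the sixth and seventh implementations of the first aspect and the fourth and fifth implementations of the second aspect, as an added worked example (not code from the patent or from any Huawei product): the base station's security algorithm level list is a constructed mapping from algorithm name to rank, the algorithm names are illustrative, and the policy floor `max_rank` and the `bs_accepts` re-validation of a UE-selected parameter are additions the patent does not describe.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class SecurityParameter:
    """The first security parameter of the tunnel transmission parameters:
    the negotiated security algorithm, its rank, and Kipsec."""
    algorithm: str
    rank: int
    kipsec: bytes


# Constructed eNB "security algorithm level list": algorithm -> rank, where
# rank 1 is used first. The names are illustrative, not taken from the patent.
BS_LEVELS: Dict[str, int] = {
    "AES-GCM-256": 1,
    "AES-GCM-128": 2,
    "AES-CBC-128-HMAC-SHA256": 3,
    "NULL-HMAC-SHA256": 9,  # integrity only, kept as a last resort
}


def choose_algorithm(bs_levels: Dict[str, int], ue_supported: List[str],
                     max_rank: Optional[int] = None) -> Optional[str]:
    """Pick the best-ranked algorithm supported by both sides. Algorithms the
    UE lists but the eNB does not rank are ignored. max_rank is an added
    policy floor (not in the patent): refuse anything ranked worse than it."""
    candidates = [(bs_levels[alg], alg) for alg in ue_supported if alg in bs_levels]
    if not candidates:
        return None
    rank, alg = min(candidates)
    if max_rank is not None and rank > max_rank:
        return None
    return alg


def negotiate_bs_driven(bs_levels: Dict[str, int], ue_supported: List[str],
                        kipsec: bytes, max_rank: Optional[int] = None):
    """Sixth implementation of the first aspect / fourth of the second: the UE
    sends its supported list over RRC and the eNB selects the algorithm."""
    alg = choose_algorithm(bs_levels, ue_supported, max_rank)
    return None if alg is None else SecurityParameter(alg, bs_levels[alg], kipsec)


def negotiate_ue_driven(bs_levels_received: Dict[str, int],
                        ue_supported: List[str], kipsec: bytes):
    """Seventh implementation of the first aspect / fifth of the second: the
    eNB sends its level list over RRC, the UE selects and returns the tunnel
    establishment parameters."""
    alg = choose_algorithm(bs_levels_received, ue_supported)
    return None if alg is None else SecurityParameter(alg, bs_levels_received[alg], kipsec)


def bs_accepts(bs_levels: Dict[str, int], proposed: SecurityParameter,
               max_rank: Optional[int] = None) -> bool:
    """Check the eNB should run on a UE-selected parameter before using it: the
    algorithm must be one the eNB listed, carry the rank the eNB assigned, and
    meet the policy floor. This check is an addition, not a patent step."""
    if proposed.algorithm not in bs_levels:
        return False
    if proposed.rank != bs_levels[proposed.algorithm]:
        return False
    return max_rank is None or proposed.rank <= max_rank


if __name__ == "__main__":
    k = b"\x11" * 32  # constructed Kipsec
    ue = ["3DES-HMAC-SHA1", "NULL-HMAC-SHA256", "AES-GCM-128"]
    print("eNB-driven:", negotiate_bs_driven(BS_LEVELS, ue, k))
    print("UE-driven: ", negotiate_ue_driven(BS_LEVELS, ue, k))
    print("NULL-only UE with floor at rank 3:",
          negotiate_bs_driven(BS_LEVELS, ["NULL-HMAC-SHA256"], k, max_rank=3))
```

Both directions of negotiation yield the same parameter because the rank list is the base station's; the re-validation matters only in the UE-driven flow, where the base station receives a selection it did not make.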
In a third aspect, a base station is provided, which has the function of implementing the base station behaviour in the above method. The function may be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the above functions.
In a possible implementation, the base station includes a transmitter and a processor, where:
the transmitter is configured to send a first anti-replay parameter to the user equipment;
the processor is configured to determine a second anti-replay parameter of the user equipment, where the first anti-replay parameter and the second anti-replay parameter are respectively used to prevent the key generated by the base station and by the user equipment from being identical each time;
the processor is configured to generate a first pre-shared key Kipsec according to the air interface key KeNB and the first anti-replay parameter, and to generate first authentication information AUTH according to the first Kipsec;
the processor is further configured to determine IPsec tunnel establishment parameters, where the IPsec tunnel establishment parameters include a second AUTH, the user equipment generates a second Kipsec according to the KeNB and the second anti-replay parameter, and generates the second AUTH according to the second Kipsec;
the processor is further configured to verify the first AUTH, the second AUTH and the identity of the user equipment.
In another possible implementation, the base station includes:
a sending unit, configured to send a first anti-replay parameter to the user equipment;
a determining unit, configured to determine a second anti-replay parameter of the user equipment, where the first anti-replay parameter and the second anti-replay parameter are respectively used to prevent the key generated by the base station and by the user equipment from being identical each time;
a generating unit, configured to generate a first pre-shared key Kipsec according to the air interface key KeNB and the first anti-replay parameter, and to generate first authentication information AUTH according to the first Kipsec;
the determining unit being further configured to determine IPsec tunnel establishment parameters, where the IPsec tunnel establishment parameters include a second AUTH, the user equipment generates a second Kipsec according to the KeNB and the second anti-replay parameter, and generates the second AUTH according to the second Kipsec;
a verifying unit, configured to verify the first AUTH, the second AUTH and the identity of the user equipment.
In a fourth aspect, a user equipment is provided, which has the function of implementing the user equipment behaviour in the above method. The function may be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the above functions.
In a possible implementation, the user equipment includes a receiver, a transmitter and a processor, where:
the receiver is configured to receive a first anti-replay parameter sent by the base station;
the processor is configured to generate a second pre-shared key Kipsec according to the air interface key KeNB and the second anti-replay parameter, and to generate second authentication information AUTH according to the second Kipsec;
the transmitter is configured to send the second AUTH to the base station;
the receiver is further configured to receive the IPsec tunnel establishment parameters sent by the base station, where the IPsec tunnel establishment parameters include a first AUTH, the base station generates a first Kipsec according to the KeNB and the first anti-replay parameter, and the base station generates the first AUTH according to the first Kipsec;
the processor is further configured to verify the first AUTH and the second AUTH.
In another possible implementation, the user equipment includes:
a receiving unit, configured to receive a first anti-replay parameter sent by the base station;
a generating unit, configured to generate a second pre-shared key Kipsec according to the air interface key KeNB and the second anti-replay parameter, and to generate second authentication information AUTH according to the second Kipsec;
a sending unit, configured to send the second AUTH to the base station;
the receiving unit being further configured to receive the IPsec tunnel establishment parameters sent by the base station, where the IPsec tunnel establishment parameters include a first AUTH, the base station generates a first Kipsec according to the KeNB and the first anti-replay parameter, and the base station generates the first AUTH according to the first Kipsec;
a verifying unit, configured to verify the first AUTH and the second AUTH.
According to the IPsec tunnel establishing method, user equipment and base station provided by the embodiments of the invention, when the user equipment requests access to the core network through a WLAN, the base station negotiates anti-replay parameters and IPsec tunnel establishment parameters with the user equipment and establishes an IPsec tunnel, so that the user equipment accesses the core network securely through the WLAN and the security of data transmission is ensured.
Brief description of the drawings
To describe the technical solutions in the embodiments of the invention or in the prior art more clearly, the accompanying drawings needed for describing the embodiments are briefly introduced below. Apparently, the drawings in the following description show only some embodiments of the invention, and a person of ordinary skill in the art may derive other drawings from them without creative effort.
Fig. 1 is a schematic diagram of LTE-WLAN aggregation (LWA);
Fig. 2 is a schematic diagram of the existing WLAN access mode;
Fig. 3 is a schematic flowchart of an IPsec tunnel establishing method according to an embodiment of the invention;
Fig. 4 is a schematic flowchart of another IPsec tunnel establishing method according to an embodiment of the invention;
Fig. 5 is a schematic flowchart of yet another IPsec tunnel establishing method according to an embodiment of the invention;
Fig. 6 is a schematic structural diagram of a base station according to an embodiment of the invention;
Fig. 7 is a schematic structural diagram of another base station according to an embodiment of the invention;
Fig. 8 is a schematic structural diagram of a user equipment according to an embodiment of the invention;
Fig. 9 is a schematic structural diagram of yet another base station according to an embodiment of the invention;
Fig. 10 is a schematic structural diagram of another user equipment according to an embodiment of the invention.
Detailed description of the embodiments
The technical solutions in the embodiments of the invention are described clearly and completely below with reference to the accompanying drawings. Clearly, the described embodiments are only some, not all, of the embodiments of the invention. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the invention without creative effort fall within the protection scope of the invention.
The present application requires the new LWA architecture shown in Fig. 1 to be compatible with existing WLAN technologies, that is, with the untrusted WLAN access mode under the S2b access mode. The embodiments of the invention establish an IPsec tunnel between the user equipment and the base station to achieve the effect of the ePDG under the S2b interface.
Before the IPsec tunnel establishing method of the embodiments is carried out, the user equipment has already accessed the core network and been authenticated successfully. At this point the base station already holds an identity of the user equipment, such as the Cell Radio Network Temporary Identifier (C-RNTI), and can locate the user equipment by this identifier. One result of successful authentication is that air-interface security between the user equipment and the base station has been established: the user equipment and the base station hold the same confidentiality key and integrity key, and these keys are used to secure the messages transmitted between them over the mobile network.
In the embodiments of the invention, when the user equipment requests access to the core network through a WLAN, the base station negotiates anti-replay parameters and IPsec tunnel establishment parameters with the user equipment, establishes an IPsec tunnel, and transmits data in the IPsec tunnel according to the IPsec tunnel transmission parameters included in the tunnel establishment parameters, so that the user equipment accesses the core network securely through the WLAN and the security of data transmission is ensured.
Fig. 3 is a schematic flowchart of an IPsec tunnel establishing method according to an embodiment of the invention. The method includes the following steps:
S101: the base station and the user equipment negotiate anti-replay parameters.
Anti-replay parameters are intended to prevent the key, or the message, generated by the base station or the user equipment from being identical each time; if a key or message were identical, an attacker could intercept an earlier message and resend it. Anti-replay parameters are usually random numbers, timestamps, or counter values.
The base station may carry anti-replay parameter 1 in the RRC message in which it sends its IP address to the user equipment. The user equipment may or may not carry anti-replay parameter 2 when replying to the base station's RRC message; this depends on the concrete configuration. For example, if the anti-replay parameters are random numbers, anti-replay parameter 1 and anti-replay parameter 2 may be identical or different, and if the random-number approach is chosen, the reply carries anti-replay parameter 2. If counters are used and the base station has a counter while the user equipment does not, the base station must send its counter value to the user equipment as anti-replay parameter 1, and the user equipment, having no counter, carries no anti-replay parameter in its reply; if the user equipment also has a counter, it must likewise send its counter value to the base station as anti-replay parameter 2. If timestamps are used, both sides must transmit anti-replay parameters. Correspondingly, the RRC message replying to the base station may be an RRC reconfiguration complete message, an RRC complete message, or the like.
S102: the base station generates a first pre-shared key Kipsec according to the air interface key KeNB and the first anti-replay parameter, and generates first authentication information AUTH according to the first Kipsec.
S103: the user equipment generates a second Kipsec according to the KeNB and the second anti-replay parameter, and generates a second AUTH according to the second Kipsec.
The user equipment and the base station generate the same air interface key KeNB when air-interface security is established. The base station and the user equipment then each use the configured key derivation function to generate the first Kipsec and the second Kipsec from KeNB and the negotiated anti-replay parameters, and then generate the first AUTH (authentication information) and the second AUTH from the first Kipsec and the second Kipsec respectively. Because the key derivation function used is the same, KeNB is the same, and the anti-replay parameters have been negotiated so that the base station and the user equipment each know the peer's anti-replay parameter, the base station and the user equipment can each verify the peer's authentication information against their own.
S104: the base station and the user equipment negotiate IPsec tunnel establishment parameters.
The IPsec tunnel establishment parameters include the authentication information (AUTH) and IPsec tunnel transmission parameters. The IPsec tunnel transmission parameters include the first security parameter and a Traffic Selector (TS) identifying the in/out ports of the data flow protected by IPsec. The security parameter is also called the Security Association (SA) parameter; it includes the security algorithm and the first Kipsec or the second Kipsec. The security algorithm has a security algorithm rank, which indicates which algorithm should be used preferentially, and the first Kipsec or the second Kipsec is the key used by the security algorithm to encrypt the data flow transmitted in the IPsec tunnel. The IPsec tunnel establishment parameters may also include the identity IDi of the user equipment and the identity IDr of the base station. In this embodiment, so that the base station can accurately judge the identity of the user equipment, the C-RNTI may be used as IDi. IDi denotes the initiator identity (Identification-Initiator) and IDr denotes the responder identity (Identification-Responder).
S105, base station, user equipment separately verify the first AUTH and the 2nd AUTH.
If S106, the AUTH of base station authentication the first and the 2nd AUTH are consistent, the identity to user equipment is verified.
After the IPsec tunnel building parameters after being consulted, whether the authentication information that base station, user equipment separately verify opposite end is consistent with the authentication information of itself, and if the verification passes, base station is verified to the identity of user equipment again.The identity of base station authentication user equipment, the identity for the user equipment that the identity and IPsec tunnel building parameters of the user equipment obtained when eating dishes without rice or wine and connecting can be included is compared, and if what is received is RRC information, then the identity of user equipment is verified when receiving RRC information.
IPsec tunnel transmission parameters have been consulted in base station with user equipment, then the work for setting up IPsec tunnels has been completed, so as to transmit data in IPsec tunnels according to IPsec tunnel transmissions parameter.
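As a worked illustration of S103 to S106, the following Python derives Kipsec and AUTH on both sides from a shared KeNB and the two anti-replay parameters, verifies the peer's AUTH in constant time, and only then binds the tunnel to the identity learned over the air. It is an added example, not code from the patent: the patent names no key derivation function, so the HMAC-SHA256 construction, the nonce sizes and the sample C-RNTI value are assumptions of this example.

```python
import hashlib
import hmac
import os


def kdf(key: bytes, label: bytes, *inputs: bytes) -> bytes:
    """Stand-in for the patent's 'configured key derivation function'.
    The patent does not name one; HMAC-SHA256 over a label and
    length-prefixed inputs is an assumption of this example."""
    msg = label
    for x in inputs:
        msg += len(x).to_bytes(2, "big") + x
    return hmac.new(key, msg, hashlib.sha256).digest()


def derive_kipsec(kenb: bytes, ar_bs: bytes, ar_ue: bytes) -> bytes:
    """Kipsec = KDF(KeNB, anti-replay parameter 1 || anti-replay parameter 2).
    Both sides must feed the nonces in the same order (base station first)."""
    return kdf(kenb, b"Kipsec", ar_bs, ar_ue)


def derive_auth(kipsec: bytes, ar_bs: bytes, ar_ue: bytes) -> bytes:
    """AUTH = KDF(Kipsec, nonces): a MAC the peer can recompute but an
    attacker without KeNB cannot."""
    return kdf(kipsec, b"AUTH", ar_bs, ar_ue)


def establish(kenb_bs: bytes, kenb_ue: bytes, ar_bs: bytes, ar_ue: bytes,
              c_rnti_air: bytes, idi: bytes):
    """Runs S103-S106 for both sides; returns (bs_auth_ok, ue_auth_ok, id_ok).
    kenb_bs / kenb_ue are each side's copy of KeNB, c_rnti_air is the C-RNTI
    assigned over the air, idi is the IDi carried in the tunnel parameters."""
    # S103: each side derives its own Kipsec and AUTH independently
    k1 = derive_kipsec(kenb_bs, ar_bs, ar_ue)
    auth1 = derive_auth(k1, ar_bs, ar_ue)
    k2 = derive_kipsec(kenb_ue, ar_bs, ar_ue)
    auth2 = derive_auth(k2, ar_bs, ar_ue)
    # S105: compare the peer's AUTH with one's own in constant time, so a
    # forged AUTH does not leak how many leading bytes were right
    bs_ok = hmac.compare_digest(auth1, auth2)
    ue_ok = hmac.compare_digest(auth2, auth1)
    # S106: only after AUTH matches does the base station bind the tunnel to
    # the identity it learned over the air (C-RNTI used as IDi)
    id_ok = bs_ok and hmac.compare_digest(c_rnti_air, idi)
    return bs_ok, ue_ok, id_ok


if __name__ == "__main__":
    kenb = os.urandom(32)                     # shared after air interface security
    ar_bs, ar_ue = os.urandom(16), os.urandom(16)
    c_rnti = (0x1A2B).to_bytes(2, "big")      # constructed sample C-RNTI
    print("honest UE:     ", establish(kenb, kenb, ar_bs, ar_ue, c_rnti, c_rnti))
    print("no KeNB:       ", establish(kenb, os.urandom(32), ar_bs, ar_ue, c_rnti, c_rnti))
    print("wrong identity:", establish(kenb, kenb, ar_bs, ar_ue, c_rnti, b"\x00\x01"))
    fresh = derive_kipsec(kenb, os.urandom(16), ar_ue)
    print("fresh nonce gives fresh Kipsec:", fresh != derive_kipsec(kenb, ar_bs, ar_ue))
```

The "wrong identity" case is why S106 is a separate step: a matching AUTH proves that the peer holds KeNB, not that it is the user equipment to which this C-RNTI was assigned. The last line shows the role the patent gives the anti-replay parameters: with fresh nonces the same KeNB yields a different Kipsec, so a recorded tunnel setup cannot be replayed into the same keys.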
In the IPsec tunnel establishment method provided by this embodiment of the invention, when the user equipment requests access to the core network through a WLAN, the base station negotiates anti-replay parameters and IPsec tunnel establishment parameters with the user equipment, establishes an IPsec tunnel, and transmits data in the IPsec tunnel according to the IPsec tunnel transmission parameters contained in the tunnel establishment parameters, so that the user equipment accesses the core network securely through the WLAN and the security of data transmission is ensured.
Fig. 4 is a schematic flowchart of another IPsec tunnel establishment method provided by an embodiment of the invention. The method includes the following steps:
S201: the base station sends the IP address of the base station to the user equipment in an RRC reconfiguration message.
Anti-replay parameter 1 is carried in the RRC reconfiguration message.
S202: after receiving the RRC reconfiguration message from the base station, the user equipment replies with an RRC reconfiguration complete message.
Anti-replay parameter 2 is carried in the RRC reconfiguration complete message.
Two things must be accomplished to establish the IPsec tunnel between the user equipment and the base station: first, both sides need to know the IP address of the peer; second, the base station needs to be sure that the peer establishing the IPsec tunnel is this user equipment, and not an attacker or someone else's user equipment, i.e. that the identity of the user equipment is correct.
First, the base station sends its IP address to the user equipment. The base station can choose one of several Radio Resource Control (RRC) messages to carry its IP address, including the RRC reconfiguration message, the RRC connection setup request message, the RRC connection re-establishment message and so on. RRC messages are chosen because they are carried over the mobile network, which has already passed security authentication, so the security of the transmitted message is ensured.
Meanwhile, the user equipment sends the IP address it holds on the WLAN to the base station. Before sending the IP address, the user equipment must first access the WLAN through an AP and then obtain the IP address allocated by the WLAN.
S203: the base station uses the configured key derivation function to generate the first pre-shared key Kipsec from the air interface key KeNB and the negotiated anti-replay parameters, and generates the first authentication information AUTH from the first Kipsec.
S204: the user equipment uses the configured key derivation function to generate the second Kipsec from KeNB and the negotiated anti-replay parameters, and generates the second AUTH from the second Kipsec.
S205: the user equipment accesses the AP.
S206: the user equipment obtains the IP address allocated by the AP.
S207: the user equipment sends the IP address allocated by the AP to the base station.
S208: the base station and the user equipment negotiate the second security parameter through the first Internet Key Exchange version 2 (IKEv2) messages.
Specifically, the user equipment sends an IKE_SA_INIT message (the Internet Key Exchange security association initial negotiation message) to the base station. The IKE_SA_INIT message contains the IKE header (HDR), the second security parameter SAi1, the initiator's key exchange value KEi and the nonce Ni; the HDR contains the Security Parameter Index (SPI), which identifies this IPsec tunnel establishment procedure. The base station replies to the IKE_SA_INIT message with a message containing HDR, SAr1, the responder's key exchange value KEr and the nonce Nr, which completes negotiation of the second security parameter between the base station and the user equipment. The second security parameter likewise includes a security algorithm, a security algorithm level and a key. Here the security algorithm level of SAi1 and SAr1 is determined by the IKEv2 messages: SAi1 and SAr1 contain multiple security algorithms, and the algorithm to be used is specified by the security algorithm level. The key is derived from the key exchange values (KEi and KEr) and the nonces (Ni, Nr). The second security parameter is used to encrypt the second IKEv2 messages, which carry the IPsec tunnel establishment parameters.
S209: the base station receives the second IKEv2 message, which the user equipment has encrypted according to the second security parameter.
Specifically, the user equipment sends an IKE_AUTH message to the base station, encrypted with the second security parameter. The IKE_AUTH message contains HDR, SK{IDi, AUTH, SAi2, TSi, TSr}, where SK{} denotes that the parameters in the braces are encrypted and protected with the security algorithm and key of the second security parameter. The base station replies to the user equipment's IKE_AUTH message with a message containing HDR, SK{IDr, AUTH, SAr2, TSi, TSr}.
In this embodiment the base station and the user equipment negotiate the IPsec tunnel establishment parameters through IP packets, specifically IKEv2 messages. Because the exchange is carried in IP packets and the identity of the peer has not yet been verified, the security of the transmission cannot be guaranteed. Therefore the security parameter for the messages that carry the IPsec tunnel establishment parameters must be negotiated first, and the message carrying the IPsec tunnel establishment parameters is then encrypted with the negotiated security parameter.
As an alternative to S208-S209, the user equipment sends the IPsec tunnel establishment parameters to the base station in RRC messages and the base station receives them from the user equipment; that is, the entire IKEv2 exchange for establishing the IPsec tunnel is encapsulated in RRC messages. Because RRC messages guarantee that the sending and receiving peers have been authenticated, the authentication information AUTH and the initiator identity IDi need not be emphasised.
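The following Python reconstructs the two IKEv2 exchanges of S208-S209 end to end: IKE_SA_INIT turns the key exchange values and nonces into the second security parameter on both sides, and IKE_AUTH then carries IDi inside SK{...}. It is an added example, not code from the patent. SKEYSEED and prf+ follow RFC 7296 sections 2.13 and 2.14, but the Diffie-Hellman group is a toy prime and the SK{} cipher is an HMAC keystream standing in for AES, both assumptions chosen so the example runs with the standard library only; the AUTH payload itself (derived from Kipsec in this patent rather than from an IKEv2 pre-shared key) is omitted here.

```python
import hashlib
import hmac
import os

# Toy Diffie-Hellman group for the KEi/KEr values. A real IKEv2 peer uses a
# registered MODP or ECP group; this 127-bit prime is an assumption of this
# example, chosen only so the arithmetic runs fast with the standard library.
P = 2**127 - 1
G = 5
KEYLEN = 32   # SHA-256 output; every SK_* key is cut to this length here


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def prf_plus(key: bytes, seed: bytes, n: int) -> bytes:
    """prf+ of RFC 7296 section 2.13:
    T1 = prf(K, S | 0x01), Tk = prf(K, T(k-1) | S | k), output T1 | T2 | ..."""
    out, t, i = b"", b"", 1
    while len(out) < n:
        t = prf(key, t + seed + bytes([i]))
        out += t
        i += 1
    return out[:n]


def ike_sa_init_keys(ni: bytes, nr: bytes, spi_i: bytes, spi_r: bytes,
                     g_ir: bytes) -> dict:
    """RFC 7296 section 2.14: SKEYSEED = prf(Ni | Nr, g^ir) and
    SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr
        = prf+(SKEYSEED, Ni | Nr | SPIi | SPIr).
    This key set is the 'second security parameter' of S208."""
    skeyseed = prf(ni + nr, g_ir)
    names = ("SK_d", "SK_ai", "SK_ar", "SK_ei", "SK_er", "SK_pi", "SK_pr")
    km = prf_plus(skeyseed, ni + nr + spi_i + spi_r, KEYLEN * len(names))
    return {n: km[KEYLEN * k:KEYLEN * (k + 1)] for k, n in enumerate(names)}


def _keystream(sk_e: bytes, iv: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode stands in for the AES modes IKEv2 really uses
    return b"".join(prf(sk_e, iv + k.to_bytes(4, "big")) for k in range(n // 32 + 1))[:n]


def sk_wrap(sk_e: bytes, sk_a: bytes, plaintext: bytes) -> bytes:
    """Encrypted payload SK{...}: IV | ciphertext | 128-bit ICV, encrypt-then-MAC
    in the style of AUTH_HMAC_SHA2_256_128 over the IV and ciphertext."""
    iv = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(sk_e, iv, len(plaintext))))
    return iv + ct + prf(sk_a, iv + ct)[:16]


def sk_unwrap(sk_e: bytes, sk_a: bytes, blob: bytes) -> bytes:
    iv, ct, icv = blob[:16], blob[16:-16], blob[-16:]
    # verify the ICV before touching the ciphertext, in constant time
    if not hmac.compare_digest(prf(sk_a, iv + ct)[:16], icv):
        raise ValueError("ICV check failed: tampered message or wrong SK_a")
    return bytes(a ^ b for a, b in zip(ct, _keystream(sk_e, iv, len(ct))))


def run_exchange(idi: bytes = b"C-RNTI:1a2b"):
    """S208-S209 end to end: IKE_SA_INIT (user equipment initiates, base
    station responds), then IKE_AUTH carrying IDi inside SK{...}.
    Returns (both sides derived the same keys, what the base station read)."""
    # IKE_SA_INIT request: HDR(SPIi), SAi1, KEi, Ni
    x = int.from_bytes(os.urandom(16), "big") % P
    kei, ni, spi_i = pow(G, x, P), os.urandom(32), os.urandom(8)
    # IKE_SA_INIT response: HDR(SPIi, SPIr), SAr1, KEr, Nr
    y = int.from_bytes(os.urandom(16), "big") % P
    ker, nr, spi_r = pow(G, y, P), os.urandom(32), os.urandom(8)
    # each side computes g^ir from the peer's KE value and its own secret
    g_ir_ue = pow(ker, x, P).to_bytes(16, "big")
    g_ir_bs = pow(kei, y, P).to_bytes(16, "big")
    ue = ike_sa_init_keys(ni, nr, spi_i, spi_r, g_ir_ue)
    bs = ike_sa_init_keys(ni, nr, spi_i, spi_r, g_ir_bs)
    # IKE_AUTH request: HDR, SK{IDi, AUTH, SAi2, TSi, TSr}; only IDi shown.
    # The initiator encrypts with SK_ei/SK_ai; the responder would answer
    # with SK{IDr, AUTH, SAr2, TSi, TSr} under SK_er/SK_ar.
    msg = sk_wrap(ue["SK_ei"], ue["SK_ai"], idi)
    received = sk_unwrap(bs["SK_ei"], bs["SK_ai"], msg)
    return ue == bs, received


if __name__ == "__main__":
    same_keys, idi_seen = run_exchange()
    print("keys agree:", same_keys, "IDi received:", idi_seen)
```

The point the patent makes in the paragraph before the alternative is visible in the code: nothing in IKE_SA_INIT is authenticated, so the SK_* keys only protect IKE_AUTH against a passive observer; it is the AUTH values computed from Kipsec, and the base station's comparison of IDi with the C-RNTI, that tie the tunnel to the authenticated air interface.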
S210: the base station and the user equipment each verify the first AUTH and the second AUTH.
S211: if the base station verifies that the first AUTH and the second AUTH match, it verifies the identity of the user equipment.
Fig. 5 is a schematic flowchart of another IPsec tunnel establishment method provided by an embodiment of the invention. The method includes the following steps:
S301: the user equipment accesses the AP.
S302: the user equipment obtains the IP address allocated by the AP.
S303: the base station sends the IP address of the base station to the user equipment in an RRC reconfiguration message.
Anti-replay parameter 1 is carried in this message.
S304: after receiving the RRC reconfiguration message from the base station, the user equipment replies with an RRC reconfiguration complete message.
This message carries the IP address of the AP to which the user equipment is connected and anti-replay parameter 2.
S305: the base station uses the configured key derivation function to generate the first pre-shared key Kipsec from the air interface key KeNB and the negotiated anti-replay parameters, and generates the first authentication information AUTH from the first Kipsec.
S306: the user equipment uses the configured key derivation function to generate the second Kipsec from KeNB and the negotiated anti-replay parameters, and generates the second AUTH from the second Kipsec.
S307: the base station receives, in an RRC message from the user equipment, the second AUTH and the list of security algorithms supported by the user equipment.
The user equipment sends the parameters required for IPsec tunnel establishment to the base station in an RRC message, and the base station receives them. These required parameters include the authentication information and the list of security algorithms supported by the user equipment; the security algorithms may include encryption algorithms and integrity protection algorithms.
Alternatively, the list of security algorithms supported by the user equipment may be delivered to the base station in advance while the user equipment attaches to the core network (the attach procedure). That is, before S301 the user equipment carries its supported security algorithm list to the MME in the Attach Request message, the MME delivers that list to the base station in the Attach Accept message, the attach procedure of the user equipment is then completed and the default bearer is established.
S308: the base station determines the level of the security algorithm of the first security parameter according to its own security algorithm level list and the list of security algorithms supported by the user equipment.
The base station is configured with a security algorithm level list, which records the correspondence between multiple security algorithms and their security algorithm levels. From this level list and the obtained list of security algorithms supported by the user equipment, the base station determines, among the algorithms the user equipment supports, the level of the security algorithm of the first security parameter; that algorithm is used to protect transmission in the IPsec tunnel. For example, the algorithm with the highest security capability level among those supported by the user equipment may be chosen.
Alternatively, if the list of security algorithms supported by the user equipment was delivered to the base station in advance during the attach procedure, the base station may send its IP address and the determined level of the security algorithm of the first security parameter to the user equipment in the RRC reconfiguration message.
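A worked version of S308, added here and not the patent's own code: the base station intersects its security algorithm level list with the list the user equipment reported and takes the highest level, refusing to complete the negotiation when there is no common algorithm or when the best common algorithm falls below a configured minimum. The algorithm names and levels are constructed sample values, and the `min_level` policy knob is an assumption of the example; the patent only says the highest-level supported algorithm may be chosen.

```python
from typing import Dict, Mapping, Sequence, Tuple

# Constructed sample of the base station's security algorithm level list
# (algorithm -> level, higher is preferred). The names follow IKEv2/IPsec
# transform names; the levels are an assumption of this example, as the
# patent gives no concrete values.
BS_LEVELS: Dict[str, Dict[str, int]] = {
    "encr": {"AES-CTR-256": 4, "AES-CBC-256": 3, "AES-CBC-128": 2, "3DES": 1, "NULL": 0},
    "integ": {"HMAC-SHA2-512-256": 3, "HMAC-SHA2-256-128": 2, "HMAC-SHA1-96": 1, "NONE": 0},
}


def select_algorithm(levels: Mapping[str, int], supported: Sequence[str],
                     min_level: int = 1) -> Tuple[str, int]:
    """S308: pick the highest-level algorithm the user equipment supports.
    Algorithms absent from the base station's list are ignored; a best common
    algorithm below min_level is refused, so a list trimmed to NULL/NONE cannot
    steer the tunnel to no protection (min_level is a policy knob assumed here)."""
    candidates = [(levels[a], a) for a in supported if a in levels]
    if not candidates:
        raise ValueError("no security algorithm in common with the user equipment")
    level, name = max(candidates)      # ties broken by name, deterministically
    if level < min_level:
        raise ValueError(f"best common algorithm {name} (level {level}) "
                         f"is below policy minimum {min_level}")
    return name, level


def first_security_parameter(bs_levels: Mapping[str, Mapping[str, int]],
                             ue_supported: Mapping[str, Sequence[str]]) -> Dict[str, object]:
    """Algorithm part of the first security parameter: one encryption and one
    integrity algorithm chosen from the UE's reported lists (Kipsec and the TS
    are supplied by the other steps of the procedure)."""
    encr, encr_level = select_algorithm(bs_levels["encr"], ue_supported["encr"])
    integ, integ_level = select_algorithm(bs_levels["integ"], ue_supported["integ"])
    return {"encr": encr, "encr_level": encr_level,
            "integ": integ, "integ_level": integ_level}


if __name__ == "__main__":
    # constructed UE capability list as it would arrive in RRC or Attach Request
    ue_list = {"encr": ["3DES", "AES-CBC-128", "NULL"],
               "integ": ["HMAC-SHA1-96", "HMAC-SHA2-256-128"]}
    print(first_security_parameter(BS_LEVELS, ue_list))
    try:
        select_algorithm(BS_LEVELS["encr"], ["NULL"])
    except ValueError as e:
        print("refused:", e)
```

The minimum-level check matters because the supported list is the one input the peer controls. When the list arrives over RRC or in the Attach Request, as this embodiment describes, it is integrity-protected and an attacker cannot strip the strong algorithms from it; a base station that also accepts proposals in an unauthenticated IKE_SA_INIT (the Fig. 4 variant) should still refuse a NULL-only proposal rather than silently set up an unencrypted tunnel.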
S309: the base station sends the IPsec tunnel establishment parameters to the user equipment.
After the authentication information and the first security algorithm have been determined, the base station sends the IPsec tunnel establishment parameters to the user equipment. These parameters include the first security parameter and the TS, and the first security parameter includes the security algorithm and the first Kipsec or the second Kipsec.
In this embodiment, the parameters required for IPsec tunnel establishment are carried in RRC messages rather than in fully encapsulated IKEv2 messages. Because RRC messages themselves ensure the security of data transmission, there is no need to negotiate the second security parameter.
In this embodiment the IPsec tunnel establishment is initiated by the user equipment. As an alternative to S307-S309, the IPsec tunnel establishment may also be initiated by the base station: the base station sends the parameters required for IPsec tunnel establishment to the user equipment in an RRC message, the user equipment determines the level of the security algorithm of the first security parameter from the list of security algorithms it supports and the base station's security algorithm level list, and the user equipment then sends the IPsec tunnel establishment parameters to the base station, which receives them.
S310: the base station and the user equipment each verify the first AUTH and the second AUTH.
S311: if the base station verifies that the first AUTH and the second AUTH match, it verifies the identity of the user equipment.
It should be noted that, for brevity, each of the foregoing method embodiments is described as a combination of a series of actions; those skilled in the art will appreciate, however, that the invention is not limited to the described order of actions, because according to the invention some steps may be performed in another order or simultaneously. Secondly, those skilled in the art will also appreciate that the embodiments described in this specification are preferred embodiments, and the actions and modules involved are not necessarily required by the invention.
In the above embodiments, the description of each embodiment has its own emphasis; for a part not described in detail in one embodiment, reference may be made to the related description of the other embodiments.
The steps of the methods in the embodiments of the invention may be reordered, combined and deleted according to actual needs.
Fig. 6 is a schematic structural diagram of a base station provided by an embodiment of the invention. The base station 1000 includes a transmitting unit 11, a determining unit 12, a generating unit 13 and a verifying unit 14, where:
Transmitting unit 11 is configured to send the first anti-replay parameter to the user equipment.
Determining unit 12 is configured to determine the second anti-replay parameter of the user equipment. The base station may carry anti-replay parameter 1 in an RRC message to the user equipment; the user equipment may then carry anti-replay parameter 2 when replying to the base station's RRC message, or may omit it, depending on the specific configuration. Correspondingly, the RRC message replying to the base station may be an RRC reconfiguration complete message, an RRC complete message, and so on.
Generating unit 13 is configured to generate the first pre-shared key Kipsec from the air interface key KeNB and the first anti-replay parameter, and to generate the first authentication information AUTH from the first Kipsec.
The user equipment and the base station generate the same air interface key KeNB when air interface security is established. The base station and the user equipment then each apply the configured key derivation function to KeNB and the negotiated anti-replay parameters to generate the first Kipsec and the second Kipsec respectively, and then generate the first AUTH and the second AUTH from the first Kipsec and the second Kipsec. Because the key derivation function is the same, KeNB is the same, and the anti-replay parameters have been negotiated so that the base station and the user equipment each know the peer's anti-replay parameter, the base station and the user equipment can each verify the peer's authentication information against their own.
Determining unit 12 is further configured to determine the IPsec tunnel establishment parameters.
The IPsec tunnel establishment parameters include authentication information and IPsec tunnel transmission parameters. The IPsec tunnel transmission parameters include a first security parameter and a traffic selector that identifies the ingress/egress ports of the data flow protected by IPsec. A security parameter is also called a Security Association (SA) parameter; it includes a security algorithm and the first Kipsec or the second Kipsec. The security algorithm has a security algorithm level, which indicates which algorithm should be preferred, and the first Kipsec or the second Kipsec is the key the security algorithm uses to encrypt the data flow transmitted in the IPsec tunnel. The IPsec tunnel establishment parameters may also include the identity IDi of the user equipment and the identity IDr of the base station.
Verifying unit 14 is configured to verify the first AUTH, the second AUTH and the identity of the user equipment.
After the negotiated IPsec tunnel establishment parameters are obtained, the base station and the user equipment each check whether the peer's authentication information matches their own; if that check passes, the base station then verifies the identity of the user equipment. To verify the identity of the user equipment, the base station compares the identity of the user equipment obtained at air interface connection with the identity of the user equipment that may be carried in the IPsec tunnel establishment parameters; if the parameters arrive in an RRC message, the identity of the user equipment is verified on receipt of that RRC message.
Once the base station and the user equipment have negotiated the IPsec tunnel transmission parameters, establishment of the IPsec tunnel is complete.
In the base station provided by this embodiment of the invention, when the user equipment requests access to the core network through a WLAN, the base station negotiates anti-replay parameters and IPsec tunnel establishment parameters with the user equipment, establishes an IPsec tunnel, and transmits data in the IPsec tunnel according to the IPsec tunnel transmission parameters contained in the tunnel establishment parameters, so that the user equipment accesses the core network securely through the WLAN and the security of data transmission is ensured.
Continuing with Fig. 6, the base station further includes a receiving unit; one specific implementation of the receiving unit is given below:
The receiving unit is specifically configured to obtain the second security parameter negotiated with the user equipment through the first IKEv2 messages.
Specifically, the user equipment sends an IKE_SA_INIT message (the Internet Key Exchange security association initial negotiation message) to the base station. The IKE_SA_INIT message contains HDR, the second security parameter SAi1, the initiator's key exchange value KEi and the nonce Ni; the HDR contains the SPI, which identifies this IPsec tunnel establishment procedure. The base station replies to the IKE_SA_INIT message with a message containing HDR, SAr1, the responder's key exchange value KEr and the nonce Nr, which completes negotiation of the second security parameter between the base station and the user equipment. The second security parameter likewise includes a security algorithm, a security algorithm level and a key. Here the security algorithm level of SAi1 and SAr1 is determined by the IKEv2 messages: SAi1 and SAr1 contain multiple security algorithms, and the algorithm to be used is specified by the security algorithm level. The key is derived from the key exchange values (KEi and KEr) and the nonces (Ni, Nr). The second security parameter is used to encrypt the second IKEv2 messages, which carry the IPsec tunnel establishment parameters.
The receiving unit is further specifically configured to receive the second IKEv2 message, which the user equipment has encrypted according to the second security parameter.
Specifically, the user equipment sends an IKE_AUTH message to the base station, encrypted with the second security parameter. The IKE_AUTH message contains HDR, SK{IDi, AUTH, SAi2, TSi, TSr}, where SK{} denotes that the parameters in the braces are encrypted and protected with the security algorithm and key of the second security parameter. The base station replies to the user equipment's IKE_AUTH message with a message containing HDR, SK{IDr, AUTH, SAr2, TSi, TSr}.
In this embodiment the base station and the user equipment negotiate the IPsec tunnel establishment parameters through IP packets, specifically IKEv2 messages. Because the exchange is carried in IP packets and the identity of the peer has not yet been verified, the security of the transmission cannot be guaranteed. Therefore the security parameter for the messages that carry the IPsec tunnel establishment parameters must be negotiated first, and the message carrying the IPsec tunnel establishment parameters is then encrypted with the negotiated security parameter.
In another alternative implementation of the receiving unit, the user equipment sends the IPsec tunnel establishment parameters to the base station in RRC messages and the receiving unit receives them from the user equipment; that is, the entire IKEv2 exchange for establishing the IPsec tunnel is encapsulated in RRC messages. Because RRC messages guarantee that the sending and receiving peers have been authenticated, the authentication information AUTH and the initiator identity IDi need not be emphasised.
Fig. 7 is a schematic structural diagram of another base station provided by an embodiment of the invention. The base station 2000 includes a transmitting unit 21, a receiving unit 22, a generating unit 23, a determining unit 24 and a verifying unit 25, where:
Transmitting unit 21 is configured to send the Internet Protocol (IP) address of the base station and the anti-replay parameter to the user equipment in an RRC reconfiguration message.
Receiving unit 22 is configured to receive the IP address of the WLAN to which the user equipment is connected and the anti-replay parameter, both sent by the user equipment.
Generating unit 23 is configured to use the configured key derivation function to generate the first pre-shared key Kipsec from the air interface key KeNB and the negotiated anti-replay parameters, and to generate the first authentication information AUTH from the first Kipsec.
Receiving unit 22 is further configured to receive, in an RRC message from the user equipment, the second AUTH and the list of security algorithms supported by the user equipment.
The user equipment sends the parameters required for IPsec tunnel establishment to the base station in an RRC message, and the base station receives them. These required parameters include the authentication information and the list of security algorithms supported by the user equipment; the security algorithms may include encryption algorithms and integrity protection algorithms.
Alternatively, the list of security algorithms supported by the user equipment may be delivered to the base station in advance while the user equipment attaches to the core network (the attach procedure). That is, before S301 the user equipment carries its supported security algorithm list to the MME in the Attach Request message, the MME delivers that list to the base station in the Attach Accept message, the attach procedure of the user equipment is then completed and the default bearer is established.
Determining unit 24 is configured to determine the level of the security algorithm of the first security parameter according to the base station's own security algorithm level list and the list of security algorithms supported by the user equipment.
The base station is configured with a security algorithm level list, which records the correspondence between multiple security algorithms and their security algorithm levels. From this level list and the obtained list of security algorithms supported by the user equipment, the base station determines, among the algorithms the user equipment supports, the level of the security algorithm of the first security parameter; that algorithm is used to protect transmission in the IPsec tunnel. For example, the algorithm with the highest security capability level among those supported by the user equipment may be chosen.
Alternatively, if the list of security algorithms supported by the user equipment was delivered to the base station in advance during the attach procedure, the base station may send its IP address and the determined level of the security algorithm of the first security parameter to the user equipment in the RRC reconfiguration message.
Transmitting unit 21 is further configured to send the IPsec tunnel establishment parameters to the user equipment.
After the authentication information and the first security algorithm have been determined, the base station sends the IPsec tunnel establishment parameters to the user equipment. These parameters include the first security parameter and the TS, and the first security parameter includes the security algorithm and the first Kipsec or the second Kipsec.
In this embodiment, the parameters required for IPsec tunnel establishment are carried in RRC messages rather than in fully encapsulated IKEv2 messages. Because RRC messages themselves ensure the security of data transmission, there is no need to negotiate the second security parameter.
In this embodiment the IPsec tunnel establishment is initiated by the user equipment. Alternatively, the IPsec tunnel establishment may also be initiated by the base station: the base station sends the parameters required for IPsec tunnel establishment to the user equipment in an RRC message, the user equipment determines the level of the security algorithm of the first security parameter from the list of security algorithms it supports and the base station's security algorithm level list, and the user equipment then sends the IPsec tunnel establishment parameters to the base station, which receives them.
Verifying unit 25 is configured to verify the first AUTH and the second AUTH.
Verifying unit 25 is further configured to verify the identity of the user equipment if it verifies that the first AUTH and the second AUTH match.
Fig. 8 is a schematic structural diagram of a user equipment provided by an embodiment of the invention. The user equipment 3000 includes a determining unit 31, a generating unit 32, a transmitting unit 33, a receiving unit 34 and a verifying unit 35, where:
Determining unit 31 is configured to determine the second anti-replay parameter of the user equipment; the first anti-replay parameter and the second anti-replay parameter serve to prevent the base station and the user equipment from generating the same key every time;
Generating unit 32 is configured to generate the second pre-shared key Kipsec from the air interface key KeNB and the second anti-replay parameter, and to generate the second authentication information AUTH from the second Kipsec;
Transmitting unit 33 is configured to send the second AUTH to the base station;
Receiving unit 34 is configured to receive the IPsec tunnel establishment parameters sent by the base station, which include the first AUTH, where the base station generates the first Kipsec from KeNB and the first anti-replay parameter and generates the first AUTH from the first Kipsec;
Verifying unit 35 is configured to verify the first AUTH and the second AUTH.
Further, receiving unit 34 is further configured to receive the Internet Protocol (IP) address of the base station sent by the base station;
Transmitting unit 33 is further configured to send the IP address of the WLAN to which the user equipment is connected to the base station.
In one implementation, transmitting unit 33 is further configured to send the first IKEv2 message to the base station, the first IKEv2 message containing the second security parameter;
Receiving unit 34 is further configured to receive the response message to the first IKEv2 message sent by the base station;
Transmitting unit 33 is further configured to encrypt the second IKEv2 message according to the second security parameter and send the encrypted second IKEv2 message to the base station. The second IKEv2 message contains the IPsec tunnel establishment parameters, which further include the IPsec tunnel transmission parameters, the identity of the user equipment and the IKE header HDR; the HDR contains the SPI that identifies the IPsec tunnel establishment procedure; the IPsec tunnel transmission parameters include the first security parameter and the traffic selector TS that identifies the ingress/egress ports of the data flow protected by IPsec; and the first security parameter includes a security algorithm, which has a configured security algorithm level, and the first Kipsec or the second Kipsec;
Receiving unit 34 is further configured to receive the response message to the second IKEv2 message sent by the base station.
In another implementation, transmitting unit 33 is further configured to send at least one RRC message to the base station;
where the at least one RRC message encapsulates the first IKEv2 message, the response message to the first IKEv2 message, the second IKEv2 message and the response message to the second IKEv2 message.
In yet another implementation, transmitting unit 33 is further configured to send the list of security algorithms supported by the user equipment to the base station in an RRC message, so that the base station determines the level of the security algorithm of the first security parameter according to its own security algorithm level list and the list of security algorithms supported by the user equipment; the security algorithm level list records the correspondence between multiple security algorithms and security algorithm levels;
Receiving unit 34 is further configured to receive the IPsec tunnel establishment parameters sent by the base station, which further include the IPsec tunnel transmission parameters and the IKE header HDR; the HDR contains the SPI that identifies the IPsec tunnel establishment procedure; the IPsec tunnel transmission parameters include the first security parameter and the TS; and the first security parameter includes the security algorithm of the determined level and the first Kipsec or the second Kipsec.
In another implementation, receiving unit 34 is further configured to receive the security algorithm level list of the base station, sent by the base station in an RRC message; the security algorithm level list records the correspondence between multiple security algorithms and security algorithm levels;
Determining unit 31 is further configured to determine the level of the security algorithm of the first security parameter according to the list of security algorithms the user equipment itself supports and the base station's security algorithm level list;
Transmitting unit 33 is further configured to send the IPsec tunnel establishment parameters to the base station; these parameters further include the IPsec tunnel transmission parameters and the IKE header HDR; the HDR contains the SPI that identifies the IPsec tunnel establishment procedure; the IPsec tunnel transmission parameters include the first security parameter and the TS; and the first security parameter includes the security algorithm of the determined level and the first Kipsec or the second Kipsec.
In the user equipment provided by this embodiment of the invention, when the user equipment requests access to the core network through a WLAN, the base station negotiates anti-replay parameters and IPsec tunnel establishment parameters with the user equipment, establishes an IPsec tunnel, and transmits data in the IPsec tunnel according to the IPsec tunnel transmission parameters contained in the tunnel establishment parameters, so that the user equipment accesses the core network securely through the WLAN and the security of data transmission is ensured.
As shown in Figure 9, which is a schematic structural diagram of another base station provided by an embodiment of the present invention for implementing the IPsec tunnel establishment function described above, the base station 4000 includes a transmitter 41 and a processor 42, which are connected to each other through a bus 43. Wherein:
The transmitter is configured to send a first anti-replay parameter to the user equipment;
The processor is configured to determine a second anti-replay parameter of the user equipment, where the first anti-replay parameter and the second anti-replay parameter are used to prevent the base station and the user equipment from generating the same key every time;
The processor is further configured to generate a first pre-shared key Kipsec according to the air interface key KeNB and the first anti-replay parameter, and to generate first authentication information AUTH according to the first Kipsec;
The processor is further configured to determine an IPsec tunnel establishment parameter, where the IPsec tunnel establishment parameter includes a second AUTH, the user equipment generates a second Kipsec according to the KeNB and the second anti-replay parameter, and generates the second AUTH according to the second Kipsec;
The processor is further configured to verify the first AUTH and the second AUTH and the identity of the user equipment.
Further, the transmitter is further configured to send the Internet Protocol IP address of the base station to the user equipment;
The base station further includes a receiver;
The receiver is configured to receive the IP address of the WLAN to which the user equipment is connected, sent by the user equipment.
Further, the IPsec tunnel establishment parameter further includes an IPsec tunnel transmission parameter, the IPsec tunnel transmission parameter includes a first security parameter and an identifier TS of the ingress/egress ports used to identify the data flow protected by IPsec, and the first security parameter includes a security algorithm and the first Kipsec or the second Kipsec.
Further, the receiver is further configured to receive a first Internet Key Exchange version 2 IKEv2 message sent by the user equipment, where the first IKEv2 message includes a second security parameter;
The transmitter is further configured to send a response message to the first IKEv2 message to the user equipment;
The receiver is further configured to receive a second IKEv2 message that the user equipment encrypts according to the second security parameter and sends, where the second IKEv2 message includes the IPsec tunnel establishment parameter;
The transmitter is further configured to send a response message to the second IKEv2 message to the user equipment;
Wherein the IPsec tunnel establishment parameter further includes the identity of the user equipment and an Internet Key Exchange header HDR, the HDR includes an identifier SPI used to identify the IPsec tunnel establishment flow, and the security algorithm is a security algorithm for which a security algorithm level has been set.
Further, the processor is further configured to:
Verify whether the identity of the user equipment is consistent with the identity of the user equipment obtained on the core network side.
Further, the receiver is further configured to receive at least one radio resource control RRC message sent by the user equipment;
Wherein the at least one RRC message encapsulates the first IKEv2 message, the response message to the first IKEv2 message, the second IKEv2 message, and the response message to the second IKEv2 message.
Further, the receiver is further configured to receive the second AUTH and the security algorithm list supported by the user equipment, which the user equipment sends in a radio resource control RRC message;
The processor is further configured to determine the level of the security algorithm of the first security parameter according to its own security algorithm level list and the security algorithm list supported by the user equipment, where the security algorithm level list includes multiple security algorithms and the correspondence between each security algorithm and its security algorithm level;
The transmitter is further configured to send the IPsec tunnel establishment parameter to the user equipment.
Further, the transmitter is further configured to send the second AUTH and the security algorithm level list of the base station to the user equipment in an RRC message, so that the user equipment determines the level of the security algorithm of the first security parameter according to the security algorithm list supported by the user equipment itself and the security algorithm level list of the base station, where the security algorithm level list includes multiple security algorithms and the correspondence between each security algorithm and its security algorithm level;
The receiver is further configured to receive the IPsec tunnel establishment parameter sent by the user equipment.
According to the base station provided by this embodiment of the present invention, when the user equipment requests access to the core network through a WLAN, the base station negotiates the anti-replay parameters and the IPsec tunnel establishment parameter with the user equipment, an IPsec tunnel is established, and data is transmitted in the IPsec tunnel according to the IPsec tunnel transmission parameter included in the tunnel establishment parameter, so that the user equipment securely accesses the core network through the wireless LAN and the security of data transmission is ensured.
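The exchange described above for the base station and user equipment (anti-replay parameters, Kipsec derived from KeNB, mutual AUTH verification, and the security algorithm level negotiation), as an added example that is not part of the patent. The KDF and MAC (HMAC-SHA-256), the role labels, the contents of the level list, the SPI/TS values and the rule of choosing the highest common level are all assumptions; the patent text fixes none of them, and both sides are assumed to hold the same KeNB.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed base-station security algorithm level list (algorithm -> level).
# The patent only says the list maps algorithms to levels; these entries are ours.
BS_LEVEL_LIST = {"NULL": 0, "AES-CBC-128-HMAC-SHA1": 1, "AES-GCM-128": 2, "AES-GCM-256": 3}


def derive_kipsec(k_enb: bytes, anti_replay: bytes) -> bytes:
    """Pre-shared key Kipsec from the air-interface key KeNB and one anti-replay parameter.
    Assumed KDF: HMAC-SHA-256 keyed with KeNB (the patent does not fix the function)."""
    return hmac.new(k_enb, b"Kipsec" + anti_replay, hashlib.sha256).digest()


def compute_auth(kipsec: bytes, role: bytes, nonce_bs: bytes, nonce_ue: bytes) -> bytes:
    """Authentication information AUTH keyed with Kipsec over both anti-replay parameters.
    Assumed construction: HMAC-SHA-256; the role label keeps the two AUTH values distinct."""
    return hmac.new(kipsec, role + nonce_bs + nonce_ue, hashlib.sha256).digest()


def select_algorithm(ue_supported, bs_level_list):
    """Security algorithm level negotiation. Assumed rule: the highest-level algorithm in the
    base station's level list that the UE also supports; None when there is no common one."""
    common = [(level, alg) for alg, level in bs_level_list.items() if alg in ue_supported]
    if not common:
        return None
    level, alg = max(common)
    return alg, level


@dataclass
class TunnelParams:
    """IPsec tunnel establishment parameter as sent by the base station (constructed layout)."""
    spi: bytes        # identifier of this tunnel establishment flow (carried in the HDR)
    ts: tuple         # traffic selector: (protocol, ingress port, egress port)
    algorithm: str    # security algorithm of the negotiated level (first security parameter)
    level: int
    kipsec: bytes     # the first Kipsec carried in the first security parameter
    auth: bytes       # the base station's first AUTH


def run_exchange(k_enb_bs, k_enb_ue, ue_supported, bs_level_list=BS_LEVEL_LIST,
                 nonce_bs=None, nonce_ue=None):
    """Both sides of the exchange. k_enb_bs / k_enb_ue are the KeNB each side holds.
    Returns (bs_accepts_ue, ue_accepts_bs, tunnel_params_or_None)."""
    # 1. Base station sends the first anti-replay parameter; the UE picks the second.
    nonce_bs = secrets.token_bytes(16) if nonce_bs is None else nonce_bs
    nonce_ue = secrets.token_bytes(16) if nonce_ue is None else nonce_ue
    # 2. UE: second Kipsec and second AUTH, sent to the base station over RRC together
    #    with the UE's supported security algorithm list.
    kipsec2 = derive_kipsec(k_enb_ue, nonce_ue)
    auth2 = compute_auth(kipsec2, b"UE", nonce_bs, nonce_ue)
    # 3. Base station: first Kipsec and first AUTH from its own anti-replay parameter, then
    #    recompute the UE's values from the received second parameter and verify AUTH2
    #    in constant time.
    kipsec1 = derive_kipsec(k_enb_bs, nonce_bs)
    auth1 = compute_auth(kipsec1, b"BS", nonce_bs, nonce_ue)
    expected_auth2 = compute_auth(derive_kipsec(k_enb_bs, nonce_ue), b"UE", nonce_bs, nonce_ue)
    bs_accepts_ue = hmac.compare_digest(auth2, expected_auth2)
    if not bs_accepts_ue:
        return False, False, None
    chosen = select_algorithm(ue_supported, bs_level_list)
    if chosen is None:
        return True, False, None
    alg, level = chosen
    params = TunnelParams(spi=secrets.token_bytes(4), ts=("udp", 4500, 4500),
                          algorithm=alg, level=level, kipsec=kipsec1, auth=auth1)
    # 4. UE receives the tunnel establishment parameter and verifies the first AUTH by
    #    recomputing the first Kipsec from the first anti-replay parameter.
    expected_auth1 = compute_auth(derive_kipsec(k_enb_ue, nonce_bs), b"BS", nonce_bs, nonce_ue)
    ue_accepts_bs = hmac.compare_digest(params.auth, expected_auth1)
    return bs_accepts_ue, ue_accepts_bs, params
```

A peer without the air-interface key KeNB cannot produce an acceptable AUTH, and because each run uses fresh anti-replay parameters the derived Kipsec differs from run to run.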
As shown in Figure 10, which is a schematic structural diagram of another user equipment provided by an embodiment of the present invention for implementing the IPsec tunnel establishment function described above, the user equipment 5000 includes a receiver 51, a transmitter 52 and a processor 53, which are connected to each other through a bus 54. Wherein:
The processor is configured to determine a second anti-replay parameter of the user equipment, where the first anti-replay parameter and the second anti-replay parameter are used to prevent the base station and the user equipment from generating the same key every time;
The processor is further configured to generate a second pre-shared key Kipsec according to the air interface key KeNB and the second anti-replay parameter, and to generate second authentication information AUTH according to the second Kipsec;
The transmitter is configured to send the second AUTH to the base station;
The receiver is configured to receive the IPsec tunnel establishment parameter sent by the base station, where the IPsec tunnel establishment parameter includes a first AUTH, the base station generates a first Kipsec according to the KeNB and the first anti-replay parameter, and the base station generates the first AUTH according to the first Kipsec;
The processor is further configured to verify the first AUTH and the second AUTH.
Further, the receiver is further configured to receive the Internet Protocol IP address of the base station sent by the base station;
The transmitter is further configured to send the IP address of the WLAN to which the user equipment is connected to the base station.
Further, the transmitter is further configured to send a first IKEv2 message to the base station, where the first IKEv2 message includes a second security parameter;
The receiver is further configured to receive the response message to the first IKEv2 message sent by the base station;
The transmitter is further configured to encrypt a second IKEv2 message according to the second security parameter and send the encrypted second IKEv2 message to the base station, where the second IKEv2 message includes the IPsec tunnel establishment parameter, the IPsec tunnel establishment parameter further includes an IPsec tunnel transmission parameter, the identity of the user equipment and an Internet Key Exchange header HDR, the HDR includes an identifier SPI used to identify the IPsec tunnel establishment flow, the IPsec tunnel transmission parameter includes a first security parameter and an identifier TS of the ingress/egress ports used to identify the data flow protected by IPsec, the first security parameter includes a security algorithm and the first Kipsec or the second Kipsec, and the security algorithm is a security algorithm for which a security algorithm level has been set;
The receiver is further configured to receive the response message to the second IKEv2 message sent by the base station.
Further, the transmitter is further configured to send at least one RRC message to the base station;
Wherein the at least one RRC message encapsulates the first IKEv2 message, the response message to the first IKEv2 message, the second IKEv2 message, and the response message to the second IKEv2 message.
Further, the transmitter is further configured to send the security algorithm list supported by the user equipment to the base station in an RRC message, so that the base station determines the level of the security algorithm of the first security parameter according to its own security algorithm level list and the security algorithm list supported by the user equipment, where the security algorithm level list includes multiple security algorithms and the correspondence between each security algorithm and its security algorithm level;
The receiver is further configured to receive the IPsec tunnel establishment parameter sent by the base station, where the IPsec tunnel establishment parameter further includes an IPsec tunnel transmission parameter and an Internet Key Exchange header HDR, the HDR includes an identifier SPI used to identify the IPsec tunnel establishment flow, the IPsec tunnel transmission parameter includes the first security parameter and the TS, and the first security parameter includes the security algorithm of the determined level and the first Kipsec or the second Kipsec.
Further, the receiver is further configured to receive the security algorithm level list of the base station, sent by the base station in an RRC message, where the security algorithm level list includes multiple security algorithms and the correspondence between each security algorithm and its security algorithm level;
The processor is further configured to determine the level of the security algorithm of the first security parameter according to the security algorithm list supported by the user equipment itself and the security algorithm level list of the base station;
The transmitter is further configured to send the IPsec tunnel establishment parameter to the base station, where the IPsec tunnel establishment parameter further includes an IPsec tunnel transmission parameter and an Internet Key Exchange header HDR, the HDR includes an identifier SPI used to identify the IPsec tunnel establishment flow, the IPsec tunnel transmission parameter includes the first security parameter and the TS, and the first security parameter includes the security algorithm of the determined level and the first Kipsec or the second Kipsec.
According to the user equipment provided by this embodiment of the present invention, when the user equipment requests access to the core network through a WLAN, the base station negotiates the anti-replay parameters and the IPsec tunnel establishment parameter with the user equipment, an IPsec tunnel is established, and data is transmitted in the IPsec tunnel according to the IPsec tunnel transmission parameter included in the tunnel establishment parameter, so that the user equipment securely accesses the core network through the wireless LAN and the security of data transmission is ensured.
The units in the apparatus of the embodiments of the present invention may be combined, divided and deleted according to actual needs. The different embodiments described in this specification, and the features of different embodiments, may be combined by a person skilled in the art.
Through the above description of the embodiments, it is clear to a person skilled in the art that the present invention may be implemented by hardware, by firmware, or by a combination thereof. When implemented in software, the above functions may be stored in a computer-readable medium or transmitted as one or more instructions or code on a computer-readable medium. Computer-readable media include computer storage media and communication media, where communication media include any medium that facilitates transfer of a computer program from one place to another. A storage medium may be any available medium that can be accessed by a computer. By way of example, and not limitation, a computer-readable medium may include random access memory (Random Access Memory, RAM), read-only memory (Read-Only Memory, ROM), electrically erasable programmable read-only memory (Electrically Erasable Programmable Read-Only Memory, EEPROM), compact disc read-only memory (Compact Disc Read-Only Memory, CD-ROM) or other optical disc storage, magnetic disk storage media or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer. In addition, any connection may properly be termed a computer-readable medium. For example, if the software is transmitted from a website, server or other remote source using a coaxial cable, optical fiber cable, twisted pair, Digital Subscriber Line (DSL), or wireless technologies such as infrared, radio and microwave, then the coaxial cable, optical fiber cable, twisted pair, DSL, or wireless technologies such as infrared, radio and microwave are included in the definition of the medium. As used in the present invention, disk and disc include compact disc (CD), laser disc, optical disc, digital versatile disc (DVD), floppy disk and Blu-ray disc, where a disk usually reproduces data magnetically and a disc reproduces data optically with lasers. Combinations of the above should also be included within the scope of computer-readable media.
In summary, the foregoing is merely a preferred embodiment of the technical solution of the present invention and is not intended to limit the scope of protection of the present invention. Any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall be included in the scope of protection.

Claims (42)

  1. An Internet Protocol Security IPsec tunnel establishment method, characterized in that it comprises:
    a base station sends a first anti-replay parameter to a user equipment;
    the base station determines a second anti-replay parameter of the user equipment, where the first anti-replay parameter and the second anti-replay parameter are used to prevent the base station and the user equipment from generating the same key every time;
    the base station generates a first pre-shared key Kipsec according to an air interface key KeNB and the first anti-replay parameter, and generates first authentication information AUTH according to the first Kipsec;
    the base station determines an IPsec tunnel establishment parameter, where the IPsec tunnel establishment parameter includes a second AUTH, the user equipment generates a second Kipsec according to the KeNB and the second anti-replay parameter, and generates the second AUTH according to the second Kipsec;
    the base station verifies the first AUTH and the second AUTH and the identity of the user equipment.
  2. The method according to claim 1, characterized in that it further comprises:
    the base station sends the Internet Protocol IP address of the base station to the user equipment;
    the base station receives the IP address of the WLAN to which the user equipment is connected, sent by the user equipment.
  3. The method according to claim 1 or 2, characterized in that the IPsec tunnel establishment parameter further includes an IPsec tunnel transmission parameter, the IPsec tunnel transmission parameter includes a first security parameter and an identifier TS of the ingress/egress ports used to identify the data flow protected by IPsec, and the first security parameter includes a security algorithm and the first Kipsec or the second Kipsec.
  4. The method according to claim 3, characterized in that the base station determining the IPsec tunnel establishment parameter comprises:
    the base station receives a first Internet Key Exchange version 2 IKEv2 message sent by the user equipment, where the first IKEv2 message includes a second security parameter;
    the base station sends a response message to the first IKEv2 message to the user equipment;
    the base station receives a second IKEv2 message that the user equipment encrypts according to the second security parameter and sends, where the second IKEv2 message includes the IPsec tunnel establishment parameter;
    the base station sends a response message to the second IKEv2 message to the user equipment;
    wherein the IPsec tunnel establishment parameter further includes the identity of the user equipment and an Internet Key Exchange header HDR, the HDR includes an identifier SPI used to identify the IPsec tunnel establishment flow, and the security algorithm is a security algorithm for which a security algorithm level has been set.
  5. The method according to claim 4, characterized in that the base station verifying the identity of the user equipment comprises:
    the base station verifies whether the identity of the user equipment is consistent with the identity of the user equipment obtained on the core network side.
  6. The method according to claim 4, characterized in that the base station determining the IPsec tunnel establishment parameter comprises:
    the base station receives at least one radio resource control RRC message sent by the user equipment;
    wherein the at least one RRC message encapsulates the first IKEv2 message, the response message to the first IKEv2 message, the second IKEv2 message, and the response message to the second IKEv2 message.
  7. The method according to claim 3, characterized in that the base station determining the IPsec tunnel establishment parameter comprises:
    the base station receives the second AUTH and the security algorithm list supported by the user equipment, which the user equipment sends in a radio resource control RRC message;
    the base station determines the level of the security algorithm of the first security parameter according to its own security algorithm level list and the security algorithm list supported by the user equipment, where the security algorithm level list includes multiple security algorithms and the correspondence between each security algorithm and its security algorithm level;
    the base station sends the IPsec tunnel establishment parameter to the user equipment.
  8. The method according to claim 3, characterized in that the base station determining the IPsec tunnel establishment parameter comprises:
    the base station sends the second AUTH and the security algorithm level list of the base station to the user equipment in an RRC message, so that the user equipment determines the level of the security algorithm of the first security parameter according to the security algorithm list supported by the user equipment itself and the security algorithm level list of the base station, where the security algorithm level list includes multiple security algorithms and the correspondence between each security algorithm and its security algorithm level;
    the base station receives the IPsec tunnel establishment parameter sent by the user equipment.
  9. An IPsec tunnel establishment method, characterized in that it comprises:
    a user equipment receives a first anti-replay parameter sent by a base station;
    the user equipment determines a second anti-replay parameter of the user equipment, where the first anti-replay parameter and the second anti-replay parameter are used to prevent the base station and the user equipment from generating the same key every time;
    the user equipment generates a second pre-shared key Kipsec according to an air interface key KeNB and the second anti-replay parameter, generates second authentication information AUTH according to the second Kipsec, and sends the second AUTH to the base station;
    the user equipment receives an IPsec tunnel establishment parameter sent by the base station, where the IPsec tunnel establishment parameter includes a first AUTH, the base station generates a first Kipsec according to the KeNB and the first anti-replay parameter, and the base station generates the first AUTH according to the first Kipsec;
    the user equipment verifies the first AUTH and the second AUTH.
  10. The method according to claim 9, characterized in that it further comprises:
    the user equipment receives the Internet Protocol IP address of the base station sent by the base station;
    the user equipment sends the IP address of the WLAN to which the user equipment is connected to the base station.
  11. The method according to claim 9 or 10, characterized in that it further comprises:
    the user equipment sends a first IKEv2 message to the base station, where the first IKEv2 message includes a second security parameter;
    the user equipment receives the response message to the first IKEv2 message sent by the base station;
    the user equipment encrypts a second IKEv2 message according to the second security parameter and sends the encrypted second IKEv2 message to the base station, where the second IKEv2 message includes the IPsec tunnel establishment parameter, the IPsec tunnel establishment parameter further includes an IPsec tunnel transmission parameter, the identity of the user equipment and an Internet Key Exchange header HDR, the HDR includes an identifier SPI used to identify the IPsec tunnel establishment flow, the IPsec tunnel transmission parameter includes a first security parameter and an identifier TS of the ingress/egress ports used to identify the data flow protected by IPsec, the first security parameter includes a security algorithm and the first Kipsec or the second Kipsec, and the security algorithm is a security algorithm for which a security algorithm level has been set;
    the user equipment receives the response message to the second IKEv2 message sent by the base station.
  12. The method according to claim 11, characterized in that it further comprises:
    the user equipment sends at least one RRC message to the base station;
    wherein the at least one RRC message encapsulates the first IKEv2 message, the response message to the first IKEv2 message, the second IKEv2 message, and the response message to the second IKEv2 message.
  13. The method according to claim 9 or 10, characterized in that it further comprises:
    the user equipment sends the security algorithm list supported by the user equipment to the base station in an RRC message, so that the base station determines the level of the security algorithm of the first security parameter according to its own security algorithm level list and the security algorithm list supported by the user equipment, where the security algorithm level list includes multiple security algorithms and the correspondence between each security algorithm and its security algorithm level;
    the user equipment receives the IPsec tunnel establishment parameter sent by the base station, where the IPsec tunnel establishment parameter further includes an IPsec tunnel transmission parameter and an Internet Key Exchange header HDR, the HDR includes an identifier SPI used to identify the IPsec tunnel establishment flow, the IPsec tunnel transmission parameter includes the first security parameter and the TS, and the first security parameter includes the security algorithm of the determined level and the first Kipsec or the second Kipsec.
  14. The method according to claim 9 or 10, characterized in that it further comprises:
    the user equipment receives the security algorithm level list of the base station, sent by the base station in an RRC message, where the security algorithm level list includes multiple security algorithms and the correspondence between each security algorithm and its security algorithm level;
    the user equipment determines the level of the security algorithm of the first security parameter according to the security algorithm list supported by the user equipment itself and the security algorithm level list of the base station;
    the user equipment sends the IPsec tunnel establishment parameter to the base station, where the IPsec tunnel establishment parameter further includes an IPsec tunnel transmission parameter and an Internet Key Exchange header HDR, the HDR includes an identifier SPI used to identify the IPsec tunnel establishment flow, the IPsec tunnel transmission parameter includes the first security parameter and the TS, and the first security parameter includes the security algorithm of the determined level and the first Kipsec or the second Kipsec.
  15. A base station, characterized in that it comprises:
    a transmitting unit, configured to send a first anti-replay parameter to a user equipment;
    a determining unit, configured to determine a second anti-replay parameter of the user equipment, where the first anti-replay parameter and the second anti-replay parameter are used to prevent the base station and the user equipment from generating the same key every time;
    a generating unit, configured to generate a first pre-shared key Kipsec according to an air interface key KeNB and the first anti-replay parameter, and to generate first authentication information AUTH according to the first Kipsec;
    the determining unit is further configured to determine an IPsec tunnel establishment parameter, where the IPsec tunnel establishment parameter includes a second AUTH, the user equipment generates a second Kipsec according to the KeNB and the second anti-replay parameter, and generates the second AUTH according to the second Kipsec;
    a verifying unit, configured to verify the first AUTH and the second AUTH and the identity of the user equipment.
  16. The base station according to claim 14, characterized in that:
    the transmitting unit is further configured to send the Internet Protocol IP address of the base station to the user equipment;
    the base station further includes a receiving unit;
    the receiving unit is configured to receive the IP address of the WLAN to which the user equipment is connected, sent by the user equipment.
  17. The base station according to claim 15, characterized in that the IPsec tunnel establishment parameter further includes an IPsec tunnel transmission parameter, the IPsec tunnel transmission parameter includes a first security parameter and an identifier TS of the ingress/egress ports used to identify the data flow protected by IPsec, and the first security parameter includes a security algorithm and the first Kipsec or the second Kipsec.
  18. The base station according to claim 16, characterized in that:
    the receiving unit is further configured to receive a first Internet Key Exchange version 2 IKEv2 message sent by the user equipment, where the first IKEv2 message includes a second security parameter;
    the transmitting unit is further configured to send a response message to the first IKEv2 message to the user equipment;
    the receiving unit is further configured to receive a second IKEv2 message that the user equipment encrypts according to the second security parameter and sends, where the second IKEv2 message includes the IPsec tunnel establishment parameter;
    the transmitting unit is further configured to send a response message to the second IKEv2 message to the user equipment;
    wherein the IPsec tunnel establishment parameter further includes the identity of the user equipment and an Internet Key Exchange header HDR, the HDR includes an identifier SPI used to identify the IPsec tunnel establishment flow, and the security algorithm is a security algorithm for which a security algorithm level has been set.
  19. The base station according to claim 17, characterized in that the verifying unit is specifically configured to:
    verify whether the identity of the user equipment is consistent with the identity of the user equipment obtained on the core network side.
  20. The base station according to claim 16, characterized in that:
    the receiving unit is further configured to receive at least one radio resource control RRC message sent by the user equipment;
    wherein the at least one RRC message encapsulates the first IKEv2 message, the response message to the first IKEv2 message, the second IKEv2 message, and the response message to the second IKEv2 message.
  21. The base station according to claim 16, characterized in that:
    the receiving unit is further configured to receive the second AUTH and the security algorithm list supported by the user equipment, which the user equipment sends in a radio resource control RRC message;
    the determining unit is further configured to determine the level of the security algorithm of the first security parameter according to its own security algorithm level list and the security algorithm list supported by the user equipment, where the security algorithm level list includes multiple security algorithms and the correspondence between each security algorithm and its security algorithm level;
    the transmitting unit is further configured to send the IPsec tunnel establishment parameter to the user equipment.
  22. The base station according to claim 16, characterized in that:
    the transmitting unit is further configured to send the second AUTH and the security algorithm level list of the base station to the user equipment in an RRC message, so that the user equipment determines the level of the security algorithm of the first security parameter according to the security algorithm list supported by the user equipment itself and the security algorithm level list of the base station, where the security algorithm level list includes multiple security algorithms and the correspondence between each security algorithm and its security algorithm level;
    the receiving unit is further configured to receive the IPsec tunnel establishment parameter sent by the user equipment.
  23. A kind of user equipment, it is characterised in that including:
    Determining unit, the second anti-playback parameters for determining user equipment, the first anti-playback parameters are respectively used to prevent the base station identical with the key that the user equipment is generated every time with the second anti-playback parameters;
    Generation unit, for generating the second wildcard Kipsec according to air interface key KeNB and the second anti-playback parameters, and generates the second authentication information AUTH according to the 2nd Kipsec;
    Transmitting element, for sending the 2nd AUTH to the base station;
    Receiving unit, for receiving the IPsec tunnel building parameters that the base station is sent, the IPsec tunnel buildings parameter includes the first AUTH, wherein, the base station generates the first Kipsec according to the KeNB and the first anti-playback parameters, and the base station generates the first AUTH according to the first Kipsec;
    Authentication unit, for verifying the first AUTH and the 2nd AUTH.
  24. The user equipment as claimed in claim 22, characterized in that:
    the receiving unit is further configured to receive the internet protocol IP address of the base station sent by the base station;
    the transmitting element is further configured to send, to the base station, the IP address of the WLAN to which the user equipment is connected.
  25. The user equipment as claimed in claim 22 or 23, characterized in that:
    the transmitting element is further configured to send a first IKEv2 message to the base station, the first IKEv2 message including a second security parameter;
    the receiving unit is further configured to receive a response message to the first IKEv2 message sent by the base station;
    the transmitting element is further configured to encrypt a second IKEv2 message according to the second security parameter and send the encrypted second IKEv2 message to the base station, the second IKEv2 message including the IPsec tunnel establishment parameter, where the IPsec tunnel establishment parameter further includes an IPsec tunnel transmission parameter, the identity of the user equipment, and an internet key exchange header HDR; the HDR includes an identifier SPI used to identify the IPsec tunnel establishment flow; the IPsec tunnel transmission parameter includes a first security parameter and an identifier TS used to identify the ingress/egress ports of the data flow protected by IPsec; the first security parameter includes a security algorithm and the first Kipsec or the second Kipsec; and the security algorithm is a security algorithm provided with a security algorithm level;
    the receiving unit is further configured to receive a response message to the second IKEv2 message sent by the base station.
  26. The user equipment as claimed in claim 24, characterized in that:
    the transmitting element is further configured to send at least one RRC message to the base station;
    where the at least one RRC message encapsulates the first IKEv2 message, the response message to the first IKEv2 message, the second IKEv2 message, and the response message to the second IKEv2 message.
  27. The user equipment as claimed in claim 22 or 23, characterized in that:
    the transmitting element is further configured to send the security algorithm list supported by the user equipment to the base station by RRC message, so that the base station determines the level of the security algorithm of the first security parameter according to its own security algorithm level list and the security algorithm list supported by the user equipment, the security algorithm level list including multiple security algorithms and the corresponding relation of security algorithm levels;
    the receiving unit is further configured to receive the IPsec tunnel establishment parameter sent by the base station, where the IPsec tunnel establishment parameter further includes an IPsec tunnel transmission parameter and an internet key exchange header HDR, the HDR includes the identifier SPI used to identify the IPsec tunnel establishment flow, the IPsec tunnel transmission parameter includes the first security parameter and the TS, and the first security parameter includes the security algorithm whose level has been determined and the first Kipsec or the second Kipsec.
  28. The user equipment as claimed in claim 22 or 23, characterized in that:
    the receiving unit is further configured to receive the security algorithm level list of the base station sent by the base station by RRC message, the security algorithm level list including multiple security algorithms and the corresponding relation of security algorithm levels;
    the determining unit is further configured to determine the level of the security algorithm of the first security parameter according to the security algorithm list supported by the user equipment and the security algorithm level list of the base station;
    the transmitting element is further configured to send the IPsec tunnel establishment parameter to the base station, where the IPsec tunnel establishment parameter further includes an IPsec tunnel transmission parameter and an internet key exchange header HDR, the HDR includes the identifier SPI used to identify the IPsec tunnel establishment flow, the IPsec tunnel transmission parameter includes the first security parameter and the TS, and the first security parameter includes the security algorithm whose level has been determined and the first Kipsec or the second Kipsec.
  29. A base station, characterized in that it includes a transmitter and a processor;
    the transmitter is configured to send a first anti-replay parameter to a user equipment;
    the processor is configured to determine a second anti-replay parameter of the user equipment, where the first anti-replay parameter and the second anti-replay parameter are used respectively to prevent the keys generated by the base station and by the user equipment from being identical each time;
    the processor is further configured to generate a first pre-shared key Kipsec according to an air interface key KeNB and the first anti-replay parameter, and to generate first authentication information AUTH according to the first Kipsec;
    the processor is further configured to determine an IPsec tunnel establishment parameter, where the IPsec tunnel establishment parameter includes a second AUTH, the user equipment generates a second Kipsec according to the KeNB and the second anti-replay parameter, and the user equipment generates the second AUTH according to the second Kipsec;
    the processor is further configured to verify the first AUTH, the second AUTH, and the identity of the user equipment.
  30. The base station as claimed in claim 28, characterized in that:
    the transmitter is further configured to send the internet protocol IP address of the base station to the user equipment;
    the base station further includes a receiver;
    the receiver is further configured to receive the IP address of the WLAN to which the user equipment is connected, sent by the user equipment.
  31. The base station as claimed in claim 29, characterized in that the IPsec tunnel establishment parameter further includes an IPsec tunnel transmission parameter; the IPsec tunnel transmission parameter includes a first security parameter and an identifier TS used to identify the ingress/egress ports of the data flow protected by IPsec; and the first security parameter includes a security algorithm and the first Kipsec or the second Kipsec.
  32. The base station as claimed in claim 30, characterized in that:
    the receiver is further configured to receive a first internet key exchange version 2 IKEv2 message sent by the user equipment, the first IKEv2 message including a second security parameter;
    the transmitter is further configured to send a response message to the first IKEv2 message to the user equipment;
    the receiver is further configured to receive a second IKEv2 message that the user equipment encrypts according to the second security parameter and sends, the second IKEv2 message including the IPsec tunnel establishment parameter;
    the transmitter is further configured to send a response message to the second IKEv2 message to the user equipment;
    where the IPsec tunnel establishment parameter further includes the identity of the user equipment and an internet key exchange header HDR, the HDR includes an identifier SPI used to identify the IPsec tunnel establishment flow, and the security algorithm is a security algorithm provided with a security algorithm level.
  33. The base station as claimed in claim 31, characterized in that the processor is further configured to:
    verify whether the identity of the user equipment is consistent with the identity of the user equipment acquired from the core-network side.
  34. The base station as claimed in claim 30, characterized in that:
    the receiver is further configured to receive at least one radio resource control RRC message sent by the user equipment;
    where the at least one RRC message encapsulates the first IKEv2 message, the response message to the first IKEv2 message, the second IKEv2 message, and the response message to the second IKEv2 message.
  35. The base station as claimed in claim 30, characterized in that:
    the receiver is further configured to receive the second AUTH and the security algorithm list supported by the user equipment, sent by the user equipment by radio resource control RRC message;
    the processor is further configured to determine the level of the security algorithm of the first security parameter according to its own security algorithm level list and the security algorithm list supported by the user equipment, the security algorithm level list including multiple security algorithms and the corresponding relation of security algorithm levels;
    the transmitter is further configured to send the IPsec tunnel establishment parameter to the user equipment.
  36. The base station as claimed in claim 30, characterized in that:
    the transmitter is further configured to send the second AUTH and the security algorithm level list of the base station to the user equipment by RRC message, so that the user equipment determines the level of the security algorithm of the first security parameter according to the security algorithm list it supports and the security algorithm level list of the base station, the security algorithm level list including multiple security algorithms and the corresponding relation of security algorithm levels;
    the receiver is further configured to receive the IPsec tunnel establishment parameter sent by the user equipment.
  37. A user equipment, characterized in that it includes a processor, a transmitter and a receiver; where
    the processor is configured to determine a second anti-replay parameter of the user equipment, where a first anti-replay parameter and the second anti-replay parameter are used respectively to prevent the keys generated by the base station and by the user equipment from being identical each time;
    the processor is further configured to generate a second pre-shared key Kipsec according to an air interface key KeNB and the second anti-replay parameter, and to generate second authentication information AUTH according to the second Kipsec;
    the transmitter is configured to send the second AUTH to the base station;
    the receiver is configured to receive an IPsec tunnel establishment parameter sent by the base station, where the IPsec tunnel establishment parameter includes a first AUTH, the base station generates a first Kipsec according to the KeNB and the first anti-replay parameter, and the base station generates the first AUTH according to the first Kipsec;
    the processor is further configured to verify the first AUTH and the second AUTH.
  38. The user equipment as claimed in claim 36, characterized in that:
    the receiver is further configured to receive the internet protocol IP address of the base station sent by the base station;
    the transmitter is further configured to send, to the base station, the IP address of the WLAN to which the user equipment is connected.
  39. The user equipment as claimed in claim 36 or 37, characterized in that:
    the transmitter is further configured to send a first IKEv2 message to the base station, the first IKEv2 message including a second security parameter;
    the receiver is further configured to receive a response message to the first IKEv2 message sent by the base station;
    the transmitter is further configured to encrypt a second IKEv2 message according to the second security parameter and send the encrypted second IKEv2 message to the base station, the second IKEv2 message including the IPsec tunnel establishment parameter, where the IPsec tunnel establishment parameter further includes an IPsec tunnel transmission parameter, the identity of the user equipment, and an internet key exchange header HDR; the HDR includes an identifier SPI used to identify the IPsec tunnel establishment flow; the IPsec tunnel transmission parameter includes a first security parameter and an identifier TS used to identify the ingress/egress ports of the data flow protected by IPsec; the first security parameter includes a security algorithm and the first Kipsec or the second Kipsec; and the security algorithm is a security algorithm provided with a security algorithm level;
    the receiver is further configured to receive a response message to the second IKEv2 message sent by the base station.
  40. The user equipment as claimed in claim 38, characterized in that:
    the transmitter is further configured to send at least one RRC message to the base station;
    where the at least one RRC message encapsulates the first IKEv2 message, the response message to the first IKEv2 message, the second IKEv2 message, and the response message to the second IKEv2 message.
  41. The user equipment as claimed in claim 36 or 37, characterized in that:
    the transmitter is further configured to send the security algorithm list supported by the user equipment to the base station by RRC message, so that the base station determines the level of the security algorithm of the first security parameter according to its own security algorithm level list and the security algorithm list supported by the user equipment, the security algorithm level list including multiple security algorithms and the corresponding relation of security algorithm levels;
    the receiver is further configured to receive the IPsec tunnel establishment parameter sent by the base station, where the IPsec tunnel establishment parameter further includes an IPsec tunnel transmission parameter and an internet key exchange header HDR, the HDR includes the identifier SPI used to identify the IPsec tunnel establishment flow, the IPsec tunnel transmission parameter includes the first security parameter and the TS, and the first security parameter includes the security algorithm whose level has been determined and the first Kipsec or the second Kipsec.
  42. The user equipment as claimed in claim 36 or 37, characterized in that:
    the receiver is further configured to receive the security algorithm level list of the base station sent by the base station by RRC message, the security algorithm level list including multiple security algorithms and the corresponding relation of security algorithm levels;
    the processor is further configured to determine the level of the security algorithm of the first security parameter according to the security algorithm list supported by the user equipment and the security algorithm level list of the base station;
    the transmitter is further configured to send the IPsec tunnel establishment parameter to the base station, where the IPsec tunnel establishment parameter further includes an IPsec tunnel transmission parameter and an internet key exchange header HDR, the HDR includes the identifier SPI used to identify the IPsec tunnel establishment flow, the IPsec tunnel transmission parameter includes the first security parameter and the TS, and the first security parameter includes the security algorithm whose level has been determined and the first Kipsec or the second Kipsec.
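The key-derivation and mutual-verification flow that claims 23, 29, 33 and 37 describe (each side derives its Kipsec from KeNB and an anti-replay parameter, generates an AUTH from it, and the peer verifies that AUTH and, on the base station side, the UE identity against the one obtained from the core network), as an added example that is not the patent's own code. The KDF, the AUTH construction, the parameter sizes, and all sample values are assumptions: the claims name KeNB, the anti-replay parameters, Kipsec and AUTH but fix no concrete algorithm, so HMAC-SHA256 is used for both.

```python
import hashlib
import hmac
import os

# Constructed sample values, not from the patent: a 256-bit KeNB already shared by
# both sides after air-interface security activation, and the UE identity that the
# base station obtained from the core network.
KENB = hashlib.sha256(b"constructed KeNB for the example").digest()
CORE_UE_IDENTITY = b"ue-identity-placeholder"
BS_IDENTITY = b"enb-identity-placeholder"


def derive_kipsec(kenb: bytes, anti_replay: bytes) -> bytes:
    """Kipsec = KDF(KeNB, anti-replay parameter). HMAC-SHA256 is an assumed KDF;
    the anti-replay parameter is what makes Kipsec differ on each establishment."""
    return hmac.new(kenb, b"Kipsec" + anti_replay, hashlib.sha256).digest()


def make_auth(kipsec: bytes, identity: bytes, anti_replay: bytes) -> bytes:
    """AUTH = MAC(Kipsec, identity || anti-replay parameter); an assumed construction
    that binds the AUTH to the sending party and to the fresh parameter."""
    return hmac.new(kipsec, b"AUTH" + identity + anti_replay, hashlib.sha256).digest()


class BaseStation:
    def __init__(self, kenb: bytes, identity_from_core: bytes):
        self.kenb = kenb
        self.identity_from_core = identity_from_core
        self.first_param = os.urandom(16)            # first anti-replay parameter
        self.kipsec = derive_kipsec(kenb, self.first_param)
        self.auth = make_auth(self.kipsec, BS_IDENTITY, self.first_param)

    def verify_ue(self, second_param: bytes, second_auth: bytes, ue_identity: bytes) -> bool:
        # The base station determines the UE's second anti-replay parameter, so it can
        # recompute the second Kipsec and AUTH; it then checks the claimed identity
        # against the identity acquired from the core-network side (claim 33).
        expected = make_auth(derive_kipsec(self.kenb, second_param), ue_identity, second_param)
        return hmac.compare_digest(expected, second_auth) and \
            hmac.compare_digest(ue_identity, self.identity_from_core)


class UserEquipment:
    def __init__(self, kenb: bytes, identity: bytes):
        self.kenb = kenb
        self.identity = identity
        self.second_param = os.urandom(16)           # second anti-replay parameter
        self.kipsec = derive_kipsec(kenb, self.second_param)
        self.auth = make_auth(self.kipsec, identity, self.second_param)

    def verify_bs(self, first_param: bytes, first_auth: bytes) -> bool:
        # The UE received the first anti-replay parameter over RRC, so it can
        # recompute the first Kipsec and AUTH and compare in constant time.
        expected = make_auth(derive_kipsec(self.kenb, first_param), BS_IDENTITY, first_param)
        return hmac.compare_digest(expected, first_auth)


def run_exchange(ue_identity: bytes = CORE_UE_IDENTITY, tamper_auth: bool = False) -> dict:
    """Walk the claimed flow once: the base station sends its anti-replay parameter,
    the UE answers with the second AUTH, the first AUTH travels in the IPsec tunnel
    establishment parameter, and each side verifies the other. tamper_auth models a
    second AUTH that was modified in transit."""
    bs = BaseStation(KENB, CORE_UE_IDENTITY)
    ue = UserEquipment(KENB, ue_identity)
    second_auth = bytes(b ^ 1 for b in ue.auth) if tamper_auth else ue.auth
    return {
        "bs_accepts_ue": bs.verify_ue(ue.second_param, second_auth, ue.identity),
        "ue_accepts_bs": ue.verify_bs(bs.first_param, bs.auth),
        "bs_kipsec": bs.kipsec,
        "ue_kipsec": ue.kipsec,
    }
```

Two successive runs yield different Kipsec values because each side draws a fresh anti-replay parameter, which is the property the claims attribute to those parameters.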

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2015/093536 WO2017070973A1 (en) 2015-10-31 2015-10-31 Internet protocol security tunnel establishing method, user equipment and base station

Publications (2)

Publication Number Publication Date
CN107005410A true CN107005410A (en) 2017-08-01
CN107005410B CN107005410B (en) 2020-06-26

Family

ID=58629757

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201580035366.5A Active CN107005410B (en) 2015-10-31 2015-10-31 Internet protocol security tunnel establishment method, user equipment and base station

Country Status (2)

Country Link
CN (1) CN107005410B (en)
WO (1) WO2017070973A1 (en)




Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20200601

Address after: Room 208, floor 2, East distribution building, Dongsheng science and Technology Park, Zhongguancun, No.18, Xueqing Road, Haidian District, Beijing 100080

Applicant after: GRABLAN (BEIJING) SOFTWARE ENGINEERING Co.,Ltd.

Applicant after: HUAWEI TECHNOLOGIES Co.,Ltd.

Address before: 518129 Bantian HUAWEI headquarters office building, Longgang District, Guangdong, Shenzhen

Applicant before: HUAWEI TECHNOLOGIES Co.,Ltd.

GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20200709

Address after: Room 208, floor 2, East distribution building, Dongsheng science and Technology Park, Zhongguancun, No.18, Xueqing Road, Haidian District, Beijing 100080

Patentee after: GRABLAN (BEIJING) SOFTWARE ENGINEERING Co.,Ltd.

Address before: Room 208, floor 2, East distribution building, Dongsheng science and Technology Park, Zhongguancun, No.18, Xueqing Road, Haidian District, Beijing 100080

Co-patentee before: HUAWEI TECHNOLOGIES Co.,Ltd.

Patentee before: GRABLAN (BEIJING) SOFTWARE ENGINEERING Co.,Ltd.