CN1937487A - LTE authentication and encryption method - Google Patents


Publication number
CN1937487A
CN1937487A CN 200510086496 CN200510086496A CN1937487A CN 1937487 A CN1937487 A CN 1937487A CN 200510086496 CN200510086496 CN 200510086496 CN 200510086496 A CN200510086496 A CN 200510086496A CN 1937487 A CN1937487 A CN 1937487A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN 200510086496
Other languages
Chinese (zh)
Inventor
王弘
刘美丽
李小强
胡威亚
罗威
崔成豪
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Samsung Telecommunications Technology Research Co Ltd
Samsung Electronics Co Ltd
Original Assignee
Beijing Samsung Telecommunications Technology Research Co Ltd
Samsung Electronics Co Ltd
Application filed by Beijing Samsung Telecommunications Technology Research Co Ltd, Samsung Electronics Co Ltd
Priority to CN 200510086496
Publication of CN1937487A

Abstract

The method includes the steps: (1) the ECN sends information related to authentication and security to the ERAN; (2) the ERAN stores the information, generates a random number, produces a first message according to the received information, and sends it to the UE so that the UE can authenticate the network. The method reduces signalling-plane interaction. If the network needs to perform the AKA procedure and the local ciphering procedure before the plane is established, the setup of the user plane can be reduced without lowering the security of the AKA procedure and the local ciphering procedure.

Description

Authentication and encryption method in LTE
Technical field
The present invention relates to a method of authenticating users and encrypting in the Long Term Evolution (hereinafter LTE) system architecture of the mobile communication system proposed by the 3rd Generation Partnership Project (hereinafter 3GPP).
Background art
A WCDMA (Wideband Code Division Multiple Access) system can provide high-volume packet data services, such as networking services, and can also provide circuit-domain services, such as voice.
Fig. 1 shows the system architecture for packet data transmission in the 3rd Generation Partnership Project (hereinafter 3GPP).
In Fig. 1, 101 E-PDN (External Packet Data Network) is the external public data network, which provides various types of packet data. Packet data is transferred from the external network through predetermined interface 102 to 103, the Gateway GPRS Support Node (hereinafter GGSN; GPRS stands for General Packet Radio Service). Interface 102 is the interface between the external network and the GGSN. After the GGSN receives the data, it sends the data through interface 104 to 105, the Serving GPRS Support Node (hereinafter SGSN). The GGSN and the SGSN are connected by a tunnel; interface 104 conforms to the Gn interface protocol, and the standard for this interface is specified in TS25.413. After the SGSN receives the data, it needs to send the data to 107, the Serving Radio Network Controller (hereinafter SRNC). In WCDMA, the SGSN and the RNC are connected by a tunnel. If the data transmission tunnel has not yet been set up, the SGSN sends messages over predetermined interface 106 to set up the data bearer with the SRNC; if the tunnel has been set up, the SGSN sends the data to the SRNC over interface 106. Interface 106 conforms to the Iu interface protocol, and the Iu interface standard comprises the control plane protocol (hereinafter the RNSAP protocol) and the data plane protocol. The RNSAP protocol includes the signalling procedures for setting up the data plane, and the data plane protocol specifies the format of the data transmitted over the Iu interface. After 107 SRNC receives the data, it needs to send the data to 109, the base station (hereinafter Node B). If the data bearer between the SRNC and the Node B has not yet been set up, the SRNC sends messages over predetermined interface 108 to set up the data bearer with the base station, and sends a message to the UE to set up the radio link between the base station and the UE. After the data bearer has been set up, the SRNC is responsible for packing the data into the predetermined format and sending it to base station 109 over interface 108. Interface 108 is the Iub interface, whose standard comprises the control plane protocol (hereinafter the NBAP protocol) and the data plane protocol. The NBAP protocol includes the signalling procedures for setting up the Iub data bearer, and the data plane protocol specifies the format of the data transmitted over the Iub interface. Base station 109 sends the data to 110 UE over the radio link of the air interface. In general, the RNC and the Node B together are called the RAN (Radio Access Network), and the SGSN and the GGSN are called the CN (Core Network).
In 3GPP, the network needs to authenticate the user, and the user also needs to authenticate the network. Authentication comprises two procedures. One is the authentication and key agreement (AKA) procedure, in which the SGSN and the UE exchange authentication information and cipher keys directly. The other is the local authentication procedure, in which security-related parameters are exchanged between the SRNC and the UE. After both steps succeed, integrity protection can be started for signalling. The SRNC also starts ciphering protection of data and signalling.
Fig. 2 is a schematic diagram of the integrity protection algorithm. Integrity protection is applied by the UE and the SRNC to the RRC messages produced by the RRC module. For the detailed procedure, refer to the 3GPP specifications. The input parameters of the algorithm include COUNT-I, FRESH, IK, and so on.
- COUNT-I is a 32-bit parameter. In WCDMA, radio bearers are divided, according to the kind of signal they carry, into signalling bearers (Signalling Radio Bearer, SRB) and data bearers (Radio Bearer, RB). Each signalling bearer has one COUNT-I for the uplink and one COUNT-I for the downlink. COUNT-I consists of two parts: a short sequence number and a long sequence number. The short sequence number occupies the low-order bits of COUNT-I and the long sequence number occupies the high-order bits. The short sequence number is the 4-bit Radio Resource Control (RRC) sequence number; the RRC sequence number increases by 1 for every RRC PDU sent. The long sequence number is the 28-bit RRC hyper frame number (RRC HFN); each time the short sequence number reaches its maximum, the HFN increases by 1 and the short sequence number starts counting from 0 again for the next cycle.
The RRC HFN is initialised from a value called START: the terminal and the RNC initialise the high-order 20 bits of the RRC HFN to the value of START and the remaining bits of the RRC HFN to 0.
The high-order 28 bits of COUNT-I are known as the RRC hyper frame number (HFN); when the UE initialises the HFN, the high-order 20 bits are initialised to the START value. START is a parameter stored on the terminal and the USIM; the terminal and the USIM hold one START value for the CS domain and one START value for the PS domain. START is 20 bits long. After the terminal is switched on and the USIM is inserted, the ME obtains the START value from the USIM and stores it. When the terminal is switched off or the USIM card is removed, the terminal deletes the START value. In idle state, the START values stored in the ME and the USIM are the same. When a radio connection is set up, the terminal sends the START value to the RNC in the "RRC Connection Setup Complete" message.
- FRESH is a random number generated by the SRNC; the SRNC needs to send this random number to the UE.
- IK (Integrity Key) is computed by the UE with the default algorithm from the parameters RAND and AUTN sent by the SGSN. The SGSN needs to send IK to the SRNC.
- DIRECTION is set to 0 if the message is sent from the UE to the SRNC, and to 1 if the message is sent from the SRNC to the UE.
- MESSAGE is the RRC message to be integrity protected.
Fig. 3 is a schematic diagram of the ciphering algorithm. Ciphering is performed at the radio link control layer (hereinafter RLC layer) or the medium access control layer (hereinafter MAC layer) of the UE and the SRNC. RLC has three modes: AM mode supports retransmission of data; UM mode can segment data; TM mode is transparent transmission. For AM and UM modes ciphering is performed at the RLC layer, and for TM mode it is performed at the MAC layer. For the detailed ciphering procedure, refer to the 3GPP specifications. The input parameters of the ciphering algorithm include COUNT-C, FRESH, CK, and so on.
- COUNT-C is a 32-bit parameter. Each radio bearer that uses RLC AM mode or RLC UM mode, which generally includes signalling bearers and data bearers, has one COUNT-C for the uplink and one COUNT-C for the downlink. All radio bearers in the same domain that use RLC-TM mode share a single COUNT-C, used for both uplink and downlink. COUNT-C consists of two parts: a short sequence number and a long sequence number. The short sequence number occupies the low-order bits and the long sequence number occupies the high-order bits. How COUNT-C is updated depends on the transmission mode.
For RLC TM on a dedicated channel, the short sequence number is the 8-bit connection frame number (hereinafter CFN) and the long sequence number is the 24-bit dedicated MAC layer hyper frame number (hereinafter MAC-d HFN); the long sequence number increases by 1 for each CFN cycle.
For RLC-UM, the short sequence number is the 7-bit RLC sequence number (RLC SN) and the long sequence number is the 25-bit RLC UM HFN; the long sequence number increases by 1 for each RLC SN cycle.
For RLC-AM, the short sequence number is the 12-bit RLC sequence number (RLC SN) and the long sequence number is the 20-bit RLC UM HFN; the long sequence number increases by 1 for each RLC SN cycle.
When the UE initialises the HFN, the high-order 20 bits are initialised to the START value and the remaining bits of the HFN are initialised to 0.
- FRESH is a random number generated by the SRNC; the SRNC needs to send this random number to the UE.
- CK (Ciphering Key) is computed by the UE with a predetermined algorithm from the parameters RAND and AUTN sent by the SGSN. The SGSN needs to send CK to the SRNC.
- BEARER is the identifier of the radio bearer.
- DIRECTION is set to 0 if the message is sent from the UE to the SRNC, and to 1 if the message is sent from the RNC to the UE.
- LENGTH is the length of the KEYSTREAM BLOCK.
- PLAINTEXT BLOCK is the data packet to be encrypted.
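The COUNT-I and COUNT-C layouts described above can be modelled directly. The Python below is an added example, not part of the patent text; the class and method names are hypothetical, and raising an error when the full 32-bit COUNT is used up is an assumption made here so that a counter value is never reused under the same key.

```python
from dataclasses import dataclass

COUNT_BITS = 32
START_BITS = 20

# Width of the short sequence number for each counter, as given in the text.
SHORT_SN_BITS = {
    "COUNT-I": 4,          # RRC SN; the RRC HFN is 28 bits
    "COUNT-C RLC-TM": 8,   # CFN; the MAC-d HFN is 24 bits
    "COUNT-C RLC-UM": 7,   # RLC SN; the HFN is 25 bits
    "COUNT-C RLC-AM": 12,  # RLC SN; the HFN is 20 bits
}


@dataclass
class Count:
    kind: str
    hfn: int      # long sequence number (high-order bits)
    sn: int = 0   # short sequence number (low-order bits)

    @property
    def sn_bits(self) -> int:
        return SHORT_SN_BITS[self.kind]

    @property
    def hfn_bits(self) -> int:
        return COUNT_BITS - self.sn_bits

    @classmethod
    def from_start(cls, kind: str, start: int) -> "Count":
        """Initialise the HFN: START fills its 20 high-order bits, the rest are 0."""
        if not 0 <= start < (1 << START_BITS):
            raise ValueError("START must fit in 20 bits")
        hfn_bits = COUNT_BITS - SHORT_SN_BITS[kind]
        return cls(kind, start << (hfn_bits - START_BITS))

    @property
    def value(self) -> int:
        """The 32-bit COUNT: HFN in the high bits, short SN in the low bits."""
        return (self.hfn << self.sn_bits) | self.sn

    def advance(self) -> int:
        """One more PDU (or CFN tick): bump the short SN and carry into the HFN."""
        if self.value == (1 << COUNT_BITS) - 1:
            # Assumption of this example: stop rather than wrap to a used value.
            raise OverflowError("COUNT exhausted under the current key")
        self.sn += 1
        if self.sn == 1 << self.sn_bits:
            self.sn, self.hfn = 0, self.hfn + 1
        return self.value

    def remaining(self) -> int:
        """How many more times advance() can be called before exhaustion."""
        return (1 << COUNT_BITS) - 1 - self.value


if __name__ == "__main__":
    for kind in SHORT_SN_BITS:
        c = Count.from_start(kind, 0x12345)   # constructed START value
        print(f"{kind:15s} HFN={c.hfn:#x} COUNT={c.value:#010x}")
```

Every counter starts at the same 32-bit value because START always lands in the top 20 bits; what differs per mode is how many PDUs pass before the HFN increments.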
After power-on, the UE first initiates the registration procedure with the network. Fig. 4 is the flow chart of the procedure after the UE is powered on.
Step 401: After UE 110 is powered on, it first sets up an RRC connection with SRNC 105.
The UE sends the "RRC Connection Request" message to the SRNC; the message contains the identity of the UE and the reason for setting up the RRC connection. The SRNC sends the "RRC Connection Setup" message to the UE; the message contains the temporary identities that the SRNC allocates to the UE, for example C-RNTI and U-RNTI, and the signalling bearer information. The UE then sends the "RRC Connection Setup Complete" message to the SRNC. In this message the UE reports its radio access capability information and START value to the SRNC. The radio access capability information includes the UE's PDCP capability, RLC capability, ciphering capability, and so on. The ciphering capability comprises the ciphering algorithms supported by the UE and the integrity algorithms supported by the UE. SRNC 105 receives the messages of step 401 and stores the UE's ciphering capability and START value.
Step 402: UE 110 sends the "Registration Request" message to SGSN 105.
The "Registration Request (ATTACH REQUEST)" message contains the IMSI, the registration type, the network capability of the mobile terminal, the radio access capability of the mobile terminal, the old RAI, and the DRX parameter. The IMSI is the permanent identity of the user. The registration type indicates whether the registration is a GPRS registration or a combined GPRS/IMSI registration: a GPRS registration registers the UE's information with the SGSN, and a combined GPRS/IMSI registration registers the UE's information with the SGSN and the MSC. The network capability of the mobile terminal describes characteristics of the terminal, such as whether the terminal can perform session management over a dedicated channel or GPRS, whether it supports the GPRS ciphering algorithm GEA/1, and whether it supports WCDMA Release 99 and later versions of the standard. The radio access capability of the mobile terminal indicates radio access properties of the terminal, such as multislot capability and power class. The old RAI is the routing area indication stored by the UE. The DRX parameter indicates whether the UE uses discontinuous reception and, if so, the length of the discontinuous reception cycle.
The "Registration Request" is a non-access stratum message and is passed transparently through the RNC. The RNC processes access stratum messages, which typically means RRC messages: the RNC receives an RRC message sent by the UE, and the RRC module of the RNC unpacks and processes it. Non-access stratum messages are sent in special RRC messages, "Initial Direct Transfer" or "Direct Transfer", with the non-access stratum message contained in the RRC message. When the RNC receives "Initial Direct Transfer" or "Direct Transfer", it adds the cell identity and sends a "Direct Transfer" message over Iu interface 106 to SGSN 105.
SGSN 105 receives the "Registration Request" message. If the SGSN holds no information about the UE and the "Registration Request" message contains no old P-TMSI, the SGSN initiates the authentication and key agreement (AKA) procedure for the user. Step 403 in Fig. 4 is the authentication and key agreement procedure for the UE; the AKA procedure is described in detail in Fig. 5. Through the AKA procedure, the UE can compute IK and CK. If the SGSN is to allocate a P-TMSI to the user, the SGSN also needs to send the ciphering information to the SRNC after the AKA procedure so that the SRNC initiates the local ciphering procedure.
Step 404: The network can decide the set of ciphering algorithms, UEAs, and the set of integrity protection algorithms, UIAs, that users in the network should use. This set can be preconfigured and is independent of the capability of any individual user; all users should use a ciphering algorithm and an integrity protection algorithm within this set.
Step 405: The SGSN sends the "Security Mode Command" message to the SRNC; the message contains IK, CK, UIAs, and UEAs.
Step 406: The SRNC receives the message of step 405. The SRNC has stored the UE's ciphering capability and so knows the ciphering algorithms and integrity algorithms that the UE can support; from the previous step, the SRNC knows the set of ciphering and integrity algorithms that the network has decided users may use. Based on the UE's capability and the permitted algorithm set, the SRNC selects the ciphering algorithm and integrity algorithm that the UE will use. For example, if the set of permitted ciphering algorithms UEAs decided by the network is {UEA1, UEA2, UEA3, UEA4} and the user's capability supports ciphering algorithms {UEA1, UEA2}, the SRNC can decide to use UEA1 as the user's ciphering algorithm. The SRNC also generates FRESH, an input parameter of the ciphering and integrity algorithms. From then on the SRNC can apply integrity protection to RRC messages.
Step 407: The SRNC sends "Security Mode Command" to the UE; the message contains FRESH, the UE ciphering capability, the ciphering algorithm UEA and integrity protection algorithm UIA that the SRNC has decided the UE will use, and MAC-I. MAC-I is the integrity information and is computed by the method shown in Fig. 2.
Step 408: The UE computes IK and CK from the received RAND and AUTN, and computes COUNT-I from the stored START value. The UE then computes a parameter, called XMAC-I, by the method shown in Fig. 2 and compares the XMAC-I it computed with the MAC-I sent by the SRNC. If they are identical, the UE considers this RRC message legitimate, stores the content of the message of step 407, and can from then on apply integrity protection to RRC messages.
Step 409: The UE sends "Security Mode Complete" to the SRNC, including the integrity information MAC-I of this RRC message.
Step 410: The SRNC verifies the integrity information MAC-I; if the XMAC-I it computes is identical to MAC-I, it considers this RRC message legitimate.
Step 411: The SRNC sends "Security Mode Complete" to the SGSN, including the ciphering algorithm UEA and integrity protection algorithm UIA that the SRNC decided the UE will use. After step 211, data can begin to be encrypted.
Step 412: The SGSN sends the "Location Update" message to the HLR; the message contains the SGSN number, the SGSN address, and the IMSI.
Step 413: The HLR stores the location update information and then sends the "Location Update Acknowledge" message to the SGSN.
Step 414: The SGSN sends the "Registration Accept" message to the UE. The message contains the temporary identity P-TMSI that the SGSN allocates to the user, including the P-TMSI signature. The P-TMSI signature is an identifier that the SGSN gives to the user's context information, and it is shorter than the P-TMSI. Subsequent non-access stratum messages can use the P-TMSI signature, which makes them shorter than messages that use the P-TMSI.
Step 415: Because the SGSN has allocated a new temporary identity P-TMSI to the user, the UE needs to send a response message to the SGSN.
Fig. 5 describes the signal flow by which the SGSN authenticates the UE. If the SGSN holds no authentication information for the UE, then in step 501 the SGSN sends the "Send Authentication Info" message to the HLR; the message contains the IMSI of the UE.
Step 502: After the HLR receives this message, the authentication module sends the "Send Authentication Info Acknowledge" message to the SGSN. The message contains an ordered array of authentication vectors; each vector is a set of authentication-related parameters comprising RAND, XRES, AUTN, CK, and IK. RAND is a random number; XRES is compared with the RES parameter sent by the UE to judge whether the user is a legitimate user; the authentication token AUTN is the parameter by which the USIM judges whether the network is legitimate; CK is an input parameter of the ciphering algorithm, and IK is an input parameter of the integrity protection algorithm.
Each vector is used in the authentication and key agreement procedure between the SGSN and the USIM.
Step 503: Encryption vectors are used in first-in, first-out order. The SGSN selects the next vector to use in order and sends the RAND and AUTN contained in the vector to the UE in the non-access stratum message "Authentication and Ciphering Request"; this message also contains the ciphering algorithm to use and the KSI. The KSI (Key Set Identifier) is an indication of a key set allocated by the SGSN, used to distinguish the key sets of different domains.
Step 504: On receiving the message of step 503, the USIM in the mobile terminal analyses AUTN with a predetermined algorithm and judges whether AUTN is legitimate. If AUTN is within the acceptable range, the USIM considers the network legitimate; the USIM computes, with predetermined algorithms, the ciphering key CK and the integrity protection key IK, and computes a parameter RES. The algorithms are described in detail in TS33.102. These parameters are stored together with the KSI. The terminal then sends the "Authentication and Ciphering Response" message to the SGSN; the message contains the RES parameter. The SGSN takes XRES from the vector it selected in step 503 and compares it with the RES sent by the UE; if they are identical, the UE is considered to have passed authentication. The SGSN takes the IK and CK in the vector selected in step 503 as the IK and CK currently used by the UE, and stores IK, CK, and KSI in the UE's context.
When the UE moves into a new routing area (Routing Area), the UE initiates the routing area update procedure. A routing area is a group of cells defined by the SGSN; the SGSN assigns a routing area identity RAI to this group of cells. From the broadcast channel the UE knows the RA of its current cell; if this is not the same RA as that of the old cell, the UE initiates the routing area update procedure. During this procedure the SGSN can perform the ciphering procedure. Fig. 6 describes how the UE changes routing area in the existing system architecture.
Step 601: A user in idle mode moves into a new routing area and sends the RA update request message to the new SGSN. The RA update request message contains the old routing area indication RAI, the old P-TMSI signature, and the network capability of the user terminal. This message is sent inside an RRC message.
Step 602: The new SGSN sends a message to the old SGSN requesting the context information of the UE stored by the old SGSN. The UE context information stored by an SGSN comprises the mobility management (MM) context and the Packet Data Protocol (PDP) context. The MM context includes the UE identity, the information used for ciphering, the radio capability of the terminal, the network capability of the terminal, and so on; the PDP context includes the PDP type, address information, APN information, tunnel information, QoS information, and so on.
Step 603: The old SGSN sends the UE context information to the new SGSN.
Step 604: The new SGSN may initiate the security procedure, which can include authentication of the UE and steps 204 to 211.
Step 605: The new SGSN sends the "Update PDP Context Request" message to the GGSN to update the UE's PDP context information stored on the GGSN; the message contains the address of the new SGSN, the allocated tunnel identifier, and QoS information.
Step 606: The GGSN sends the "Update PDP Context Response" message.
Step 607: The new SGSN sends the "Location Update" message to the HLR, the node that stores user location information. The message contains the IP address of the new SGSN and the UE identity IMSI.
Step 608: The HLR sends the "Delete Location Record" message to the old SGSN, and the old SGSN deletes the UE information it holds. The old SGSN sends the response message "Delete Location Record Acknowledge" to the HLR.
Step 609: The HLR sends the "Insert Subscriber Data" message to the new SGSN; the SGSN judges from the subscriber data whether the UE is entitled to receive a given service, and then sends a response message to the HLR.
Step 610: The HLR sends the response message "Location Update Acknowledge" to the new SGSN.
Step 611: The new SGSN sends the "Location Update Acknowledge" message to the UE; the message contains the new P-TMSI.
As described above, in the existing system the AKA procedure and the local ciphering procedure are separate. The benefit is that the network can perform only the local ciphering procedure when required; however, to reduce signalling delay, the AKA procedure and the local ciphering procedure can be combined. Combining them reduces signalling interaction: if the network needs to perform the AKA procedure and the local ciphering procedure before the plane is set up, the setup of the user plane can be reduced, and the security of the existing AKA procedure and local ciphering procedure is not lowered.
Summary of the invention
The object of the present invention is to provide an authentication and encryption method for use in LTE.
Another object of the present invention is to provide an authentication and encryption method for use in LTE, in particular during the procedure in which the UE changes routing area.
According to one aspect of the present invention, there is provided a method of authentication and encryption in LTE that merges the AKA procedure and the local ciphering procedure, comprising the steps of:
1) the ECN sends information related to authentication and security to the ERAN; and
2) the ERAN stores the corresponding information, generates a random number, then produces a first message according to the received information and sends it to the UE, so that the UE authenticates the network.
The message that the ECN sends to the ERAN contains the parameters used for authenticating the UE and for the integrity algorithm: IK, UIAs, AUTN, RAND, CK, and UEAs. The ERAN stores IK and CK, generates the random number FRESH, and sends a message to the UE containing AUTN, RAND, UIA, UEA, FRESH, and the integrity protection information (MAC-I). On receiving the message, the UE can use the information in it to authenticate the network. To do so the UE can use the method currently used in 3G, authenticating the network by means of AUTN, and then checks the integrity information. If both are correct, the UE sends a message to the ERAN containing a parameter RES, which the ECN can use to judge whether the user is a legitimate user. If the UE finds the network illegitimate, it does not send a response message to the network. If the UE finds the integrity information incorrect, it does not send a response message to the network. After the ERAN has checked the integrity of the message, it includes in a message the integrity protection algorithm and ciphering algorithm that the ERAN decided the UE will use, and sends the message to the ECN; the message contains RES, UIA, and UEA. After the ECN receives the message, it stores the information and authenticates the user by means of RES.
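The merged exchange described above (ECN to ERAN, ERAN to UE, UE back to ERAN, ERAN to ECN) can be traced end to end in code. The Python below is an added example and not part of the patent: HMAC-SHA256 stands in for the 3G f1-f4 and f9 functions, AUTN is simplified to a sequence number plus MAC, the message encoding is hypothetical, and the ERAN is assumed to pick the first network-permitted algorithm that the UE supports.

```python
import hashlib
import hmac
import os

def prf(key, label, *parts):
    """Keyed stand-in for f1-f4 and f9 (assumption: HMAC-SHA256, not the 3G algorithms)."""
    data = b"".join(len(p).to_bytes(2, "big") + p for p in (label, *parts))
    return hmac.new(key, data, hashlib.sha256).digest()

def encode(fields):
    """Deterministic byte encoding of a message body (hypothetical format)."""
    return repr(sorted(fields.items())).encode()

def mac_i(ik, count_i, fresh, direction, message):
    """32-bit MAC-I over COUNT-I, FRESH, DIRECTION and MESSAGE, keyed with IK."""
    return prf(ik, b"f9", count_i.to_bytes(4, "big"), fresh, bytes([direction]), message)[:4]

def make_vector(k, sqn):
    """HLR side: one vector (RAND, AUTN, XRES, CK, IK); AUTN simplified to SQN || MAC."""
    rand, sqn_b = os.urandom(16), sqn.to_bytes(6, "big")
    return {"RAND": rand, "AUTN": sqn_b + prf(k, b"f1", rand, sqn_b)[:8],
            "XRES": prf(k, b"f2", rand)[:8],
            "CK": prf(k, b"f3", rand)[:16], "IK": prf(k, b"f4", rand)[:16]}

class ERAN:
    def __init__(self, ue_uias, ue_ueas, start):
        # UE ciphering capability and START were stored at connection setup.
        self.ue_uias, self.ue_ueas, self.count_i = ue_uias, ue_ueas, start << 12

    def on_ecn_message(self, m):
        """Store IK/CK, choose UIA/UEA, generate FRESH, build the message for the UE."""
        self.ik, self.ck = m["IK"], m["CK"]
        # Assumption: first network-permitted algorithm that the UE supports.
        self.uia = next((a for a in m["UIAs"] if a in self.ue_uias), None)
        self.uea = next((a for a in m["UEAs"] if a in self.ue_ueas), None)
        if self.uia is None or self.uea is None:
            raise ValueError("UE supports none of the algorithms the network permits")
        self.fresh = os.urandom(4)
        body = {"AUTN": m["AUTN"], "RAND": m["RAND"], "UIA": self.uia,
                "UEA": self.uea, "FRESH": self.fresh}
        return {**body, "MAC-I": mac_i(self.ik, self.count_i, self.fresh, 1, encode(body))}

    def on_ue_response(self, r):
        """Check the uplink MAC-I, then report RES, UIA and UEA to the ECN."""
        if r is None:
            return None
        xmac = mac_i(self.ik, self.count_i, self.fresh, 0, encode({"RES": r["RES"]}))
        if not hmac.compare_digest(xmac, r["MAC-I"]):
            return None
        return {"RES": r["RES"], "UIA": self.uia, "UEA": self.uea}

class UE:
    def __init__(self, k, start, last_sqn=0):
        self.k, self.count_i, self.last_sqn = k, start << 12, last_sqn

    def on_eran_message(self, m):
        """Authenticate the network via AUTN, then check MAC-I; no response on failure."""
        rand, sqn_b, mac = m["RAND"], m["AUTN"][:6], m["AUTN"][6:]
        if not hmac.compare_digest(mac, prf(self.k, b"f1", rand, sqn_b)[:8]):
            return None                    # AUTN not produced with this subscriber's K
        if int.from_bytes(sqn_b, "big") <= self.last_sqn:
            return None                    # vector already used: AUTN outside accepted range
        ik = prf(self.k, b"f4", rand)[:16]
        body = {f: v for f, v in m.items() if f != "MAC-I"}
        xmac = mac_i(ik, self.count_i, m["FRESH"], 1, encode(body))
        if not hmac.compare_digest(xmac, m["MAC-I"]):
            return None                    # a field changed after the ERAN computed MAC-I
        self.last_sqn = int.from_bytes(sqn_b, "big")
        self.ik, self.ck, self.uea = ik, prf(self.k, b"f3", rand)[:16], m["UEA"]
        res = prf(self.k, b"f2", rand)[:8]
        return {"RES": res, "MAC-I": mac_i(ik, self.count_i, m["FRESH"], 0, encode({"RES": res}))}

def run_exchange(k_hlr, k_usim, tamper=None):
    """One pass ECN -> ERAN -> UE -> ERAN -> ECN; returns (outcome, UEA reported to ECN)."""
    vector = make_vector(k_hlr, sqn=1)
    eran = ERAN(ue_uias=["UIA1"], ue_ueas=["UEA1", "UEA2"], start=0x00012)
    ue = UE(k_usim, start=0x00012)
    to_eran = {f: vector[f] for f in ("IK", "CK", "AUTN", "RAND")}
    to_eran.update(UIAs=["UIA1"], UEAs=["UEA1", "UEA2", "UEA3", "UEA4"])
    to_ue = eran.on_ecn_message(to_eran)
    if tamper:
        to_ue = {**to_ue, **tamper}        # constructed change to the message in transit
    report = eran.on_ue_response(ue.on_eran_message(to_ue))
    if report is None:
        return ("no response from UE", None)
    ok = hmac.compare_digest(report["RES"], vector["XRES"])
    return ("user authenticated" if ok else "user rejected", report["UEA"])

if __name__ == "__main__":
    K = bytes(16)                                   # constructed subscriber key
    print(run_exchange(K, K))                       # both checks pass
    print(run_exchange(K, K, {"UEA": "UEA2"}))      # UEA field altered: MAC-I check fails
    print(run_exchange(bytes([1]) * 16, K))         # AUTN built with a different K
```

Because UIA and UEA travel inside the MAC-I-protected message, a change to the selected algorithm between the ERAN and the UE leaves the UE silent, exactly as a failed AUTN check does.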
According to another aspect of the present invention, there is provided a method of updating and encryption in LTE, in particular when the UE moves to a new routing area, that merges the AKA procedure, the local ciphering procedure, and the routing update procedure, comprising the steps of:
1) the UE sends a routing area update request message to the ECN;
2) the ECN sends a routing area update acknowledge message to the ERAN;
3) the ERAN stores the corresponding information, generates a random number, then produces a message according to the received message and sends it to the UE;
4) the UE produces a message according to the received message and sends it to the ERAN; and
5) the ERAN produces a message according to the received message and sends it to the ECN, so that the user is authenticated.
The "Routing Area Update Acknowledge" message sent by the ECN contains the integrity protection information IK and UIAs. If the ECN needs to initiate the authentication procedure, the message contains the authentication information AUTN and RAND. If the ERAN needs to cipher the RRC signalling, or if data ciphering is implemented on the ERAN, the message also contains the ciphering parameters CK and UEAs. The ERAN stores the IK and CK from the message, generates a random number FRESH, and sends the "Routing Area Update Acknowledge" message to the UE; the message contains the identity allocated by the ECN, UIA, UEA, FRESH, AUTN (optional), RAND (optional), and the integrity protection information (MAC-I). After the UE receives the message, if it contains AUTN, the UE authenticates the network; if the network is legitimate, the UE checks the integrity protection information, and if everything is correct, the UE sends the response message "Routing Area Update Complete" to the ERAN. After the ERAN has checked that the integrity of the message is correct, it includes in a message the integrity protection algorithm and ciphering algorithm that the ERAN decided the UE will use, and sends the message to the ECN; the message contains RES, UIA, and UEA. After the ECN receives the message, it authenticates the user by means of RES.
The method of the present invention reduces signalling-plane interaction: if the network needs to perform the AKA procedure and the local ciphering procedure before the plane is set up, the setup of the user plane can be reduced, and the security of the existing AKA procedure and local ciphering procedure is not lowered.
Description of drawings
Fig. 1: the existing 3GPP system architecture;
Fig. 2: the existing integrity algorithm;
Fig. 3: the existing ciphering algorithm;
Fig. 4: the existing authentication and ciphering procedure after UE power-on;
Fig. 5: the existing authentication and key agreement (AKA) procedure;
Fig. 6: the authentication and ciphering procedure in the existing system, in particular during the area update procedure;
Fig. 7: the architecture of LTE;
Fig. 8: the authentication and ciphering procedure after UE power-on in LTE;
Fig. 9: the actions of the ECN in embodiment 1;
Fig. 10: the actions of the ERAN in embodiment 1;
Fig. 11: the actions of the UE in embodiment 1;
Fig. 12: the authentication and ciphering procedure in LTE, in particular during the area update procedure;
Fig. 13: the actions of the ECN in embodiment 2;
Fig. 14: the actions of the ERAN in embodiment 2; and
Fig. 15: the actions of the UE in embodiment 2.
Embodiment
Fig. 7 shows the LTE system architecture of the invention.
The existing 3GPP system architecture consists of Node B, RNC, SGSN and GGSN. In LTE the architecture is simplified: it consists of the ERAN (Evolved RAN), the ECN (Evolved CN) and the UE. The ERAN can comprise a Node B and a RAN controller, and supports the protocols related to radio access, such as the radio resource control (RRC) protocol. The ERAN and the ECN are interconnected over IP. To external networks the ECN acts as a gateway: all user data exchanged between an external network and the LTE network passes through the ECN. Toward the ERAN, the ECN performs the functions of the former SGSN.
Fig. 8 is the flow chart of the first embodiment.
801: After the UE 110 powers on, it first sets up a radio connection with the ERAN. The UE sends a message to the ERAN reporting its radio access capability and START value; the radio access capability information includes the UE's cryptographic capability, which comprises the encryption algorithms and the integrity algorithms the UE supports. The START value is a value the UE stores on the USIM card and in the terminal; it is the high 20 bits of the hyper frame number (HFN). The ERAN stores the UE's cryptographic capability and START value, allocates radio resources to the UE, and sends the UE a message containing a temporary identity valid within the ERAN. The ERAN can also allocate a DRX parameter to the UE and include it in this message. A UE in idle mode stores the DRX parameter and uses it to calculate its paging occasion. The paging occasion is the moment at which the UE listens for paging information; the UE receives paging information only at that moment and does not receive signals at other times.
802: The UE 110 sends a "registration request" (ATTACH REQUEST) message to the ECN. The message contains the IMSI, the old RAI and the DRX parameter. The IMSI is the user's permanent identity; the old RAI is the routing area identity stored by the UE; the DRX parameter indicates whether the UE uses discontinuous reception and, if so, the length of the discontinuous reception cycle.
803: The ECN receives the "registration request" message. If the ECN holds no information about the UE and the message contains no old P-TMSI, the ECN sends a "send authentication information" message containing the UE's IMSI to the HLR. The HLR is the entity that stores the UE's encryption information.
804: On receiving this message, the HLR sends an "authentication information acknowledgement" message to the ECN. The message contains an ordered array of encryption vectors; each vector is a set of authentication and security parameters comprising RAND, XRES, AUTN, CK and IK. RAND is a random number. XRES is the parameter used to decide whether the user is legitimate: the ECN receives a message from the UE that contains a parameter called RES. If RES equals XRES, the SGSN considers the user legitimate and the AKA process succeeds; if RES differs from XRES, the SGSN considers the user illegitimate and the AKA process fails. AUTN is the network authentication token, which the USIM uses to decide whether the network is legitimate. CK is an input parameter of the encryption algorithm, and IK is an input parameter of the integrity protection algorithm.
805: The encryption vectors are used in first-in, first-out order: the first encryption process uses the first vector in the array, and when the ECN performs authentication and key agreement (AKA) with the UE a second time it uses the second vector. The ECN selects the next vector to use in order. The network can decide the set of encryption algorithms (UEAs) and the set of integrity protection algorithms (UIAs) that users in the network should use. These sets can be preconfigured and are independent of any individual user's capability; every user should use an encryption algorithm and an integrity protection algorithm from these sets.
806: If signalling integrity protection is implemented at the ERAN, the ECN sends an "authentication and security mode request" message to the ERAN. The message contains the set of integrity protection algorithms the user may use (UIAs), UEAs, AUTN, RAND, IK and CK. The sets UIAs and UEAs are those decided in step 805.
The message the ECN sends to the ERAN contains:
-AUTN
-RAND
-UIAs
-UEAs
-IK
-CK
807: In step 801 the ERAN obtained the UE's capability, so it knows which encryption and integrity algorithms the UE supports. In step 806 the ERAN learned which encryption and integrity algorithm sets the network has decided the user may use. The ERAN selects the encryption algorithm and integrity algorithm for the UE from the UE's capability and the allowed sets. For example, if the network allows the encryption algorithm set UEAs = {UEA1, UEA2, UEA3, UEA4} and the UE supports the encryption algorithms {UEA1, UEA2}, the ERAN can decide to use UEA1 as the user's encryption algorithm. The ERAN also generates a random number FRESH, which is used in the local encryption process. After step 807 the ERAN can enable integrity protection of RRC messages. The ERAN stores UIA and IK; if non-access-stratum signalling also needs encryption protection, or data encryption is implemented at the ERAN, the ERAN also stores the encryption information UEA and CK.
808: The ERAN sends an "authentication and security mode request" message to the UE. The message contains FRESH, the UE's cryptographic capability, the encryption algorithm UEA and integrity protection algorithm UIA that the ERAN selected for the UE, and MAC-I. MAC-I is the integrity information. In step 809, the UE calculates IK and CK from the received RAND and AUTN, then calculates COUNT-I from the stored START value. Using the method shown in Figure 2 with IK, FRESH, COUNT-I and the other input parameters, the UE calculates a value called XMAC-I and compares it with the MAC-I sent by the ERAN; if they are identical, the RRC message is considered intact. From then on the UE can enable integrity protection of RRC messages.
The message the ERAN sends to the UE contains:
-AUTN
-RAND
-UIA
-UEA
-FRESH
-MAC-I
810: The UE sends "authentication and security mode complete" to the ERAN. Because the UE has now obtained the security-related parameters, from this step on the RRC messages it sends can be integrity protected, and it can also encrypt data and signalling. The "authentication and security mode complete" message contains the parameter RES, which the UE calculates from AUTN and RAND, and the integrity information MAC-I, calculated from IK and FRESH.
811: The ERAN verifies the integrity information MAC-I. Using the same method shown in Figure 2 with IK, FRESH, COUNT-I and the other input parameters, the ERAN calculates a value called XMAC-I and compares it with the MAC-I sent by the UE; if they are identical, the RRC message is considered intact.
The message the UE sends to the ERAN contains:
-UE identity
-RES
-MAC-I
812: The ERAN sends "authentication and security mode complete" to the ECN. The message contains the encryption algorithm UEA and integrity protection algorithm UIA that the ERAN selected for the UE, and the RES sent by the UE. After step 812, data can be encrypted.
The message the ERAN sends to the ECN contains:
-UE identity
-UIA
-UEA
-RES
813: If the ECN has not registered this UE's location with the HLR, the ECN sends a "location update" message to the HLR. The message contains the ECN number, the ECN address and the UE's identity IMSI.
814: The HLR stores the location update information and then sends a "location update acknowledgement" message to the ECN.
815: The ECN sends a "registration accept" message to the UE. The message contains the temporary identity that the ECN allocated to the user.
816: Because the ECN has allocated a new temporary identity P-TMSI to the user, the UE needs to send a response message to the ECN.
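The merged exchange of steps 804 to 812 can be traced end to end in a short simulation. The Python below is an added example, not code from the patent: HMAC-SHA-256 stands in for the AKA functions and for the Figure 2 MAC-I algorithm, and the COUNT-I layout (START in the high 20 bits), the field encoding, the class and function names and the sample key are assumptions.

```python
import hashlib
import hmac
import os
from collections import deque

def prf(key, label, *parts, n=16):
    """Stand-in keyed function (HMAC-SHA-256); NOT the real AKA or f9 algorithms."""
    data = label + b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, data, hashlib.sha256).digest()[:n]

def make_vector(k):
    """HLR (step 804): one vector RAND, XRES, AUTN, CK, IK for subscriber key k."""
    rand = os.urandom(16)
    return {"RAND": rand, "XRES": prf(k, b"res", rand, n=8),
            "AUTN": prf(k, b"autn", rand), "CK": prf(k, b"ck", rand),
            "IK": prf(k, b"ik", rand)}

def mac_i(ik, fresh, count_i, payload):
    """Integrity tag from IK, FRESH, COUNT-I and the message (assumed encoding)."""
    return prf(ik, b"mac-i", fresh, count_i.to_bytes(4, "big"), payload, n=4)

def encode(fields):
    """Deterministic byte encoding of the protected fields (assumed format)."""
    return repr(sorted(fields.items())).encode()

def select(allowed, supported):
    """Step 807: first network-allowed algorithm that the UE also supports."""
    for alg in allowed:
        if alg in supported:
            return alg
    raise ValueError("no common algorithm")

class ECN:
    def __init__(self, vectors, uias, ueas):
        self.vectors, self.uias, self.ueas = deque(vectors), uias, ueas

    def request(self):
        """Steps 805-806: take the next vector (FIFO) and hand keys to the ERAN."""
        self.current = v = self.vectors.popleft()
        return {"AUTN": v["AUTN"], "RAND": v["RAND"], "IK": v["IK"],
                "CK": v["CK"], "UIAs": self.uias, "UEAs": self.ueas}

    def complete(self, msg):
        """After step 812: the user is legitimate if RES equals XRES."""
        return hmac.compare_digest(msg["RES"], self.current["XRES"])

class ERAN:
    def __init__(self, ue_caps, start):          # learned in step 801
        self.caps, self.count_i = ue_caps, start << 12

    def request(self, req):
        """Steps 807-808: store IK/CK, pick UIA/UEA, draw FRESH, add MAC-I."""
        self.ik, self.ck, self.fresh = req["IK"], req["CK"], os.urandom(4)
        self.uia = select(req["UIAs"], self.caps["UIA"])
        self.uea = select(req["UEAs"], self.caps["UEA"])
        body = {"AUTN": req["AUTN"], "RAND": req["RAND"], "UIA": self.uia,
                "UEA": self.uea, "FRESH": self.fresh}
        return {**body, "MAC-I": mac_i(self.ik, self.fresh, self.count_i, encode(body))}

    def complete(self, msg):
        """Steps 811-812: verify the UE's MAC-I, then forward RES with UIA/UEA."""
        xmac = mac_i(self.ik, self.fresh, self.count_i + 1, msg["RES"])
        if not hmac.compare_digest(xmac, msg["MAC-I"]):
            return None
        return {"UIA": self.uia, "UEA": self.uea, "RES": msg["RES"]}

class UE:
    def __init__(self, k, start):
        self.k, self.count_i = k, start << 12

    def request(self, msg):
        """Steps 809-810: authenticate the network, check XMAC-I, answer with RES."""
        rand, fresh = msg["RAND"], msg["FRESH"]
        if not hmac.compare_digest(prf(self.k, b"autn", rand), msg["AUTN"]):
            return None                           # network not legitimate
        ik = prf(self.k, b"ik", rand)
        body = {f: v for f, v in msg.items() if f != "MAC-I"}
        if not hmac.compare_digest(mac_i(ik, fresh, self.count_i, encode(body)), msg["MAC-I"]):
            return None                           # message altered or wrong key
        res = prf(self.k, b"res", rand, n=8)
        return {"RES": res, "MAC-I": mac_i(ik, fresh, self.count_i + 1, res)}

def run_attach(tamper=False):
    """Run steps 804-812 once; returns the ECN's view, or None on a failed check."""
    k, start = bytes(range(16)), 0x00005          # constructed sample values
    caps = {"UEA": {"UEA1", "UEA2"}, "UIA": {"UIA1"}}
    ecn = ECN([make_vector(k) for _ in range(2)],
              uias=["UIA1", "UIA2"], ueas=["UEA1", "UEA2", "UEA3", "UEA4"])
    eran, ue = ERAN(caps, start), UE(k, start)
    to_ue = eran.request(ecn.request())
    if tamper:
        to_ue["UEA"] = "UEA2"                     # field changed after MAC-I was computed
    from_ue = ue.request(to_ue)
    to_ecn = eran.complete(from_ue) if from_ue else None
    if to_ecn is None:
        return None
    return {"UIA": to_ecn["UIA"], "UEA": to_ecn["UEA"],
            "authenticated": ecn.complete(to_ecn), "vectors_left": len(ecn.vectors)}

if __name__ == "__main__":
    print(run_attach())
    print(run_attach(tamper=True))
```

With the constructed inputs the ERAN picks UEA1 and UIA1, matching the selection example in step 807, and a request whose UEA field is changed after the MAC-I was computed is rejected by the UE's XMAC-I comparison.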
Fig. 9 is the operation flow of the ECN in embodiment 1.
901: The ECN receives a message. If it is a "registration request" sent by the UE, step 903 is carried out: if the ECN already holds the UE's encryption information, it proceeds to step 905. Generally, when the ECN receives the "registration request" message from the UE it holds no information about the UE, and it carries out step 904 to obtain the array of encryption vectors from the HLR. Then, in step 905, the ECN sends an "authentication and security mode command" message to the ERAN. The message contains AUTN, RAND, IK, CK, UEAs and UIAs. The ECN then continues receiving messages, expecting an "authentication and security mode complete" message. If that message has not arrived within a period of time, for example when a timer that was set expires, the ECN retransmits "authentication and security mode command" or carries out an error handling procedure.
The ECN receives the "authentication and security mode complete" message, which contains the parameter RES, and compares RES with the XRES in the encryption vector. In step 910, if XRES and RES are equal, the ECN considers the UE a legitimate user. In step 912, the ECN sends a "registration accept" message to the UE and then waits for the UE's response. In step 914 the ECN receives the UE's response, a "registration request complete" message, and the registration process ends.
Figure 10 is the operation flow of the ERAN in embodiment 1.
1001: The ERAN receives a message. If it is an "RRC connection request" message from the UE, the ERAN stores the information in the message, such as the START value and the UE capability. The ERAN allocates radio resources to the UE, such as an identity valid within the ERAN and channel resources, and then sends an "RRC connection setup" message to the UE containing the allocated resources. The ERAN continues receiving messages. In step 1004 it receives the "authentication and security command" message from the ECN and stores the encryption information in it, such as IK, CK, UEAs and UIAs. According to the UE capability, the ERAN selects the UEA and UIA the UE will use, generates a random number FRESH, and sends an "authentication and security command" message to the UE containing AUTN, RAND, FRESH, UIA and UEA. This message also contains the integrity check information MAC-I.
1007: The ERAN receives the "authentication and security complete" message from the UE and verifies the integrity check information in it; if it is correct, the ERAN forwards the message to the ECN. The process ends.
Figure 11 is the operation flow of the UE in embodiment 1.
1101: The UE receives a message. If it is the "RRC connection setup" message from the ERAN, the UE sets up the channel in step 1103, sends a "registration request" message to the ECN, and continues receiving messages. 1104: The UE receives the "authentication and security command" message from the ERAN. In step 1105, the UE authenticates the network and stores the encryption information; integrity protection and encryption protection can be started as required, and the UE sends "authentication and security complete" to the ECN. It then continues receiving messages. 1106: The UE receives the "registration accept" message from the ECN. 1107: The UE sends a "registration accept complete" message to the ECN, and the registration process ends.
In embodiment 2, Figure 12 shows the procedure in LTE by which a UE, in particular a UE in idle mode, moves to a new routing area and initiates a routing area update.
1201: The UE moves to a new cell and listens to the broadcast information, which carries the routing area identity. If the routing area identity stored by the UE differs from the one broadcast in the new cell, the UE has entered a new routing area and initiates the routing area update procedure. The UE first sets up a connection with the ERAN. While setting up this connection, the UE reports its radio access capability and START value to the ERAN; the radio access capability information includes the UE's cryptographic capability, which comprises the encryption algorithms and the integrity algorithms the UE supports. The START value is a value the UE stores on the SIM card; it is the high 20 bits of the hyper frame number (HFN). The ERAN stores the UE's cryptographic capability and START value. The ERAN allocates the UE a temporary identity valid within the ERAN and can also allocate a DRX parameter; a UE in idle mode can use the DRX parameter to calculate the moment at which it listens for paging information, and receives paging information at that moment.
1202: The UE 110 sends a "routing area update request" message to the ECN. The message contains the IMSI, the old routing area identity, the DRX parameter and the UE's identity in the old routing area. The IMSI is the user's permanent identity; the old RAI is the routing area identity stored by the UE; the DRX parameter indicates whether the UE uses discontinuous reception and, if so, the length of the discontinuous reception cycle. The UE's identity in the old routing area is the identity that the ECN of the original routing area allocated to the UE, and may be an IP address. The original ECN can be found from this identity or from the old routing area identity.
1203: The ECN receives the "routing area update request" message. If the ECN holds no information about the UE, it locates the old ECN, and the new ECN sends an "authentication information request" message containing the UE's IMSI to the old ECN. This message can be merged with other messages.
1204: On receiving this message, the old ECN sends an "authentication information response" message to the SGSN; this message can be merged with other messages. The message transfers the array of encryption vectors from the old ECN to the new ECN.
1205: The encryption vectors are used in first-in, first-out order: the first encryption process uses the first vector in the array, and when the ECN performs authentication and key agreement (AKA) with the UE a second time it uses the second vector. The ECN selects the next vector to use in order. The network can decide the set of encryption algorithms (UEAs) and the set of integrity protection algorithms (UIAs) that users in the network should use. These sets can be preconfigured and are independent of any individual user's capability; every user should use an encryption algorithm and an integrity protection algorithm from these sets.
1206: The ECN sends a "routing area update acknowledgement" message to the ERAN. The message contains the set of encryption algorithms and the set of integrity protection algorithms the UE may use, AUTN, RAND, IK, CK and other information.
The "routing area update acknowledgement" the ECN sends to the ERAN contains:
-Identity the ECN allocated to the UE
-AUTN (optional)
-RAND (optional)
-UIAs
-UEAs
-IK
-CK
1207: The ERAN selects the encryption algorithm and integrity algorithm for the UE according to the encryption and integrity algorithms the UE supports and those the network has decided the UE may use. For example, if the network allows the encryption algorithm set UEAs = {UEA1, UEA2, UEA3, UEA4} and the UE supports the encryption algorithms {UEA1, UEA2}, the ERAN can decide to use UEA1 as the user's encryption algorithm. The ERAN also generates a random number FRESH, after which it can enable integrity protection of RRC messages.
1208: The ERAN sends a "routing area update acknowledgement" message to the UE. The message contains FRESH, the UE's cryptographic capability, the encryption algorithm UEA and integrity protection algorithm UIA that the SRNC selected for the UE, and MAC-I. MAC-I is the integrity information.
The "routing area update acknowledgement" the ERAN sends to the UE contains:
-Identity the ECN allocated to the UE
-AUTN (optional)
-RAND (optional)
-UIA
-UEA
-FRESH
-MAC-I
In step 1209, the UE calculates IK and CK from the received RAND and AUTN, then calculates COUNT-I from the stored START value. Using the method shown in Figure 2 with IK, FRESH, COUNT-I and the other input parameters, the UE calculates a value called XMAC-I and compares it with the MAC-I sent by the ERAN; if they are identical, the RRC message is considered intact. From then on the UE can enable integrity protection of RRC messages and can enable encryption protection.
1210: The UE sends "routing area update complete" to the ERAN. If the message of step 1208 contained AUTN and RAND, the "routing area update complete" message contains the RES that the UE calculated from AUTN and RAND. The message also contains the integrity information MAC-I, which the UE calculates from IK, FRESH and other parameters.
1211: Using the method shown in Figure 2 with IK, FRESH, COUNT-I and the other input parameters, the ERAN calculates a value called XMAC-I and compares it with the MAC-I; if they are identical, the RRC message is considered intact.
1212: The ERAN sends "routing area update complete" to the ECN. The message contains the encryption algorithm UEA and integrity protection algorithm UIA that the ERAN selected for the UE, and may also contain the RES sent by the UE. After step 1212, data can be encrypted. The "routing area update complete" the ERAN sends to the ECN contains:
-Identity the ECN allocated to the UE
-UIA
-UEA
-RES (optional)
After step 1212, the new ECN can initiate a location update procedure to register the association between the new ECN and the UE with the network's HLR.
Figure 13 is the operation flow of the ECN in embodiment 2.
1301: The ECN receives a message; in 1302 it determines the message type. If the message is a "routing area update request" sent by the UE, step 1303 is carried out: if the ECN already holds the UE's encryption information, it proceeds to step 1305; if the ECN holds no information about the UE, it carries out step 1304 to obtain the array of encryption vectors from the old ECN. In step 1305 the ECN then sends a "routing area update acknowledgement" message to the ERAN. The message contains all or some of the following: UE identity, AUTN, RAND, IK, CK, UEAs, UIAs. If the ECN does not need to run the AKA process, AUTN and RAND need not be included in the message. If the encryption algorithm has not changed, or encryption does not need to be performed at the ERAN, and the UE has stored the encryption information, the message need not contain CK and UEAs. After sending the message, the ECN continues receiving messages, expecting a "routing area update complete" message. If that message has not arrived within a period of time, for example when a timer set in 1306 expires, the ECN retransmits "routing area update acknowledgement" or carries out the error handling procedure 1307. In step 1308 the ECN receives the "routing area update complete" message. If the "routing area update acknowledgement" message contained authentication information, the "routing area update complete" message sent by the UE contains a parameter called RES. The ECN compares RES with the XRES in the encryption vector; if RES and XRES are equal, the ECN considers the UE a legitimate user. Once the ECN has received the UE's "routing area update complete" response message, the routing update process ends.
Figure 14 is the operation flow of the ERAN in embodiment 2.
1401: The ERAN receives a message. If it is an "RRC connection request" message from the UE, the ERAN stores the information in the message, such as the START value and the UE capability. The ERAN allocates radio resources to the UE, such as an identity valid within the ERAN and channel resources, and then sends an "RRC connection setup" message to the UE containing the allocated resources. The ERAN continues receiving messages. In step 1404 it receives the "routing area update acknowledgement" message from the ECN and stores the encryption information in it, such as IK, CK, UEAs and UIAs. According to the UE capability, the ERAN selects the UEA and UIA the UE will use, generates a random number FRESH, and sends an "authentication and security command" message to the UE containing AUTN (optional), RAND (optional), FRESH, UIA (optional) and UEA (optional). This message also contains the integrity check information MAC-I.
1407: The ERAN receives the "routing area update complete" message from the UE and verifies the integrity check information in it. If it is correct, the ERAN adds the UIA and UEA it selected for the UE to the message and sends the message to the ECN. The process ends.
Figure 15 is the operation flow of the UE in embodiment 2.
1501: The UE receives a message. If it is the "RRC connection setup" message from the ERAN, the UE sets up the channel in step 1503, sends a "routing area update request" message to the ECN, and continues receiving messages. At 1104 the UE receives the "routing area update acknowledgement" message from the ERAN; if the message contains AUTN and RAND, the UE authenticates the network in step 1505. The UE stores the encryption information, such as FRESH. If the message contains UIA, the UE adopts the new integrity protection algorithm; if it contains UEA, the UE adopts the new encryption algorithm; otherwise the UE keeps using the old algorithms. Integrity protection and encryption protection can be started as required, and the UE sends "routing area update complete" to the ECN. The process ends.

Claims (19)

  1. A method for performing authentication and encryption in LTE by merging the AKA process and the local encryption process, comprising the steps of:
    1) the ECN sends information (806) related to authentication and security to the ERAN; and
    2) the ERAN stores the corresponding information, generates a random number, and generates a first message (808) from the received information and sends it to the UE, so that the UE authenticates the network.
  2. The method according to claim 1, characterized in that the information related to authentication and security comprises parameters used for authenticating the UE and an integrity algorithm.
  3. The method according to claim 2, characterized in that the parameters comprise IK, CK, UIAs, UEAs, AUTN and RAND.
  4. The method according to claim 1, characterized in that the corresponding information comprises IK and CK.
  5. The method according to claim 1, characterized in that the first message comprises FRESH.
  6. The method according to claim 5, characterized in that the first message further comprises integrity protection information.
  7. The method according to claim 1, characterized by further comprising the steps of:
    3) the UE authenticates the network according to the received message, and generates and sends a second message (810) to the ERAN; and
    4) the ERAN generates a third message (812) from the received second message and sends it to the ECN, so as to authenticate the user.
  8. The method according to claim 7, characterized in that the second message comprises RES.
  9. The method according to claim 7, characterized in that the third message comprises UIA and UEA.
  10. A method for updating and encrypting in LTE when a UE moves to a new routing area, by merging the AKA process, the local encryption process and the routing update process, comprising the steps of:
    1) the UE sends a routing area update request message (1202) to the ECN;
    2) the ECN sends a routing area update acknowledgement message (1206) to the ERAN;
    3) the ERAN stores the corresponding information, generates a random number, and generates a message (1208) from the received message and sends it to the UE;
    4) the UE generates a message (1210) from the received message (1208) and sends it to the ERAN; and
    5) the ERAN generates a message (1212) from the received message (1210) and sends it to the ECN, so as to authenticate the user.
  11. The method according to claim 10, characterized in that step 4) further comprises the step of: the UE authenticates the network.
  12. The method according to claim 10, characterized in that the routing area update acknowledgement message (1206) comprises integrity protection information.
  13. The method according to claim 12, characterized in that the routing area update acknowledgement message (1206) further comprises encryption parameters.
  14. The method according to claim 10, characterized in that the message (1208) comprises FRESH.
  15. The method according to claim 10, characterized in that the message (1210) comprises RES.
  16. The method according to claim 13, characterized in that the routing area update acknowledgement message (1206) further comprises authentication information.
  17. The method according to claim 14, characterized in that the message (1208) further comprises AUTN and RAND.
  18. The method according to claim 14, characterized in that the message (1208) further comprises MAC-I.
  19. The method according to claim 10, characterized in that the message (1212) comprises UIA and UEA.
CN 200510086496 2005-09-22 2005-09-22 LTE authentication and encryption method Pending CN1937487A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 200510086496 CN1937487A (en) 2005-09-22 2005-09-22 LTE authentication and encryption method

Publications (1)

Publication Number Publication Date
CN1937487A true CN1937487A (en) 2007-03-28

Family

ID=37954781

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 200510086496 Pending CN1937487A (en) 2005-09-22 2005-09-22 LTE authentication and encryption method

Country Status (1)

Country Link
CN (1) CN1937487A (en)

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2010012201A1 (en) * 2008-07-29 2010-02-04 深圳华为通信技术有限公司 An authorization method, a communication apparatus and a communication system
CN102790965A (en) * 2011-05-18 2012-11-21 华为技术有限公司 Switching method, base station, user device and mobile management entity
CN101355809B (en) * 2008-09-12 2013-03-20 中兴通讯股份有限公司 Method and system for negotiating and initiating safety context
WO2014113918A1 (en) * 2013-01-22 2014-07-31 华为技术有限公司 Method and network device for security authentication of mobile communication system
US8908863B2 (en) 2009-09-08 2014-12-09 Huawei Technologies Co., Ltd. Method, network element, and mobile station for negotiating encryption algorithms
US9497625B2 (en) 2007-08-31 2016-11-15 Huawei Technologies Co., Ltd. Method for negotiating security capability when terminal moves
CN102970678B (en) * 2009-09-08 2016-12-07 华为技术有限公司 Cryptographic algorithm negotiating method, network element and mobile station
US9572027B2 (en) 2007-09-29 2017-02-14 Huawei Technologies Co., Ltd. Method, system and apparatus for negotiating security capabilities during movement of UE
WO2017128727A1 (en) * 2016-01-27 2017-08-03 中兴通讯股份有限公司 Interaction method for edge computing node and device
CN107948972A (en) * 2017-12-27 2018-04-20 广东欧珀移动通信有限公司 The restoration methods and Related product of data service
CN108243144A (en) * 2016-12-23 2018-07-03 大唐移动通信设备有限公司 AS safety mode process optimization method in a kind of LTE system

Cited By (20)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10015669B2 (en) 2007-08-31 2018-07-03 Huawei Technologies Co., Ltd. Communication method and device
US9497625B2 (en) 2007-08-31 2016-11-15 Huawei Technologies Co., Ltd. Method for negotiating security capability when terminal moves
US10595198B2 (en) 2007-08-31 2020-03-17 Huawei Technologies Co., Ltd. Communication method and device
US9538373B2 (en) 2007-08-31 2017-01-03 Huawei Technologies Co., Ltd. Method and device for negotiating security capability when terminal moves
US10548012B2 (en) 2007-09-29 2020-01-28 Huawei Technologies Co., Ltd. Method, system and apparatus for negotiating security capabilities during movement of UE
US9572027B2 (en) 2007-09-29 2017-02-14 Huawei Technologies Co., Ltd. Method, system and apparatus for negotiating security capabilities during movement of UE
WO2010012201A1 (en) * 2008-07-29 2010-02-04 深圳华为通信技术有限公司 An authorization method, a communication apparatus and a communication system
CN101355809B (en) * 2008-09-12 2013-03-20 中兴通讯股份有限公司 Method and system for negotiating and initiating safety context
US8908863B2 (en) 2009-09-08 2014-12-09 Huawei Technologies Co., Ltd. Method, network element, and mobile station for negotiating encryption algorithms
US9729523B2 (en) 2009-09-08 2017-08-08 Huawei Technologies Co., Ltd. Method, network element, and mobile station for negotiating encryption algorithms
CN102970678B (en) * 2009-09-08 2016-12-07 华为技术有限公司 Cryptographic algorithm negotiating method, network element and mobile station
CN102790965B (en) * 2011-05-18 2016-09-14 华为技术有限公司 Changing method, base station, subscriber equipment and mobile management entity
US9398510B2 (en) 2011-05-18 2016-07-19 Huawei Technologies Co., Ltd. Handover method, base station, user equipment, and mobility management entity
CN102790965A (en) * 2011-05-18 2012-11-21 华为技术有限公司 Switching method, base station, user device and mobile management entity
WO2012155862A1 (en) * 2011-05-18 2012-11-22 华为技术有限公司 Handover method, base station, user equipment and mobility management entity
WO2014113918A1 (en) * 2013-01-22 2014-07-31 华为技术有限公司 Method and network device for security authentication of mobile communication system
WO2017128727A1 (en) * 2016-01-27 2017-08-03 中兴通讯股份有限公司 Interaction method for edge computing node and device
CN108243144B (en) * 2016-12-23 2020-07-28 大唐移动通信设备有限公司 Method for optimizing AS security mode process in L TE system
CN108243144A (en) * 2016-12-23 2018-07-03 大唐移动通信设备有限公司 AS safety mode process optimization method in a kind of LTE system
CN107948972A (en) * 2017-12-27 2018-04-20 广东欧珀移动通信有限公司 The restoration methods and Related product of data service

Similar Documents

Publication Publication Date Title
CN1937487A (en) LTE authentication and encryption method
KR100956823B1 (en) Method of processing a security mode message in a mobile communication system
US11856402B2 (en) Identity-based message integrity protection and verification for wireless communication
US8583929B2 (en) Encryption method for secure packet transmission
US11799650B2 (en) Operator-assisted key establishment
CN1947453B (en) The user authentication of the improvement of unauthorized mobile access signaling
KR101395204B1 (en) Methods and apparatuses for enabling non-access stratum(nas) security in lte mobile units
US8295488B2 (en) Exchange of key material
CN104285422A (en) Secure communications for computing devices utilizing proximity services
US8565433B2 (en) Method and system for managing air interface key
CN101180828A (en) Device and method for encrypting and transmitting data in combined network
JP2003524353A (en) Integrity check in communication systems
WO2013185735A2 (en) Encryption realization method and system
EP1121822B1 (en) Authentication in a mobile communications system
CN101877852B (en) User access control method and system
US7200750B1 (en) Method for distributing encryption keys for an overlay data network
CN101162955B (en) Method of obtaining login key of handset television service system
US20100304713A1 (en) Technique for restricting access to a wireless communication service
WO2001043476A1 (en) Communication method
WO2007075068A1 (en) Method for authentication between ue and network in wireless communication system
CN101137203A (en) Method to establish user plane
KR101094057B1 (en) Method and apparatus for processing an initial signalling message in a mobile communication system
EP1359778A1 (en) System, method and station for use in secure communication
Bluszcz UMTS Security UMTS Security

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication