KR20100053407A - Method of sharing security information - Google Patents

Abstract

PURPOSE: A privacy information sharing method is provided to exchange basic capability messages safely by exchanging security related information before proceeding of an authentication process between a base station and a mobile station. CONSTITUTION: An MS(Mobile Station) transmits an SSC- REQ (SS(Subscribe Station) Security Capability request) message to a BS(Base Station)(S330). The base station transmits an SSC- RSP (SS(Subscribe Station) Security Capability response) including security related information to the mobile station(S340). The mobile station and the base station configures a key for SBC negotiation(S350). The mobile station transmits a security set SBC-REQ(SS Basic Capability request) message to the base station(S360). The base station transmits the security set SBC- RSP (SS Basic Capability response) message to the mobile station(S370).

Description

Method of sharing security information

The present invention relates to a method of securely sharing security-related information in a wireless access system.

Hereinafter, the security sublayer used in the broadband wireless access system will be briefly described.

Security services are those that provide the confidentiality and integrity of network data. Integrity refers to whether the original message content is delivered to the other party in the same content. In other words, integrity is to ensure that the message has not been arbitrarily altered by a third party or the like. Confidentiality is the disclosure of information only to authorized persons. In other words, confidentiality is to completely protect the content of the transmitted data to prevent unauthorized access to the content.

The security sublayer provides security, authentication, and confidentiality in broadband wireless networks. The security sublayer may apply an encryption function to a media access control (MAC) protocol data unit (PDU) delivered between the terminal and the base station. Thus, the base station and the mobile station can provide a robust defense against an illegal user's service theft attack. The base station encrypts the service flow throughout the network to prevent unauthorized access to the data transmission service. The security sublayer controls the base station to distribute information associated with the key to the mobile station using a key management protocol of an authenticated client / server architecture. At this time, the digital certificate-based terminal device authentication may be added to the key management protocol to further strengthen the function of the basic security mechanism.

During the SBC-REQ / RSP, authentication and key exchange procedures are omitted if the mobile station does not provide security. And even when a specific mobile station is registered as a mobile station that does not support the authentication function, the base station can consider that the authority of the mobile station has been verified. If a particular mobile station does not support a security function, the mobile station does not provide a security service and thus does not perform a key exchange or data encryption function.

The security sublayer consists of an encapsulation protocol and a key management protocol (PKM). The encapsulation protocol is a protocol for the security of packet data in a broadband wireless network. The encapsulation protocol provides a method for applying such an algorithm to a set representing a cryptographic suite such as data encryption and data authentication algorithms and a MAC PDU payload. The key management protocol is a protocol that provides a method for securely distributing key related data from a base station to a terminal. The base station and the terminal may provide a method for securely distributing key related data using a key management protocol. By using the key management protocol, key-related data can be shared between the terminal and the base station, and the base station can control the network access.

The present invention has been made to solve the problems of the general technology as described above, an object of the present invention is to provide a method for securely sharing security-related information.

Another object of the present invention is to provide a method for securely exchanging messages (eg, SBC-REQ / SBC-RSP) used in terminal capability negotiation.

It is still another object of the present invention to provide a method for a base station and a mobile station to transmit and receive security related information before an authorization procedure is performed.

It is another object of the present invention to reduce the overhead of information contained in the SBC exchange procedure and message by sharing security-related information before the base station and mobile station.

In order to solve the above technical problem, the present invention discloses various methods for securely sharing security information in a wireless access system.

In one aspect of the present invention, a method for sharing security-related information in a wireless access system includes transmitting a first message including a first security negotiation parameter supported by a mobile station to a base station and a second security negotiation parameter supported by the base station. Receiving a second message comprising the step of transmitting a basic performance request (SBC-REQ) encrypted using the second security negotiation parameters and the basic performance response (SBC) encrypted using the second security negotiation parameters -RSP) message may be received.

In this case, the first message may further include a connection identifier and an extended authentication protocol (EAP) authentication type field. In addition, the second security negotiation parameter may include a message confidentiality mode parameter supported by the base station, and the message confidentiality mode parameter may indicate whether a specific message is selectively protected.

In an aspect of the present invention, the first message may be a ranging request (RNG-REQ) message, and the second message may be a ranging response (RNG-RSP) message. Alternatively, the first message may be a security performance request (SSC-REQ) message, and the second message may be a security performance response (SSC-RSP) message.

In another aspect of the present invention, a method for sharing security-related information in a wireless access system includes receiving a first message from the mobile station, the first message including a first security negotiation parameter supported by the mobile station, and a second security negotiation supported by the base station. Transmitting a second message comprising parameters to the mobile station; receiving an SBC-REQ message encrypted using the second security negotiation parameter; and basic performance encrypted using the second security negotiation parameter. Sending a response (SBC-RSP) message.

In this case, the first message may further include a connection identifier and an extended authentication protocol (EAP) authentication type field. In addition, the second security negotiation parameter may include a message confidentiality mode parameter supported by the base station, and the message confidentiality mode parameter may indicate whether a specific message is selectively protected.

In another aspect of the present invention, the first message may be a ranging request (RNG-REQ) message, and the second message may be a ranging response (RNG-RSP) message. Alternatively, the first message may be a security performance request (SSC-REQ) message, and the second message may be a security performance response (SSC-RSP) message.

According to the embodiments of the present invention, the following effects are obtained.

First, by using embodiments of the present invention, mobile stations and base stations can securely share security-related information.

Second, through the embodiments of the present invention, it is possible to securely exchange terminal performance message (SBC-REQ / SBC-RSP).

Third, the base station and the mobile station can securely exchange basic performance messages by exchanging security related information before the authorization procedure is performed.

Fourth, the base station and the mobile station can share the security-related information prior to the authorization procedure, thereby reducing the overhead of the information contained in the SBC exchange procedure and message.

The present invention relates to a wireless access system. Hereinafter, as various embodiments of the present invention, various methods for securely sharing security information in a wireless access system are disclosed.

The following embodiments are a combination of elements and features of the present invention in a predetermined form. Each component or feature may be considered to be optional unless otherwise stated. Each component or feature may be implemented in a form that is not combined with other components or features. In addition, some of the elements and / or features may be combined to form an embodiment of the present invention. The order of the operations described in the embodiments of the present invention may be changed. Some configurations or features of certain embodiments may be included in other embodiments, or may be replaced with corresponding configurations or features of other embodiments.

In the description of the drawings, procedures or steps which may obscure the gist of the present invention are not described, and procedures or steps that can be understood by those skilled in the art are not described.

In the present specification, embodiments of the present invention have been described based on data transmission / reception relations between a base station and a mobile station. Here, the base station is meant as a terminal node of a network that directly communicates with a mobile station. The specific operation described as performed by the base station in this document may be performed by an upper node of the base station in some cases.

That is, various operations performed for communication with a terminal in a network consisting of a plurality of network nodes including a base station may be performed by the base station or other network nodes other than the base station. In this case, the 'base station' may be replaced by terms such as a fixed station, a Node B, an eNode B (eNB), and an access point. In addition, the term 'mobile station' may be replaced with terms such as a user equipment (UE), a subscriber station (SS), a mobile subscriber station (MSS), a mobile terminal, or a terminal. .

In addition, the transmitting end refers to a node transmitting data or voice service, and the receiving end refers to a node receiving data or voice service. Therefore, in uplink, a terminal may be a transmitting end and a base station may be a receiving end. Similarly, in downlink, a terminal may be a receiving end and a base station may be a transmitting end.

On the other hand, the mobile terminal of the present invention PDA (Personal Digital Assistant), cellular phone, PCS (Personal Communication Service) phone, GSM (Global System for Mobile) phone, WCDMA (Wideband CDMA) phone, MBS (Mobile Broadband System) phone And the like can be used.

Embodiments of the invention may be implemented through various means. For example, embodiments of the present invention may be implemented by hardware, firmware, software, or a combination thereof.

In the case of a hardware implementation, the method according to embodiments of the present invention may include one or more application specific integrated circuits (ASICs), digital signal processors (DSPs), digital signal processing devices (DSPDs), programmable logic devices (PLDs). Field programmable gate arrays (FPGAs), processors, controllers, microcontrollers, microprocessors, and the like.

In the case of an implementation by firmware or software, the method according to the embodiments of the present invention may be implemented in the form of a module, a procedure, or a function that performs the functions or operations described above. The software code may be stored in a memory unit and driven by a processor. The memory unit may be located inside or outside the processor, and may exchange data with the processor by various known means.

Embodiments of the present invention may be supported by standard documents disclosed in at least one of the wireless access systems IEEE 802 system, 3GPP system, 3GPP LTE system and 3GPP2 system. That is, steps or parts which are not described to clearly reveal the technical spirit of the present invention among the embodiments of the present invention may be supported by the above documents. In addition, all terms disclosed in the present document can be described by the above standard document. In particular, embodiments of the present invention may be supported by one or more of the standard documents P802.16-2004, P802.16e-2005, and P802.16Rev2 documents of the IEEE 802.16 system.

Hereinafter, exemplary embodiments of the present invention will be described in detail with reference to the accompanying drawings. DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS The following detailed description, together with the accompanying drawings, is intended to illustrate exemplary embodiments of the invention and is not intended to represent the only embodiments in which the invention may be practiced. In addition, specific terms used in the embodiments of the present invention are provided to help the understanding of the present invention, and the use of the specific terms may be changed into other forms without departing from the technical spirit of the present invention. .

1 is a diagram illustrating an example of a process of negotiating basic capabilities in a mobile station and a base station.

Upon initial network entry, a mobile station (MS, or subscriber station (SS)) may transmit a ranging request (RNG-REQ) message to the base station to perform initial ranging. In this case, the ranging request message may include a connection identifier (CID) denoted by 0x0000 and a medium access control address (MAC Addr.) Of the mobile station (S110).

A base station (BS) may transmit a ranging response (RNG-RSP) message to the mobile station in response to the ranging request message. In this case, the ranging response message may include a connection identifier indicated by 0x0000, a medium access control address of the mobile station, a primary CID, and a primary MNG CID (S120).

Through steps S110 and S120, the mobile station can scan the downlink channel and synchronize downlink with the base station. In addition, the mobile station can obtain an uplink parameter through the RNG-RSP message. In addition, the mobile station and the base station can negotiate basic capabilities and perform an authorization procedure.

Referring to FIG. 1, a mobile station (MS) transmits a registration request (REG-REQ) message including a primary MNG CID to a base station (BS) after completion of an authorization procedure. (S130).

The base station transmits a registration response (REG-RSP) message including a primary MNG connection identifier (primary MNG CID) and / or a secondary MNG connection identifier (secondary MNG CID) to the mobile station (S140).

When the mobile station successfully receives the configuration file from the base station, it sends a TFTP-CPLT (config file TFTP complete) message to the base station. The TFTP-CPLT message is used to inform the base station that the mobile station has completed initialization and is ready to receive a service (S160).

The base station transmits the TFTP-RSP message to the mobile station in response to the TFTP-CLPT message (S170). The mobile station receives the service from the base station and communicates with the base station.

2 is a diagram illustrating a ranging procedure and a basic capability negotiation procedure of an initial network entry process.

The mobile station (or subscriber station) may transmit a ranging request (RNG-REQ) message to the base station to request a power and / or downlink burst profile (DL burst profile) at network initialization (S210).

Table 1 below shows an example of a ranging request message format.

Syntex Size (bit) Note RNG-REQ_Message_Formate () { -  Management Message Type = 4 8  Reserved 8 shall be set to zero  TLV Encoded Information variable TLV-specific } -

Most of the parameters included in the ranging request message may be encoded in the form of a TLV tuple. In embodiments of the present invention, parameters included in the ranging request message may refer to IEEE 802.16 specification documents.

The base station may send the ranging response message to the mobile station in response to the ranging request message. In addition, the ranging response message may be asynchronously transmitted to deliver correction values according to the measured value based on other received data or MAC message (S220).

Table 2 below shows an example of a ranging response message format.

Syntex Size (bit) Note RNG-RNG_Message_Formate () { -  Management Message Type = 5 8  Reserved 8 shall be set to zero  TLV Encoded Information variable TLV-specific } -

Most parameters included in the ranging response message may be encoded in the form of a TLV tuple. In embodiments of the present invention, parameters included in the ranging request message may refer to IEEE 802.16 specification documents. However, the ranging response message must include a ranging status parameter.

The mobile station may transmit a basic performance request message (SBC-REQ: SS Basic Capability Request) to the base station in an initialization step for entering the base station (S230).

Table 3 below shows an example of the basic performance request message format.

Syntex Size (bit) Note SBC-REQ_Message_Formate () { -  Management Message Type = 26 8  TLV Encoded Information variable TLV-specific } -

Most of the parameters included in the basic performance request message may be encoded in the form of a TLV tuple. SBC-REQ messages include the Basic CID, the Service Information Query field, the Physical Parameters Supported field, and the Capabilities for Construction and Transmission of MAC. PDUs field, Security Negotiation Parameters, Visited NSP ID, Auth Type for EAP field, and MIH Capability Supported field, Extended Performance SDU MTH One or more of an Extended Capability SDU MTH Capability field and a DL Coordinated Zone Capability field may be included.

The base station may transmit an SSBC basic capability response (SBC-RSP) message to the mobile station as a response to the SBC-REQ message (S240).

Table 4 below shows an example of the basic performance response message format.

Syntex Size (bit) Note SBC-RSP_Message_Formate () { -  Management Message Type = 27 8  TLV Encoded Information variable TLV-specific } -

Most of the parameters included in the basic performance response message may be encoded in the form of a TLV tuple. SBC-RSP messages include the CID, the Service Data Unit MTU Capability field, the Physical Parameters Supported field, the Bandwidth Allocation Support field, and the Security Negotiation Parameters. ), One or more of an HMAC / CMAC tuple, a maximum number of supported security association fields, an NSP list, and a MIH performance support field.

1 and 2, the mobile station and the base station may perform the basic capability negotiation before performing the authorization procedure. Therefore, a problem may occur that messages for basic capability negotiation (eg, SBC-REQ / SBC-RSP) cannot be securely exchanged. That is, the base station and the mobile station need to exchange security-related information prior to the authorization procedure in order to securely transmit and receive the SBC message.

3 is a diagram illustrating one method of sharing security related information according to an embodiment of the present invention.

The IEEE 802.16m system aims to support a secure SBC negotiation function between a mobile station and a base station. For this purpose, in the initial stage (e.g. network entry, etc.), the authorization procedure should be made before the SBC exchange, and it is preferable that security-related information is shared between the mobile station and the base station before the authorization procedure is performed. Accordingly, embodiments of the present invention disclose a method for sharing security related information between a mobile station and a base station before the authorization process begins.

In FIG. 3, the ranging procedure between the base station and the mobile station is similar to the ranging procedure of FIGS. 1 and 2. Therefore, steps S310 and S320 may refer to the description of FIGS. 1 and 2.

In the embodiment of the present invention, new messages are defined to share the subject-related information before the authorization procedure. For example, as a new message for exchanging security related information among information included in the SBC-REQ / SBC-RSP message, an SS Security Capability request (SSC-REQ) message and a SSC- You can define an RSP: SS Security Capability response message.

Referring to FIG. 3, the mobile station can transmit an SS Security Capability Request (SSC-REQ) message to request security related information to the base station (S330).

Table 5 below shows an example of the SSC-REQ message format.

Syntex Size (bits) Notes SSC-REQ_Message_Format () { -  Management Message Type = xx 8  TLV encoded information variable TLV-Specific } -

Referring to Table 5, most parameters included in the SSC-REQ message may be encoded in the form of a TLV tuple. In this case, the SSC-REQ message may include at least one of a connection identifier (CID), a security negotiation parameter (Security Negotiation Parameters), and an Extensible Authentication Protocol (EAP) Auth Type for EAP field.

Table 6 below shows an example of an authentication type field format for EAP.

Name Type Length Value Scope Auth Type for Single EAP 181 One Auth type for single EAP shall only be included when bit # 1 of MS Auth Policy support (see 11.8.4.2) has a value of '1'.
Only one of the bit indicators, bit # 0 of bit # 1 of Auth Type for Single EAP shall be set to a value of '1'.
Bit # 0: device authentication
Bit # 1: user authentication
Bit # 2- # 7: reserved SBC-REQ / SSC-REQ

Referring to Table 6, the authentication type field for EAP is SSC-REQ (or SBC-REQ) only when the value of bit # 1 of the MS Auth Policy Support field is '1'. ) May be included in the message. In Table 6, bit 0 (Bit # 0) of the authentication type field for EAP represents device authentication, and bit 1 (Bit # 1) represents user authentication. The remaining bit values are reserved values.

Referring back to FIG. 3, the base station may transmit an SSC-RSP message including security related information provided by the base station as a response to the SSC-REQ message to the mobile station (S340).

Table 7 below shows an example of the SSC-RSP message format.

Syntex Size (bits) Notes SSC-RSP_Message_Format () { -  Management Message Type = xx 8  TLV encoded information variable TLV-Specific } -

Referring to Table 7, most parameters included in the SSC-RSP message may be encoded in the form of a TLV tuple. The SSC-RSP message may include one or more of a connection identifier (CID) provided by the base station and a security negotiation parameter (Security Negotiation Parameters) provided by the base station.

Hereinafter, security negotiation parameters used in the embodiments of the present invention will be described. Table 8 below shows an example of a security negotiation parameter.

Type Length Value Scope 25 variable The compound field contains the sub-attributes as defined in the table below SBC-REQ,
SBC-RSP,
SSC-REQ,
SSC-RSP

The security negotiation parameters in Table 8 contain the appendages shown in Table 9. Table 9 below shows sub-attributes of security negotiation parameters.

Attribute Contents PKM Version Support Version of privacy Sub-layer supported Authorization Policy Support Authorization Policy to Support Message Authentication Code Mode Message Authentication Code to support Message Confidentiality Mode Message Confidentiality to support PN Window Size Size of capability of the receiver PN window per SAID PKM Flow Control Maximum number of concurrent PKM transaction Maximum Number of Supported Security Association Maximum number of supported SA

Referring to Table 9, the security negotiation parameters include PKM (Privacy Key Management) version support (PKM version support) parameters, Authentication Policy Support parameters, Message Authentication Code Mode parameters, and Message Confidential Mode ( Message Confidentiality Mode parameter, PN Window Size parameter indicating the size of PN window per receiver security association identifier (SAID), PKM Flow Control parameter indicating the maximum number of simultaneous PKMs, and It may include a maximum number of supported security association parameters. In this case, the message confidentiality mode parameter indicates a message confidentiality that can be supported by the current wireless access system.

Table 10 below shows an example of the PKM version support parameter format.

Type Length Value 25.1 One Bit 0: PKM version 1
Bit 1: PKM version 2
Bit 2: PKM version 3
Bits 3-7: Reserved, shall be set to zero

Referring to Table 10, it is assumed that embodiments of the present invention support PKM version 3. However, PKM version 2 or PKM version 1 may be used in addition to PKM version 3.

Table 11 below shows an example of a message confidential mode mode parameter format.

Type Length Value 25.7 One Bit 0: No Message Confidentiality
Bit 1: Selective Message Confidentiality
Bits 2-7: Reserved. Shall be set to zero

The message confidentiality mode parameter may indicate whether selective confidentiality for the message is provided. Referring to Table 11, if the message confidential mode parameter is set to '0', it may indicate that the message confidential mode is not supported, and if it is set to '1', it may indicate that the optional message confidential mode is supported. The mobile station may support one or more confidentiality protection modes, and may inform the message confidentiality mode supported by the mobile station by transmitting the SBC-REQ message to the base station in step S330. In addition, the base station transmits the SSC-RSP message including the security negotiation parameter in step S340, it can inform the mobile station of the message confidential mode that can be supported by the base station.

Through step S330 and step S340, the mobile station and the base station may identify and share security-related parameters supported by each other. Based on this, the mobile station and the base station may perform an authorization procedure. As a result of the authorization procedure, the mobile station and the base station may set a key for SBC negotiation (S350).

After the authorization procedure is completed, the mobile station may transmit the secured SBC-REQ message to the base station, and the base station may transmit the secured SBC-RSP message to the mobile station. The base station and the mobile station can securely negotiate the basic capability by transmitting and receiving secured SBC-REQ message and SBC-RSP message (S360, S370).

FIG. 4 is a diagram illustrating another method of sharing security related information according to another embodiment of the present invention.

Referring to FIG. 4, the mobile station may share security related information for protecting the SBC message in an initial procedure with the base station. For example, the mobile station may transmit a ranging request (RNG-REQ) message including a security negotiation parameter and an authentication type field for the EAP to the base station (S410).

The base station may send a ranging response (RNG-RSP) message to the mobile station in response to the ranging request message. At this time, the base station includes the security negotiation parameters supported by the base station in the ranging response message to transmit to the mobile station, thereby sharing the security-related information for protecting the confidentiality of the SBC messages (S420).

Since the mobile station and the base station share security-related information for protecting the confidentiality of the SBC messages in advance, the mobile station and the base station can transmit and receive SBC messages safely later. In this case, the security negotiation parameters may refer to the contents of the security negotiation parameters described in Tables 8 to 11.

That is, the mobile station may transmit the secured SBC-REQ message to the base station, and the base station may transmit the secured SBC-RSP message to the mobile station. The base station and the mobile station can securely negotiate the basic capability by transmitting and receiving the secured SBC-REQ message and the SBC-RSP message (S430, S440).

As described above, embodiments of the present invention disclose a method of encrypting an SBC-REQ message and an SBC-RSP message without changing the key hierarchy, encryption algorithm, etc. which are generally used to ensure secure SBC negotiation. That is, embodiments of the present invention define an SSC-REQ message and an SSC-RSP message for sharing security-related information prior to an authorization procedure, and propose an exchange method.

Accordingly, embodiments of the present invention can prevent security vulnerabilities in which the SBC negotiation is transparently transmitted to compromise confidentiality, and SBC-REQ / RSP messages can be safely transmitted and received between the mobile station and the base station. Since SBC-REQ and SBC-RSP messages enable sharing of information that must be negotiated by default between the mobile station and the base station, protection for SBC-REQ and SBC-RSP messages is provided by the Medium Access Control (MAC) layer. It must be provided in, and it is preferable that security-related information for this is shared in advance.

Embodiments of the present invention block the security threat caused by the exposure of the SBC-REQ, RSP message, and by sharing the security-related information of the information exchanged through the SBC before the authorization process, the message required for SBC negotiation Can reduce the size.

As another embodiment of the present invention, a transmitter and a receiver in which the above-described embodiments of the present invention are performed are described.

The mobile station can operate as a transmitter in uplink and as a receiver in downlink. In addition, the base station may operate as a receiver in the uplink, and may operate as a transmitter in the downlink. That is, the mobile station and base station can include a transmitter and a receiver for the transmission of information or data.

The transmitter and receiver may include a processor, module, part, and / or means for carrying out the embodiments of the present invention. In particular, the transmitter and receiver may include a module (means) for encrypting the message, a module for interpreting the encrypted message, an antenna for transmitting and receiving the message, and the like.

The mobile station used in embodiments of the present invention may include a low power radio frequency (RF) / intermediate frequency (IF) module. In addition, the mobile station may perform a controller function, a medium access control (MAC) frame variable control function, a handover function, authentication and encryption function, data according to a controller function, a service characteristic, and a propagation environment for performing the above-described embodiments of the present invention. Means, modules or parts for performing packet modulation and demodulation, high speed packet channel coding, and real-time modem control for transmission.

The base station may transmit data received from the upper layer to the mobile station wirelessly or by wire. The base station may include a low power radio frequency (RF) / intermediate frequency (IF) module. In addition, the base station is a controller function for performing the above-described embodiments of the present invention, orthogonal frequency division multiple access (OFDMA) packet scheduling, time division duplex (TDD) packet scheduling and channel multiplexing function MAC frame variable control function according to service characteristics and propagation environment, high speed traffic real time control function, hand over function, authentication and encryption function, packet modulation and demodulation function for data transmission, high speed packet channel coding function and real time modem control Means, modules or parts for performing functions and the like.

The invention can be embodied in other specific forms without departing from the spirit and essential features of the invention. Accordingly, the above detailed description should not be construed as limiting in all aspects and should be considered as illustrative. The scope of the invention should be determined by reasonable interpretation of the appended claims, and all changes within the equivalent scope of the invention are included in the scope of the invention. In addition, the claims may be combined to form an embodiment by combining claims that do not have an explicit citation relationship or may be incorporated as new claims by post-application correction.

Embodiments of the present invention can be applied to various wireless access systems. Examples of various radio access systems include 3rd Generation Partnership Project (3GPP), 3GPP2 and / or IEEE 802.xx (Institute of Electrical and Electronic Engineers 802) systems. Embodiments of the present invention can be applied not only to the various radio access systems, but also to all technical fields to which the various radio access systems are applied.

1 is a diagram illustrating an example of a process of negotiating basic capabilities in a mobile station and a base station.

2 is a diagram illustrating a ranging procedure and a basic capability negotiation procedure of an initial network entry process.

3 is a diagram illustrating one method of sharing security related information according to an embodiment of the present invention.

FIG. 4 is a diagram illustrating another method of sharing security related information according to another embodiment of the present invention.

Claims (10)

In the method of sharing security-related information in a wireless access system, Transmitting to the base station a first message comprising a first security negotiation parameter supported by the mobile station; Receiving a second message including a second security negotiation parameter supported by the base station; Transmitting an SBC-REQ message encrypted using the second security negotiation parameter; And Receiving an encrypted basic performance response (SBC-RSP) message using the second security negotiation parameter. The method of claim 1, The first message further comprises a connection identifier and an extended authentication protocol (EAP) authentication type field. The method of claim 1, The second security negotiation parameter includes a message confidentiality mode parameter supported by the base station; And wherein the message confidentiality mode parameter indicates whether a particular message is selectively protected. The method of claim 1, The first message is a ranging request (RNG-REQ) message. And the second message is a ranging response (RNG-RSP) message. The method of claim 1, The first message is a security performance request (SSC-REQ) message, And the second message is a security performance response (SSC-RSP) message. In the method of sharing security-related information in a wireless access system, Receiving from the mobile station a first message comprising a first security negotiation parameter supported by the mobile station; Transmitting to the mobile station a second message comprising a second security negotiation parameter supported by a base station; Receiving an SBC-REQ message encrypted using the second security negotiation parameter; And And transmitting an encrypted basic performance response (SBC-RSP) message using the second security negotiation parameter. The method of claim 6, The first message further comprises a connection identifier and an extended authentication protocol (EAP) authentication type field. The method of claim 6, The second security negotiation parameter includes a message confidentiality mode parameter supported by the base station; And wherein the message confidentiality mode parameter indicates whether a particular message is selectively protected. The method of claim 6, The first message is a ranging request (RNG-REQ) message. And the second message is a ranging response (RNG-RSP) message. The method of claim 6, The first message is a security performance request (SSC-REQ) message, The second message is a security performance response (SSC-RSP) message, characterized in that the security information sharing method.

Images