WO2009065347A1 - Security communication method, system and apparatus for home base-station - Google Patents

Security communication method, system and apparatus for home base-station

Info

Publication number
WO2009065347A1
Authority
WO
WIPO (PCT)
Prior art keywords
base station
home base
security
tunnel
address
Application number
PCT/CN2008/073065
Other languages
French (fr)
Chinese (zh)
Inventor
Jing Chen
Original Assignee
Huawei Technologies Co., Ltd.
Application filed by Huawei Technologies Co., Ltd.
Publication of WO2009065347A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0869 Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication
    • H04W 12/069 Authentication using certificates or pre-shared keys
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 84/00 Network topologies
    • H04W 84/02 Hierarchically pre-organised networks, e.g. paging networks, cellular networks, WLAN [Wireless Local Area Network] or WLL [Wireless Local Loop]
    • H04W 84/10 Small scale networks; Flat hierarchical networks
    • H04W 84/12 WLAN [Wireless Local Area Networks]

Definitions

  • the present invention relates to the field of network communication technologies, and in particular, to a method, system and apparatus for secure communication of a home base station.
  • Background art
  • the arrangement of the network nodes is generally planned by the operator in advance, and the network arrangement is completed according to the planned content.
  • all users in the same location area share the resources of the cell. After the high-speed or high-bandwidth service is accessed, the access of other users may be affected.
  • the introduction of HB (Home Base-station, Home Base Station) fully satisfies the above requirements and the development needs of the network.
  • the home base station is a home micro base station, and the mobile user can arrange such a base station in a hotspot coverage area such as a home or an office, and access the mobile communication network through the Internet to obtain a wireless communication service.
  • the introduction of the home base station solves the bottleneck problem of air interface resources in wireless data services, so that users can enjoy high-rate, high-bandwidth network services.
  • the home base station accesses through the Internet, which saves the transmission cost of the mobile operator and increases the capacity of the mobile network.
  • the home base station is mainly used in hot spots such as home personal use, office space, and blind spot coverage in remote areas, which improves the coverage of the mobile network and optimizes the quality of the network.
  • the home base station needs to communicate with the OAM (Operation Administration Maintenance) domain and the Service (Service) domain of the PLMN (Public Land Mobile Network) network.
  • the home base station communicates with the two domains through an untrusted network such as the Internet, so communication security between the home base station and the PLMN network cannot be ensured. Therefore, a mechanism is needed to provide security protection for communication between the home base station and the two domains of the PLMN.
  • Embodiments of the present invention provide a method, system, and apparatus for secure communication of a home base station, so as to secure communication between a home base station and a PLMN network.
  • an embodiment of the present invention provides a method for secure communication of a home base station, including the following steps: a home base station and a security gateway perform mutual authentication; and the home base station establishes a secure tunnel with the security gateway to protect communication security between the home base station and the public land mobile network (PLMN).
  • the embodiment of the present invention further provides a home base station, including: an authentication module, configured to perform mutual authentication with a security gateway; and an establishing module, connected to the authentication module, configured to establish a secure tunnel after the authentication module completes authentication, to protect the communication between the home base station and the PLMN.
  • an embodiment of the present invention further provides a communication system, including: a security gateway and the foregoing home base station.
  • DRAWINGS: FIG. 1 is a flowchart of a method for secure communication of a home base station according to an embodiment of the present invention
  • FIG. 2 is a flowchart of Embodiment 1 of a method for secure communication of a home base station according to the present invention
  • FIG. 4 is a flowchart of Embodiment 4 of a method for secure communication of a home base station according to the present invention
  • FIG. 5 is a structural diagram of a system for secure communication of a home base station according to an embodiment of the present invention.
  • Detailed description
  • Embodiments of the present invention provide a method for secure communication of a home base station, which secures communication between a home base station and a PLMN network by using a secure tunnel established between the home base station and the PLMN network.
  • the secure tunnel established between the home base station and the PLMN may be one or more. These secure tunnels may be established on one security gateway or on multiple security gateways. These secure tunnels can be the same type of secure tunnel or different types of secure tunnels.
  • FIG. 1 is a flowchart of a method for secure communication of a home base station according to an embodiment of the present invention, which specifically includes the following steps:
  • Step S101 The home base station performs mutual authentication with the security gateway.
  • the mutual authentication between the home base station and the security gateway can be completed between the home base station and the security gateway by using an EAP (Extensible Authentication Protocol)-based method, a pre-shared key-based manner, or a certificate-based manner.
  • EAP: Extensible Authentication Protocol
  • Step S102 The home base station establishes a secure tunnel with the security gateway to protect communication security between the home base station and the public land mobile network PLMN.
  • One or more secure tunnels can be established between the home base station and the PLMN.
  • the secure tunnel may be an IPsec (Internet Protocol security) security tunnel or a TLS (Transport Layer Security) secure tunnel.
  • IPsec: Internet Protocol security
  • TLS: Transport Layer Security
  • the home base station can establish a secure tunnel with the security gateway to simultaneously protect the communication security between the home base station and the OAM domain and the service domain.
  • alternatively, the home base station and the security gateway establish two secure tunnels, one protecting communication between the home base station and the OAM domain and the other protecting communication between the home base station and the Service domain.
  • after the home base station establishes a secure tunnel with the security gateway, the home base station performs mutual authentication again with the PLMN network over the established secure tunnel.
  • the home base station performs mutual authentication with the security gateway of the PLMN network and establishes a secure tunnel, thereby providing a mechanism that protects communication between the home base station and the OAM domain and Service domain of the PLMN.
  • this mechanism ensures the communication security of the home base station and the PLMN network.
  • Embodiment 1: FIG. 2 is a flowchart of Embodiment 1 of the method for secure communication of a home base station according to the present invention.
  • the scenario described in Embodiment 1 of the method for secure communication of a home base station of the present invention is: secure tunnels are established between the home base station and the security gateway (Security Gateway) SGo of the OAM domain of the PLMN network and between the home base station and the security gateway SGs of the Service domain of the PLMN network, and these secure tunnels are used to protect communication between the home base station and the PLMN network.
  • an IPsec tunnel is used as an example.
  • an IPsec tunnel must be established between the home base station and the SGo/SGs.
  • the tunnel between the home base station and the SGo may be different from the tunnel between the home base station and the SGs.
  • for example, a TLS tunnel is established between the home base station and the SGo, and an IPsec tunnel is established between the home base station and the SGs.
  • This embodiment specifically includes the following steps:
  • Step S201 The HB obtains the IP address of the security gateway SGo of the OAM domain.
  • SAi1: security association information (supported by the HB)
  • KEi: DH exchange value
  • Ni: nonce (random number)
  • Step S203 SGo selects a security association of an IKE (Internet Key Exchange) SA (Security Association), and sends the selection result to the HB.
  • the DH exchange value (KEr) and nonce (Nr) are also sent to the HB together. After this step, the SGo and the HB have completed negotiation of the IKE SA.
  • IKE: Internet Key Exchange
  • SA: Security Association
  • HB and SGo start negotiation of IPsec security association.
  • EAP: Extensible Authentication Protocol
  • AKA: Authentication and Key Agreement
  • SIM: Subscriber Identity Module
  • HB sends the identity of the HB, which is the ID (Identifier) of HB.
  • the identity of the HB is based on the IMSI (International Mobile Subscriber Identification) in the USIM (Universal Mobile Telecommunications System Subscriber Identification Module) inserted in the HB.
  • IMSI: International Mobile Subscriber Identification
  • USIM: Universal Mobile Telecommunications System Subscriber Identification Module
  • the CP payload, by which the HB requests that the SG allocate an internal-network IP address of the OAM domain to the HB, is an optional parameter. This message does not carry the AUTH (Authentication) field, which indicates that the SGo needs to perform EAP authentication.
  • AUTH: Authentication
  • Step S205 SGo sends the identity of the HB to the AAA (Authentication, Authorization and Accounting) server.
  • Step S206 the AAA server interacts with the storage server storing the HB related information to obtain the authentication vector of the HB.
  • the HB profile (subscription information) may also be sent to the AAA server.
  • Step S207 the AAA server sends the EAP AKA/SIM Challenge to the SGo.
  • Step S208 SGo sends the EAP AKA/SIM Challenge to the HB.
  • the identity ID of the SGo, the certificate of the SG, and the AUTH payload calculated by the SG using the certificate are also sent to the HB in this message.
  • Step S209 the HB generates a corresponding EAP response message and sends it to the SGo.
  • Step S210 the SGo forwards the EAP response message to the AAA server.
  • Step S211 The AAA server verifies the EAP response message. After the verification succeeds, it sends an EAP success message and the corresponding key material to the SGo.
  • Step S212 The SGo sends information such as the identity of the HB to the AAA server, and the AAA server performs an authorization check according to the profile of the HB.
  • Step S213 the SGo forwards the EAP success message to the HB. After this step, the SGo and the HB share the key material, completing mutual authentication between the SG and the HB.
  • Step S214 the HB sends an IKE message, where the AUTH payload is carried.
  • the AUTH payload is calculated using a shared key.
  • Step S215 The SGo sends an IKE message carrying the AUTH payload (calculated using the shared key), the selected IPsec SA (SAr2), and the selected policy selectors (TSi and TSr). If the HB requested an intranet IP address, the SG responds with a CP payload carrying the intranet IP address of the HB.
  • Step S216 SGo interacts with the HB to delete the old IKE SA shared between the SGo and the HB. Subsequently, if more secure tunnels need to be established between the HB and the SGo, the CREATE_CHILD_SA exchange between the HB and the SGo is used to establish more IPsec secure tunnels to protect information with different security requirements.
  • Step S217 application-layer security mechanisms may additionally be performed between the HB and the devices of the OAM domain.
  • Step S218 The HB communicates with the EMS (Element Management System) to obtain configuration data and other information from the EMS. HB obtains its IP address in the Service domain and the address of the security gateway of the Service domain.
  • EMS: Element Management System
  • Step S219 the HB and the security gateway SGs of the service domain perform IKE exchange.
  • HB sends its supported security association information (SAi1), DH exchange value (KEi) and nonce (Ni) to the SGs.
  • SAi1: security association information
  • KEi: DH exchange value
  • Ni: nonce
  • Step S220 The SGs selects the security association of the IKE SA, and sends the selection result to the HB.
  • the DH exchange value (KEr) and nonce (Nr) are also sent to the HB together. After this step, the SGs and the HB have completed negotiation of the IKE SA.
  • HB starts the negotiation of the second phase of IKE.
  • HB sends its identity to the SGs.
  • This identity has a special identity format.
  • the SGs can address the AAA server located in the OAM domain according to the special format of this identity, and can obtain, according to this identity, the same key that the HB uses in the OAM domain. This identity format can be RAND@HBServiceDomainAUTH.operator.com.
  • Step S222 the SGs address the corresponding AAA server according to the special format of the ID, and request the key K from the AAA server.
  • the IP address is also reported to the AAA server.
  • Step S223 The SGs use the key K to verify the correctness of the AUTH and complete the negotiation of the IPsec SA.
  • the AUTH in the reply message is also calculated using the key K. If more secure tunnels are needed to protect different information, such as different security protection for signaling and data, the SGs can perform a CREATE_CHILD_SA exchange with the HB to establish more IPsec secure tunnels.
  • in the above, the security association between the home base station and the SGo is established using EAP-AKA for authentication, but it can also be established in other manners, such as EAP-SIM, a pre-shared-key-based approach, a certificate-based approach, etc.
  • the scenario described in Embodiment 2 of the method for secure communication of the home base station of the present invention is as follows: secure tunnels are established between the home base station and the security gateway SGo of the OAM domain of the PLMN network and between the home base station and the security gateway SGs of the Service domain of the PLMN network, and these secure tunnels are used to protect communication between the home base station and the PLMN network.
  • the following uses the establishment of an IPsec tunnel as an example to introduce Embodiment 2 of the present invention.
  • Steps 1 to 17 of the second embodiment are the same as steps S201 to S217 of the first embodiment.
  • Step S218 the home base station and the security gateway SGs of the Service domain re-execute the steps described in steps S201 to S216 to establish an IPsec tunnel between the home base station and the SGs. If more secure tunnels are needed between the home base station and the security gateway of the Service domain to protect different information, such as different security protection for signaling and data, the SGs can perform a CREATE_CHILD_SA exchange with the HB to establish more IPsec secure tunnels.
  • in the above, the security association between the home base station and the SGo/SGs is established using EAP-AKA for authentication, but it can also be established in other ways, such as EAP-SIM, a pre-shared-key-based approach, a certificate-based approach, etc.
  • the manner of establishing a security association between the home base station and the SGo may be different from the manner in which the home base station and the SGs establish a security association.
  • FIG. 3 is a flowchart of Embodiment 3 of a method for secure communication of a home base station according to the present invention.
  • the scenario described in Embodiment 3 of the method for secure communication of a home base station of the present invention is: the security gateway of the OAM domain of the PLMN network and the security gateway of the Service domain of the PLMN network are the same security gateway SG.
  • the home base station and the security gateway establish a secure tunnel and use these secure tunnels to secure communication between the home base station and the PLMN network. Specifically, it includes the following steps:
  • Step S301 The HB acquires an IP address of the SG.
  • Step S302 HB and SG perform the IKE_SA_INIT exchange.
  • HB sends its supported security association information (SAi1), DH exchange value (KEi), and nonce (Ni) to the SG.
  • SAi1: security association information
  • KEi: DH exchange value
  • Ni: nonce
  • Step S303 The SG selects a security association of the IKE SA, and sends the selection result to the HB.
  • the DH exchange value (KEr) and nonce (Nr) are also sent to the HB together. After this step, the SG and the HB have completed negotiation of the IKE SA.
  • Step S304 the HB and the SG start the negotiation of the IPsec security association.
  • HB and SG use EAP AKA/SIM for mutual authentication.
  • HB sends the identity of the HB (the ID of the HB, derived from the IMSI in the USIM card inserted in the HB, in NAI format), a certificate request (CERT REQUEST, requesting the certificate of the SG), optionally an intranet IP address request (a CP payload requesting that the SG allocate an IP address of the OAM domain to the HB), the security association information supported by the HB (SAi2), and the policy selectors (TSi, TSr).
  • This message does not carry the AUTH field to indicate that the SG needs to perform EAP authentication.
  • Step S305 the SG sends the identity of the HB to the AAA server.
  • Step S306 the AAA server interacts with the storage server storing the HB related information to obtain the authentication vector of the HB.
  • the profile of the HB may also be sent to the AAA server.
  • Step S307 the AAA server sends an EAP AKA/SIM Challenge to the SG.
  • the identity ID of the SG, the certificate of the SG, and the AUTH payload calculated by the SG using the certificate are also sent to the HB together with the Challenge.
  • Step S309 the HB generates a corresponding EAP response message and sends the message to the SG.
  • Step S310 the SG forwards the EAP response message to the AAA server.
  • Step S311 The AAA server verifies the EAP response message. After the verification succeeds, it sends an EAP success message and the corresponding key material to the SG.
  • Step S312 the SG sends information such as the identity of the HB to the AAA server, and the AAA server performs an authorization check according to the profile of the HB.
  • Step S313 the SG forwards the EAP success message to the HB. After this step, the SG and the HB share the key material and have completed mutual authentication between the SG and the HB.
  • Step S314 the HB sends an IKE message, where the AUTH payload is carried.
  • the AUTH payload is calculated using a shared key.
  • Step S315 the SG sends an IKE message carrying the AUTH payload (calculated using the shared key), the selected IPsec SA (SAr2), and the selected policy selectors (TSi and TSr). If the HB requested an intranet IP address, the SG responds with a CP payload carrying the intranet IP address of the HB.
  • Step S316 the SG and the HB interact to delete the old IKE SA shared between the SG and the HB. Subsequently, if the HB and the SG need more security associations to protect different types of communication between the HB and the OAM domain, the HB and the SG can establish multiple IPsec secure tunnels through CREATE_CHILD_SA exchanges.
  • Step S317 the HB communicates with the EMS, and obtains configuration data and the like from the EMS.
  • the HB obtains the IP address of the HB in the service domain. If the IP address of the HB in the service domain and the OAM domain is the same, the HB does not need to obtain the IP address again.
  • HB may need to establish a new IPsec security association for the Service domain.
  • a CREATE_CHILD_SA exchange is performed between the HB and the SG: the HB sends an IKE message requesting creation of an IPsec SA.
  • the HB can also carry the CP payload request in this message to obtain the IP address of the HB in the Service domain. If the IP address of the HB in the Service domain and the OAM domain is the same, the HB does not need to obtain the IP address again.
  • Step S319 the SG completes the negotiation of the IPsec SA, and sends a corresponding IKE message to notify the IPsec SA selected by the SG.
  • HB may need to establish multiple IPsec security associations with the security gateway to protect different types of communication. In this case, multiple IPsec security associations can be established between the HB and the SG through CREATE_CHILD_SA exchanges.
  • in the above, the security association between the home base station and the SG is established using EAP-AKA for authentication, but it can also be established in other manners, such as EAP-SIM, a pre-shared-key-based approach, a certificate-based approach, etc.
  • Embodiment 4: FIG. 4 is a flowchart of Embodiment 4 of the method for secure communication of a home base station according to the present invention.
  • the scenario described in Embodiment 4 of the method for secure communication of a home base station of the present invention is: the security gateway of the OAM domain of the PLMN network and the security gateway of the Service domain of the PLMN network are the same security gateway SG.
  • the home base station and the security gateway establish a secure tunnel and use these secure tunnels to secure communication between the home base station and the PLMN network. Specifically, it includes the following steps:
  • Step S401 the HB and the security gateway establish a secure tunnel.
  • IKEv2 carries EAP to perform the mutual authentication.
  • an IPsec tunnel is established between the HB and the security gateway.
  • Step S402 Bind the established IPsec secure tunnel to the IP address of the HB.
  • HB requests two IP addresses using the CP payload in the IKEv2 protocol: the IP address of the HB in the OAM domain and the IP address of the HB in the Service domain.
  • the IPsec secure tunnel established between the HB and the security gateway is bound to the two IP addresses; or,
  • HB uses the CP payload in the IKEv2 protocol to request the IP address of the HB in the OAM domain.
  • the IPsec secure tunnel established between the HB and the security gateway is bound to the IP address of the HB in the OAM domain.
  • HB requests the IP address of the HB in the service domain, and binds the IPsec secure tunnel established between the HB and the security gateway to the IP address of the HB in the service domain; or
  • HB uses the same IP address in the OAM domain and the Service domain, so that the HB only needs to use the CP payload in IKEv2 to request that one IP address, and binds the IPsec secure tunnel established between the HB and the security gateway to that IP address.
  • in the above, the HB obtains its IP addresses in the OAM domain and the Service domain during security association negotiation with the security gateway, that is, during establishment of the IPsec secure tunnel. Alternatively, the HB may obtain its IP addresses in the OAM domain and the Service domain after the IPsec secure tunnel is established, and then bind those IP addresses to the established IPsec secure tunnel.
  • Step S403 the communication between the HB and the OAM domain and the communication between the HB and the Service domain are protected by the established IPsec secure tunnel.
  • the HB and the PLMN network complete mutual authentication in the process of establishing the secure tunnel.
  • the HB and the PLMN network may need to be further authenticated, that is, the HB first authenticates with the PLMN network and establishes a secure tunnel, and then the HB and the PLMN network perform mutual authentication again.
  • the methods of Embodiments 1 to 4 can be used between the HB and the security gateway to complete mutual authentication in an EAP-based manner, a pre-shared-key-based manner or a certificate-based manner, and to establish a secure tunnel between the HB and the security gateway.
  • the HB then performs mutual authentication with the PLMN network over the established secure tunnel.
  • FIG. 5, a structural diagram of a system for secure communication of a home base station, includes a security gateway 1 and further includes a home base station 2, configured to perform mutual authentication with the security gateway 1 and to establish a secure tunnel to protect the communication security between the home base station 2 and the PLMN.
  • the home base station 2 includes: an authentication module 21, configured to perform mutual authentication with the security gateway 1;
  • the establishing module 22 is connected to the authentication module 21, and is configured to establish a secure tunnel after the authentication module 21 completes authentication, to protect the communication security between the home base station 2 and the PLMN.
  • the establishing module 22 includes: an OAM domain establishing submodule 221, configured to establish a security tunnel by using a security association negotiation with the security gateway of the OAM domain to protect the communication security between the home base station 2 and the OAM domain.
  • the establishing module 22 further includes: a Service domain establishing sub-module 222, configured to, after the OAM domain establishing sub-module 221 establishes a secure tunnel with the security gateway of the OAM domain, establish a secure tunnel with the security gateway of the Service domain, either according to the secret information shared between the home base station 2 and the security gateway of the OAM domain or by security association negotiation with the security gateway of the Service domain, to protect the communication security between the home base station 2 and the Service domain.
  • the home base station 2 further includes: an IP address obtaining module 23, connected to the establishing module 22, configured to acquire one or both of the IP address of the home base station 2 in the OAM domain and its IP address in the Service domain after the establishing module 22 establishes an IPsec secure tunnel;
  • the binding module 24 is connected to the IP address obtaining module 23, and is configured to bind the IPsec secure tunnel to the IP address obtained by the IP address obtaining module 23 to protect the communication security between the home base station and the OAM domain and the service domain.
  • the binding module 24 binds the IPsec secure tunnel to the IP address obtained by the IP address obtaining module 23, specifically: the IPsec secure tunnel is bound to both the IP address of the home base station 2 in the OAM domain and its IP address in the Service domain acquired by the IP address obtaining module 23; or the IPsec secure tunnel is first bound to the IP address of the home base station 2 in the OAM domain acquired by the IP address obtaining module 23, and then bound to the IP address of the home base station 2 in the Service domain acquired by the IP address obtaining module 23.
  • the establishing module 22 further includes: a tunnel creation sub-module 223, configured to, after the binding module 24 binds the IPsec secure tunnel to the IP address of the home base station 2 in the OAM domain, establish another IPsec tunnel by security association negotiation with the security gateway 1 according to the IP address of the home base station 2 in the Service domain acquired by the IP address obtaining module 23, to protect the communication security between the home base station 2 and the Service domain.
  • the home base station 2 performs mutual authentication with the security gateway 1 of the PLMN network and establishes a secure tunnel, thereby providing a security protection mechanism for communication between the home base station 2 and the OAM domain and Service domain of the PLMN, which ensures the communication security of the home base station 2 and the PLMN network.
  • the technical solution of the present invention can be embodied in the form of a software product, which can be stored in a non-volatile storage medium, such as a CD-ROM, a USB flash drive or a removable hard disk, and executed on a computer device, such as a personal computer, a server or a network device.
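The Service-domain tunnel set-up of Embodiment 1 (steps S219 to S223), modelled as an added example that is not part of the patent: the HB presents an identity of the form RAND@HBServiceDomainAUTH.operator.com, the SGs uses the realm to locate the OAM-domain AAA server, obtains key K from it and verifies the AUTH payload with K before the IPsec SA negotiation proceeds. The HMAC-based derivation of K from the EAP-AKA key material, the HMAC construction of AUTH, the hex encoding of RAND, and the AAA indexing its stored key material by the IP address the SGs reports are all assumptions; the patent specifies none of them.

```python
"""Model of steps S219-S223: SGs locates the OAM-domain AAA by the realm of the
special identity, obtains key K and checks AUTH. Derivations are assumptions."""
from __future__ import annotations

import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from typing import Optional

# Identity format given in the patent; the 16-byte RAND is assumed hex encoded.
NAI_RE = re.compile(r"^(?P<rand>[0-9a-f]{32})@(?P<realm>HBServiceDomainAUTH\.[\w.-]+)$")


def derive_k(key_material: bytes, rand: bytes) -> bytes:
    """Assumed derivation of K from the key material shared at the SGo (S213):
    HMAC-SHA256 keyed with that material over a label and the RAND."""
    return hmac.new(key_material, b"HB-service-domain" + rand, hashlib.sha256).digest()


def compute_auth(k: bytes, ike_msg: bytes) -> bytes:
    """Assumed AUTH payload: HMAC-SHA256 of the IKE message under K."""
    return hmac.new(k, ike_msg, hashlib.sha256).digest()


@dataclass
class AAAServer:
    """OAM-domain AAA server. After the EAP-AKA run at the SGo it keeps the HB's
    key material; here (assumption) it is indexed by the IP address that the SGs
    reports together with the key request in S222."""
    realm: str
    key_material: dict = field(default_factory=dict)  # hb_ip -> key material

    def register_hb(self, hb_ip: str, key_material: bytes) -> None:
        self.key_material[hb_ip] = key_material

    def key_request(self, rand: bytes, hb_ip: str) -> Optional[bytes]:
        km = self.key_material.get(hb_ip)
        return None if km is None else derive_k(km, rand)


@dataclass
class HomeBaseStation:
    hb_ip: str
    key_material: bytes  # shared with the SGo/AAA after S213
    realm: str

    def service_domain_auth(self, ike_msg: bytes) -> tuple[str, bytes]:
        """S221: build the special identity and the AUTH payload under K."""
        rand = os.urandom(16)
        identity = f"{rand.hex()}@{self.realm}"
        return identity, compute_auth(derive_k(self.key_material, rand), ike_msg)


class ServiceGateway:
    """SGs: resolves the realm to an AAA server, requests K and verifies AUTH."""

    def __init__(self, aaa_by_realm: dict[str, AAAServer]):
        self.aaa_by_realm = aaa_by_realm

    def verify(self, identity: str, hb_ip: str, ike_msg: bytes, auth: bytes) -> tuple[bool, str]:
        m = NAI_RE.match(identity)
        if not m:
            return False, "identity not in RAND@HBServiceDomainAUTH.<operator> form"
        aaa = self.aaa_by_realm.get(m["realm"])  # S222: address the AAA by realm
        if aaa is None:
            return False, f"no AAA server for realm {m['realm']}"
        k = aaa.key_request(bytes.fromhex(m["rand"]), hb_ip)
        if k is None:
            return False, "AAA holds no key material for this HB"
        if not hmac.compare_digest(compute_auth(k, ike_msg), auth):  # S223
            return False, "AUTH verification failed"
        return True, "AUTH verified; IPsec SA negotiation may proceed"


def run_scenario(tamper: bool = False) -> tuple[bool, str]:
    """Constructed scenario: an HB already authenticated at the SGo now sets up
    its Service-domain tunnel; with tamper=True the IKE message is altered in transit."""
    realm = "HBServiceDomainAUTH.operator.com"
    aaa = AAAServer(realm)
    km = os.urandom(64)  # stands in for the EAP-AKA key material (constructed)
    hb = HomeBaseStation("10.0.1.7", km, realm)
    aaa.register_hb(hb.hb_ip, km)
    sgs = ServiceGateway({realm: aaa})
    ike_msg = b"IKE_AUTH: SAi2, TSi, TSr (constructed)"
    identity, auth = hb.service_domain_auth(ike_msg)
    if tamper:
        ike_msg += b" modified"
    return sgs.verify(identity, hb.hb_ip, ike_msg, auth)


if __name__ == "__main__":
    print(run_scenario())
    print(run_scenario(tamper=True))
```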

Abstract

A security communication method for a home base-station is provided. The method includes the following steps: the home base-station performs mutual authentication with a security gateway; and, in order to protect the communication between the home base-station and the public land mobile network (PLMN), the home base-station establishes a security tunnel to the security gateway. In the preferred embodiments of the invention, the home base-station performs mutual authentication with the security gateways of the PLMN network and establishes a security tunnel, thereby providing a mechanism that protects communication between the base-station and the OAM domain and Service domain of the PLMN and ensures secure communication between the base-station and the PLMN network.

Description

Method, system and apparatus for secure communication of a home base station. This application claims priority to Chinese Patent Application No. 200710187239.4, filed with the Chinese Patent Office on November 16, 2007 and entitled "Method, system and apparatus for home base station access", the entire contents of which are incorporated herein by reference.
Technical field
The present invention relates to the field of network communication technologies, and in particular to a method, system and apparatus for secure communication of a home base station.
Background art
In current mobile communication networks, the placement of network nodes is generally planned in advance by the operator, and the network is deployed according to that plan. In the network, all users in the same location area share the resources of the cell; once a high-rate or high-bandwidth service gains access, it may affect the access of other users.
With the development of the Internet and the wide application of various wireless services, users demand high speed, convenience and low cost from wireless networks. On the other hand, from the operator's perspective, it is necessary to make full use of existing network resources, expand capacity, reduce cost and serve users better.
The HB (Home Base-station) was proposed to fully meet the above requirements and the development needs of the network. A home base station is a household micro base station; mobile users can deploy such a base station in hotspot coverage areas such as homes and offices and access the mobile communication network through the Internet to obtain wireless communication service. The introduction of the home base station solves the bottleneck of air-interface resources in wireless data services, so that users can enjoy high-rate, high-bandwidth network services. On the other hand, because the home base station connects through the Internet, it saves the mobile operator's transmission cost and increases the capacity of the mobile network. Moreover, home base stations are mainly used for personal use at home, in hotspot areas such as offices, and for blind-spot coverage in remote areas, which improves the coverage of the mobile network and optimizes network quality. The home base station needs to communicate with the OAM (Operation Administration Maintenance) domain and the Service domain of the PLMN (Public Land Mobile Network). Because the home base station communicates with these two domains over an untrusted network such as the Internet, the communication security between the home base station and the PLMN network cannot be ensured; therefore a mechanism is needed to provide security protection for the communication between the home base station and these two domains of the PLMN.
In the process of implementing the present invention, the inventor found that the prior art has at least the following problem: there is no mechanism that provides security protection for the communication between the home base station and the OAM domain and Service domain of the PLMN, so the communication security between the home base station and the PLMN network cannot be guaranteed.
Summary of the invention
Embodiments of the present invention provide a method, system and apparatus for secure communication of a home base station, so as to protect the communication security between the home base station and the PLMN network.
To achieve the above objective, in one aspect an embodiment of the present invention provides a method for secure communication of a home base station, including the following steps: the home base station performs mutual authentication with a security gateway; and the home base station establishes a secure tunnel with the security gateway to protect the communication security between the home base station and the public land mobile network PLMN.
In another aspect, an embodiment of the present invention further provides a home base station, including: an authentication module, configured to perform mutual authentication with a security gateway; and an establishing module, connected to the authentication module, configured to establish a secure tunnel after the authentication module has completed authentication, so as to protect the communication security between the home base station and the PLMN.
In another aspect, an embodiment of the present invention further provides a communication system, including a security gateway and the above home base station.
Compared with the prior art, embodiments of the present invention have the following advantage: by establishing a secure tunnel between the home base station and the security gateway of the PLMN, security protection is provided for the communication between the home base station and the PLMN network.
Brief description of the drawings
FIG. 1 is a flowchart of a method for secure communication of a home base station according to an embodiment of the present invention; FIG. 2 is a flowchart of Embodiment 1 of the method for secure communication of a home base station according to the present invention; FIG. 3 is a flowchart of Embodiment 3 of the method for secure communication of a home base station according to the present invention; FIG. 4 is a flowchart of Embodiment 4 of the method for secure communication of a home base station according to the present invention; FIG. 5 is a structural diagram of a system for secure communication of a home base station according to an embodiment of the present invention.
Detailed description of the embodiments
Embodiments of the present invention provide a method for secure communication of a home base station, which protects the communication between the home base station and the PLMN network by means of secure tunnels established between them. One or more secure tunnels may be established between the home base station and the PLMN; these secure tunnels may be established on one security gateway or on several security gateways, and they may be of the same type or of different types.
FIG. 1 is a flowchart of a method for secure communication of a home base station according to an embodiment of the present invention, which specifically includes the following steps:
Step S101: the home base station performs mutual authentication with the security gateway. The mutual authentication between the home base station and the security gateway may be completed using an EAP (Extensible Authentication Protocol)-based method, a pre-shared-key-based method, a certificate-based method, or the like.
Step S102: the home base station establishes a secure tunnel with the security gateway to protect the communication security between the home base station and the public land mobile network PLMN. One or more secure tunnels may be established between the home base station and the PLMN. The secure tunnel may be an IPsec (Internet Protocol security) tunnel or a TLS (Transport Layer Security) tunnel. When the security gateway of the OAM domain and the security gateway of the Service domain of the PLMN network are different security gateways, the home base station may establish separate secure tunnels with the OAM-domain security gateway and with the Service-domain security gateway, protecting its communication with the OAM domain and with the Service domain respectively. When the security gateway of the OAM domain and the security gateway of the Service domain are the same security gateway, the home base station may establish one secure tunnel with that security gateway to protect its communication with both the OAM domain and the Service domain at once; alternatively, the home base station may establish two separate secure tunnels with that security gateway, one protecting its communication with the OAM domain and the other protecting its communication with the Service domain.
After the home base station has established the secure tunnel with the security gateway, the home base station performs mutual authentication with the PLMN network again over the established secure tunnel.
In the above method for secure communication of a home base station, the home base station performs mutual authentication with the security gateway of the PLMN network and establishes a secure tunnel, thereby providing a mechanism that protects the communication between the home base station and the OAM domain and Service domain of the PLMN and ensures the communication security between the home base station and the PLMN network.
FIG. 2 is a flowchart of Embodiment 1 of the method for secure communication of a home base station according to the present invention. The scenario described by Embodiment 1 is the following: the home base station establishes separate secure tunnels with the security gateway SGo (Security Gateway) of the OAM domain of the PLMN network and with the security gateway SGs of the Service domain of the PLMN network, and uses these secure tunnels to protect the communication between the home base station and the PLMN network. This embodiment takes IPsec tunnels as an example, but it is not required that IPsec tunnels be established between the home base station and both SGo and SGs; the tunnel between the home base station and SGo may be of a different type from the tunnel between the home base station and SGs, for example a TLS tunnel between the home base station and SGo and an IPsec tunnel between the home base station and SGs. This embodiment specifically includes the following steps:
Step S201: the HB obtains the IP address of the security gateway SGo of the OAM domain. Step S202: the HB and the OAM-domain security gateway perform an IKE_SA_INIT exchange. The HB sends the security association information it supports (SAi1), its DH exchange value (KEi) and a nonce (random number, Ni) to SGo.
Step S203: SGo selects the security association of the IKE (Internet Key Exchange) SA (Security Association) and sends the selection result to the HB, together with its DH exchange value (KEr) and nonce (Nr). After this step, SGo and the HB have negotiated the IKE SA.
Step S204: the HB and SGo begin negotiation of the IPsec security association. During the security association negotiation, the HB and SGo perform mutual authentication using EAP (Extensible Authentication Protocol) AKA (Authentication and Key Agreement)/SIM (Subscriber Identity Module). The HB sends its identity, i.e. the ID (Identifier) of the HB, which is an identity in NAI (Network Access Identifier) format derived from the IMSI (International Mobile Subscriber Identification number) in the USIM (Universal Mobile Telecommunications System Subscriber Identity Module) card inserted in the HB; a certificate request (requesting the SG's certificate); an intranet IP address request CP (Configuration Payload); the security association information supported by the HB (SAi2); and the policy selectors (TSi, TSr). The CP is used to request that the SG allocate to this HB an intranet IP address in the OAM domain, and is an optional parameter. This message does not carry the AUTH (Authentication) payload, which indicates to SGo that EAP authentication is to be performed.
Step S205: SGo sends the identity of the HB to the AAA (Authentication, Authorization, Accounting) server.
Step S206: the AAA server interacts with the storage server holding the HB's information to obtain the authentication vector of the HB. The HB's profile (subscription information) may also be sent to the AAA server at the same time.
Step S207: the AAA server sends an EAP AKA/SIM Challenge to SGo. Step S208: SGo sends the EAP AKA/SIM Challenge to the HB. SGo's identity IDr, the SG's certificate and the AUTH payload computed by the SG using its certificate are sent to the HB along with it.
Step S209: the HB generates the corresponding EAP response message and sends it to SGo.
Step S210: SGo forwards the EAP response message to the AAA server.
Step S211: the AAA server verifies the EAP response message. After successful verification, it sends an EAP success message and sends the corresponding key material to SGo.
Step S212: SGo sends the HB's identity and related information to the AAA server, and the AAA server performs an authorization check according to the HB's profile. Step S213: SGo forwards the EAP success message to the HB. After this step, SGo and the HB share the key material, and the mutual authentication between the SG and the HB is complete.
Step S214: the HB sends an IKE message carrying the AUTH payload. The AUTH payload is computed using the shared key.
Step S215: SGo sends an IKE message carrying the AUTH payload (computed using the shared key), the selected IPsec SA (SAr2) and the selected policy selectors (TSi and TSr). If the HB requested an intranet IP address, the SG responds with a CP payload carrying the HB's intranet IP address.
Step S216: SGo interacts with the HB to delete the old IKE SA shared between SGo and the HB. Subsequently, if more secure tunnels need to be established between the HB and SGo, the HB and SGo use CREATE_CHILD_SA exchanges to establish additional IPsec secure tunnels that protect information with different security requirements.
Step S217: an application-layer security mechanism may be executed between the HB and the devices of the OAM domain.
Step S218: the HB communicates with the EMS (Element Management System) and obtains configuration data and other information from the EMS. The HB obtains its IP address in the Service domain and the address of the Service-domain security gateway.
Step S219: the HB and the Service-domain security gateway SGs perform an IKE exchange. The HB sends the security association information it supports (SAi1), its DH exchange value (KEi) and a nonce (Ni) to SGs.
Step S220: SGs selects the security association of the IKE SA and sends the selection result to the HB, together with its DH exchange value (KEr) and nonce (Nr). After this step, SGs and the HB have negotiated the IKE SA.
Step S221: the HB begins the second-phase IKE negotiation. The HB sends its identity to SGs. This identity has a special format; from this special format SGs can locate the AAA server in the OAM domain and, based on this special identity, obtain the same key as the HB. The identity format may be RAND@HBServiceDomainAUTH.operator.com. The HB computes the key K = (CK||IK, IP of SGs, ...) from the CK (Cryptographic Key)/IK (Integrity Key) generated during the OAM-domain authentication, and then uses the key K to compute AUTH.
Step S222: SGs locates the corresponding AAA server according to the special format of the ID and requests the key K from the AAA server. The AAA server computes the key K = (CK||IK, IP of SGs, ...) by the same method as the HB and sends the key K to SGs. SGs may need to tell the AAA server the IP address of SGs that the HB used when computing K.
Step S223: SGs verifies the correctness of AUTH using the key K and completes the IPsec SA negotiation. The AUTH in the reply message is also computed using the key K. If more secure tunnels are needed to protect different kinds of information, for example different security protection for signaling and for data, SGs can perform CREATE_CHILD_SA exchanges with the HB to establish additional IPsec secure tunnels.
In this embodiment, the security association between the home base station and SGo is established using EAP-AKA for authentication; however, the security association between the home base station and SGo may also be established in other ways, such as EAP-SIM, a pre-shared-key-based method or a certificate-based method.
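Steps S219 to S223 as an added, runnable Python model (not code from the patent or from Huawei): the HB presents the special NAI identity, SGs uses the realm part to find the OAM-domain AAA server, the AAA recomputes K from CK||IK and the SGs address, and the AUTH payloads are checked in both directions. The page only names the inputs to K; the KDF and MAC (HMAC-SHA256), the class and function names, and the RAND/CK/IK, IP and transcript values are assumptions constructed for the example. The mismatch case shows why K is bound to the SGs address: a gateway at a different address obtains a different K from the AAA and cannot complete the exchange.

```python
"""Service-domain IKE_AUTH using the key reused from the OAM-domain EAP-AKA run."""
import hashlib
import hmac
from typing import Dict, Optional, Tuple

# Realm taken from the identity format on the page (RAND@HBServiceDomainAUTH.operator.com).
SERVICE_AUTH_REALM = "HBServiceDomainAUTH.operator.com"

# Constructed toy values standing in for the EAP-AKA outputs of steps S204..S213.
RAND = bytes.fromhex("00112233445566778899aabbccddeeff")
CK = bytes.fromhex("0a" * 16)
IK = bytes.fromhex("0b" * 16)


def derive_k(ck: bytes, ik: bytes, sgs_ip: str) -> bytes:
    # Page: K = (CK||IK, IP of SGs, ...). The KDF itself is not named on the page;
    # HMAC-SHA256 keyed with CK||IK over the SGs address is an assumption.
    return hmac.new(ck + ik, sgs_ip.encode("ascii"), hashlib.sha256).digest()


def compute_auth(k: bytes, transcript: bytes) -> bytes:
    # AUTH "computed using K": modelled as HMAC-SHA256 over the IKE message
    # octets (assumption; real IKEv2 uses the negotiated prf over defined octets).
    return hmac.new(k, transcript, hashlib.sha256).digest()


class OamAaaServer:
    """AAA server in the OAM domain; keeps CK/IK of each EAP-AKA run, keyed by RAND."""

    def __init__(self) -> None:
        self._runs: Dict[str, Tuple[bytes, bytes]] = {}

    def record_aka_run(self, rand: bytes, ck: bytes, ik: bytes) -> None:
        self._runs[rand.hex()] = (ck, ik)

    def key_request(self, rand_hex: str, sgs_ip: str) -> Optional[bytes]:
        # Step S222: SGs asks for K and supplies the SGs IP the HB used for K.
        run = self._runs.get(rand_hex)
        return None if run is None else derive_k(run[0], run[1], sgs_ip)


class HomeBaseStation:
    def __init__(self, rand: bytes, ck: bytes, ik: bytes) -> None:
        self.rand, self.ck, self.ik = rand, ck, ik

    def identity(self) -> str:
        # Special NAI: the user part carries RAND so the AAA can find the AKA run.
        return f"{self.rand.hex()}@{SERVICE_AUTH_REALM}"

    def ike_auth_request(self, sgs_ip: str, transcript: bytes) -> Dict[str, object]:
        # Step S221: K is bound to the SGs address the HB believes it is talking to.
        k = derive_k(self.ck, self.ik, sgs_ip)
        return {"IDi": self.identity(), "AUTH": compute_auth(k, transcript)}

    def verify_response(self, sgs_ip: str, transcript: bytes, auth: bytes) -> bool:
        k = derive_k(self.ck, self.ik, sgs_ip)
        return hmac.compare_digest(compute_auth(k, transcript), auth)


class ServiceGateway:
    def __init__(self, ip: str, aaa_by_realm: Dict[str, OamAaaServer]) -> None:
        self.ip, self.aaa_by_realm = ip, aaa_by_realm

    def handle_ike_auth(self, msg: Dict[str, object], req_t: bytes,
                        resp_t: bytes) -> Optional[bytes]:
        # Steps S222/S223: realm -> AAA, fetch K, check AUTH, answer with AUTH under K.
        user, _, realm = str(msg["IDi"]).partition("@")
        aaa = self.aaa_by_realm.get(realm)
        if aaa is None:
            return None
        k = aaa.key_request(user, self.ip)
        if k is None or not hmac.compare_digest(compute_auth(k, req_t), msg["AUTH"]):
            return None
        return compute_auth(k, resp_t)


def run_service_domain_auth(hb_target_ip: str, sgs_ip: str, rand: bytes = RAND) -> bool:
    """Full S221..S223 round trip; True only if both AUTH payloads verify."""
    aaa = OamAaaServer()
    aaa.record_aka_run(RAND, CK, IK)  # what the OAM-domain EAP-AKA run left behind
    hb = HomeBaseStation(rand, CK, IK)
    sgs = ServiceGateway(sgs_ip, {SERVICE_AUTH_REALM: aaa})
    req_t, resp_t = b"IKE_AUTH-request-octets", b"IKE_AUTH-response-octets"  # constructed
    req = hb.ike_auth_request(hb_target_ip, req_t)
    resp_auth = sgs.handle_ike_auth(req, req_t, resp_t)
    return resp_auth is not None and hb.verify_response(hb_target_ip, resp_t, resp_auth)


if __name__ == "__main__":
    print(run_service_domain_auth("203.0.113.7", "203.0.113.7"))    # True
    print(run_service_domain_auth("203.0.113.7", "203.0.113.99"))   # False: K bound to SGs IP
    print(run_service_domain_auth("203.0.113.7", "203.0.113.7", rand=b"\xff" * 16))  # False
```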
The scenario described by Embodiment 2 of the method for secure communication of a home base station according to the present invention is the following: the home base station establishes separate secure tunnels with the security gateway SGo of the OAM domain of the PLMN network and with the security gateway SGs of the Service domain of the PLMN network, and uses these secure tunnels to protect the communication between the home base station and the PLMN network. Embodiment 2 is described below taking the establishment of IPsec tunnels as an example.
Steps 1 to 17 of Embodiment 2 are the same as steps S201 to S217 of Embodiment 1. Step S218: the home base station and the Service-domain security gateway SGs re-execute the steps described in steps S201 to S216 to establish an IPsec tunnel between the home base station and SGs. If more secure tunnels are needed between the home base station and the Service-domain security gateway to protect different kinds of information, for example different security protection for signaling and for data, SGs can perform CREATE_CHILD_SA exchanges with the AP to establish additional IPsec secure tunnels.
In this embodiment of the present invention, the security association between the home base station and SGo/SGs is established using EAP-AKA for authentication; however, the security association between the home base station and SGo/SGs may also be established in other ways, such as EAP-SIM, a pre-shared-key-based method or a certificate-based method. Moreover, the way the security association between the home base station and SGo is established may differ from the way the security association between the home base station and SGs is established.
FIG. 3 is a flowchart of Embodiment 3 of the method for secure communication of a home base station according to the present invention. The scenario described by Embodiment 3 is the following: the security gateway of the OAM domain and the security gateway of the Service domain of the PLMN network are the same security gateway SG. The home base station establishes secure tunnels with this security gateway and uses them to protect the communication between the home base station and the PLMN network. The embodiment specifically includes the following steps:
Step S301: the HB obtains the IP address of the SG.
Step S302: the HB and the SG perform an IKE_SA_INIT exchange. The HB sends the security association information it supports (SAi1), its DH exchange value (KEi) and a nonce (Ni) to the SG.
Step S303: the SG selects the security association of the IKE SA and sends the selection result to the HB, together with its DH exchange value (KEr) and nonce (Nr). After this step, the SG and the HB have negotiated the IKE SA.
Step S304: the HB and the SG begin negotiation of the IPsec security association. During the security association negotiation, the HB and the SG perform mutual authentication using EAP AKA/SIM. The HB sends its identity, i.e. the ID of the HB, an NAI-format identity derived from the IMSI in the USIM card inserted in the HB; a certificate request (CERT REQUEST, for requesting the SG's certificate); an intranet IP address request (CP, for requesting that the SG allocate to this HB an intranet IP address in the OAM domain; optional); the security association information supported by the HB (SAi2); and the policy selectors (TSi, TSr). This message does not carry the AUTH payload, which indicates that the SG needs to perform EAP authentication.
Step S305: the SG sends the identity of the HB to the AAA server.
Step S306: the AAA server interacts with the storage server holding the HB's information to obtain the authentication vector of the HB. The HB's profile may also be sent to the AAA server.
Step S307: the AAA server sends an EAP AKA/SIM Challenge to the SG. Step S308: the SG sends the EAP AKA/SIM Challenge to the HB. The SG's identity IDr, the SG's certificate and the AUTH payload computed by the SG using its certificate are sent to the HB along with it.
Step S309: the HB generates the corresponding EAP response message and sends it to the SG.
Step S310: the SG forwards the EAP response message to the AAA server.
Step S311: the AAA server verifies the EAP response message. After successful verification, it sends an EAP success message and sends the corresponding key material to the SG.
Step S312: the SG sends the HB's identity and related information to the AAA server, and the AAA server performs an authorization check according to the HB's profile.
Step S313: the SG forwards the EAP success message to the HB. After this step, the SG and the HB share the key material, and the mutual authentication between the SG and the HB is complete.
Step S314: the HB sends an IKE message carrying the AUTH payload. The AUTH payload is computed using the shared key.
Step S315: the SG sends an IKE message carrying the AUTH payload (computed using the shared key), the selected IPsec SA (SAr2) and the selected policy selectors (TSi and TSr). If the HB requested an intranet IP address, the SG responds with a CP payload carrying the HB's intranet IP address.
Step S316: the SG and the HB interact to delete the old IKE SA shared between them. Subsequently, if the HB and the SG need more security associations to protect communications of different kinds between the HB and the OAM domain, the HB and the SG can establish multiple IPsec secure tunnels through CREATE_CHILD_SA exchanges.
Step S317: the HB communicates with the EMS and obtains configuration data and other information from the EMS. The HB obtains its IP address in the Service domain; if the HB's IP addresses in the Service domain and in the OAM domain are the same, the HB does not need to obtain an IP address again.
Step S318: the HB communicates with the Service domain. At this point the HB may need to establish a new IPsec security association for the Service domain. A CREATE_CHILD_SA exchange is performed between the HB and the SG: the HB sends an IKE message requesting that an IPsec SA be created. The HB may also carry a CP payload in this message to request its IP address in the Service domain. If the HB's IP addresses in the Service domain and in the OAM domain are the same, the HB does not need to obtain an IP address again.
Step S319: the SG completes the IPsec SA negotiation and sends the corresponding IKE message to notify the HB of the IPsec SA selected by the SG. The HB may need to establish multiple IPsec associations with the security gateway to protect communications of different kinds; in that case, multiple IPsec associations can be established between the HB and the SG through CREATE_CHILD_SA exchanges.
In this embodiment, the security association between the home base station and the SG is established using EAP-AKA for authentication; however, the security association between the home base station and SGo may also be established in other ways, such as EAP-SIM, a pre-shared-key-based method or a certificate-based method.
As shown in FIG. 4, which is a flowchart of Embodiment 4 of the home base station secure communication method of the present invention, the scenario described in Embodiment 4 is: the security gateway of the OAM domain of the PLMN network and the security gateway of the Service domain of the PLMN network are the same security gateway SG. The home base station establishes secure tunnels with this security gateway and uses these secure tunnels to protect communication between the home base station and the PLMN network. The method specifically includes the following steps:
Step S401: The HB and the security gateway establish a secure tunnel. The HB and the security gateway perform mutual authentication using IKEv2 carrying EAP; after mutual authentication, an IPsec secure tunnel is established between the HB and the security gateway.
Step S402: Bind the established IPsec secure tunnel to the IP address(es) of the HB. When negotiating the security association, the HB uses the CP payload of the IKEv2 protocol to request two IP addresses: the HB's IP address in the OAM domain and the HB's IP address in the Service domain. The IPsec secure tunnel established between the HB and the security gateway is bound to these two IP addresses; or,
when negotiating the security association, the HB uses the CP payload of the IKEv2 protocol to request the HB's IP address in the OAM domain, and the IPsec secure tunnel established between the HB and the security gateway is bound to the HB's IP address in the OAM domain. The HB then requests its IP address in the Service domain, and the IPsec secure tunnel established between the HB and the security gateway is bound to the HB's IP address in the Service domain; or,
the HB uses the same IP address in the OAM domain and the Service domain, so the HB only needs to request this single IP address with the CP payload of IKEv2 and bind the IPsec secure tunnel established between the HB and the security gateway to that IP address. In the above, the HB obtains its IP addresses in the OAM domain and the Service domain during the security association negotiation between the HB and the security gateway, that is, during the establishment of the IPsec secure tunnel; alternatively, the HB may obtain its IP addresses in the OAM domain and the Service domain after the IPsec secure tunnel has been established and then bind those IP addresses to the established IPsec secure tunnel.
Step S403: The communication between the HB and the OAM domain and the communication between the HB and the Service domain are protected through the established IPsec secure tunnel.
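The CP request/reply of step S402 (the same CP payload that step S318 carries in a CREATE_CHILD_SA exchange) and the per-tunnel address binding that step S403 relies on, as an added Python model that is not code from the patent or from Huawei. The CP encoding follows RFC 5996 section 3.15; the address pools, SPI values and the ordering "first requested address = OAM domain, second = Service domain" are assumptions made for illustration.

```python
"""IKEv2 Configuration Payload (CP) round trip for Embodiment 4 (steps S402/S403).

Constructed example. CP encoding per RFC 5996 s.3.15; address pools, SPI values
and the "first address = OAM domain, second = Service domain" ordering are
assumptions for illustration, not something the patent specifies.
"""
import struct
from dataclasses import dataclass, field
from ipaddress import IPv4Address

CFG_REQUEST, CFG_REPLY = 1, 2      # CFG Type field values
INTERNAL_IP4_ADDRESS = 1           # configuration attribute type
NO_NEXT_PAYLOAD = 0


def build_cp(cfg_type, addrs):
    """Encode a CP. None -> empty INTERNAL_IP4_ADDRESS attribute (the HB asking
    for an address); IPv4Address -> 4-byte attribute (the SG assigning one)."""
    attrs = b""
    for a in addrs:
        value = b"" if a is None else a.packed
        attrs += struct.pack("!HH", INTERNAL_IP4_ADDRESS, len(value)) + value
    body = struct.pack("!B3x", cfg_type) + attrs          # CFG Type + 3 reserved
    return struct.pack("!BBH", NO_NEXT_PAYLOAD, 0, 4 + len(body)) + body


def parse_cp(data):
    """Decode a CP into (cfg_type, [IPv4Address | None, ...]). Every length is
    checked so a truncated or padded payload is rejected, never read past."""
    if len(data) < 8:
        raise ValueError("CP shorter than its fixed header")
    _next, _flags, length = struct.unpack_from("!BBH", data, 0)
    if length != len(data):
        raise ValueError("CP length field does not match payload size")
    cfg_type, off, addrs = data[4], 8, []
    while off < length:
        if off + 4 > length:
            raise ValueError("truncated attribute header")
        atype, alen = struct.unpack_from("!HH", data, off)
        atype &= 0x7FFF                                   # drop reserved R bit
        off += 4
        if off + alen > length:
            raise ValueError("attribute value overruns payload")
        value, off = data[off:off + alen], off + alen
        if atype == INTERNAL_IP4_ADDRESS:
            if alen not in (0, 4):
                raise ValueError("INTERNAL_IP4_ADDRESS must be 0 or 4 bytes")
            addrs.append(IPv4Address(value) if alen == 4 else None)
    return cfg_type, addrs


@dataclass
class SecurityGateway:
    """The SG of Embodiment 4: one gateway serving both the OAM and Service domains.
    Pools are constructed dotted-quad strings."""
    oam_pool: list
    service_pool: list
    bindings: dict = field(default_factory=dict)   # child-SA SPI -> bound inner addrs

    def handle_cp(self, spi, request):
        """Step S402: answer the HB's CFG_REQUEST and bind the tunnel (SPI) to the
        address(es) handed out. One requested address is the case where the HB
        uses the same address in both domains; two is the split case."""
        cfg_type, attrs = parse_cp(request)
        if cfg_type != CFG_REQUEST or any(a is not None for a in attrs):
            raise ValueError("expected a CFG_REQUEST with empty address attributes")
        if len(attrs) == 1:
            assigned = [IPv4Address(self.oam_pool.pop(0))]
        elif len(attrs) == 2:
            assigned = [IPv4Address(self.oam_pool.pop(0)),
                        IPv4Address(self.service_pool.pop(0))]
        else:
            raise ValueError("HB may request one or two INTERNAL_IP4_ADDRESS")
        self.bindings[spi] = frozenset(assigned)
        return build_cp(CFG_REPLY, assigned)

    def accept_inner(self, spi, inner_src):
        """Step S403 enforcement: a packet leaving the tunnel `spi` is forwarded
        into the OAM/Service domain only if its inner source address is one bound
        to that tunnel, so an HB cannot send with another HB's address."""
        return IPv4Address(inner_src) in self.bindings.get(spi, frozenset())


def hb_obtains_addresses(sg, spi, want):
    """HB side: request `want` (1 or 2) addresses via CP; return what the SG assigned."""
    reply = sg.handle_cp(spi, build_cp(CFG_REQUEST, [None] * want))
    cfg_type, assigned = parse_cp(reply)
    if cfg_type != CFG_REPLY:
        raise ValueError("SG did not answer with a CFG_REPLY")
    return [str(a) for a in assigned]


if __name__ == "__main__":
    sg = SecurityGateway(oam_pool=["10.10.0.10"], service_pool=["10.20.0.10"])
    print(hb_obtains_addresses(sg, 0x1001, 2))   # ['10.10.0.10', '10.20.0.10']
    print(sg.accept_inner(0x1001, "10.20.0.10"), sg.accept_inner(0x1001, "10.20.0.99"))
```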
Most of the solutions described in Embodiments 1 to 4 use EAP-AKA as the method for mutual authentication between the HB and the security gateway when establishing the secure tunnel. In this case, the HB and the PLMN network complete their mutual authentication in the course of establishing the secure tunnel. In some cases, however, the HB and the PLMN network may need to perform further authentication: the HB first performs mutual authentication with the PLMN network and establishes the secure tunnel, and then the HB and the PLMN network perform mutual authentication again. In this scenario, the HB and the security gateway can use the methods of Embodiments 1 to 4 to complete mutual authentication between the HB and the security gateway by an EAP-based, pre-shared-key-based or certificate-based method and to establish the secure tunnel; the HB then performs mutual authentication with the PLMN network over the established secure tunnel.
As shown in FIG. 5, which is a structural diagram of a home base station secure communication system according to an embodiment of the present invention, the system includes a security gateway 1 and further includes a home base station 2, configured to perform mutual authentication with the security gateway 1 and establish a secure tunnel to protect the communication security between the home base station 2 and the PLMN.
The home base station 2 includes: an authentication module 21, configured to perform mutual authentication with the security gateway 1;
an establishing module 22, connected to the authentication module 21 and configured to establish a secure tunnel after authentication by the authentication module 21, so as to protect the communication security between the home base station 2 and the PLMN.
The establishing module 22 includes: an OAM domain establishing sub-module 221, configured to perform security association negotiation with the security gateway of the OAM domain to establish a secure tunnel, so as to protect the communication security between the home base station 2 and the OAM domain.
The establishing module 22 further includes: a service domain establishing sub-module 222, configured, after the OAM domain establishing sub-module 221 has established a secure tunnel with the security gateway of the OAM domain, to establish a secure tunnel with the security gateway of the service domain based on the secret information shared between the home base station 2 and the security gateway of the OAM domain; or to perform security association negotiation with the security gateway of the service domain to establish a secure tunnel, so as to protect the communication security between the home base station 2 and the service domain.
The home base station 2 further includes: an IP address acquiring module 23, connected to the establishing module 22 and configured to acquire one or both of the IP addresses of the home base station 2 in the OAM domain and the service domain after the establishing module 22 has established the IPsec secure tunnel;
a binding module 24, connected to the IP address acquiring module 23 and configured to bind the IPsec secure tunnel to the IP address(es) acquired by the IP address acquiring module 23, so as to protect the communication security between the home base station and the OAM domain and the service domain.
The binding module 24 binds the IPsec secure tunnel to the IP address(es) acquired by the IP address acquiring module 23 specifically as follows: binding the IPsec secure tunnel to the IP addresses of the home base station 2 in the OAM domain and the service domain acquired by the IP address acquiring module 23; or binding the IPsec secure tunnel to the IP address of the home base station 2 in the OAM domain acquired by the IP address acquiring module 23, and then binding the IPsec secure tunnel to the IP address of the home base station 2 in the service domain acquired by the IP address acquiring module 23.
The establishing module 22 further includes: a tunnel creating sub-module 223, configured, after the binding module 24 has bound the IPsec secure tunnel to the IP address of the home base station 2 in the OAM domain, to perform security association negotiation with the security gateway 1 based on the IP address of the home base station 2 in the service domain acquired by the IP address acquiring module 23, so as to establish another IPsec tunnel that protects the communication security between the home base station 2 and the service domain.
In the above home base station secure communication system, the home base station 2 performs mutual authentication with the security gateway 1 of the PLMN network and establishes a secure tunnel, thereby providing a mechanism that protects the communication between the home base station 2 and the OAM domain and Service domain of the PLMN and ensuring the communication security between the home base station 2 and the PLMN network.
From the description of the above embodiments, those skilled in the art will clearly understand that all or part of the steps of the method embodiments of the present invention may be implemented by hardware, or by software together with a necessary general-purpose hardware platform. Based on this understanding, the technical solution of the present invention may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (such as a CD-ROM, a USB flash drive or a removable hard disk) and includes a number of instructions for causing a computer device (such as a personal computer, a server or a network device) to execute the methods described in the various embodiments of the present invention.
In summary, the above are merely preferred embodiments of the present invention and are not intended to limit the scope of protection of the present invention. Any modifications, equivalent substitutions, improvements and the like made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.

Claims

1. A method for secure communication of a home base station, characterized in that it comprises: performing mutual authentication between a home base station and a security gateway;
establishing, by the home base station, a secure tunnel with the security gateway, so as to protect communication security between the home base station and a public land mobile network (PLMN) network.
2. The method for secure communication of a home base station according to claim 1, characterized in that the security gateway comprises: a security gateway of an operation, administration and maintenance (OAM) domain;
and establishing, by the home base station, the secure tunnel with the security gateway specifically comprises: performing, by the home base station, security association negotiation with the security gateway of the OAM domain to establish a secure tunnel.
3. The method for secure communication of a home base station according to claim 2, characterized in that, after the home base station performs security association negotiation with the security gateway of the OAM domain to establish the secure tunnel, the method further comprises: sharing a key between the home base station and the OAM domain.
4. The method for secure communication of a home base station according to claim 3, characterized in that the security gateway further comprises: a security gateway of a service domain;
and establishing, by the home base station, the secure tunnel with the security gateway further comprises: establishing, by the home base station and the security gateway of the service domain, a secure tunnel according to the shared key.
5. The method for secure communication of a home base station according to claim 4, characterized in that, before the home base station and the security gateway of the service domain establish the secure tunnel according to the shared key, the method further comprises:
sending, by the home base station, an identifier of the shared key to the security gateway of the service domain.
6. The method for secure communication of a home base station according to claim 1, characterized in that the security gateway comprises: a security gateway of a service domain;
and establishing, by the home base station, the secure tunnel with the security gateway comprises: performing, by the home base station, security association negotiation with the security gateway of the service domain to establish a secure tunnel.
7. The method for secure communication of a home base station according to any one of claims 1 to 6, characterized in that the secure tunnel is: an Internet Protocol Security (IPsec) tunnel or a Transport Layer Security (TLS) tunnel.
8. The method for secure communication of a home base station according to claim 1, characterized in that, when the secure tunnel is an IPsec secure tunnel,
the method further comprises:
acquiring, by the home base station, IP addresses of the home base station in the OAM domain and the service domain; and binding, by the home base station and the security gateway, the IPsec secure tunnel to the IP addresses in the OAM domain and the service domain.
9. The method for secure communication of a home base station according to claim 1, characterized in that, when the secure tunnel is an IPsec secure tunnel,
the method further comprises:
acquiring, by the home base station, an IP address of the home base station in the OAM domain; and binding, by the home base station and the security gateway, the IPsec secure tunnel to the IP address in the OAM domain.
10. The method for secure communication of a home base station according to claim 9, characterized in that, after the home base station and the security gateway bind the IPsec secure tunnel to the IP address in the OAM domain, the method further comprises:
acquiring, by the home base station, an IP address of the home base station in the service domain;
binding, by the home base station and the security gateway, the IPsec secure tunnel to the IP address in the service domain.
11. The method for secure communication of a home base station according to claim 10, characterized in that, after the home base station acquires the IP address of the home base station in the service domain, the method further comprises: performing, by the home base station and the security gateway, security association negotiation according to the IP address in the service domain to establish another IPsec tunnel.
12. The method for secure communication of a home base station according to claim 9, characterized in that, after the home base station and the security gateway bind the IPsec secure tunnel to the IP address in the OAM domain, the method further comprises:
if the IP address of the home base station in the service domain is the same as its IP address in the OAM domain, performing, by the home base station and the security gateway, security association negotiation according to the IP address in the OAM domain to establish another IPsec tunnel.
13. The method for secure communication of a home base station according to claim 1, characterized in that, after the home base station establishes the secure tunnel with the security gateway, the method further comprises: performing, by the home base station, mutual authentication with the PLMN network over the secure tunnel.
14. A home base station, characterized in that it comprises:
an authentication module, configured to perform mutual authentication with a security gateway;
an establishing module, connected to the authentication module and configured to establish a secure tunnel after authentication by the authentication module, so as to protect communication security between the home base station and a PLMN.
15. The home base station according to claim 14, characterized in that the establishing module comprises: an OAM domain establishing sub-module, configured to perform security association negotiation with a security gateway of the OAM domain to establish a secure tunnel.
16. The home base station according to claim 15, characterized in that the establishing module further comprises: a service domain establishing sub-module, configured, after the OAM domain establishing sub-module has established the secure tunnel with the security gateway of the OAM domain, to establish a secure tunnel with a security gateway of the service domain according to secret information shared between the home base station and the security gateway of the OAM domain; or to perform security association negotiation with the security gateway of the service domain to establish a secure tunnel.
17. The home base station according to claim 14, characterized in that it further comprises:
an IP address acquiring module, connected to the establishing module and configured to acquire one or both of the IP addresses of the home base station in the OAM domain and the service domain while the establishing module establishes an IPsec secure tunnel or after the IPsec secure tunnel has been established;
a binding module, connected to the IP address acquiring module and configured to bind the IPsec secure tunnel to the IP address(es) acquired by the IP address acquiring module.
18. The home base station according to claim 17, characterized in that, when binding the IPsec secure tunnel to the IP address(es) acquired by the IP address acquiring module, the binding module is specifically configured to:
bind the IPsec secure tunnel to the IP addresses of the home base station in the OAM domain and the service domain acquired by the IP address acquiring module; or
bind the IPsec secure tunnel to the IP address of the home base station in the OAM domain acquired by the IP address acquiring module, and then bind the IPsec secure tunnel to the IP address of the home base station in the service domain acquired by the IP address acquiring module.
19. The home base station according to claim 18, characterized in that the establishing module further comprises: a tunnel creating sub-module, configured, after the binding module has bound the IPsec secure tunnel to the IP address of the home base station in the OAM domain, to perform security association negotiation with the security gateway according to the IP address of the home base station in the service domain acquired by the IP address acquiring module, so as to establish another IPsec tunnel.
20. A communication system, characterized in that it comprises:
a security gateway and the home base station according to any one of claims 14 to 19.
PCT/CN2008/073065 2007-11-16 2008-11-14 Security communication method, system and apparatus for home base-station WO2009065347A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN2007101872394A CN101437223B (en) 2007-11-16 2007-11-16 Access method, system and apparatus for household base station
CN200710187239.4 2007-11-16

Publications (1)

Publication Number Publication Date
WO2009065347A1 true WO2009065347A1 (en) 2009-05-28

Also Published As

Publication number Publication date
CN101437223B (en) 2011-11-02
CN101437223A (en) 2009-05-20


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 08852529; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 08852529; Country of ref document: EP; Kind code of ref document: A1)