CN100521820C - Method for checking distance measurement requirement information and wireless access network - Google Patents


Info

Publication number
CN100521820C
Authority
CN
China
Prior art date
Legal status
Active
Application number
CNB2006101038904A
Other languages
Chinese (zh)
Other versions
CN101014185A
Inventor
吴建军
肖正飞
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd
Priority to CNB2006101038904A
Publication of CN101014185A
Application granted
Publication of CN100521820C
Legal status: Active

Abstract

The invention discloses a ranging request message verification method and a radio access network, solving the problem that the existing flow is unreasonable. The method comprises the following steps: the mobile subscriber station sends a ranging request message to the target base station; the target base station obtains an authorization key and performs an integrity check on the ranging request message. The method of the invention reduces signaling overhead inside the network and ensures that the key request message is forwarded effectively and correctly to the Authenticator holding the key information of the MSS and on to the target BS.

Description

Ranging request message verification method and radio access network
Technical field
The present invention relates to the communications field, and in particular to a verification method for a ranging request message carrying a message authentication code (MAC) in the case of a handover across Authenticators, and to a radio access network.
Background technology
With the rapid growth of Internet services and wireless networks, ever higher security requirements are being placed on wireless access networks. Beyond the widely used device authentication, subscriber authentication and service authorization methods that improve the security of radio communication, the establishment of a secure channel between the mobile subscriber station (MSS) and the base station (BS) and the exchange of security information over it, as well as the establishment of secure channels and the exchange of security information between the BS and the Authenticator and between the Authenticator and the Authentication Server, are all issues that currently need special attention.
Fig. 1 shows a schematic diagram of the security architecture of a wireless access network in the prior art. As shown in Fig. 1, the security architecture mainly involves the following network elements: MSS, BS, Authenticator and Authentication Server. The main functions of the MSS in this architecture are to initiate authentication and authorization, to exchange with the Authentication Server the information needed to produce the root key, to generate the root key, to produce from the root key the authorization key (AK) needed to encrypt air-interface data, and to derive from the AK the other keys used for data encryption and for management message integrity checks. The functions of the BS are to provide the security channel between the Authenticator and the MSS, to compress and encrypt air-interface data, to exchange security information between the BS and the MSS, and to provide the MSS with a secure channel from the BS to the Authenticator. The main functions of the Authenticator are to act as proxy for MSS authentication, to produce from the root key information provided by the Authentication Server (shared with the MSS) and the identity of the BS the AK needed to establish the secure channel between the BS and the MSS, and to distribute the AK to the corresponding BS. The main functions of the Authentication Server are to authenticate the MSS, to produce and distribute root key information to the Authenticator, and to notify the Authenticator and other network elements promptly of the consequences of changes in user information.
In this way, data transmitted over the air interface can be transmitted securely by encryption, and management messages transmitted over the air interface can also be transmitted securely by using a message authentication code (MAC) for integrity checking. If a hash algorithm is used, the message authentication code is called a hashed message authentication code (HMAC). In the WiMAX system, besides the hash-based message authentication code, a cipher-based message authentication code (CMAC) can also be used for integrity checking.
In the above architecture, when an MSS moves into the coverage of a target BS, synchronizes with the target BS and obtains the uplink and downlink parameters of the air interface, it performs a ranging process: it sends an RNG-REQ message to notify the target BS that it has successfully moved and attached under the target BS. (In the handover case, the MSS then communicates with its peer through the target BS; in the idle mode case, the target BS, having been notified that the MSS has moved and attached under it, notifies the paging controller that the MSS has performed a location update, so that the paging controller updates the location information of the MSS in time and, when the MSS is paged, the message can be correctly delivered to the MSS through the target BS.) To guarantee the integrity of air-interface management messages, an HMAC/CMAC is usually added to this message so that the BS can check its integrity; once the integrity check passes, the re-authentication, authorization and authentication procedures can be omitted. To perform the integrity check, the BS needs to obtain the AK. As mentioned above, the AK must be regenerated on the Authenticator from the key information stored on the Authenticator and information of the target BS. Two situations may therefore arise:
(1) The Authenticator to which the target BS belongs holds the key information of this MSS.
(2) The Authenticator to which the target BS belongs does not hold the key information of this MSS; the key information of this MSS is held on the original Authenticator.
How to complete the integrity check of the RNG-REQ message and of the subsequent management messages then becomes a problem.
In the prior art, when the MSS changes Authenticator during handover and the Authenticator to which the target BS belongs does not hold the key information of this MSS, the target BS performs the integrity check of the RNG-REQ message and subsequent management messages according to the flow shown in Fig. 2.
S201: the MSS moves from the original BS to the target BS, synchronizes with the target BS and, after receiving and identifying the downlink and uplink parameters of the target BS, sends the RNG-REQ management message to the target BS with HMAC information appended;
S202: the target BS sends an AK_Request message to the serving Authenticator to which it belongs, the message containing the identities of the MSS and the target BS together with the message body and HMAC of the ranging message;
S203: the serving Authenticator requests the original Authenticator to produce the air-interface key AK for the target BS, forwarding the identities of the MSS and the target BS together with the message body and HMAC of the ranging message to the original Authenticator;
S204: the original Authenticator produces the air-interface key AK for the target BS from the identities of the MSS and the target BS and the stored key information of the MSS, and uses this AK to check the integrity of the message body and HMAC of the ranging message; only if the integrity check passes does it send the AK, the corresponding AKID, the AK lifetime and other key information (such as the EIK) to the target BS via the serving Authenticator;
S205: the target BS obtains the air-interface key AK and parses and processes the content of the RNG-REQ;
S206: the target BS constructs the response message RNG-RSP and appends an HMAC to it.
Thereafter, using the AK, the target BS can verify received management messages of this MSS that carry an HMAC, append an HMAC to the management messages that need to be sent to the MSS so that the peer can check their integrity, and derive from the AK the encryption key used on the data path to guarantee the confidentiality of session traffic transmitted over the air interface.
In the prior art, in order to carry out the first integrity check, the whole RNG-REQ message body and HMAC must be sent through the serving Authenticator to the original Authenticator; the added content increases the signaling overhead on the internal interfaces of the network. Moreover, the message sent by the target BS to the serving Authenticator carries no information about the original Authenticator, so the serving Authenticator cannot forward the message to the original Authenticator effectively and correctly. The whole flow is therefore unreasonable in certain respects and needs to be improved.
Summary of the invention
The present invention provides a ranging request message verification method, in order to solve the problems in the prior art of an unreasonable flow and wasted signaling overhead on the internal interfaces of the network.
The method of the invention comprises:
A ranging request message verification method, applied to the case in which a mobile subscriber station crosses Authenticators during a mobile handover, comprising the following steps:
the mobile subscriber station sends a ranging request message to the target base station;
the target base station obtains an authorization key and performs an integrity check on the ranging request message.
The step in which the mobile subscriber station sends the ranging request message to the target base station further comprises:
the mobile subscriber station synchronizes with the target base station and receives and identifies the downlink and uplink parameters of the target base station.
In the step in which the mobile subscriber station sends the ranging request message to the target base station, the ranging request message carries a message authentication code.
The message authentication code is a hashed message authentication code or a cipher-based message authentication code.
The step in which the target base station obtains the authorization key comprises:
the target base station sends an authorization key request message to the serving Authenticator, the authorization key request message including the mobile subscriber station identity and the location information of the original Authenticator;
the original Authenticator and the serving Authenticator exchange the identification information of the mobile subscriber station and the target base station, and produce the authorization key of this mobile subscriber station for the target base station.
The location information of the original Authenticator is the identification information of the original Authenticator or the identification information of the original base station.
If the location information of the original Authenticator is the identification information of the original base station, the method further comprises looking up the original Authenticator according to the identification information of the original base station.
The step in which the original Authenticator and the serving Authenticator exchange the identification information of the mobile subscriber station and the target base station and produce the authorization key of this mobile subscriber station for the target base station further comprises:
the serving Authenticator sends an authorization key application request message to the original Authenticator, containing the identities of the mobile subscriber station and the target base station;
the original Authenticator produces the authorization key and related information of this mobile subscriber station for the target base station, according to the identities of the mobile subscriber station and the target base station and the key information stored on the original Authenticator;
the serving Authenticator sends the authorization key and related information to the target base station.
Alternatively, the step in which the original Authenticator and the serving Authenticator exchange the identification information of the mobile subscriber station and the target base station and produce the authorization key of this mobile subscriber station for the target base station further comprises:
the serving Authenticator sends a key application request message to the original Authenticator, containing the identity of the mobile subscriber station;
the original Authenticator sends the stored key information of the mobile subscriber station to the serving Authenticator, and the serving Authenticator produces the authorization key and related information of this mobile subscriber station for the target base station according to the identities of the mobile subscriber station and the target base station and the key information of the mobile subscriber station;
the serving Authenticator sends the authorization key and related information to the target base station.
The step in which the target base station obtains the authorization key and performs the integrity check on the ranging request message further comprises:
the target base station sends an authorization key request message to the serving Authenticator to which it belongs, the authorization key request message including the identities of the mobile subscriber station and the paging controller;
the paging controller and the serving Authenticator exchange the identification information of the mobile subscriber station and the target base station, and produce the authorization key of this mobile subscriber station for the target base station.
In the step in which the target base station obtains the authorization key and performs the integrity check on the ranging request message, if the serving Authenticator to which the target base station belongs holds the key information of this mobile subscriber station, the target base station directly uses the authorization key of this mobile subscriber station produced by that serving Authenticator to perform the integrity check on the ranging request message.
The step in which the target base station obtains the authorization key and performs the integrity check on the ranging request message further comprises:
the target base station sends an authorization key request message to the serving Authenticator, the authorization key request message including the mobile subscriber station identity and the target base station identity;
the serving Authenticator produces the authorization key and related information of this mobile subscriber station for the target base station according to the mobile subscriber station identity and the target base station identity.
The step in which the target base station obtains the authorization key further comprises:
the target base station sends an authorization key request message to the original Authenticator, the authorization key request message including mobile subscriber station information;
the original Authenticator produces the authorization key for the target base station and sends it to the target base station.
The authorization key related information comprises the authorization key identifier, the lifetime of the authorization key and other context information.
The method further comprises the step:
the target base station constructs a ranging request response message, appends a message authentication code to it and sends it to the mobile subscriber station.
The method further comprises the step:
the target base station uses the authorization key to perform an integrity check on the management messages received from this mobile subscriber station.
The method further comprises the step:
the target base station appends a message authentication code to the management messages that need to be sent to the mobile subscriber station, so that the peer can perform an integrity check.
The target base station produces an encryption key from the authorization key.
The radio access network of the invention comprises:
A radio access network comprising a mobile subscriber station, an original base station accessed by the mobile subscriber station before it moves, an original Authenticator storing the key information of this mobile subscriber station, a target base station accessed by the mobile subscriber station after it moves, a serving Authenticator connected to the target base station, and an authentication server connected to the original Authenticator and the serving Authenticator, applied to the case in which the mobile subscriber station crosses Authenticators during a mobile handover;
the mobile subscriber station is provided with:
a ranging request message sending unit, for sending a ranging request message to the target base station;
the target base station is provided with:
an authorization key obtaining unit, for obtaining the authorization key;
a verification unit, for performing an integrity check on the ranging request message.
The mobile subscriber station further comprises:
a synchronization unit, for synchronizing with the target base station.
The authorization key obtaining unit further comprises:
an authorization key request message sending unit, for sending an authorization key request message to the serving Authenticator, the authorization key request message including the mobile subscriber station identity and the location information of the original Authenticator;
the original Authenticator and the serving Authenticator exchange the identification information of the mobile subscriber station and the target base station, and produce the authorization key of this mobile subscriber station for the target base station.
The serving Authenticator further comprises:
an authorization key application request message sending unit, for sending an authorization key application request message to the original Authenticator, containing the identities of the mobile subscriber station and the target base station;
The original Authenticator further comprises:
an authorization key and related information generation unit, for producing the authorization key and related information of this mobile subscriber station for the target base station according to the identities of the mobile subscriber station and the target base station and the key information stored on the original Authenticator;
an authorization key and related information sending unit, for sending the authorization key and related information to the target base station.
The target base station further comprises:
an authorization key request message sending unit, for sending an authorization key request message to the original Authenticator, the authorization key request message including mobile subscriber station information;
The original Authenticator further comprises:
an authorization key sending unit, for sending the authorization key to the target base station.
The target base station further comprises:
a ranging request response message generation unit, for constructing a ranging request response message and the message authentication code appended to it;
a ranging request response message sending unit, for sending the ranging request response message to the mobile subscriber station.
The solution of the invention proposes a flow for the integrity check of an RNG-REQ message carrying an HMAC/CMAC and of the subsequent management messages. The improved flow reduces signaling consumption inside the network while ensuring that the key request message is forwarded effectively and correctly to the Authenticator holding the key information of this MSS and on to the target BS; the AK finally obtained is used to parse and process the content of the RNG-REQ and to construct the response message RNG-RSP with its appended HMAC/CMAC. Thereafter, using the AK, the target BS can verify received management messages of this MSS that carry an HMAC/CMAC, append an HMAC/CMAC to the management messages that need to be sent to the MSS so that the peer can check their integrity, and derive from the AK the encryption key used on the data path to guarantee the confidentiality of session traffic transmitted over the air interface.
Description of drawings
Fig. 1 is a schematic diagram of the security architecture of a wireless access network in the prior art;
Fig. 2 is a schematic diagram of the prior-art verification flow when the ranging request message received by the target BS carries a message authentication code (MAC) in the cross-Authenticator case;
Fig. 3 is a schematic diagram of the verification flow of embodiment 1 of the invention when the ranging request message carries a MAC in the cross-Authenticator case;
Fig. 4 is a flow diagram of scheme one of the invention for producing the authorization key;
Fig. 5 is a flow diagram of scheme two of the invention for producing the authorization key;
Fig. 6 is a flow diagram of embodiment 2 of the invention;
Fig. 7 is a flow diagram of embodiment 3 of the invention;
Fig. 8 is a structural diagram of the radio access network of the invention;
Fig. 9 is a system structure diagram of the radio access network of the invention when the authorization key is obtained from the serving Authenticator;
Fig. 10 is a system structure diagram of the radio access network of the invention when the authorization key is obtained from the original Authenticator.
Embodiments
The specific embodiments of the invention are described below with reference to the drawings.
When an MSS moves into the coverage of a target BS and changes its access point from the original BS to the target BS, the target BS receives a ranging request (RNG-REQ) message carrying an HMAC/CMAC from this MSS; if the target BS holds no AK for this MSS associated with the target BS identity, it cannot perform an integrity check on this message. In this case, the invention requires that the original Authenticator storing the key information of this MSS be notified so that it sends the AK, the corresponding AKID, the AK lifetime and other key information (such as the EIK, EAP Integrity Key) to the target BS, which then parses and processes the content of the RNG-REQ and constructs the response message (RNG-RSP) with its appended HMAC/CMAC. Thereafter, using the AK, the target BS can verify received management messages of this MSS that carry an HMAC/CMAC, append an HMAC/CMAC to the management messages that need to be sent to the MSS so that the peer (the MSS) can check their integrity, and derive from the AK the encryption key used on the data path to guarantee the confidentiality of session traffic transmitted over the air interface.
If the Authenticator to which the target BS belongs holds the key information of this MSS, that Authenticator directly produces, from the MSS identity and the target BS identity, the AK of this MSS together with the corresponding AKID, AK lifetime and other key information (such as the EIK, EAP Integrity Key), and sends them to the target BS. In this case the message exchange between the serving Authenticator and the original Authenticator in the corresponding embodiments 1 and 2 is omitted.
Embodiment 1:
The flow for the integrity check of an RNG-REQ message carrying an HMAC, and of the subsequent management messages, when an MSS hands over across Authenticators while moving is shown in Fig. 3:
S301: the MSS sends an RNG-REQ message to the target BS, the RNG-REQ message carrying a MAC;
When the MSS moves from the serving BS to the target BS, synchronizes with the target BS and has received and identified the downlink and uplink parameters of the target BS, the MSS sends the RNG-REQ management message to the target BS with MAC information appended; in this embodiment an HMAC is used.
S302: the target BS sends an authorization key request (AK_Request) message to the serving Authenticator to which it belongs, the AK_Request message including the MSS and target BS identification information and the location information of the original Authenticator;
The target BS sends the AK_Request message to the serving Authenticator to which it belongs; the message contains the identities of the MSS and the target BS and the direct or indirect location information of the original Authenticator. The identities of the MSS and the target BS are used to produce the air-interface key AK associated with the MSS and the target BS, and the direct or indirect location information of the original Authenticator allows the serving Authenticator to address the original Authenticator. The location information of the original Authenticator may be the identification information of the original Authenticator or the identification information of the original BS. If it is the identification information of the original BS, the original Authenticator must additionally be looked up from the original BS identification information as the Authenticator to which the original BS belongs.
S303: the original Authenticator and the serving Authenticator exchange the MSS and target BS identification information, and produce the authorization key of this MSS for the target BS;
In this step, the serving Authenticator uses the location information of the original Authenticator from step S302 to exchange the MSS and target BS identification information with the original Authenticator and produce the authorization key for the target BS.
S304: the target BS processes the RNG-REQ message according to the authorization key.
The target BS obtains the authorization key AK and parses and processes the content of the RNG-REQ;
S305: the target BS constructs the response message RNG-RSP and appends an HMAC to it.
In the above scheme, the authorization key can be produced by either of the following two schemes:
Scheme one, as shown in Fig. 4, comprises the following steps:
S401: the serving Authenticator sends an AK_Request message to the original Authenticator, containing the identities of the MSS and the target BS;
S402: the original Authenticator produces the AK and related information for this MSS for the target BS, according to the identities of the MSS and the target BS and the key information stored on the original Authenticator;
S403: the serving Authenticator sends the AK and related information to the target BS.
Scheme two, as shown in Fig. 5, comprises the following steps:
S501: the serving Authenticator sends a key application request message to the original Authenticator, containing the identity of the MSS;
S502: the original Authenticator sends the stored key information of the MSS to the serving Authenticator, and the serving Authenticator produces the AK and related information for this MSS for the target BS according to the identities of the MSS and the target BS and the key information of the MSS;
S503: the serving Authenticator sends the AK and related information to the target BS.
In the above, the AK related information may include the AKID, the AK lifetime and other context information.
Thereafter, using the AK, the target BS can verify received management messages of this MSS that carry an HMAC, append an HMAC to the management messages that need to be sent to the MSS so that the peer can check their integrity, and derive from the AK the encryption key used on the data path to guarantee the confidentiality of session traffic transmitted over the air interface.
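The Python model below is an added example, not code from the patent or from Huawei. It walks through embodiment 1 with both key-production schemes: the target BS forwards only the identities plus the original Authenticator's location (a direct Authenticator id, or an original BS id that the serving Authenticator must look up), the AK and its AKID/lifetime come back through the serving Authenticator, and the RNG-REQ HMAC is checked at the target BS rather than at the original Authenticator. It also measures what the prior-art flow would have forwarded (whole body plus HMAC) against the new request. The key derivation, message layouts and all identifiers are constructed stand-ins, not the IEEE 802.16 definitions.

```python
import hmac
import hashlib
import json

# Constructed sample network (all ids and key bytes are made up): the MSS's key
# information is held only by original Authenticator "AUTH-A"; target BS "BS-2"
# belongs to serving Authenticator "AUTH-B"; original BS "BS-1" belongs to "AUTH-A".
MSS_ID = "MSS-0001"
ORIG_BS_ID, TARGET_BS_ID = "BS-1", "BS-2"
ORIG_AUTH_ID, SERVING_AUTH_ID = "AUTH-A", "AUTH-B"
KEY_INFO = hashlib.sha256(b"constructed root key material").digest()


def derive_ak(key_info: bytes, mss_id: str, bs_id: str) -> bytes:
    """AK bound to (MSS, BS). Simplified stand-in for the real KDF: the patent only
    states that the AK depends on the stored key info and both identities."""
    return hmac.new(key_info, f"AK|{mss_id}|{bs_id}".encode(), hashlib.sha256).digest()


def ak_context(ak: bytes) -> dict:
    """AK plus the 'related information' the patent lists (AKID, lifetime)."""
    return {"AK": ak, "AKID": hashlib.sha256(b"AKID|" + ak).hexdigest()[:16], "lifetime": 3600}


def compute_mac(ak: bytes, body: bytes) -> bytes:
    """Management-message HMAC keyed by a key derived from the AK (simplified)."""
    mac_key = hmac.new(ak, b"HMAC_KEY", hashlib.sha256).digest()
    return hmac.new(mac_key, body, hashlib.sha256).digest()


class OriginalAuthenticator:
    def __init__(self, auth_id: str, key_store: dict):
        self.auth_id, self.key_store = auth_id, key_store

    def ak_request(self, mss_id: str, target_bs_id: str) -> dict:
        """Scheme one (S401-S402): derive the AK here from ids + stored key info."""
        return ak_context(derive_ak(self.key_store[mss_id], mss_id, target_bs_id))

    def key_request(self, mss_id: str) -> bytes:
        """Scheme two (S501-S502): hand the stored key info to the serving Authenticator."""
        return self.key_store[mss_id]


class ServingAuthenticator:
    def __init__(self, auth_id: str, auths_by_id: dict, auth_id_by_bs: dict):
        self.auth_id, self.auths, self.auth_by_bs = auth_id, auths_by_id, auth_id_by_bs

    def resolve_original(self, loc: dict) -> OriginalAuthenticator:
        """Location is a direct Authenticator id or an original BS id to look up."""
        if loc["type"] == "authenticator_id":
            return self.auths[loc["id"]]
        return self.auths[self.auth_by_bs[loc["id"]]]

    def handle_ak_request(self, req: dict, scheme: int) -> dict:
        orig = self.resolve_original(req["orig_auth_loc"])
        if scheme == 1:
            return orig.ak_request(req["mss_id"], req["target_bs_id"])  # S403 relays it
        key_info = orig.key_request(req["mss_id"])                      # S502: derive here
        return ak_context(derive_ak(key_info, req["mss_id"], req["target_bs_id"]))


class TargetBS:
    def __init__(self, bs_id: str, serving: ServingAuthenticator):
        self.bs_id, self.serving = bs_id, serving

    def handle_rng_req(self, mss_id, body, mac, orig_auth_loc, scheme=1):
        """S302-S305: request the AK with identities only, verify the RNG-REQ HMAC
        locally, then answer with an RNG-RSP carrying its own HMAC."""
        req = {"mss_id": mss_id, "target_bs_id": self.bs_id, "orig_auth_loc": orig_auth_loc}
        ctx = self.serving.handle_ak_request(req, scheme)
        if not hmac.compare_digest(compute_mac(ctx["AK"], body), mac):
            return None  # integrity check failed: RNG-REQ is not processed
        rsp = b"RNG-RSP|" + mss_id.encode()
        return rsp, compute_mac(ctx["AK"], rsp), ctx["AKID"]


def build_network() -> TargetBS:
    orig = OriginalAuthenticator(ORIG_AUTH_ID, {MSS_ID: KEY_INFO})
    serving = ServingAuthenticator(SERVING_AUTH_ID, {ORIG_AUTH_ID: orig}, {ORIG_BS_ID: ORIG_AUTH_ID})
    return TargetBS(TARGET_BS_ID, serving)


def run_handover(scheme: int, loc: dict, tamper: bool = False):
    """MSS side (S301): derive the same AK from its own key info, MAC the RNG-REQ,
    and hand it to the target BS. Returns (rsp, rsp_mac, akid) or None on failure."""
    bs = build_network()
    body = b"RNG-REQ|" + MSS_ID.encode()
    mac = compute_mac(derive_ak(KEY_INFO, MSS_ID, TARGET_BS_ID), body)
    if tamper:
        body += b"|modified-in-transit"
    return bs.handle_rng_req(MSS_ID, body, mac, loc, scheme)


def forwarded_sizes() -> tuple:
    """Bytes the target BS pushes toward the Authenticators for the first check:
    prior art (whole body + HMAC) versus the invention (identities + location)."""
    body = b"RNG-REQ|" + MSS_ID.encode()
    mac = compute_mac(derive_ak(KEY_INFO, MSS_ID, TARGET_BS_ID), body)
    prior = {"mss_id": MSS_ID, "target_bs_id": TARGET_BS_ID, "body": body.hex(), "mac": mac.hex()}
    new = {"mss_id": MSS_ID, "target_bs_id": TARGET_BS_ID,
           "orig_auth_loc": {"type": "authenticator_id", "id": ORIG_AUTH_ID}}
    return len(json.dumps(prior)), len(json.dumps(new))
```

The same model covers embodiment 2, where the location carried is the paging controller's (original Authenticator's) direct id.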
Embodiment 2:
The flow for the integrity check of an RNG-REQ message carrying an HMAC, and of the subsequent management messages, when an MSS in idle mode moves across Authenticators is shown in Fig. 6. In this case the paging controller (which is the original Authenticator) and the Authenticator to which the target BS belongs are different, and the key information of the MSS is stored on the paging controller (the original Authenticator).
S601: the MSS sends an RNG-REQ message to the target BS, the RNG-REQ message carrying a MAC and the identity of the paging controller (the original Authenticator);
When the MSS moves from the serving BS to the target BS, synchronizes with the target BS and has received and identified the downlink and uplink parameters of the target BS, the MSS sends the RNG-REQ management message to the target BS with MAC information and the paging controller identity appended; in this embodiment the MAC is an HMAC.
In this step, the original Authenticator has the function of producing and distributing the authorization key and is co-located with the paging controller.
S602: the target BS sends an authorization key request (AK_Request) message to the serving Authenticator to which it belongs, the AK_Request message including the MSS and target BS identification information and the location information of the paging controller (the original Authenticator);
The target BS sends the AK_Request message to the serving Authenticator to which it belongs; the message contains the identities of the MSS and the target BS and the direct location information of the paging controller (the original Authenticator). The identities of the MSS and the target BS are used to produce the air-interface key AK associated with the MSS and the target BS, and the direct location information of the paging controller (the original Authenticator) allows the serving Authenticator to address the paging controller (the original Authenticator). This location information of the paging controller (the original Authenticator) is the identification information of the original Authenticator.
S603: the paging controller (the original Authenticator) and the serving Authenticator exchange the MSS and target BS identification information, and produce the authorization key of this MSS for the target BS;
In this step, the serving Authenticator uses the location information of the paging controller (the original Authenticator) from step S602 to exchange the MSS and target BS identification information with the paging controller (the original Authenticator) and produce the authorization key for this MSS for the target BS.
The authorization key can be produced by the scheme corresponding to Fig. 4 or to Fig. 5.
S604: the target BS processes the RNG-REQ message according to the authorization key.
The target BS obtains the authorization key AK, parses and processes the content of the RNG-REQ, and notifies the paging controller of the location update of this MSS;
S605: the target BS constructs the response message RNG-RSP and appends an HMAC to it.
Embodiment 3:
If the target BS is allowed to access the original Authenticator directly to apply for the AK, and the target BS has obtained the network identity of the original Authenticator, then even in the cross-Authenticator case the target BS can obtain the authorization key by the following steps, as shown in Fig. 7:
S701: the target BS sends an authorization key request message to the original Authenticator, the authorization key request message including MSS information;
S702: the original Authenticator produces the authorization key for the target BS and sends it to the target BS.
Fig. 8 is a schematic diagram of the structure of the Radio Access Network of the present invention. As the figure shows, the Radio Access Network of the present invention mainly comprises: the MSS 10; the former BS 20 that the MSS accessed before moving; the former Authenticator 30 that stores the key information of this MSS; the target BS 40 that the MSS accesses after moving; the serving Authenticator 50 connected to the target BS; and the Authentication Server 60.
In the present invention, the MSS is provided with:
a ranging request message sending unit 110, used for sending the ranging request message to the target BS 40;
The target BS 40 is provided with:
an AK acquiring unit 410, used for obtaining the AK;
a checking unit 420, used for checking the ranging request message;
a ranging response message generating unit 430, used for constructing the ranging response message and appending a message authentication code to it;
a ranging response message transmitting unit 440, used for sending the ranging response message to the MSS 10.
The MSS 10 is further provided with:
a synchronization unit 120, used for synchronizing with the target BS.
In the above scheme, how the AK acquiring unit 410 is configured depends on whether the AK is obtained from the serving Authenticator 50 or from the former Authenticator 30, specifically as follows:
Scheme one: obtaining the AK from the serving Authenticator 50.
As shown in Fig. 9, the AK acquiring unit 410 is further provided with:
a first AK request message transmitting unit 411, used for sending an AK request message to the serving Authenticator 50; the AK request message carries the MSS 10 information and the location information of the former Authenticator 30;
The former Authenticator 30 and the serving Authenticator 50 exchange the identification information of the MSS 10 and the target BS 40, and the AK of this MSS 10 is generated for the target BS 40.
Under this scheme, the serving Authenticator 50 is provided with:
an AK application request message transmitting unit 510, used for sending an AK application request message to the former Authenticator 30, carrying the identifiers of the MSS 10 and the target BS 40;
The former Authenticator 30 is provided with:
an AK and associated information generating unit 310, used for generating, according to the identifiers of the MSS 10 and the target BS 40 and the key information stored in the former Authenticator 30, the AK and associated information of this MSS 10 for the target BS 40;
an AK and associated information transmitting unit 320, used for sending the AK and associated information to the target BS 40.
Scheme two: obtaining the AK from the former Authenticator 30
When the serving BS can obtain the AK directly from the former Authenticator 30, the AK acquiring unit 410 is provided with, as shown in Fig. 10:
a second AK request message transmitting unit 412, used for sending an AK request message to the former Authenticator 30; the AK request message carries the MSS 10 information;
The former Authenticator 30 is provided with:
an AK transmitting unit 330, used for sending the AK to the target BS 40.
The scheme of the present invention proposes an integrity-check scheme, for the cross-Authenticator case, for an RNG_REQ message carrying an HMAC/CMAC and for the management messages that follow it. The invention applies both to an MSS moving during an ongoing session and to an MSS moving in idle mode. In the present invention, the former Authenticator is defined as the Authenticator that stores the key information from which the AK of this MSS can be produced; it is not necessarily the Authenticator of the former BS. This improved flow reduces the signaling consumption inside the network and at the same time ensures that the target BS forwards the key request message to the former Authenticator effectively and correctly, so that the target BS finally obtains the AK, parses and processes the content of RNG-REQ, and constructs the response message RNG-RSP with an HMAC/CMAC appended. Thereafter, using the AK, the target BS can check the received management messages of this MSS that carry an HMAC/CMAC, can append an HMAC/CMAC to the management messages it needs to send to the MSS so that the peer can perform the integrity check, and can also derive from the AK the encryption key used on the data path to guarantee the confidentiality of session traffic transmitted over the air interface.
Obviously, those skilled in the art can make various changes and modifications to the present invention without departing from its spirit and scope. Thus, if these modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalent technologies, the present invention is also intended to include these changes and modifications.

Claims (24)

1. A ranging request message checking method, characterized in that it is applied to the case where a mobile subscriber station crosses Authenticators during a mobile handover, and comprises the following steps:
the mobile subscriber station sends a ranging request message to a target base station;
the target base station obtains an authentication key and performs an integrity check on the ranging request message.
2. The method of claim 1, characterized in that the step of the mobile subscriber station sending the ranging request message to the target base station further comprises:
the mobile subscriber station synchronizing with the target base station, and receiving and identifying the downlink and uplink idle resource allocation parameters of the target base station.
3. The method of claim 1, characterized in that, in the step of the mobile subscriber station sending the ranging request message to the target base station, the ranging request message carries a message authentication code.
4. The method of claim 3, characterized in that the message authentication code is a hashed message authentication code or a cipher-based message authentication code.
5. The method of claim 1, characterized in that the step of the target base station obtaining the authentication key comprises:
the target base station sends an authentication key request message to the serving Authenticator; the authentication key request message carries the mobile subscriber station information and the location information of the former Authenticator;
the former Authenticator and the serving Authenticator exchange the identification information of the mobile subscriber station and the target base station, and the authentication key of this mobile subscriber station is generated for the target base station.
6. The method of claim 5, characterized in that the location information of the former Authenticator is the identification information of the former Authenticator or the identification information of the former base station.
7. The method of claim 6, characterized in that, if the location information of the former Authenticator is the identification information of the former base station, the method further comprises looking up the former Authenticator according to the identification information of the former base station.
8. The method of claim 5, characterized in that the step in which the former Authenticator and the serving Authenticator exchange the identification information of the mobile subscriber station and the target base station, and the authentication key of this mobile subscriber station is generated for the target base station, further comprises:
the serving Authenticator sends an authentication key application request message to the former Authenticator, carrying the identifiers of the mobile subscriber station and the target base station;
the former Authenticator generates, according to the identifiers of the mobile subscriber station and the target base station and the key information stored by the former Authenticator, the authentication key and associated information of this mobile subscriber station for the target base station;
the serving Authenticator sends the authentication key and associated information to the target base station.
9. The method of claim 5, characterized in that the step in which the former Authenticator and the serving Authenticator exchange the identification information of the mobile subscriber station and the target base station, and the authentication key of this mobile subscriber station is generated for the target base station, further comprises:
the serving Authenticator sends a key application request message to the former Authenticator, carrying the identifier of the mobile subscriber station;
the former Authenticator sends the stored key information of the mobile subscriber station to the serving Authenticator, and the serving Authenticator generates, according to the identifiers of the mobile subscriber station and the target base station and the key information of the mobile subscriber station, the authentication key and associated information of this mobile subscriber station for the target base station;
the serving Authenticator sends the authentication key and associated information to the target base station.
10. The method of claim 1, characterized in that the step of the target base station obtaining the authentication key and performing the integrity check on the ranging request message further comprises:
the target base station sends an authentication key request message to the serving Authenticator it belongs to; the authentication key request message carries the identifiers of the mobile subscriber station and of the paging controller;
the paging controller and the serving Authenticator exchange the identification information of the mobile subscriber station and the target base station, and the authentication key of this mobile subscriber station is generated for the target base station.
11. The method of claim 1, characterized in that, in the step of the target base station obtaining the authentication key and performing the integrity check on the ranging request message, if the serving Authenticator to which the target base station belongs holds the key information of this mobile subscriber station, the target base station directly uses the authentication key of this mobile subscriber station generated by the serving Authenticator to perform the integrity check on the ranging request message.
12. The method of claim 11, characterized in that the step of the target base station obtaining the authentication key and performing the integrity check on the ranging request message further comprises:
the target base station sends an authentication key request message to the serving Authenticator; the authentication key request message carries the mobile subscriber station identifier and the target base station identifier;
the serving Authenticator generates, according to the mobile subscriber station identifier and the target base station identifier, the authentication key and associated information of this mobile subscriber station for the target base station.
13. The method of claim 1, characterized in that the step of the target base station obtaining the authentication key further comprises:
the target base station sends an authentication key request message to the former Authenticator; the authentication key request message carries the mobile subscriber station information;
the former Authenticator generates the authentication key for the target base station and sends the authentication key to the target base station.
14. The method of claim 8 or 9, characterized in that the associated information of the authentication key comprises the authentication key identifier, the lifetime of the authentication key, and other context information.
15. The method of claim 1, characterized in that it further comprises the step of:
the target base station constructing a ranging response message, appending a message authentication code to it, and sending it to the mobile subscriber station.
16. The method of claim 1, characterized in that it further comprises the step of:
the target base station using the authentication key to perform an integrity check on the received management messages of this mobile subscriber station.
17. The method of claim 1, characterized in that it further comprises the step of:
the target base station appending a message authentication code to the management messages that need to be sent to the mobile subscriber station, so that the peer can perform an integrity check.
18. The method of claim 1, characterized in that it further comprises the step of:
generating an encryption key from the authentication key.
19. A Radio Access Network, comprising: a mobile subscriber station; a former base station accessed by the mobile subscriber station before moving, and a former Authenticator storing the key information of this mobile subscriber station; a target base station accessed by the mobile subscriber station after moving, and a serving Authenticator connected to the target base station; and an authentication server connected to the former Authenticator and the serving Authenticator; characterized in that it is applied to the case where the mobile subscriber station crosses Authenticators during a mobile handover;
the mobile subscriber station is provided with:
a ranging request message sending unit, used for sending a ranging request message to the target base station;
the target base station is provided with:
an authentication key acquiring unit, used for obtaining the authentication key;
a checking unit, used for performing an integrity check on the ranging request message.
20. The Radio Access Network of claim 19, characterized in that
the mobile subscriber station is further provided with:
a synchronization unit, used for synchronizing with the target base station.
21. The Radio Access Network of claim 19, characterized in that
the authentication key acquiring unit is further provided with:
an authentication key request message transmitting unit, used for sending an authentication key request message to the serving Authenticator, the authentication key request message carrying the mobile subscriber station information and the location information of the former Authenticator;
the former Authenticator and the serving Authenticator exchange the identification information of the mobile subscriber station and the target base station, and the authentication key of this mobile subscriber station is generated for the target base station.
22. The Radio Access Network of claim 21, characterized in that
the serving Authenticator is further provided with:
an authentication key application request message transmitting unit, used for sending an authentication key application request message to the former Authenticator, carrying the identifiers of the mobile subscriber station and the target base station;
the former Authenticator is further provided with:
an authentication key and associated information generating unit, used for generating, according to the identifiers of the mobile subscriber station and the target base station and the key information stored by the former Authenticator, the authentication key and associated information of this mobile subscriber station for the target base station;
an authentication key and associated information transmitting unit, used for sending the authentication key and associated information to the target base station.
23. The Radio Access Network of claim 19, characterized in that
the target base station is further provided with:
an authentication key request message transmitting unit, used for sending an authentication key request message to the former Authenticator, the authentication key request message carrying the mobile subscriber station information;
the former Authenticator is further provided with:
an authentication key transmitting unit, used for sending the authentication key to the target base station.
24. The Radio Access Network of claim 19, characterized in that
the target base station is further provided with:
a ranging response message generating unit, used for constructing a ranging response message and appending a message authentication code to it;
a ranging response message transmitting unit, used for sending the ranging response message to the mobile subscriber station.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB2006101038904A CN100521820C (en) 2005-08-23 2006-08-08 Method for checking distance measurement requirement information and wireless access network

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
CN200510093287 2005-08-23
CN200510093287.8 2005-08-23
CNB2006101038904A CN100521820C (en) 2005-08-23 2006-08-08 Method for checking distance measurement requirement information and wireless access network

Publications (2)

Publication Number Publication Date
CN101014185A CN101014185A (en) 2007-08-08
CN100521820C true CN100521820C (en) 2009-07-29

Family

ID=38701423

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB2006101038904A Active CN100521820C (en) 2005-08-23 2006-08-08 Method for checking distance measurement requirement information and wireless access network

Country Status (1)

Country Link
CN (1) CN100521820C (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101198181B (en) * 2007-12-24 2010-10-06 中国科学院计算技术研究所 (Institute of Computing Technology, Chinese Academy of Sciences) Network processing system for wireless network and method thereof
CN101610511A (en) * 2009-07-08 2009-12-23 中兴通讯股份有限公司 (ZTE Corporation) Method and device for protecting terminal privacy

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
WiMAX安全机制研究 (Research on WiMAX security mechanisms). 庞辽军, 王育民. 中兴通讯技术 (ZTE Technology Journal), Vol. 11, No. 2, 2005 * (cited by examiner)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant