CN101094531A - Decision method of not carrying out encryption on customers - Google Patents

Decision method of not carrying out encryption on customers

Info

Publication number
CN101094531A
Authority
CN
China
Prior art keywords
user
customer side
encryption
side encryption
enb
Legal status
Pending
Application number
CNA2007101378667A
Other languages
Chinese (zh)
Inventor
甘露
Current Assignee
ZTE Corp
Original Assignee
ZTE Corp
Priority date
2007-07-24
Filing date
2007-07-24
Publication date
2007-12-26

Abstract

The invention reduces the processing load of the Evolved Packet System (EPS). In the method, when a user equipment attaches, an indication that user plane encryption is not needed is added to the user subscription data that the home subscriber server (HSS) sends to the mobility management entity (MME); the decision not to perform user plane encryption is then made according to whether the MME is able to recognise that indication and whether the evolved base station supports leaving the user plane unencrypted.

Description

A method of deciding not to perform user plane encryption
Technical field
The present invention relates to the field of mobile communication technology and, specifically, to a method of deciding not to perform user plane encryption.
Background technology
As shown in Figure 1, the 3GPP Evolved Packet System (EPS) consists of the Evolved UMTS Terrestrial Radio Access Network (EUTRAN) and the Evolved Packet Core (EPC); the EPC is made up of the Mobility Management Entity (MME), the Serving Gateway (S-GW), the Packet Data Network Gateway (PDN GW), the Home Subscriber Server (HSS) and other supporting nodes. The interface between the EUTRAN and the MME is S1-MME, and the interface between the EUTRAN and the S-GW is S1-U; the interface between the MME and the HSS is S6a, and the interface between the MME and the S-GW is S11; the interface between the S-GW and the PDN GW is S5. The interface from the PDN GW to external networks is SGi.
The MME is responsible for control plane work such as mobility management, processing of Non-Access Stratum signalling and management of the user's security mode. The HSS is mainly responsible for storing the user's subscription data, the user's location in the network, network configuration and so on.
In the evolved UTRAN, the base station equipment is the evolved Node-B (eNB), which is mainly responsible for radio communication, mobility context management and/or management of the user's security mode.
The user subscription data held in the HSS records, for example, whether the user has subscribed to a particular operator's network service and whether the user has subscribed to a particular service.
When a user equipment (UE) attaches to an EPC, after authentication between the UE and the network has succeeded, the MME requests a location update from the HSS and the HSS writes the user subscription data to the MME. As shown in Figure 2, the detailed process comprises the following steps:
Step 201, the UE sends an attach request to an eNB in the UTRAN;
Step 202, the eNB forwards the attach request to the MME;
Step 203, the UE optionally performs authentication with the evolved packet system via the S-GW and PDN GW; authentication is performed only on initial access and is not needed in cases such as handover;
Step 204, after authentication succeeds, the MME requests the HSS to update the UE's location;
Step 205, the HSS writes the user's subscription data to the MME, and the MME creates a context for the UE;
Step 206, the MME replies to the HSS with an acknowledgement that the user subscription data has been written;
Step 207, the HSS replies to the MME with an acknowledgement of the UE location update;
Steps 208-209, the MME requests the S-GW and PDN GW to set up bearers;
Step 210, the MME notifies the eNB that the attach is accepted;
Steps 211-212, the UE and the UTRAN set up the radio bearer;
Step 213, the eNB in the UTRAN notifies the MME that the attach succeeded.
In the EPS, integrity protection and encryption of Non-Access Stratum (NAS) signalling are required between the UE and the MME, encryption and integrity protection of Access Stratum (AS) signalling are required between the UE and the eNB in the UTRAN, and user plane encryption is also required between the UE and the eNB. The UE sends its security capability, that is, the list of algorithms it supports, including the list of user plane encryption algorithms it supports, to the evolved packet system. For user plane encryption, the eNB or the MME of the evolved packet system compares the user plane encryption algorithm list supported by the UE with the user plane algorithm list supported by the eNB; if a common user plane algorithm is supported, the eNB or the MME selects one such algorithm and sends it to the UE. As shown in Figure 3, the detailed process comprises the following steps:
Step 301, the UE sends its security capability to the evolved packet system via the eNB in the Attach Request message.
The security capability of the UE refers to the integrity and encryption algorithm lists the UE supports, including the user plane encryption algorithm list. If the MME performs user plane algorithm selection, the eNB also needs to send its own security capability to the MME when it forwards the Attach Request message.
Step 302, authentication is performed between the UE and the evolved packet system.
Step 303, after successful authentication, the evolved packet system functional entity (MME or eNB) selects a user plane encryption algorithm supported by both the UE and the evolved packet system.
If the MME performs user plane algorithm selection, the MME sends an evolved Radio Access Network Application Part (eRANAP) message to the eNB containing the selected Access Stratum integrity protection algorithm, encryption algorithm and user plane encryption algorithm. If the eNB performs user plane algorithm selection, the MME sends an eRANAP message to the eNB containing the Access Stratum integrity protection algorithm list, encryption algorithm list and user plane encryption algorithm list permitted for the UE, and the eNB then selects the Access Stratum integrity protection algorithm, encryption algorithm and user plane encryption algorithm.
Step 304, the eNB sends an Access Stratum Security Mode Command (SMC) to the UE containing the selected user plane encryption algorithm.
Step 305, the UE returns a Security Mode Command Complete (SMC complete) message to the eNB.
Step 306, on receiving the Security Mode Command Complete message, the eNB starts user plane encryption.
User plane encryption mainly encrypts the content of the user plane. Some users only carry out ordinary communication over the mobile communication system and no confidential content is involved, so there is no need to encrypt the content of their user plane. For example, if a user only uses the terminal to make phone calls for ordinary chat or contact, the content of those conversations does not need to be encrypted.
If user plane encryption has to be performed for every user, this places a heavy processing load on the eNB. If the user plane were instead encrypted according to the needs of the specific user, the processing load of the evolved packet system functional entity eNB could be reduced considerably. Further, an operator could offer user plane encryption as a service to the users who need it.
Summary of the invention
The technical problem solved by the invention is to provide, for a mobile communication system, a method of deciding not to perform user plane encryption, so as to reduce the processing load of the evolved packet system.
To solve this technical problem, the invention provides a method of deciding not to perform user plane encryption: when a user equipment attaches, an indication that user plane encryption is not needed is added to the user subscription data that the home subscriber server sends to the mobility management entity, and the decision not to perform user plane encryption is made according to whether the mobility management entity is able to recognise the indication and whether the evolved base station supports not performing user plane encryption.
In the above method, the decision not to perform user plane encryption may be made by the mobility management entity or by the evolved base station.
The above method may further include: if an indication that user plane encryption is needed is added to the user subscription data, it may be decided to perform user plane encryption; if the mobility management entity does not have the recognition capability, it may be decided to perform user plane encryption; and if the evolved base station does not have the support capability, it may likewise be decided to perform user plane encryption.
Further, the decision to perform user plane encryption may be made by the mobility management entity or by the evolved base station. A user plane encryption algorithm may also be selected and sent to the user equipment. In particular, the user plane encryption algorithm may be selected by the mobility management entity and sent to the user equipment via the evolved base station, or it may be selected directly by the evolved base station and sent to the user equipment.
The above method may further send the user equipment a message indicating that user plane encryption is not performed. In particular, this message may be sent by the mobility management entity via the evolved base station, or directly by the evolved base station.
Compared with the prior art, the invention has the following advantages:
1) user plane encryption can be omitted for certain users according to the user's choice, which reduces the processing load of the evolved packet system functional entity eNB;
2) the operator can offer user plane encryption as a service to the users who need it, which enriches the operator's service offering.
Description of drawings
Fig. 1 is a diagram of the EPS system architecture in the prior art.
Fig. 2 is the prior-art signalling flow in which the HSS writes user subscription data to the MME.
Fig. 3 is the prior-art signalling flow for negotiating the user plane encryption algorithm.
Fig. 4 is a schematic diagram of the steps of the method of the invention.
Fig. 5 is a schematic flow diagram of the first application example of the method of the invention.
Fig. 6 is a schematic flow diagram of the fourth application example of the method of the invention.
Embodiment
The invention is described in further detail below with reference to the accompanying drawings. The following embodiments are given to provide a thorough understanding of the invention and do not limit it in any way.
The idea of the invention is that an indication of whether the user's user plane needs to be encrypted is added to the user subscription data; whether the user plane is encrypted is then determined according to whether the evolved packet system functional entity MME is itself able to recognise that indication and whether the evolved packet system functional entity eNB itself supports not encrypting the user plane. That is, if the user does not need user plane encryption, the MME can recognise the indication that user plane encryption is not needed, and the eNB supports not performing user plane encryption, then user plane encryption is not performed; otherwise user plane encryption is performed.
For this purpose the user subscription data needs to be improved by adding to it an indication of whether the user plane needs to be encrypted. The evolved packet system functional entity MME also needs to be improved so that it is able to recognise whether the user plane needs to be encrypted, and the evolved packet system functional entity eNB must support not encrypting the user plane when required. Of course, if the MME lacks this recognition capability, it ignores the indication added to the user subscription data and simply encrypts the user plane as in the prior art. Alternatively, if the MME is able to recognise the indication but the eNB does not support leaving the user plane unencrypted, the user plane is encrypted regardless of whether the user needs it.
Fig. 4 shows the steps of the method of the invention, comprising:
Step 401, an indication of whether the user plane needs to be encrypted is added to the user subscription data held by the HSS;
Step 402, when the UE attaches, the HSS sends the MME the user subscription data containing the indication of whether the user plane needs to be encrypted;
Step 403, the MME creates the UE context from the user subscription data; if the MME is able to recognise the indication of whether the user plane needs to be encrypted, go to step 404, otherwise go to step 407;
Step 404, if the MME determines from the indication that user plane encryption is not needed, go to step 405, otherwise go to step 407;
Step 405, if it is determined from the support capability of the evolved packet system functional entity eNB that user plane encryption need not be performed, go to step 406, otherwise likewise go to step 407;
Step 406, since it has been decided not to perform user plane encryption, the evolved packet system functional entity MME or eNB sends the UE a message indicating that user plane encryption is not performed;
Step 407, since it has been decided to perform user plane encryption, the evolved packet system functional entity MME or eNB selects a user plane encryption algorithm and sends the selected algorithm to the UE.
In step 407, if the MME performs user plane algorithm selection, the MME sends an eRANAP message to the eNB containing the user plane encryption algorithm selected by the MME, and the eNB forwards the selected algorithm to the UE; if the eNB performs user plane algorithm selection, the MME sends an eRANAP message to the eNB containing the user plane encryption algorithm list permitted for the UE, and the eNB selects the user plane encryption algorithm and sends it to the UE.
A first application example of the invention is given below. The user subscription data identifies that the user does not need user plane encryption, the evolved packet system functional entities are able to recognise from the user's needs whether the user plane needs to be encrypted and support choosing whether or not to perform user plane encryption, and, as shown in Figure 5, the MME decides whether the user plane needs to be encrypted. The signalling flow comprises:
Step 501, the UE sends an attach request, an initial Layer 3 message, to the eNB; in this message the UE reports its security capability to the evolved packet system, namely the Non-Access Stratum integrity protection and encryption algorithm lists, the Access Stratum integrity protection and encryption algorithm lists and the user plane encryption algorithm list supported by the UE;
Step 502, the eNB forwards the initial Layer 3 message to the MME and at the same time reports its own security capability to the MME, namely the Access Stratum integrity protection and encryption algorithm lists and the user plane encryption algorithm list supported by the eNB, and whether the eNB supports not encrypting the user plane;
Step 503, authentication is optionally performed between the UE and the evolved packet system;
Step 504, the MME updates the UE's location with the HSS;
Step 505, the HSS sends the user's subscription data to the MME; the subscription data contains an indication that this user does not need user plane encryption;
Step 506, because the evolved packet system functional entity MME is able to recognise this indication, it determines from it that the user does not need user plane encryption;
Step 507, because the eNB supports not encrypting the user plane, the MME decides not to perform user plane encryption, and the MME performs no user plane algorithm selection;
Step 508, the MME sends an eRANAP message to the eNB containing a notification that user plane encryption is not needed;
Step 509, the eNB sends an Access Stratum Security Mode Command message to the UE containing the notification that user plane encryption is not needed;
Step 510, the UE replies to the eNB with an Access Stratum Security Mode Command Complete message;
Step 511, on receiving the Access Stratum Security Mode Command Complete message, the eNB does not start user plane encryption.
In step 506, if the operator has configured all eNBs connected to this MME to support not encrypting the user plane, the MME can decide directly not to perform user plane encryption and step 507 can be omitted. Correspondingly, the eNB's report to the MME in step 502 of whether it supports not encrypting the user plane can then be omitted as well.
In a second application example of the invention, the evolved packet system functional entity MME lacks the ability to recognise that the user does not need user plane encryption, so it cannot recognise the corresponding indication; the MME therefore ignores the indication and enters the flow in which the user plane is encrypted.
In a third application example of the invention, the evolved packet system functional entity MME is able to recognise that the user does not need user plane encryption, but the evolved packet system functional entity eNB itself does not support not encrypting the user plane, so the MME determines that the user plane still needs to be encrypted.
A fourth application example of the invention is given below. The user subscription data identifies that the user does not need user plane encryption, the evolved packet system functional entities are able to recognise from the user's needs whether the user plane needs to be encrypted and support choosing whether or not to perform user plane encryption, and, as shown in Figure 6, the eNB decides whether the user plane needs to be encrypted. The signalling flow comprises:
Step 601, the UE sends an attach request, an initial Layer 3 message, to the eNB; in this message the UE reports its capability to the evolved packet system, namely the Access Stratum integrity protection and encryption algorithm lists, the Non-Access Stratum integrity protection and encryption algorithm lists and the user plane encryption algorithm list supported by the UE;
Step 602, the eNB forwards the initial Layer 3 message to the MME;
Step 603, authentication is optionally performed between the UE and the evolved packet system;
Step 604, the MME updates the UE's location with the HSS;
Step 605, the HSS sends the user's subscription data to the MME; the subscription data contains an indication that this user does not need user plane encryption;
Step 606, because the evolved packet system functional entity MME is able to recognise this indication, it determines from it that the user does not need user plane encryption;
Step 607, the MME sends an eRANAP message to the eNB notifying it that the user does not need user plane encryption;
Step 608, because the eNB allows the user plane to be left unencrypted, the eNB decides not to perform user plane encryption and need not perform user plane algorithm selection;
Step 609, the eNB sends an Access Stratum Security Mode Command to the UE containing the notification that user plane encryption is not needed;
Step 610, the UE replies to the eNB with an Access Stratum Security Mode Command Complete message;
Step 611, on receiving the Access Stratum Security Mode Command Complete message, the eNB does not start user plane encryption.
In step 606, if the operator has configured all eNBs connected to this MME to support not encrypting the user plane, then in step 608 the eNB decides directly, according to the MME's notification, not to perform user plane encryption, and need not perform user plane algorithm selection.
In a fifth application example of the invention, the evolved packet system functional entity MME is able to recognise that the user does not need user plane encryption, but the evolved packet system functional entity eNB does not support not encrypting the user plane, so the eNB determines that the user plane still needs to be encrypted.
In other application examples of the invention, the user subscription data identifies that the user needs user plane encryption; then, regardless of whether the evolved packet system functional entities are able to recognise whether the user plane needs to be encrypted, and regardless of whether they support choosing whether or not to perform user plane encryption, the user plane must be encrypted. The encryption flow is the same as in the prior art and is not repeated here.
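The decision of Fig. 4 and the five application examples above, with the prior-art algorithm negotiation of Fig. 3 (step 303) as the fall-through path, as an added Python example that is not part of the patent; the class, field and message names are assumptions, since the patent names none of them, and so is the pairing of the deciding entity with the entity that selects the algorithm.

```python
# Added example (not the patent's code): Fig. 4 steps 403-407 with Fig. 3 step 303
# as the fall-through path. Field, class and message names are hypothetical.
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class Entity(Enum):
    MME = "MME"
    ENB = "eNB"


@dataclass
class SubscriptionData:
    # Hypothetical attribute for the indication the HSS adds in step 401.
    # None models a legacy subscription record that carries no indication.
    no_up_ciphering: Optional[bool] = None


@dataclass
class Mme:
    recognises_indication: bool   # False in the second application example
    selects_up_algorithm: bool    # True: Fig. 5 flow; False: Fig. 6 flow (eNB selects)


@dataclass
class Enb:
    supports_no_up_ciphering: bool   # False in the third and fifth examples
    up_algorithms: List[str] = field(default_factory=list)


@dataclass
class Outcome:
    ciphered: bool
    algorithm: Optional[str]   # None when the user plane stays unencrypted
    decided_by: Entity
    reason: str

    def security_mode_command(self) -> dict:
        # Hypothetical encoding of the AS Security Mode Command the eNB sends to
        # the UE (steps 304, 509, 609): a "not needed" notice or the chosen algorithm.
        if self.ciphered:
            return {"up_ciphering_algorithm": self.algorithm}
        return {"up_ciphering": "not_needed"}


def select_up_algorithm(ue_algorithms: List[str], enb: Enb) -> str:
    """Step 303 / step 407: first algorithm in the UE's list that the eNB also
    supports. Assumption: the UE lists its algorithms in preference order."""
    for alg in ue_algorithms:
        if alg in enb.up_algorithms:
            return alg
    raise ValueError("UE and eNB share no user plane encryption algorithm")


def decide_user_plane(sub: SubscriptionData, mme: Mme, enb: Enb,
                      ue_algorithms: List[str]) -> Outcome:
    """Steps 403-407 of Fig. 4. The deciding entity is taken to be the one that
    would select the algorithm (MME in Fig. 5, eNB in Fig. 6); that pairing is
    how the patent draws its two flows and is an assumption here."""
    decider = Entity.MME if mme.selects_up_algorithm else Entity.ENB

    def encrypt(reason: str) -> Outcome:
        # Step 407: every path other than "all three conditions hold" ends here,
        # so a missing or unrecognised input always leaves the user plane encrypted.
        return Outcome(True, select_up_algorithm(ue_algorithms, enb), decider, reason)

    if not mme.recognises_indication:             # step 403
        return encrypt("MME cannot recognise the subscription indication")
    if sub.no_up_ciphering is not True:           # step 404
        return encrypt("subscription does not waive user plane ciphering")
    if not enb.supports_no_up_ciphering:          # step 405
        return encrypt("eNB does not support an unencrypted user plane")
    return Outcome(False, None, decider,          # step 406
                   "subscription, MME and eNB all allow no user plane ciphering")


# Constructed sample capabilities for the five application examples; the
# algorithm identifiers are placeholders, not real 3GPP algorithm names.
UE_ALGS = ["UP-A2", "UP-A1"]
ENB_CAPABLE = Enb(supports_no_up_ciphering=True, up_algorithms=["UP-A1", "UP-A2"])
ENB_LEGACY = Enb(supports_no_up_ciphering=False, up_algorithms=["UP-A1"])
WAIVED = SubscriptionData(no_up_ciphering=True)

if __name__ == "__main__":
    cases = [("1st (Fig. 5)", Mme(True, True), ENB_CAPABLE),
             ("2nd", Mme(False, True), ENB_CAPABLE),
             ("3rd", Mme(True, True), ENB_LEGACY),
             ("4th (Fig. 6)", Mme(True, False), ENB_CAPABLE),
             ("5th", Mme(True, False), ENB_LEGACY)]
    for label, mme, enb in cases:
        o = decide_user_plane(WAIVED, mme, enb, UE_ALGS)
        print(f"{label:13} {o.decided_by.value}: {o.security_mode_command()} ({o.reason})")
```

Only the path in which all three inputs positively agree yields an unencrypted user plane; an absent indication, an MME that cannot parse it, or an eNB without the support capability all fall back to algorithm selection, which is the behaviour the second, third and fifth examples describe.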
The above are only preferred embodiments of the invention and do not limit it; for a person skilled in the art, the invention may have various changes and variations, and any modification, equivalent replacement or improvement made within the spirit and principles of the invention should be included within its protection scope.

Claims (10)

1. A method of deciding not to perform user plane encryption, characterised in that, when a user equipment attaches, an indication that user plane encryption is not needed is added to the user subscription data that the home subscriber server sends to the mobility management entity, and the decision not to perform user plane encryption is made according to whether the mobility management entity is able to recognise the indication and whether the evolved base station supports not performing user plane encryption.
2. The method of claim 1, characterised in that the decision not to perform user plane encryption is made by the mobility management entity or by the evolved base station.
3. The method of claim 1, characterised in that it further comprises: if an indication that user plane encryption is needed is added to the user subscription data, deciding to perform user plane encryption.
4. The method of claim 1, characterised in that it further comprises: if the mobility management entity does not have the recognition capability, deciding to perform user plane encryption.
5. The method of claim 1, characterised in that it further comprises: if the evolved base station does not have the support capability, deciding to perform user plane encryption.
6. The method of claim 3, 4 or 5, characterised in that the decision to perform user plane encryption is made by the mobility management entity or by the evolved base station.
7. The method of claim 3, 4 or 5, characterised in that it further comprises selecting a user plane encryption algorithm and sending it to the user equipment.
8. The method of claim 7, characterised in that the user plane encryption algorithm is selected by the mobility management entity and sent to the user equipment via the evolved base station, or is selected directly by the evolved base station and sent to the user equipment.
9. The method of claim 1, characterised in that it further comprises sending the user equipment a message indicating that user plane encryption is not performed.
10. The method of claim 9, characterised in that the message indicating that user plane encryption is not performed is sent by the mobility management entity via the evolved base station, or directly by the evolved base station.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNA2007101378667A CN101094531A (en) 2007-07-24 2007-07-24 Decision method of not carrying out encryption on customers


Publications (1)

Publication Number Publication Date
CN101094531A true CN101094531A (en) 2007-12-26



Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101128066B (en) * 2007-09-27 2012-07-18 中兴通讯股份有限公司 Method and system without user interface encryption
CN101262337B (en) * 2008-02-05 2012-06-06 中兴通讯股份有限公司 Secure function control method and system
CN102595406A (en) * 2012-02-15 2012-07-18 电信科学技术研究院 Management method and equipment for subscription information
CN102595406B (en) * 2012-02-15 2014-08-20 电信科学技术研究院 Management method and equipment for subscription information
CN108702303A (en) * 2016-03-08 2018-10-23 华为技术有限公司 One kind is that radio bearer carries out security configuration method and apparatus
CN108702303B (en) * 2016-03-08 2020-07-07 华为技术有限公司 Method and equipment for carrying out security configuration on radio bearer


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20071226